VideoHelp Forum




  1. To make a long story short, I learned the hard way that Kazaa does have some nasty viruses and some people don't bother to delete them, thereby spreading them more, or some don't have a Virus Scanner which leaves them completely open etc.

    I originally got my computer in Jan of this year, it's only a P3 550mhz with 256 ram, but a huge upgrade over my P1 120 with like 40 megs ram I had for 4 years. I then got a virus on IRC which promptly cleaned my C drive clean within the first week I had the computer. Then 3 months later I learned about P2P and Kazaa and have Norton's Antiv up and running. I sometimes get those "GO.exe" dialups disguised as cracks, and sometimes I get DOS files without an icon. I learned the hard way not to open dos files without an icon. I had a secret IRC virus hidden under Windows/System32/INF/Inf/ that was running. I also had other smaller ones that installed something small but I quickly found, sometimes my Norton caught it sometimes not.

    Now, moving on, I found Kazaa in March and had all the benefits of IRC rooms without bad queue lines. I even voluntarily downloaded the huge spyware infested Bonzi for my 5 year old to enjoy. I then found that Kazaa had spyware etc which I didn't originally know about, so I got AdAware and deleted Bonzi, Gator, Weather Bug etc.

    I didn't know about Kazaalite yet, and found 2 files on Kazaa, one named Kazaacydoor.exe and Kazaa Ad remover.exe so I dled them and installed both, and it worked great, no more ads or spy files other than a dummy cydoor.dll.

    I always share my latest movies files etc, what I can on my spare 10 gig drive, maybe 3 gigs worth of files. But then one day after installing those two files, and maybe others of course, I noticed info flying out of my computer when I start Kazaa up a minute or so after connecting to dial up but BEFORE any files are going out in my upload list. Trying to logically figure this out, I closed down all IMs, and turned off sharing in Kazaa. I connected to dial up, and yep, not counting normal auto updates from files etc, I should have practically nil info going out of my computer, but in 6 hours, before my ISP auto disconnects then I redial again, I have about 6 megs going out for the past month now or so!!
    I then started to logically investigate the two Kazaa cydoor remover files. I open them in notepad, and most small files just to see what type of commands I see in regular text mode. I found a webpage inside the text edition of the one that led to myguiguy.com and it looked like an official site where someone just wanted to remove the spyware. The second one I'm not sure about. So I tried some more experimenting. I originally noticed my dat files from Kazaa 1.50 were small like 39k only. Then I naturally upgraded to 1.51 1.60 to 1.71, I didn't do 1.72, I'm waiting for a little yet. As a side note, when I upgraded from 1.50 to 1.51, my first Kazaa upgrade, I was downloading the upgrade and I guess it tried to auto install it or something, but I saw a flash and here I lost my entire list of files I had in my queue. So I went to the shared folder and sure enough all my dats were gone!

    I really don't know about anyone else's download habits, but I'm a very "click happy" person. I could easily browse a person's files and click on 100 of them, so eventually I have 1,000 dat files that starts up with Kazaa. I sometimes weed them out and move them or put them on CDRW for later so there's less to load. I also move ALL of my dat files and have a blank shared folder or else with finished files only when I upgrade to the next version, I learned my lesson the first time.

    Now sometime after 1.60 I noticed the dat files are 100k, then some are even 400k, 700k and now .97m. Needless to say this is filling up my 10gig hard drive pretty quick since I thought they were all still 40k - 100k only. I then got curious to see what are in some of these "bigger" new dats, so I turned off Kazaa and began opening them in notepad about 5 weeks ago. I was totally surprised!!! I found my personal webpages that I visited and different directories etc, even parts of my personal emails that I read. So I guess this backdoor trojan that I have is sending out my info through my dats or something for the past 6 weeks.

    I was going to reformat once I buy a new harddrive, not because I wanted to but because of this now. Here's the really ironic part, the person controlling the backdoor trojan never deleted anything etc, and who knows what kind of info I'm sending out, but this morning I logged into Yahoo Mail and Auctions, and I was going to bid on a new 80 gig hard drive, but that didn't finish until 8pm. I then went out with my son all day instead of sitting in like we usually do. I came home at 7:30 and was watching until a few minutes before the auction ended, and I went to bid on it, and I entered my password to confirm my bid and here, that person went into my account and changed my password on me since I had logged in sometime after 8am, so not only couldn't I place my bid, I had to worry about my whole Yahoo account that is my primary mail account and auction account. I also have a second Yahoo account that I rarely use, only for unimportant things and I have a hotmail account also.

    I had to send for a new temp password and change it and hopefully this person didn't lock me out of all 3 email addresses. I hadn't used my "fun, secondary" Yahoo account in about a month, but I had used it since this trojan or whatever is on my system. Well I logged into that I was waiting for my email to come on my hotmail account, and this person didn't lock me out of either of those accounts, and I noticed what he DID do to my secondary Yahoo account, was fill in my real name and address, which I had never filled out before, especially at my current address, which I was only living at for 2 years.

    Has anyone else ever looked inside their dat files, or turned off sharing and see if info is flying out of your computer also? I have the files that I suspect of being the culprit, of course it could have been a different one, but I think I had originally narrowed it down to this day that I installed these.

    And yes, I have scanned my whole computer many times with Norton and it didn't pick anything up. I have found other small viruses that I deleted along the way, like a Diablo 2 crack with a devil with horns icon, I clicked on it one time and nothing happened or else a DOS screen pops up and is gone instantly, then it's time to worry. I found the Diablo 2 crack file hidden inside my Win/Sys file and apparently it downloaded a bigger file and I found that and had to reboot and go in dos mode to delete it since it started up with Windows.

    I'm on Win ME, and have found files that, in text mode say del USER32.dll Gdi.dll etc and rename and NUL= so my guess is this one may have deleted my good user.exe and installed their own and I would never know. I already found amateur ones that are named tray.exe instead of systray.exe. I could post a list of what files normally run on startup for Win ME: kernel32.dll, msgsrv32.exe, spool32.exe, mprexe.exe, mstask.exe mmtask.tsk, taskmon.exe (I found a taskMAN.exe next to it in the system folder, but I never saw that in my files that is being used), systray.exe, wmiexe.exe, ddhelp.exe (which I guess is for DX8.1), and pstores.exe. I can account for all other files running, like my normal personal files and rnaapp.exe and tapisrv.exe.
    Now, not to get sidetracked, but I downloaded an interesting file on Kazaa telling me about Win ME and its System Restore logging EVERYTHING, such as personal emails on Outlook and even Hotmail accounts, and every webpage you visited. I occasionally do a search for files and folders, and go by date, files created in the last 24 hours. I found these two files ending in .cpl and that had my whole entire history minute by minute of what webpages I went to and each individual email I read. That I think is MS's doing and not a virus. I read a statement about this person including "pstores.exe" in the next edition of his letter, so I would like to know what that is and why it only runs occasionally, like it is right now while I type this. And I never did find another text file like that to find about pstores.

    If I use Authoritative Administrative Tools, I can get a list of current programs running and terminate the ones I don't want on, that's an easier way for me to delete viruses when I see them. They have a list of currently running dlls, and today I noticed my Kazaalite is on the dll list also, which was strange to me that it would be both on the programs list and dll list. I installed Kazaalite about a month ago, and uninstalled Kazaa, but that didn't help AND I also had to recreate the Kazaa/My Shared Folder again, since when my files were done they instantly disappeared! I even did a "search" for them and I figured it out myself that they had the old folder as a finished location to go to.

    I also installed Zone Alarm to find the problem, it asked if my Yahoo, ICQ, etc can have access to the internet and I say yes to them all, then it asked about Kazaa, if I say no it stops downloading immediately, and cuts off my dialup connection totally, if I say yes then I let this upload all my info. A lot of the time Zone Alarm freezes up totally so I just don't use it after a few days.

    I don't know if I should try moving all my dats to a different folder, (or removing them to CDRW) and possibly starting up Kazaa, download nothing and see what happens over a 24 hour period or what. Will I have to delete these dats that have my personal info in them and get new ones? Perhaps there is no small 24k EXE file that I can just delete easily to solve this and the hacker configured Kazaa to upload all my info for him? I wanted to copy some of the info I found in my dat files into this letter but it won't paste it when I have it copied to the clipboard.

    If anyone would like the suspected files I'd be glad to share them, maybe someone else like me enjoys investigating the makeup of trojans etc. I have a whole folder of viruses that my Norton found so I never clicked on.

    I thought maybe the virus deleted my gdi.dll and user32.dll and created their own versions so I even reinstalled Win ME over my current version but that didn't help.

    Does anyone know where my Desktop Appearance Schemes are located at? I have some cool colors my son and I like and I tried to search for my nickname for them but didn't find it anywhere, I'd like to save that before I reformat.

    I also see a dll called Netbios, is that a good file or a virus type?

    If anyone has any ideas let me know, feel free to reply here, send me a private message, or send me one at dragonsi@yahoo.com.

    I needed a larger hard drive anyhow since I constantly only have 1 Gig free at one time, and am getting cable modem in 1-2 weeks, so needless to say I want this virus cleared up and a huge 80-100 Gig hard drive before my modem is installed.

    Aren't you glad this is the "to make a long story short" version? I was always the shy quiet kid when we were younger, but whenever I did open my mouth everyone knew it was storytime. Even my various friends that don't know each other call me "The Storyteller", lol. I can type a mile a minute when inspired to!

    In the past 2 hours, with all my IM's up and running, but no Kazaa on, I only sent out 217K of info compared to about 2-3 megs in 2 hours with Kazaa on but not sharing files, that was how I first noticed all of this.
  2. Member, Join Date: Mar 2002, Location: Canada
    WOW! You really must be a curious cat. If this were me, I would banish Kazaa forever. I used to use Kazaa a lot, but now only occasionally. Perhaps if you were a little less "click happy" you would not have this problem now.
  3. Member, Join Date: Jul 2001, Location: Maryland
    delete the dat file and run the anti-virus
  4. Originally Posted by Greg12
    delete the dat file and run the anti-virus
    You can also check out http://symantec.com/ for removal instructions of almost all viruses and trojans. Go get Norton System Works, if you get a trojan it will block it from accessing the internet.
    This is probably an ice cream induced thought so I can not take no control for the above statement. :P
  5. To make a long story short
    That's VERY FUNNY considering the length of your post.

    In my 2-3 years at this site, that is probably the longest post I've ever seen by any one user at one time, excluding user guides.
  6. Originally Posted by deadpac
    To make a long story short
    That's VERY FUNNY considering the length of your post.

    In my 2-3 years at this site, that is probably the longest post I've ever seen by any one user at one time, excluding user guides.
    Hell, I had to take a nap twice before I could finish reading it.
    This is probably an ice cream induced thought so I can not take no control for the above statement. :P
  7. I have been using mirc and downloading off ftp's, 0day dumps or pubs... and doing xdcc for over 7 years now and have never got a virus.
    The groups and channels I'm with are tight and trustworthy.

    I also have never used kazaa, who needs to when you got mirc and know the right networks and channels to go to
    iAMD64. µ
    The World is changed, Some say Awakened.
    It's 13:53:33 . Do You Know Where Your Meat Body Is?
    Shadowrunner by trade...
  8. Member, Join Date: Jul 2001, Location: Maryland
    I hate that Norton starts when windows starts, I hate the sensor monitoring system.


    Anti-Virus protects and doesn't use so much ram.


