Subject:
From: Bill Cohane <[log in to unmask]>
Reply To: PCSOFT - Personal Computer software discussion list <[log in to unmask]>
Date: Thu, 19 Oct 2000 22:09:17 -0400

At 18:52 10/19/00, Arthur Barnett wrote:
>I have a trojan (Runtime Error 16 @) which starts when I run
>Start/Control Panel. When I close Control Panel the trojan starts.
>If I have a log application that records starting exe files I think
>I have a good chance of locating the culprit. With that in mind, what
>do you suggest as a logger?

Hi Arthur

First, I mention two other ways to find a trojan which I think might
be easier. Then I'll mention something similar to your idea.

(1) You could download and run "The Cleaner". This program detects over
2500 trojans. There are definition updates several times a week. It
will remove detected trojans if you tell it to. You can download a
fully functional 30 day trial version from
<http://www.moosoft.com/download.php>. The program also has other
functions. (For example, if run permanently in the background, it will
warn you if you ever download a known trojan. It will also log all
changes made to the registry when you install any program.)

(2) You could download and install the free firewall ZoneAlarm.
http://www.zdnet.com/downloads/partners/zonealarm/download.html

The first time any program tries to access the net, ZoneAlarm will ask
you to give permission. (If you deny permission, the attempt will be
blocked.) Once you give permission to a program, you can choose to tell
ZoneAlarm not to ask again for that program. (It only takes a few minutes
to give your normal programs permanent permission. Also, you can always
go back and revoke any permissions.) When a program that you don't
recognize tries to access the net, you may have your trojan. (However,
be aware that some trojans will have names that are rather close in
spelling to real system files that might have to access the net.)

(3) You could run a process viewer before and after you use Control Panel
and look for changes. PrcView <http://www.teamcti.com/pview/PrcView.zip>
is a nice one you can download. (It's free and only about a 70KB
download.) It will even save results to file!

Documentation for PrcView is at <http://www.teamcti.com/pview/prcview.htm>.
Here's just a little bit from the description of PrcView on that page:
"PrcView is a process viewer utility that displays detailed information
about processes running under Windows. For each process it displays
memory, threads and module usage. For each DLL it shows full path and
version information, displays DLL usage summary, displays all DLL's
currently in use (FULL PATH for each loaded module), and shows processes
which use selected DLL. Displays complete task tree - parent/child
relationships for all processes in the system. Displays Task list like
the standard task manager...Saves output as a tab-separated text file by
just pressing F2..."

Suppose you notice that keyhook.dll appears after you close Control Panel.
To find the .exe corresponding to this file, click on PrcView's
"View/Module Usage" for a list of all the modules in the system
alphabetically sorted. Highlight the "keyhook.dll" and PrcView will show
you the module(s) that use this dll. You've found your trojan...in this
example, Netbus.

This might not work if the trojan is running before you use Control Panel
and Control Panel is just the trigger that makes it come alive.

Regards,
Bill
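
The before/after comparison described in option (3), as an added example that is not part of the original message and is not PrcView's own code: it compares two saved process/module snapshots and reports which modules are new and which processes load them. The three-column tab-separated layout and every sample row (including MYSTERY.EXE) are constructed assumptions; adapt the parsing to the columns of the file your process viewer actually saves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample snapshots, not real PrcView output. Assumed layout:
# process name <TAB> PID <TAB> full path of one loaded module.
BEFORE = (
    "EXPLORER.EXE\t412\tC:\\WINDOWS\\EXPLORER.EXE\n"
    "EXPLORER.EXE\t412\tC:\\WINDOWS\\SYSTEM\\SHELL32.DLL\n"
    "SYSTRAY.EXE\t520\tC:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE\n"
)
AFTER = BEFORE + (
    "MYSTERY.EXE\t731\tC:\\WINDOWS\\MYSTERY.EXE\n"
    "MYSTERY.EXE\t731\tC:\\WINDOWS\\keyhook.dll\n"
    "EXPLORER.EXE\t412\tC:\\WINDOWS\\KEYHOOK.DLL\n"
)


def load_snapshot(text):
    """Map each module path to the set of (process, pid) pairs that load it."""
    usage = defaultdict(set)
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != 3 or not row[1].strip().isdigit():
            continue  # skip blank lines, headers and malformed rows
        proc, pid, module = (field.strip() for field in row)
        # Windows file names are case-insensitive, so compare upper-cased.
        usage[module.upper()].add((proc.upper(), int(pid)))
    return usage


def new_modules(before, after):
    """Modules seen only in the later snapshot, with the processes using them."""
    return {m: sorted(u) for m, u in after.items() if m not in before}


def new_processes(before, after):
    """Processes (name, pid) that appear only in the later snapshot."""
    old = {p for users in before.values() for p in users}
    return sorted({p for users in after.values() for p in users} - old)


if __name__ == "__main__":
    b, a = load_snapshot(BEFORE), load_snapshot(AFTER)
    for module, users in sorted(new_modules(b, a).items()):
        print(module, "<-", ", ".join(f"{n} (pid {p})" for n, p in users))
    print("new processes:", new_processes(b, a))
```

An empty result does not clear the machine: if the program was already loaded when the first snapshot was taken, both snapshots contain it and the comparison shows no difference.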
