
Found my screensaver


9 replies to this topic

#1 Herk

Herk

  • Members
  • 1,609 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S.E. Idaho, USA
  • Local time:01:55 AM

Posted 19 April 2005 - 03:39 PM

I was surprised this morning to find a box on my desktop telling me that Microsoft Antispyware had found a file that it thought was a serious threat.

Yesterday, I had installed the ASUS screensaver that came with the motherboard, and it found the .dat file, apparently. I chose not to delete it and then ran Ad-Aware, and it found it too!

I decided that since I really didn't need the screensaver, I would just uninstall it, which I did, then removed the folder. I don't know what it would be about this file that it appears to be a threat, except that it probably has some executable script in it to start it.

I'm sorry now that I didn't write down the name of the file. I'm new to using MS Antispyware and this is the first hit I've had with it.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:55 AM

Posted 20 April 2005 - 11:41 PM

It was probably a string inside the file that triggered it. Without knowing the file you installed, it will be hard to tell ya more than that though.

#3 Herk

Herk
  • Topic Starter


Posted 22 April 2005 - 09:35 AM

OK, now it's found a keylogger in SpywareBlaster. It's the unins000.dat file. The file hasn't been changed in ten days, but today it decided it was a keylogger. Weird.

#4 Grinler


Posted 22 April 2005 - 04:18 PM

Did you just update the definitions for the av program?
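An added illustration, not part of the thread and not any product's real detection logic, of the two ideas raised in posts #2 and #4: a plain string match can flag a benign data file, and a definitions update can make an unchanged file start triggering. The signature names, patterns and file contents below are all constructed for the example.

```python
import hashlib

# Constructed definition sets: signature name -> byte string to look for.
# Names and patterns are invented for illustration only.
DEFS_V1 = {"Adware.Sample.A": b"popup-toolbar-x"}
DEFS_V2 = {**DEFS_V1, "Keylogger.Sample.B": b"keylog-helper"}

# Constructed stand-in for an uninstaller data file: a benign log that
# merely names an item the product removes or blocks.
UNINSTALL_DATA = (
    b"[uninstall]\n"
    b"delete_value=HKLM\\Software\\Example\\Blocklist\\keylog-helper\n"
    b"delete_dir=C:\\Program Files\\Example\n"
)

def scan(data: bytes, definitions: dict) -> list:
    """Return (signature, offset, context) for every string match."""
    hits = []
    for name, pattern in sorted(definitions.items()):
        offset = data.find(pattern)
        while offset != -1:
            start = max(0, offset - 24)
            context = data[start:offset + len(pattern) + 8]
            hits.append((name, offset, context))
            offset = data.find(pattern, offset + 1)
    return hits

def triage(data: bytes, old_defs: dict, new_defs: dict) -> dict:
    """Compare detections across two definition sets for the same bytes."""
    before = {h[0] for h in scan(data, old_defs)}
    after = scan(data, new_defs)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # unchanged file, same hash
        "new_detections": sorted({h[0] for h in after} - before),
        "evidence": [(n, o, c.decode("ascii", "replace")) for n, o, c in after],
    }

if __name__ == "__main__":
    report = triage(UNINSTALL_DATA, DEFS_V1, DEFS_V2)
    print("sha256:", report["sha256"])
    print("newly flagged by:", report["new_detections"])
    for name, offset, context in report["evidence"]:
        print(f"{name} @ {offset}: {context!r}")
```

The matched context shows the string sitting inside an uninstall instruction rather than executable code, which is the kind of evidence worth sending to the vendor along with the file hash when reporting a suspected false positive.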

#5 Herk


Posted 22 April 2005 - 09:37 PM

> Did you just update the definitions for the av program?

No - I think it's been a while since I updated it. (Computer's only been built for a week or ten days.)

#6 Grinler


Posted 22 April 2005 - 10:38 PM

Strange...gotta be a false positive.

#7 Herk


Posted 23 April 2005 - 10:21 AM

I think that the three things it's found in the last 11 days are all false positives.

c:\program files\ai - series\insthlp.dat
(from the ASUS screensaver)

c:\windows\system32\grwinsthlp.exe

c:\program files\spywareblaster\unins000.exe

#8 Grinler


Posted 23 April 2005 - 01:34 PM

I tend to agree with you

#9 Elijah5

Elijah5

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 19 December 2005 - 10:39 PM

Not a False Positive at all. :thumbsup:

Definitely delete this thing. insthlp.dat basically will disguise itself as a legit ASUS MOBO file. If you want to know the symptoms it causes later, I can tell you all about it as I've experienced them:

1. Sucks up your CPU usage in Windows Normal Mode

2. Prevents you from running in Safe Mode effectively at all

3. In Safe Mode with Networking, will time out your DNS and ISP so you have no internet access
beyond 1 minute or so - I highly recommend putting http://www.pandasoftware.com/ as your homepage


Panda caught it as spyware.

This thing was buried so deep in my registry, you have no idea.

4. In Safe Mode when you do disable this file using Hijack this from running to associated seemingly legit
files - will actually ONLY then allow you to type RUN: REGEDIT

5. Otherwise, will stop your Keyboard from working (if USB connection) - use old skool keyboard to resolve.

6. Will stop your mouse and keyboard activity (wireless or USB Mouse/Keyboard) whenever.

7. When you search for the file insthlp.dat in regedit - will NOT show up - you need to look under ASUA and notice the extra folder it installs there and delete it.

My computer is running flawlessly ever since it was gone!

I am a tech/admin support person - whoever designed this bugger was smart, but not smart enough for me!

Also, if you type this into google, you will notice it points to a KNOWN spyware/trojan/adware designer page - put his URL in as a restricted site in your browser. He can time execute scripts when he wants without your knowledge.

Yes, I have all my Microsoft Windows Updates - YES I have all my anti-spyware up-to-date and run it regularly and YES I have Norton System Works 2006 installed and updated and run daily.

Another symptom of this bugger? It will shut down legit Firewalls (Zone Alarm) and Anti-Virus software (Norton) at will....

:flowers:

Whoever designed this should be shot with a ball of his own frozen poo. :trumpet: :inlove: :)

#10 Grinler


Posted 22 December 2005 - 12:50 AM

Have a sample of the file? I am still not so sure it's not a false positive.



