Damn popups


  • This topic is locked
54 replies to this topic

#16 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 13 June 2005 - 08:39 PM

Hi robinmuir. If you have the names of these programs, have you done a search to see where they are located? They are not showing up in any scans, so they must be in a location outside of the scan areas.

Try this:

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Search for the following files:
newvirtualcasino.com
gamblingkey.com
sexandpoker.com

Post back the complete path to each one.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#17 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 14 June 2005 - 05:37 AM

I have done a scan as you suggested of all disks for these names and nothing comes up. There is definitely traffic recorded by sygate each time a popup happens.

#18 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 14 June 2005 - 07:12 AM

I downloaded XoftSpy trial version and it found 3 references to Aurora in the registry. I removed them with regedit, rebooted and scanned again: clear.
Now a waiting game to see if the popups have gone. I will post again either way.

#19 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 14 June 2005 - 10:54 AM

Nope, the popups are still here. Please help.......
Same IPs and another different name.

#20 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 14 June 2005 - 06:12 PM

Hi robinmuir. Well, there is nothing that is showing up in any of the scans, so let's try this.

I see that you have ewido installed on this machine. Perform an update and then boot into Safe Mode and run a complete system scan and see what it turns up.

Cheers.

OT

#21 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 15 June 2005 - 05:19 AM

Done. It found one cookie and loads of spyware in the restore files.
If it's in the restore files, it is not active though, right?
--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:06:19, 15/06/2005
+ Report-Checksum: 8DCC6BA8

+ Date of database: 15/06/2005
+ Version of scan engine: v3.0

+ Duration: 96 min
+ Scanned Files: 69825
+ Speed: 12.02 Files/Second
+ Infected files: 90
+ Removed files: 90
+ Files put in quarantine: 90
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\
G:\

+ Scan result:
C:\Documents and Settings\Robin\Cookies\robin@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027094.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027095.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027096.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027106.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027128.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027131.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027132.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027160.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027168.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027169.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027170.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027175.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027179.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027236.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027237.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0028175.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0028181.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0028183.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0028197.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0028201.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0028202.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0028203.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP113\A0028204.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP113\A0028210.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP113\A0028214.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP113\A0029211.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP113\A0029222.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP113\A0029229.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP113\A0029230.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP113\A0029231.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029232.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029233.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029264.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029265.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029266.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029271.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029273.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029282.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029285.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP114\A0029289.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029293.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029294.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029295.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029297.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029298.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029302.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029319.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029328.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029329.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP115\A0029330.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029337.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029341.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029345.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029349.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029360.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029361.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029364.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029368.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029370.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029374.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029452.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029453.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029470.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP116\A0029474.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP117\A0029483.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP117\A0029484.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP117\A0029485.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0029490.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0029496.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0029510.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0029515.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0029518.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0029523.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0030518.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0030523.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0030527.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0030531.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP118\A0030532.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030591.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030595.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030597.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030605.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030626.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030627.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030630.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030638.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030639.exe -> Spyware.FindSpy -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030640.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP120\A0030648.exe -> Trojan.DNSChanger.q -> Cleaned with backup


::Report End
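
The report above has 90 hits, and 89 of them sit under C:\System Volume Information, the System Restore cache. Nothing loads those copies unless a restore point is applied, which is why the next step in the thread is to flush the restore points rather than chase them. The one line that tells you about the live system is the one outside that tree. The following parser is an added example, not part of the thread and not ewido's code: it reads the "path -> detection -> action" lines of this report format, separates hits outside System Restore from dormant restore-point copies, and counts detections per family. The sample text is a constructed excerpt in the same layout, made from lines of the posted report plus one line built from the System32 detection reported later in the thread; the function names are the example's own.

```python
"""Parse an ewido-style scan report and separate live hits from System Restore copies.

Added example, not part of the thread or of ewido. It assumes only the
"path -> detection -> action" line format visible in the posted report.
"""
import re
from collections import Counter

# Matches the System Restore cache: ...\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE
)

# Constructed sample in the same layout as the posted report (excerpt, not the full 90 lines;
# the System32 line is taken from the real-time alert posted later in the thread).
SAMPLE_REPORT = r"""
ewido security suite - Scan report
+ Scan result:
C:\Documents and Settings\Robin\Cookies\robin@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP111\A0027094.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027175.exe -> Trojan.DNSChanger.q -> Cleaned with backup
C:\System Volume Information\_restore{CA3A5DDA-9FAD-4DE8-8ADD-B1822A450FCF}\RP112\A0027179.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\WINDOWS\System32\rdsndin.exe -> Spyware.FindSpy -> Cleaned with backup
::Report End
"""


def parse_report(text):
    """Return one dict per detection line: path, detection, action, restore_point (or None)."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(" -> ")
        if len(parts) != 3:
            continue  # header, summary or blank line, not a detection
        path, detection, action = parts
        m = RESTORE_POINT_RE.search(path)
        findings.append({
            "path": path,
            "detection": detection,
            "action": action,
            "restore_point": m.group(1) if m else None,
        })
    return findings


def summarize(findings):
    """Split findings into live files (worth chasing) and dormant restore-point copies."""
    active = [f["path"] for f in findings if f["restore_point"] is None]
    dormant = Counter(f["restore_point"] for f in findings if f["restore_point"])
    families = Counter(f["detection"] for f in findings)
    return {"active": active, "restore_points": dict(dormant), "families": dict(families)}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("Live hits outside System Restore (investigate these first):")
    for p in summary["active"]:
        print("  ", p)
    print("Dormant copies per restore point:", summary["restore_points"])
    print("Detections by family:", summary["families"])
```

Run against the full posted report, `active` would contain only the overture cookie, which is why the scan did not explain the pop-ups: the System32 droppers only appeared later, when the real-time guard caught them being recreated.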

#22 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 15 June 2005 - 11:14 AM

Hi robinmuir. Let's clean out the Restore points now.

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-check Turn off System Restore.
   Click Apply, and then click OK.

System Restore will now be active again.

What about the popups? Still getting those?

Cheers.

OT

#23 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 15 June 2005 - 11:24 AM

Done. Still getting popups, and Ewido real-time protection caught and deleted a couple of trojans.

#24 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 15 June 2005 - 11:42 AM

Hi robinmuir. Since there are no signs of any malware here, I am wondering if they are coming in through your messenger service. What exactly do the popups say? What is the title bar and the text in the message box?

OT

#25 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 15 June 2005 - 02:21 PM

One of the popups is a webpage. The title bar says TrustedPharmacy - Microsoft Internet Explorer. The address is: http://millenniumpills.com/search.php?q=Propecia

Another one is a dialogue box which warns "Windows XP Firewall has detected suspicious activity on your network. Do you want to learn how to protect your computer?" There is a "yes" or "no" button. Yes takes you to another webpage, No closes the box. (Bl**dy cheeky B*star*ds)

There are a couple of others for poker which I think come up as webpages.

If it's coming in through messenger, is that able to add favourites to my list?

Just checked and messenger shows as "disabled"

Edited by robinmuir, 15 June 2005 - 02:26 PM.


#26 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 15 June 2005 - 04:26 PM

Ewido realtime just came up with:
File: rdsndin.exe
Path: C:\WINDOWS\System32
Infection: Spyware.FindSpy

File: ciswc.exe
Path: C:\WINDOWS\System32
Infection: Spyware.Hijacker.Generic

#27 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 15 June 2005 - 05:09 PM

Hi robinmuir. Since none of these files are showing in any scans or being picked up by any anti-virus/anti-malware apps, let's look at IE BHOs.

Download ToolbarCop v3.3 and install and run it.

Click on the Main menu item and then Select All. Then click on the Main menu item and Copy to Clipboard. Post that information back here and I'll take a look at it when it comes in.

Cheers.

OT

#28 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 15 June 2005 - 06:24 PM

Ok. Done that, here is the report:

ToolbarCop - Browser Add-on Report
--------------------------------------------------------------

Toolbar: &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - %SystemRoot%\System32\browseui.dll - Enabled - Current User

Toolbar: (Empty) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (empty) - Enabled - Current User

Toolbar: &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - %SystemRoot%\system32\SHELL32.dll - Enabled - Current User

BHO: - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - Enabled - All Users

Run - Startup: AVG7_CC - - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP - Enabled - All Users

Run - Startup: NvCplDaemon - - RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup - Enabled - All Users

Run - Startup: nwiz - - nwiz.exe /install - Enabled - All Users

Run - Startup: NvMediaCenter - - RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit - Enabled - All Users

Run - Startup: Smapp - - C:\Program Files\Analog Devices\SoundMAX\SMTray.exe - Enabled - All Users

Run - Startup: NeroFilterCheck - - C:\WINDOWS\system32\NeroCheck.exe - Enabled - All Users

Run - Startup: REGSHAVE - - C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN - Enabled - All Users

Run - Startup: QuickTime Task - - "C:\Program Files\QuickTime\qttask.exe" -atboottime - Enabled - All Users

Run - Startup: RegProt - - c:\documents and settings\robin\desktop\regprot\regprot.exe /start - Enabled - All Users

Run - Startup: ScriptSentry - - C:\Program Files\Script Sentry\ScriptSentry.exe /check - Enabled - All Users

Run - Startup: gcasServ - - "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" - Enabled - All Users

Run - Startup: Zone Labs Client - - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe - Enabled - All Users



List of running Processes
--------------------------------------------------------------
\SystemRoot\System32\smss.exe
\??\C:\WINDOWS\system32\csrss.exe
\??\C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robin\Desktop\Toolbarcop.exe


Operating System details
----------------------------------------------------------
Operating System: Windows XP 5.1
Build: 2600
Service Pack level: Service Pack 1
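
Reading a ToolbarCop dump by eye means checking every toolbar, BHO and Run entry for two things: whether a registration has a real file behind it, and where that file lives. The report above has one entry of the first kind, the toolbar registered as "(Empty)" with target "(empty)", and several autostarts whose targets are worth a glance simply because of their path. The script below is an added example, not part of the thread and not ToolbarCop's code: it parses the "Kind: name - {CLSID} - target - State - Scope" layout seen in the post and returns only the entries that deserve a closer look. The two rules are triage heuristics, not verdicts (RegProt running from the Desktop is almost certainly the user's own tool, but an analyst still wants it surfaced). The sample is a constructed excerpt made of lines from the posted report; the function names are the example's own.

```python
"""Triage a ToolbarCop 'Browser Add-on Report' such as the one posted above.

Added example: not part of the thread and not ToolbarCop's own code. It assumes
only the 'Kind: name - {CLSID} - target - State - Scope' layout visible in the
post. The two rules are triage heuristics (what to look at first), not verdicts.
"""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(
    r"^(?P<kind>Toolbar|BHO|Run - Startup):\s*(?P<body>.*?)"
    r" - (?P<state>Enabled|Disabled) - (?P<scope>Current User|All Users)$"
)
# Paths an ordinary user can write to; an autostart living here deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\desktop\\", "\\temp\\", "\\application data\\")

# Constructed excerpt: a subset of the lines from the posted report, same layout.
SAMPLE_REPORT = r"""ToolbarCop - Browser Add-on Report
--------------------------------------------------------------

Toolbar: &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - %SystemRoot%\System32\browseui.dll - Enabled - Current User

Toolbar: (Empty) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (empty) - Enabled - Current User

BHO: - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - Enabled - All Users

Run - Startup: AVG7_CC - - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP - Enabled - All Users

Run - Startup: QuickTime Task - - "C:\Program Files\QuickTime\qttask.exe" -atboottime - Enabled - All Users

Run - Startup: RegProt - - c:\documents and settings\robin\desktop\regprot\regprot.exe /start - Enabled - All Users
"""


def _split_body(body):
    """'name - {CLSID} - target' for toolbars/BHOs, 'name - - target' for Run keys."""
    m = CLSID_RE.search(body)
    clsid = m.group(0) if m else None
    name, _, rest = body.partition(" - ")
    name = CLSID_RE.sub("", name).strip(" -") or None      # BHO lines carry no name
    target = rest.rsplit(" - ", 1)[-1].strip().lstrip("- ").strip()
    return name, clsid, target


def parse_report(text):
    """One dict per add-on / autostart line; headers and separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, clsid, target = _split_body(m.group("body"))
        entries.append({"kind": m.group("kind"), "name": name, "clsid": clsid,
                        "target": target, "state": m.group("state"), "scope": m.group("scope")})
    return entries


def triage(entries):
    """Return only the entries that need a closer look, with the reason for each."""
    flagged = []
    for e in entries:
        reasons = []
        if e["target"].lower() in ("", "(empty)"):
            reasons.append("registered with no backing file (orphaned entry, or the file is not visible)")
        if any(seg in e["target"].lower() for seg in USER_WRITABLE):
            reasons.append("loads from a user-writable location")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(parse_report(SAMPLE_REPORT)):
        print(hit["kind"], hit["name"] or hit["clsid"], "->", hit["target"])
        for r in hit["reasons"]:
            print("    ", r)
```

The empty-target rule is the one that matters for this thread: a toolbar CLSID with no file behind it is either leftover from an uninstall or a registration whose file the tool could not resolve, and either way it should be removed or traced before the next scan.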

#29 robinmuir

robinmuir
  • Topic Starter

  • Members
  • 35 posts

Posted 16 June 2005 - 12:05 PM

Ewido realtime just came up with:
File: rdsndin.exe
Path: C:\WINDOWS\System32
Infection: Spyware.FindSpy

File: ciswc.exe
Path: C:\WINDOWS\System32
Infection: Spyware.Hijacker.Generic

These files keep coming back after Ewido deletes them:

#30 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 16 June 2005 - 07:45 PM

Hey robinmuir. Since we don't know where these files are coming from, let's try this.

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Search for these files:
rdsndin.*
ciswc.*

Let's see if any other files with any other extensions are hiding in the system.

Cheers.

OT