
Question about a file, as to what it is and where it came from.


6 replies to this topic

#1 Groffeaston

Groffeaston

  • Members
  • 518 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easton,PA
  • Local time:11:00 AM

Posted 23 May 2009 - 10:49 PM

Hello everyone!

I had this file download onto my computer and I am not sure where it came from. I do not think it is a virus or other malware but want to be safe. So I thought I would run it by you guys and gals.

Here is the file: md.php%3Fen%3Dcp1252,;ord=1243131366

I wish I could decipher it to figure where it came from. I think the ord at the end means order. But I am not 100% sure. Windows cannot open it. Which is good, but yet is bad.

When I check the properties it says: opens with: Windows Shell Common Dll

I did not know where to post this, so I thought I would post it here, since I am unsure what it is.



#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:11:00 AM

Posted 24 May 2009 - 07:40 PM

I recommend you submit the file for a Jotti scan
http://virusscan.jotti.org/en
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 Groffeaston


Posted 25 May 2009 - 12:13 AM

Hello garmanma

I did the Jotti scan and it came up showing as nothing found. Here are the results.

Filename: md.php%3Fen%3Dcp1252,;ord=1243131366
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 25 May 2009 07:03:22 (CET)


File size: 4607 bytes
Filetype: ASCII text, with very long lines
MD5: f60f9ff1b13d80d40f87e17f668ff606
SHA1: 182ef3f658efd043a5034a82ae93dc1628026765

2009-05-23 Found nothing 2009-05-24 Found nothing
2009-05-25 Found nothing 2009-05-25 Found nothing
2009-05-24 Found nothing 2009-05-24 Found nothing
2009-05-24 Found nothing 2009-05-25 Found nothing
2009-05-24 Found nothing 2009-05-22 Found nothing
2009-05-25 Found nothing 2009-05-24 Found nothing
2009-05-24 Found nothing 2009-05-22 Found nothing
2009-05-25 Found nothing 2009-05-25 Found nothing
2009-05-24 Found nothing 2009-05-24 Found nothing
2009-05-24 Found nothing 2009-05-24 Found nothing
2009-05-25 Found nothing




I do not know what to do next.

Edited by Groffeaston, 25 May 2009 - 12:18 AM.


#4 garmanma


Posted 25 May 2009 - 06:15 PM

It might have come from downloading something like a Linux distro or something from a torrent, but it's not important
Try renaming it and see what happens for a few days
If everything is fine move it to the Recycle Bin
After a couple more days, if nothing happens, empty the Recycle Bin
Mark

#5 Groffeaston


Posted 25 May 2009 - 06:59 PM

Hello garmanma,

Could it be an add on for a toolbar or something similar? I just remembered that when it popped up on my screen, the box that says "run or save" was there. I chose save to desktop, because I was not sure what it was or what it was for. Thought I would check on here first. But I had added a new toolbar and it might be for that. It has a symbol in front of it in the shape of a bolt or screw. Which I presume is some sort of an application or add on.

Now if I can only find out: what it is, what it is for and where it came from, then I could figure how to open it and if it is safe to open.

#6 Groffeaston


Posted 25 May 2009 - 07:45 PM

Hello again garmanma and everyone,

I tried searching my computer to see if there was a program that opens it. But nothing shows up in any of my searches. Now when I did an internet search for: Windows Shell Common Dll, I got a lot of results that say I could either do a command prompt or download a program to open it or to see what it is and/or to fix Shell and Common Dll problems.

I would like to know if I should check any of them out. Some of them are free programs and some of the options that I found by doing the internet search say about the command prompt or DOS prompt.

#7 Groffeaston


Posted 26 May 2009 - 01:02 AM

Hello everyone!

I managed to open the file in WordPad and see the programming of it. It looks like some sort of a banner ad, is my guess. How I managed to get a hold of it and download it, I will never know.

If someone wants to take a look at it and decipher the programming to let me know what the heck it is, I will post it here for you to look at.


Here it is:

document.write('<!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://m1.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\n');

function DCFlash(id,pVM){
var swf = "http://m1.2mdn.net/1881123/truecredit_728x90.swf";
var gif = "http://m1.2mdn.net/1881123/truecredit_728x90.gif";
var minV = 6;
var FWH = ' width="728" height="90" ';
var url = escape("http://ads.bluelithium.com/click,VaUDALD7BwDP0x4AmrEJAAAACVQAAAwACgAAAAIABgKMrgEAjtsNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOatGEoAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D15mj3fa00%2FM%3D715481.13174647.13345351.10748025%2FD%3Dmail%2FS%3D398301014%3AN%2FY%3DYAHOO%2FEXP%3D1243136613%2FL%3DkQQTF0WTZmPE8bi5Shb3XwjbRUg0d0oYpkUACQpN%2FB%3DcJsOAtgnMtc-%2FJ%3D1243129413793091%2FK%3D261mKYpm6icSEQluA_EdXQ%2FA%3D5404709%2FR%3D0%2F%2A%24,http%3A%2F%2Fus.mc571.mail.yahoo.com%2Fdarla%2Fmd.php%3Fen%3Dcp1252,http://ad.doubleclick.net/click%3Bh=v8/3837/f/1a5/%2a/v%3B213541798%3B2-0%3B0%3B34816758%3B3454-728/90%3B29842460/29860337/1%3B%3B%7Esscs%3D%3fhttp%3a%2f%2fwww.truecredit.com/%3Fam%3D2029");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

if(typeof(encodeURIComponent)=="function"){url=encodeURIComponent(unescape(url));}
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'"';
var bgo=(bg=="")?"":'<param name="bgcolor" value="#'+bg+'">';
var bge=(bg=="")?"":' bgcolor="#'+bg+'"';
function FSWin(){if((openWindow=="false")&&(id=="DCF0"))alert('openWindow is wrong.');if((openWindow=="center")&&window.screen){winL=Math.floor((screen.availWidth-winW)/2);winT=Math.floor((screen.availHeight-winH)/2);}window.open(unescape(url),id,"width="+winW+",height="+winH+",top="+winT+",left="+winL+",status=no,toolbar=no,menubar=no,location=no");}this.FSWin = FSWin;
ua=navigator.userAgent;
if(minV<=pVM&&(openWindow=="false"||(ua.indexOf("Mac")<0&&ua.indexOf("Opera")<0))){
var adcode='<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="'+id+'"'+FWH+'>'+
'<param name="movie" value="'+swf+'"><param name="flashvars" value='+fv+'><param name="quality" value="high"><param name="wmode" value="'+wmode+'"><param name="base" value="'+swf.substring(0,swf.lastIndexOf("/"))+'"><PARAM NAME="AllowScriptAccess" VALUE="'+dcallowscriptaccess+'">'+bgo+
'<embed src="'+swf+'" flashvars='+fv+bge+FWH+' type="application/x-shockwave-flash" quality="high" swliveconnect="true" wmode="'+wmode+'" name="'+id+'" base="'+swf.substring(0,swf.lastIndexOf("/"))+'" AllowScriptAccess="'+dcallowscriptaccess+'"></embed></object>';
if(('j'!="j")&&(typeof dclkFlashWrite!="undefined")){dclkFlashWrite(adcode);}else{document.write(adcode);}
}else{
document.write('<a target="_blank" href="'+unescape(url)+'"><img src="'+gif+'"'+FWH+'border="0" alt="" galleryimg="no"></a>');
}}
var pVM=0;var DCid=(isNaN("213541798"))?"DCF0":"DCF213541798";
if(navigator.plugins && navigator.mimeTypes.length){
var x=navigator.plugins["Shockwave Flash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal args)\nCall '+DCid+'_DoFSCommand(command, args)\nEnd Sub\n',"VBScript");}
eval("function "+DCid+"_DoFSCommand(c,a){if(c=='openWindow')o"+DCid+".FSWin();}o"+DCid+"=new DCFlash('"+DCid+"',pVM);");
//-->

document.write('\n<noscript><a target=\"_blank\" href=\"http://ads.bluelithium.com/click,VaUDALD7BwDP0x4AmrEJAAAACVQAAAwACgAAAAIABgKMrgEAjtsNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOatGEoAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D15mj3fa00%2FM%3D715481.13174647.13345351.10748025%2FD%3Dmail%2FS%3D398301014%3AN%2FY%3DYAHOO%2FEXP%3D1243136613%2FL%3DkQQTF0WTZmPE8bi5Shb3XwjbRUg0d0oYpkUACQpN%2FB%3DcJsOAtgnMtc-%2FJ%3D1243129413793091%2FK%3D261mKYpm6icSEQluA_EdXQ%2FA%3D5404709%2FR%3D0%2F%2A%24,http%3A%2F%2Fus.mc571.mail.yahoo.com%2Fdarla%2Fmd.php%3Fen%3Dcp1252,http://ad.doubleclick.net/click%3Bh=v8/3837/f/1a5/%2a/v%3B213541798%3B2-0%3B0%3B34816758%3B3454-728/90%3B29842460/29860337/1%3B%3B%7Esscs%3D%3fhttp%3a%2f%2fwww.truecredit.com/%3Fam%3D2029\"><img src=\"http://m1.2mdn.net/1881123/truecredit_728x90.gif\" width=\"728\" height=\"90\" border=\"0\" alt=\"\" galleryimg=\"no\"></a></noscript>');


I hope this helps!
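
An added example (not part of the original thread, and not code from any poster): the saved file name and the click URL in the script posted above can be decoded statically to see which ad chain the file belongs to. The click URL is shortened from the post with its tracking tokens replaced by `TOKEN`; the function names are hypothetical, and reading `ord` as Unix seconds is an assumption the thread does not confirm.

```javascript
// Added example: static triage only. Nothing is fetched or executed.

// File name exactly as reported in the thread.
const SAVED_NAME = "md.php%3Fen%3Dcp1252,;ord=1243131366";

// Click URL shortened from the posted script; tracking tokens are
// replaced by the placeholder TOKEN (constructed sample).
const CLICK_URL =
  "http://ads.bluelithium.com/click,TOKEN," +
  "http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3DTOKEN%2F%2A%24," +
  "http%3A%2F%2Fus.mc571.mail.yahoo.com%2Fdarla%2Fmd.php%3Fen%3Dcp1252," +
  "http://ad.doubleclick.net/click%3Bh=TOKEN%3B%7Esscs%3D%3f" +
  "http%3a%2f%2fwww.truecredit.com/%3Fam%3D2029";

// Percent-decode; return the input unchanged if an escape is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Split "resource;key=value;..." and decode the resource part.
function parseSavedName(name) {
  const [encoded, ...pairs] = name.split(";");
  const params = {};
  for (const pair of pairs) {
    const i = pair.indexOf("=");
    if (i > 0) params[pair.slice(0, i)] = pair.slice(i + 1);
  }
  // Assumption: ord is read as Unix seconds; the thread does not confirm this.
  const ord = Number(params.ord);
  const ordAsUtc = Number.isInteger(ord) ? new Date(ord * 1000).toISOString() : null;
  return { resource: safeDecode(encoded).replace(/,+$/, ""), params, ordAsUtc };
}

// List every host named in the decoded redirect chain, in order.
function hostsInChain(url) {
  const decoded = safeDecode(url);
  const re = /https?:\/\/([^\/,;?\s]+)/gi;
  const hosts = [];
  let m;
  while ((m = re.exec(decoded)) !== null) hosts.push(m[1].toLowerCase());
  return hosts;
}

// True when the decoded file name is a resource named inside the chain.
function nameAppearsInChain(name, url) {
  return safeDecode(url).includes(parseSavedName(name).resource);
}

console.log(parseSavedName(SAVED_NAME), hostsInChain(CLICK_URL));
```

The decoded name, `md.php?en=cp1252`, is the same resource that appears under `us.mc571.mail.yahoo.com/darla/` in the click URL, and every host in the chain is an ad or mail-serving host named in the posted script.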



