WARNING!! Shortcut on my Desktop!!!
Telstar
October 7th, 2003, 07:50 PM
Happened about an hour ago. Here I was, minding my own business surfing my favorite Forums (Wilders and....those other guys too). Upon closing the window I noticed a new Folder Shortcut on my Desktop. I did not put it there!!
The image was a FOLDER...with the words...TryMedia....printed just like that.
I DID NOT open it...instead sent it immediately to my Recycle Bin.
so far:
>An Ad-aware scan found no new objects!
>Spybot found nothing unusual
>HiJackThis did not find any suspicious items.
>a file search finds nothing with that name
Putting my cursor over the folder (without clicking of course) in Recycle Bin to show its description shows a file of 444 Bytes and it also says "Folders: Active Mark"
A Google search found some links that includes the name "TryMedia" including this strange one:
http://www.sharewareorder.com/Worms-2-download-21602.htm
and this one indicating a company Active Mark:
http://www.trymedia.com/noflash.shtml
But, the big issue is how did that Shortcut magically appear on my Desktop? VERY SCARY STUFF!!!!!
Could be harmless.....also could have unleashed who knows what calamity had I opened it.
Anyone know anything about this??
Telstar
beetlejuice
October 7th, 2003, 09:59 PM
Did you search the Registry? If not I would just to see if it left anything.
Telstar
October 7th, 2003, 10:28 PM
Good idea beetlejuice.
I have Windows XP Home and I don't mess with the Registry too much...a little over my head. But, is there an easy way to do a Registry search for this intruder without mucking things up??
Thanks,
Telstar
beetlejuice
October 7th, 2003, 10:51 PM
Hi Telstar. I don't have any experience with XP at all, but from what little I've seen of it, it doesn't work the same as 98SE. Better wait until someone with XP knowledge comes along. Wouldn't want to steer you the wrong way and do something we shouldn't.
Pieter_Arntz
October 8th, 2003, 02:32 AM
Hi Telstar,
To search the registry:
Start > Run > type regedit > OK
When the registry editor opens select My Computer at the top. Then press Ctrl-F and type the expression you want to look for in the Find Window. If something is found, the F3 key will make it look for the next one.
Before making changes in the registry make a Manual Restore Point for backup purposes.
Regards,
Pieter
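A scripted equivalent of the regedit Ctrl-F / F3 search Pieter describes, added here as an example and not part of the thread: it walks the given hives and reports every key name, value name or value data that contains the search string, without changing anything. It assumes Windows PowerShell 5.1 or later (so it would not run on the Windows XP Home system in the thread); the search string TryMedia is taken from the thread, and the two hive roots are the example's own choice.

```powershell
# Added example, not from the thread: read-only registry search, like regedit Ctrl-F / F3.
# Assumes Windows PowerShell 5.1+; nothing is written or deleted.
param(
    [string]$Pattern = 'TryMedia',                           # plain text, matched case-insensitively
    [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')  # hives to walk (example's choice)
)

$hits = New-Object System.Collections.Generic.List[object]

foreach ($root in $Roots) {
    # -ErrorAction SilentlyContinue skips keys the current user is not allowed to read
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_

        # Match on the key name itself (e.g. "TryMedia Systems")
        if ($key.PSChildName -like "*$Pattern*") {
            $hits.Add([pscustomobject]@{ Where = 'KeyName'; Key = $key.Name; Name = ''; Data = '' })
        }

        # Match on every value name and value data under the key
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName)
            # REG_MULTI_SZ and REG_BINARY come back as arrays; flatten them for matching
            $dataText = if ($data -is [array]) { $data -join ' ' } else { [string]$data }
            if ($valueName -like "*$Pattern*" -or $dataText -like "*$Pattern*") {
                $hits.Add([pscustomobject]@{ Where = 'Value'; Key = $key.Name; Name = $valueName; Data = $dataText })
            }
        }
    }
}

# One row per hit: where it matched, the full key path, and the value name/data if any
$hits | Format-Table -AutoSize
```

Run it as a normal user first; keys it cannot read are simply skipped. To hand a key to someone for a closer look, as Pieter asks for later in the thread, export it rather than the live registry: regedit's right-click "Export" (or `reg export "HKLM\SOFTWARE\TryMedia Systems" trymedia.reg` from a command prompt) writes a plain-text .reg file that can be read in Notepad and attached to an email without executing anything.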
Telstar
October 8th, 2003, 03:12 AM
BINGO!!!
Excellent instructions Pieter.....
Ok, found in (F3 Key): HKEY_LOCAL_MACHINE_SOFTWARE_TRYMEDIA SYSTEMS
attached to it is a Folder>Active Mark Software>with this series attached>A83796461D3E346E7A3E19954248E61D
and in the window area to the right is:
NAME: ab (Default)
DATE: (value not set)
So, there it is..I didn't change anything yet.
What would I do next??
I have a manual Restore Point I made yesterday, is this sufficient or should I make another one before making any changes you suggest?
Thanks,
Telstar
Pieter_Arntz
October 8th, 2003, 03:26 AM
Hi Telstar,
If you are sure that Restore Point is from before the file turned up and you did not make any important changes afterwards, I'd use System Restore. I wonder if you could send me a copy of that file before you trash it for good. (Please use the email-address in my profile)
I'd like to have a closer look. I'll keep you posted if I unearth something worthwhile.
TIA,
Pieter
Telstar
October 8th, 2003, 03:40 AM
Pieter, as you've noticed I seem to find a question (call it a caution) in everything you ask me to do:
-{ Quote: "If you are sure that Restore Point is from before the file turned up and you did not make any important changes afterwards, I'd use System Restore." }-
Yes, the Shortcut only appeared on my Desktop around 4 p.m. today....Restore Point was made yesterday after I did all Ad-aware, AV, HJT, Spybot, Panda, Housecall, Norton scans and felt comfortable that I had nothing on my system. Then this TryMedia showed up today.
-{ Quote: "I'd use System Restore. I wonder if you could send me a copy of that file before you trash it for good. (Please use the email-address in my profile)" }-
I assume then that by using System Restore this would automatically "delete' the file??
-{ Quote: "I wonder if you could send me a copy of that file before you trash it for good." }-
What would be the mechanics of this? Could I 'right click' and copy the file and then post it in the email? I just 'right clicked' and I see 'Export'.
Let me know exactly how to get a copy to you by email please. Yes, I can get your address.
Telstar
Jooske
October 8th, 2003, 03:46 AM
Did you ever go to windows update site for some security patches, as there are against others posting on your system?
Mind that with a system restore they could be gone so a new visit is advised to check!
BTW: does your rightclick have a menu-option to zip the file? If so please use that before attaching it in the email.
Just extra security, as you might after sending have a copy in your email sent folder!
Telstar
October 8th, 2003, 03:53 AM
Hi Jooske,
Excellent Point! My last Windows Update was last week (KB828750 and KB828026) and my System Restore Point was yesterday....would I lose those Critical Updates?
It would be no problem to simply go back to Tools> Windows Update and let it tell me if Updates are required. As of this morning I have NO updates to download.
Thanks,
Telstar
Telstar
October 8th, 2003, 03:56 AM
Jooske asks:
-{ Quote: "BTW: does your rightclick have a menu-option to zip the file? If so please use that before attaching it in the email.
Just extra security, as you might after sending have a copy in your email sent folder" }-
I just tried to right-click the file in the Registry and do not see WinZip capabilities in the pop-up.
Telstar
Pieter_Arntz
October 8th, 2003, 04:13 AM
Hi Telstar,
System Restore never deletes any files. Windows may not be able to find certain things since the pointers in the registry are gone, but that is a different story.
Everything you did, installed etc. before making the Restore Point will be in working order.
To email a file in most email-clients you just write an email and then use the Attach (button, function, command) to send the file along.
Regards,
Pieter
Telstar
October 8th, 2003, 04:34 AM
-{ Quote: "To email a file in most email-clients you just write an email and then use the Attach (button, function, command) to send the file along" }-
Sorry to sound so naive but, in the e-mail, clicking Attach will not take me to Registry files. I could export it to My Documents though.
How do I get the File from Registry into the email?
A reminder that I moved the Folder - Trymedia - to my Recycle Bin.
Telstar
Pieter_Arntz
October 8th, 2003, 04:52 AM
Hi Telstar,
I would need the folder. In order to attach it you would have to restore it from the Recycle bin.
If you think it is too dangerous, don't do it on my behalf.
In that case just use System Restore and consider the episode a happy ending.
Regards,
Pieter
Telstar
October 8th, 2003, 05:17 AM
I think it's important for you to examine the Folder Pieter in the hope it might help others if this turns out to be something harmful or malevolent.
The thing that bothers me the most is the way it suddenly appeared on my Desktop...this is what makes it suspicious. Whether it contains anything harmful is the question. So I just want to take all precautions and tread carefully.
How about I do this:
>Restore the Folder from Recycle...it should restore back to Desktop.
>Then attach it to the email to you
>Then return it back to Recycle
I should NOT need to open the Folder, correct?
After that I can do a System Restore.
What do you think?
Telstar
Pieter_Arntz
October 8th, 2003, 05:25 AM
Exactly!!
I would appreciate it very much. :)
Regards,
Pieter
Telstar
October 8th, 2003, 05:34 AM
Ok, it's on its way. I couldn't attach the File Folder but I did attach the four components contained inside.
Telstar
Telstar
October 8th, 2003, 05:44 AM
Another question please. How come I could not attach the "Folder" but could only attach individual files. From what you know, is there a way in Outlook Express to attach a Folder containing files?
Also, FYI I scanned the Folder with my NortonAV before restoring from Recycle and it came up clean.
Thanks,
Telstar
Pieter_Arntz
October 8th, 2003, 05:48 AM
Thanks Telstar,
You're my hero of the day.
Not being able to attach folders is normal. That is probably why Jooske asked about WinZip. By zipping up a folder you can attach it completely.
Regards,
Pieter
Telstar
October 8th, 2003, 06:24 AM
Pieter,
Just to let you know. I just completed a System Restore to my setpoint on Monday.
TryMedia Folder is still in Registry but, who knows how long it's been there? Something triggered it however to place that Shortcut in Desktop but I don't think it's going to be a problem. I'll just leave it there. I would think that in the Registry window to the right where it says Name: ab (Default) and Data: (Value not set) this makes it an inactive file? I don't know, my guess.
I'd be curious if you found anything worthy of concern.
Thanks very much for all your time and patience. I find these exercises informative, instructional and even entertaining.
Sure am glad I found out about Wilders Forum the other day, wish I had known sooner
Best regards,
Telstar
Pieter_Arntz
October 8th, 2003, 06:36 AM
Hi Telstar,
It could be a while before I can let you know about the files. I'm at work right now and rather not open any suspicious files. ;)
I'll do so as soon as possible though. That may also provide us with an answer about the registry key.
Regards,
Pieter
Telstar
October 8th, 2003, 06:48 AM
Ok, sounds good!
For now, over and out!
I have this thread set for notification so if you should ever make another reply I'll be informed.
Regards,
Telstar
Jooske
October 8th, 2003, 07:48 AM
Do you have any winzip or rar on your system or easyzip, anything which allows you zipping a file/folder?
With that you could zip a file or folder and send it as a whole instead of the separate content files of it.
And the safety reason I mentioned, for yourself, as well as preventing destruction by Pieter's security scanners for instance.
If a nasty is zipped, in most cases it can't run nor do harm. If there are cases it can, let me know to be extra warned!
I would speak of a sleeping trojan if it is inside a zip.
Alternative is also like Pieter says, just click attach and you send it away, and you might like to delete the message from your sent folder in case you do keep copies there (I do, that's why I zip attachments). If you don't keep sent copies don't make it a point and just do as Pieter says.
Sorry for the interruption.
You seemed up to date with the windows update, so now the idea how you got that thing on the desktop.
Back to Pieter's findings first.
Are you sure you never downloaded/ installed anything from that gaming site from that URL in the first messages?
Telstar
October 8th, 2003, 09:30 AM
Hi Jooske,
If successful, I was able to send Pieter, with a cc to you, a WinZip of the TryMedia Folder. Check your email.
-{ Quote: "Are you sure you never downloaded/ installed anything from that gaming site from that URL in the first messages?" }-
There is ONE possibility.....I installed a small Chess Game the other day called....PAWN...308K. The download site for this game however is.....Download.com
Could this then be the culprit??
I frequently watch TechTV's "Call for Help" and they mentioned about this free chess game download. See here:
http://www.techtv.com/callforhelp/freefile/story/0,24330,3538250,00.html
http://download.com.com/3000-2119-10198876.html
I downloaded the file to my Desktop I believe it was last Friday or Saturday (the mysterious Desktop Shortcut appeared after that).
In checking the TryMedia site where their games are listed I do not see "Pawn" in their catalogue of games but could there be a connection??
http://www.trygames.com/
I'll let you absorb this information for now. I'm checking Google to see if there is some connection.
I'll be watching for replies at this thread if you have anything.
Thanks,
Telstar
Added URL tags
Telstar
October 8th, 2003, 09:44 AM
Hi Jooske,
I wanted to respond to a couple of other questions you asked.
-{ Quote: "delete the message from your sent folder in case you do keep copies there" }-
Jooske, by the time I read your most recent reply I had already deleted them from my OE Sent Folder. However, as I indicated, I found the TryMedia Folder in my Programs which is the one I WinZipped to you and Pieter.
-{ Quote: "You seemed up to date with the windows update, so now the idea how you got that thing on the desktop." }-
Yes, right after I did the System Restore I went to my Tools>Windows Update and a scan found NO Critical Updates needed. All the ones up to last week's KB828750 (MS IE Cum Patch) and KB828026 (Windows Media Security Update) were still there.
-{ Quote: "Are you sure you never downloaded/ installed anything from that gaming site from that URL in the first messages?" }-
Seems to be a strong "Game" connection here. Between the TryMedia/ActiveMarkSoftware and the "Pawn" Download.com game I installed. hmmmmm...the plot thickens.
Telstar
Telstar
October 8th, 2003, 12:12 PM
Pieter and Jooske,
I received this in my Inbox:
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
mailto:pieter@NOSPAMwilderssecurity.org
mailto:jooske@NOSPAMpilliwinks.net
I tried to send you both the WinZip of the TryMedia Folder but, as you can see, it failed.
Maybe it's because I had you both on the same email (cc: Jooske).
I'll try and send individual email and see if that works.
Telstar
Edited addies
Jooske
October 8th, 2003, 12:44 PM
Nice notification, I'm very grateful for that as it will frustrate email harvesters with their spam!
I got it though and just checked it at the KAV site
http://www.avp.ru/remoteviruschk.html
Current object: TryMedia.zip
TryMedia.zip Archive: ZIP
Statistics:
--------------------------------------------------------------------------------
Known viruses: 75227 Updated: 8.10.2003
File size (Kb): 1 Scan time: 00:00:01
Speed (Kb/sec): 1 Virus bodies: 0
Archives: 1 Packed: 0
Folders: 0 Files: 1
Suspicious: 0 Warnings: 0
nor did TDS alarm so it seems clean.
You might like in future cases to use that quick online scan too so keep that URL at hand! I must admit KAV does miss sometimes a nasty, but ok, most cases it does find if there is anything wrong.
EDIT:
I just looked another time at your zip:
It says it is 505KB but it is together with the email only 2KB so you sent an empty zip; so of course there were no alarms on that zip. Maybe you can have another look at it? Thanks!
Telstar
October 8th, 2003, 08:55 PM
Thank you again Pieter and Jooske for your valuable time helping me resolve this problem with TryMedia.
I've deleted everything I can find related to it and as you say Jooske it was clean of virus or suspicious items. I've scanned my system with everything I have available and for time present all is ok.
-{ Quote: "You might like in future cases to use that quick online scan too so keep that URL at hand!" }-
I put it in my Favorites for quick access. Thanks.
I will now await the "next crisis"...lol The way things have been going it won't be long before something else invades my computer and when it does I hope you folks will be available if I need any help.
Best regards,
Telstar :)
Rickster
October 9th, 2003, 12:16 AM
Hi Telstar: It's my experience with XP that system restore does roll-back MS updates to the restore point, so be sure to re-scan for updates and reinstall. BTW, there's an IE 6 cumulative patch and a patch for WMP ready for download today Oct 8.
I'd guess the security forums aren't the culprit for getting that folder, but might have got it when clicking on a link someone in a forum provided. If you disable File Downloads in your IE security settings until you're sure you want to download something, you'll prevent this and other tricky links from downloading to your system in the future.
I'd also recommend using RegProt from:
http://www.diamondcs.com.au
A free app and will prevent changes to your registry without your permission in the future.
Best Regards, Rick
Telstar
October 9th, 2003, 05:38 AM
Hi Rickster,
Thanks for your reply!
Very good point about File Downloads :). I did indeed have mine Enabled....Disabled it now. Chances are good you may be correct....I do click on many links as I peruse the different Forums and as you may have read, I was in the process of visiting various Forums when that TryMedia Folder Shortcut magically appeared. An astute observation on your part.
Regarding RegProt, I see it's a DiamondCS product so it's obviously completely reliable. I will install it.
"realtime registry monitor and protector, that adds another dimension to Windows security and intrusion detection."
Yep, I can use that!
-{ Quote: "BTW, there's an IE 6 cumulative patch and a patch for WMP ready for download today" }-
You are referring to KB828750 and KB828026. I had installed them last Friday and my Restore Point was created on Monday when I did complete AV, Spyware, Trojan, Worm, and other scans and was confident my system was clean. I did check after System Restore and these were still the latest ones, so I'm up-to-date.
Thanks again Rick for your excellent advice,
Telstar ;)
Jooske
October 9th, 2003, 05:48 AM
Re RegProt: keep visiting those pages, there is a lot more, also in the free tools sections. Have the AutostartViewer so you can see what is autostarting or able to do so and you can delete them from the autostart or walk by them to check if they are really not set for autostarting/connections/updating and all that.
In near future there will come a new autostart guard to replace RegProt, working nicely together with that viewer, and so much more in the build.......!
You might like to create a folder C:\Console and put that in the autoexec.bat in the path, and put all that kind of tools in that folder, so they work from all over wherever you are in windows or opening an MSDOS window for the command-line items, it all works fine that way.
Telstar
October 9th, 2003, 06:23 AM
Hello again Jooske,
(Already installed RegProt.....it's busy at work.)
-{ Quote: "(DiamondCS) Have the AutostartViewer so you can see what is autostarting" }-
LOL...a psychic experience :D? I was just looking over that one. Another helpful tool I can use.
-{ Quote: "You might like to create a folder C:\Console and put that in the autoexec.bat" }-
Another good suggestion. I've simply been downloading to Programs or Desktop depending on the application. I do not see autoexec.bat anywhere. A file search or Run command fails to find it. Is this a (Windows XP) pre-installed file or one that I would create myself?
Thanks,
Telstar ;)
Telstar
October 9th, 2003, 07:48 AM
Question about Autostart Viewer:
I just installed AS Viewer:
1) I do not see a Help menu anywhere so...
2) Right clicking gives me certain choices but without a Help menu I'm not exactly sure what I can do...are there any detailed instructions that I do not see? Clicking on "Main" does not show a Help menu
3) A Shortcut was not created with execute so I went to where the Program was installed and created the Shortcut manually
additionally:
>what does "Jump to with RegEdit" do?
>if I see a Program that I DO NOT want to Autostart, how do I stop it? is it "Delete Autostart Reference"?
>what happens if I "Delete File" do I remove/delete the entire Program from my Computer?
I can see some Programs that are Autostarting that I want to keep but not as an Autostart.....what do I do?
Thanks,
Telstar
Jooske
October 9th, 2003, 12:54 PM
It can be in win XP there is no autoexec -- heard that before. Not sure how / where you can add files to a path to be used in whole windows everywhere? There must be something? Maybe put that folder in c:\windows c:\winnt wherever you have windows for the same effect I guess.
For the discussions about the freetools on the DCS forum is a special area, see the DCS link in my sig here and register as a member in the forum to look around and discuss those parts there.
The ASViewer in fact needs no help: just allow every option to be shown and look at what it shows you. You can add that in a log.txt and post it if you like for help/suggestions.
I opened each program shown there and made sure they are really not autostarted in any way.
I think Wayne c.s. are able to give all detailed info and advice!
Removing them from autostart does not delete the program itself, just a possible autostarting!
I would grab the whole lot as each tool is very valuable! And check back often, many more to come soon!
PS: you are allowed to look in my crystal ball, that's what it's here for :)
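A small read-only listing of the most common autostart locations, added here as an example; it is not the DiamondCS Autostart Viewer discussed above and does far less than that tool. It covers the Run/RunOnce registry keys and the per-user and All Users Startup folders so each entry can be reviewed before anything is removed, which is the workflow Jooske describes. It assumes Windows PowerShell 5.1 or later; the set of locations is the example's own choice.

```powershell
# Added example, not the DiamondCS tool: list common autostart entries for review.
# Assumes Windows PowerShell 5.1+; read-only, nothing is removed.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

$entries = New-Object System.Collections.Generic.List[object]

# Registry autostart values: each value name is an entry, its data is the command line
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $entries.Add([pscustomobject]@{ Source = $key; Name = $name; Command = $item.GetValue($name) })
        }
    }
}

# Startup folders: every file (usually a shortcut) in them runs at logon
foreach ($folder in $startupFolders) {
    if (Test-Path $folder) {
        Get-ChildItem -Path $folder -File | ForEach-Object {
            $entries.Add([pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName })
        }
    }
}

$entries | Sort-Object Source, Name | Format-Table -AutoSize
```

The Command column shows what actually runs, so an entry whose file no longer exists or lives in an unexpected folder stands out. As Jooske says, taking something out of autostart does not remove the program: deleting only the Run value (for example `Remove-ItemProperty -Path $key -Name $name`, after backing up the key) stops the automatic launch while the program and its shortcuts stay on disk.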
Telstar
October 9th, 2003, 03:36 PM
Jooske,
Excellent! ....Just what the doctor ordered
I am now registered in the DiamondCS Forum. I'll spend some time reading through the various topics there and if I still have any questions regarding my new downloads I'll post them in there.
Thank you,
Telstar :)
Copyright ©2002 - 2012, Wilders Security Forums