Autodialer present after TDS3 scan

I have an autodialler which intermittently (attempts) to dial out when PC
is in final stages of Windows shutting down.

I am evaluating TDS-3 & after full system scan(with no reported trojans etc)
the autodialer is still present.

Any diagnostic advice please?


I run:-
AVG6
ZoneAlarm Pro
Spyware Blaster
Spyware Guard
Spybot
Adaware
HJThis

Foxfish

 

In the meantime, if TDS did not alarm on the file and you are able to locate it, please send it (zipped if possible) to submit@diamondcs.com.au
Did you after download and install your evaluation of TDS and reboot, go back to the site to get the latest radius update, put it in the directory and (re)load TDS, and all scanuptions in the scan console checked and a full system scan?

If you do a full system scan please make sure you disable all other scanners, AVG for example with opening it's console and unchecking all scan options, so TDS can reach all files for scanning.

On the contrary it is not necessary to closer TDS down when using other scanners, only don't run two scanners at a time.

With all this, if you use Port Explorer ( www.diamondcs.com.au/portexplorer )you should be able to see which connections there are and which applications are connected to them, including possible malware.

 

Thanks Derek, Will do.Logfile of HijackThis v1.97.7
Scan saved at 19:57:34, on 11/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\avgcc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\TREVOR\Desktop\HijackThis.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.koichat.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.firenet.uk.net/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.firenet.uk.net/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.5410300926
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7290251D-FAFD-4922-9CF5-700FD9C123DF}: NameServer = 62.55.96.40 62.55.109.11

regards
Foxfish

 

Hi Jooske,Thanks for your reply.
1.I have not found the bad file,I cannot find it.Full Scan TDS-3 Made.
2.I will run TDS-3 with ZoneAlarm-pro & AVG6 switched off.
3. I will try evaluation of of Diamond Port Explorer.

Greetings
Foxfish

 

Yes.Will do tomorrow,thank you.

I have downloaded Diamonds Port Explorer but nothing seen yet.

Foxfish

 

zone alarm together with port explorer?

One more option: get from the DCS free tools the AutoStartViewer, everything checked and post that log too;
did your AVG indicate anything?

Did it start after a windows security patch recently?
any auto-updates possible?

 

Hi Jooske.
Have downloaded autostart viewer but cannot copy/paste(zipped) log yet.

Nothing bad shown when I ran AVG.

Port explorer ran with ZoneAlarm switched on.

Yes, I recently downloaded Windows critical updates but cannot be sure that autodialler emerged before or after that time.

I am considering letting autodialler dial out & obtaining port explorer address.

Appreciate excellent help.

regards

Foxfish

 

Hi again!
the ASViewer : just unzip and press the exe to run it, have all options checked, and save the output to a logfile. That log either send or post it. As that is a TXT file, no need to zip it.

If you are protected with your software and have Port Explorer up, you can look indeed, you can at the moment you see the connection rightclick and disable sending, so at least no data from your system is sent out; hope you are able to spy immediately and see the application/place responsible for it.
As soon as you have that application also disable receiving data so a possible nasty can't update itself -- with all that you should have the IP address and all that and please let us know. To ease your findings, you might like to enable the logfile for Port Explorer (take the smallest size as it can grow fast!)

 

Hi Jooske, Apologies, I had brain failure with AS viewer copy/paste yesterday but should be OK now:-

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for TREVOR@OLDSMITHY, 05-13-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\LOGON.SCR
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\LOGON.SCR
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
C:\WINDOWS\System32\igfxtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
C:\WINDOWS\System32\hkcmd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DVDSentry
C:\WINDOWS\System32\DSentry.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\PROGRA~1\avgcc32.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\System32\CTFMON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\ISP signup reminder 1.job
C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
C:\Documents and Settings\TREVOR\Start Menu\Programs\Startup\SpywareGuard.lnk
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
C:\Program Files\Digital Line Detect\DLG.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\AvgCore\
\??\C:\PROGRA~1\avgcore.sys
HKLM\System\CurrentControlSet\Services\AvgFsh\
\??\C:\PROGRA~1\avgfsh.sys
HKLM\System\CurrentControlSet\Services\AvgServ\
C:\PROGRA~1\avgserv.exe
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\mdmxsdk\
C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
HKLM\System\CurrentControlSet\Services\Messenger\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Netlogon\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RasAuto\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\stisvc\
C:\WINDOWS\System32\svchost.exe -k imgsvc
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\vsdatant\
\??\C:\WINDOWS\System32\vsdatant.sys
HKLM\System\CurrentControlSet\Services\vsmon\
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs

I am impressed with As Viewer & Port Explorer,thank you

regards
Foxfish

 

I called on expert help for the autoStartviewer log; does Port Explorer show anything specific?
If you see anything suspicious, you can freeze the display a moment to save the table which you can post but be wise and edit your own IP out in such cases.
I have Port Explorer always running, like it very much!

 

Hi Foxfish, I am wondering if this entry could be causing a call..

C:\WINDOWS\Tasks\ISP signup reminder 1.job

I am thinking it may be an updater of some type trying to get out.

Just guessing - Pilli

 

Yep thats the one which looks out of place. I've never seen the OS itself leave a reminder for a dialup setup.. even when you have the preinstalled "connect to the internet" stuff Windows includes !

Can you send the .job file to me ? submit@diamondcs.com.au
You might want to open it with notepad and look if it clearly points to an EXE file, if you can work that out, find and send the EXE file too

 

Thanks Jooske, Pilli & Gavin,
I will do as you ask & will attend to it ASAP but am away for 24 hours.

I certainly appreciate your kind help.

regards
Foxfish

 

Hi Gavin,
I checked this file, it has an exe file C:\windows\system32\OOBE\OOBEBALN.exe/sys/i/n:1

I opened it & found that it was a once only application on 5 April 2003.

Around this time my ISP broke free from its peer provider & confusion reigned.

I ran AVG through the file & it said it was clean.

I will delete it when discover how to achieve it in AS Viewer.

I havent been able to view the autodialler in Port Explorer as it dials out in the last few seconds of Window shutting down.

regards
Foxfish

 

As Windows shuts down ?? that doesn't make much sense. Do you use a good, updated virus scanner ?

ASViewer I dont think can remove the .job file automatically (right click, delete file). If it can't just find the file and delete it, the folder is listed there

 

Now you know the file you can send it in, look deeper at it, if you're connected to internet do you see the thing doing anything at all in Port Explorer?
Kind of auto-reconnect if the connection breaks?

 

Gavin, Yes I see what you mean!

I use Panda on line scanner.

I will post file before deleting in Autostart.

Grateful thanks to you.

Foxfish

 

Hi Jooske, No,havent seen anything abnormal in Port Explorer but havent fully mastered use of it yet.

I am extremely grateful for your kind help & will continue learning from this forum

regards
Foxfish

 

I would like to know if you see also something trying to connect immediately after reboot or something extra when you connect to internet, which should show up in Port Explorer too, make sure you have the logging on (smallest size is ok)

Do you use the Panda online scan more often?
Did you use your spyware scanners, Spybot S&D and Ad-aware?
After using the panda online scanner i found myself infected with Gator GAIN from the advertisement stuff in their database uploader; i was really stunned, my Port Explorer log showed time and where it occurred so i can say with all certaintly it was from there, not allowing that service doesn't give you the scan update and scanning -- their support never replied back on my question about it.
Anyway, that GAIN thing is a kind of detection advertisement thing; if you have such a thing SpybotS&D will see it immediately and remove it for you. Might be the end of your outgoing connection thing too. You should see it happen the moment you disconnect from internet even without closing windows.
See some description here among others http://www.pcpitstop.com/gator/default.asp
and a little googling will tell you more.

Honestly said i don't remember if it would show up in HiJckthis or AutoStartViewer as i had it off my system just a few moments after that Panda scan (where it didn't show up of course) and as i didn't trust all the advertisements immediately fired up my spybot and found it to my big horror.
Can you make sure your SpybotS&D and Ad-aware come up all clean (set them to the most advanced deep detection possible)
And TDS fully updated and full system scan did come up all clear too, doesn't it?

 

Jooske - Just out of curiousity, didn't the detections that resulted from your use of the Panda Active Scan come from the fact that they use a lot of plain-text strings?

IOW, you didn't really get "infected" with anything from using PAS, right? You just got a bunch of "hits" due to the plain-text strings they use? Pete

 

Hi Jooske, Thank you for the surprising information on Pandascan,I have read the details on Pitstop.I have deleted all pandascan files & will use only Nod32 or Stinger in future.
I use updated Spybot &Adaware almost daily, scans come up almost clean nowadays & I rarely get pop ups(I use SpywareGuard/Blaster) now.
I have deleted the "ISP reminder job file" from Autostart successfully & posted the OOBE/OOBEBALN.exe file as requested.
Currently, the autodialler is not operating & I cannot see anything of it on Port Explorer
which certainly pleases me.
TDS scans all clean & Custom settings on Spybot/Adaware are optimised.
Still learning on Port Explorer, must read up more.
Grateful thanks
Foxfish

 

Hi Pete,
i could not update the panda and thus not get scanned, so i did not have the database nor their plain TXT, as i first allowed what i thought was the update which must have been the GAIN thing, and as i saw AFTER that first allowance the thing going for the update which was waiting far too long for even starting with the update, i stopped it and noticed after a little surfing my system was misbehaving somehow, so fired up Spybot, updated that and scanned, where that gator/GAIN thing was found, the real positive identification on a file, which i uploaded at KAV online scanner too; i checked the time and could check in the Port Explorer log it was all the same time i was at the panda site etc.
At this moment i don't quite remember what Ad-Aware said about it which i'm 95% sure i did run after that as it was cleansed with SB already but it might have alarmed on the backupfiles.
What i do remember is that my system was lots faster and behaving well again after that removal.
During their update for the free online scan at Panda there is that advertisement stuff, if you block it you don't get an update nor scan, which i did not really mind as i guess they need some income for the service; bannerclicks on a security site i can accept, but no illegal software installs on my system when i am confident a detection database would be installed to help me to detect or getting rid of possible malware like that kind.
What made me really disappointed and furious of Panda not reacting in any way on my question/warning about it. This is several months ago now and i tried another time and saw the same thing happening so did not allow it of course and was just out of there.
I should go there another time and check carefully with Port Explorer to which IP/sites exactly i get connected there, as there are online scanners on internet to check first if the site has been infected (maybe even without the webmaster knowing) with the gator/GAIN or other parasites.
With some googling this morning saw such test pages where you type in the server name or URL to get that info.
Such a test should be able to be made in a TDS SS3 script too, i guess so we can test before actually visiting the site and avoid infections.
I don't post the test site i just found as it's last updated 2003, and it's most probably different now.
But you might find this site with possible filenames very informative:
http://www.scanspyware.net/info/Gator-GAIN.htm
I'm not familiar with the site and the online scan results, so i can't recommend nor warn for that, but the files list seems impressive.

 

Foxfish, glad you have a more peaceful system now, only we don't know which of your actions solved it for now. I thing that ISP thing which sounded really strange.
Do you have in your IE settings for the connections to "always connect with..." ? I have that on "never connect" as i like to manually connect with internet when i want/need it, and not immediately after reboot etc.
Also the email client is set to collect only when i am online and several times an hour, so no autodialing from those two.
Not sure if the kind of "online detect awareness" agents like in ICQ, RealOne player and the kind do such things too, life updates are possible, etc.

For the Spybot and Ad-aware at times set it to the deepest detection which is possible.
Hope you stay clean now and happy surfing with all your new protection tools!