Resistance is futile

Discussion in 'malware problems & news' started by maestro, Dec 30, 2002.

Thread Status:
Not open for further replies.
  1. maestro

    maestro Guest

    I found in my temp folder that there is a temp file there with an .exe extension... I tried deleting it many times before and it struck me as unusual when I couldn't delete it - "access denied". Later, I was checking out my ZA allowed programs list and noticed a program I did not recognise called deld192.exe. I checked its path to learn more about it and its path was c:\windows\temp.
    Since this discovery, I've downloaded a HEX editor to open up the temp file to get a better look. But it's never the same, it's on some kind of random modulation, constantly changing file name and content, but obviously whatever objective it has, that never changes. I've also downloaded a sniffer to learn more about it. I'm currently tracking its connections to see where it's communicating to and its origin. In the ZA program list I blocked its internet connections and unbelievably, the temp file has somehow created another .exe program that was connecting to the net. As a precaution (advice from a friend) I uninstalled ZA, rebooted, reinstalled and rebooted again and it was really to no avail. It has made no difference to the temp file. But it makes interesting study! It's not doing harm so far and I'm tracking its communication when I let it communicate :D At the end of an internet session, the temp file seems to have duplicated itself into slightly different file names, but when I opened these, there was a heck of a lot more activity in these deletable versions of the original temp file (which still remains). It appears to have very trojan-like behaviour. If anyone's got something similar, let me know. ;)

    BTW - I tried to post this message when I was logged in and I wasn't remaining logged in. So here I am. What's up with that?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    hi maestro,

    First up, we need to separate your trojan issue from the problem you are having logging into the Wilders Security forum. Those really need to be addressed separately.

    Please start a thread in the "General Topics" board (see URL below for the forum section I'm talking about) regarding your login problem. But, you need to describe in more detail what you are seeing. State your OS version, the browser you are using and its version, whether or not you have www.wilderssecurity.com in the browser's trusted zone, and if you are allowing cookies for it, as required to login here.

    The General Topics forum section:
    http://www.wilderssecurity.com/index.php?board=11

    As for the Trojan issue. Hmm, very interesting!! Yes, any time you find a file in a \temp\ folder connecting out to the Internet, you need to be really concerned. You probably couldn't delete it because it is open and running all the time. Windows never lets you delete files that are "in use" like that. Therefore, you need to stop it from running first, in order to delete it.

    If it is a real trojan, then a good anti-trojan product like TDS-3 or Trojan Hunter should find and kill it for you. You can find information on these two products along with links to download evaluation versions of them on our Anti-Trojan page:

    http://www.wilders.org/anti_trojans.htm

    Or, another way to approach this is for you to download and execute a program called StartupList v1.5 from the site linked below. This program will create a full list of all programs being started up by your PC when it boots. It will let you copy that information easily and paste it into a post here, and people can then help you find and remove any offending programs.

    http://www.lurkhere.com/~nicefiles/index.html

    This should be a good start to getting this resolved. Many people will be able to advise you once you post more information.

    Best Wishes,
    LowWaterMark
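As an added, defender-side illustration of the two checks LowWaterMark suggests above (find what is actually running out of a temp folder and holding the file open, and list what the machine starts at boot), the following PowerShell script is not from the thread, from ZoneAlarm or from StartupList. It assumes a modern Windows host with PowerShell 5.1 or later and the built-in NetTCPIP module (Get-NetTCPConnection, available since Windows 8/Server 2012); the temp folder locations are taken from the usual environment variables, and the registry Run/RunOnce keys and the per-user Startup folder are the standard autostart locations.

```powershell
# Added example (not from the thread): find processes whose executable lives
# under a temp folder, show their established TCP connections, and list the
# usual autostart locations. Run from an elevated prompt so that the Path of
# processes owned by other accounts is visible.

# Candidate temp roots (user TEMP/TMP and the system-wide %SystemRoot%\Temp).
$tempRoots = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLower() } |
    Select-Object -Unique

# 1. Running processes whose image path is under one of those roots.
#    A file that cannot be deleted ("access denied") is usually held open by
#    one of these; stopping the process releases the lock.
$suspects = Get-Process | Where-Object {
    $p = $_.Path
    $p -and ($tempRoots | Where-Object { $p.ToLower().StartsWith($_ + '\') })
}

foreach ($proc in $suspects) {
    Write-Host "Running from temp: PID $($proc.Id)  $($proc.Path)"
    # 2. Outbound connections owned by that process (the part ZA was flagging).
    Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Established' } |
        ForEach-Object { Write-Host "    -> $($_.RemoteAddress):$($_.RemotePort)" }
}

# 3. Autostart entries, roughly what StartupList collects: Run/RunOnce keys
#    for the machine and the current user, plus the user's Startup folder.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object { Write-Host "$key : $($_.Name) = $($_.Value)" }
    }
}

Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Startup folder: $($_.FullName)" }
```

Any entry in the output that points at an executable under a temp folder is worth pasting into a post for others to look at, exactly as suggested for the StartupList output. Once the owning process has been stopped (Stop-Process -Id <pid>), the file in the temp folder is no longer "in use" and can be removed; if an autostart entry recreates it on the next boot, that entry is the thing to remove first.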
     
  3. maestro

    maestro Guest

    Wow, thank you very much LowWaterMark for your speedy reply :) it's much appreciated. Thank you. ;)
     