124782.exe porndialer

Discussion in 'malware problems & news' started by aliwiseman, Oct 18, 2004.

Thread Status:
Not open for further replies.
  1. aliwiseman

    aliwiseman Registered Member
    Joined: Oct 18, 2004
    Posts: 19
    Location: Planet Wiseman currently Wolves Uk

    Hey there. Don't know if any of you have run into this file, which loves to self replicate.

    It places the above named file in about 18/24 different locations, and seems almost uncleanable at the mo!

    I run Adaware Se, SpyBot SnD, and Norton 2004, all of which detect the beastie but fail in removing it, Norton being the most honest about it tho. Trend's online scan deletes the files, but they duly re-emerge, irrespective of if I've turned sys restore off or if I'm in Safe Mode. Panda missed it completely!

    It initiates itself via a dos window, which must save and then exe the file which in turn contains a compressed version of same file etc etc etc, and the popup stoppers (google/msn) fail to stop it as it is a requested (via dos I assume) file rather than a pop up, much like it would not stop a CTRL N command.

    The information I have is that it comes from TIBs, but the normal tibs blocker is failing to stop it. Much like the Casino Palazzo problem it places an icon on your desktop, and then self executes!

    Having googled the file last week and only getting 2 results, 1 in Portuguese n 1 in Spanish I can only assume this is quite new.

    Any help would be gratefully received. Oh.. and my HJT log is fine!

    Alistair Wiseman :cool:
     
  2. snowbound

    snowbound Retired Moderator
    Joined: Feb 18, 2003
    Posts: 8,723
    Location: The Big Smoke
  3. ninja_style

    ninja_style Registered Member
    Joined: Oct 12, 2004
    Posts: 41

    Use SpySweeper, I had a similar trojan and just when I thought I got rid of it, I would see it appear again, until I installed SpySweeper and it was gone.
     
  4. aliwiseman

    aliwiseman Registered Member
    Joined: Oct 18, 2004
    Posts: 19
    Location: Planet Wiseman currently Wolves Uk

    Hi, thanks for the welcome ninja n snowbound.

    Yes I followed the instructions... lol. I've become quite adept at removal of spyware and trojans and considered my casino palazzo victory a good accomplishment hehe!

    Spysweeper doesn't remove the dialer fully, and it just reinitialises after next boot, even with sys restore off. I've done a regedit scan thru for the various related files and deleted them, and as mentioned before, my HJT log is fine.

    I already mentioned that I knew it was TIBS, and all other TIBS stuff doesn't get thru.

    I've also used TDS-3 obviously and that too finds the problem, and removes it... until next log in.

    In fact... almost every program finds the dialer.. and none of them clear it! lol

    I've posted on a couple of other forums too, so hopefully with many heads attacking the problem, it'll get got! lol

    Alistair
     
  5. Chopsaw

    Chopsaw Registered Member
    Joined: Oct 20, 2004
    Posts: 10
    Location: New Glasgow, Nova Scotia

    Look in the registry for entries in these locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce



    There may be an entry like this there:

    (path to executable) /rerun

    If you see ANYTHING there, also get rid of that item.
    It's a common reason for a re-install.
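
A report-only way to run the registry check described in the post above, as an added PowerShell example that is not part of the original thread: it lists every value under the two RunOnce keys and flags commands that end in `/rerun` or point at the file name from the thread title. The function name and the flag labels are hypothetical.

```powershell
# Added example: report-only audit of the two RunOnce keys named in the post above.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$threadFileName = '124782.exe'   # file name from the thread title

function Get-RunOnceAudit {      # hypothetical helper name
    param([string[]]$KeyPath, [string]$FileName)

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }   # key may not exist
        $key = Get-Item -LiteralPath $path
        foreach ($valueName in $key.GetValueNames()) {
            $command = [string]$key.GetValue($valueName)

            # Heuristic split: a quoted path, else the first whitespace-delimited token.
            # Unquoted paths that contain spaces are cut short (limitation of this sketch).
            $target = $null
            if ($command -match '^\s*(?:"([^"]+)"|(\S+))') {
                $target = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            }

            $flags = @()
            # Pattern from the post: "(path to executable) /rerun"
            if ($command -match '\s/rerun\s*$') { $flags += 'rerun-argument' }
            if ($target -and ((Split-Path -Path $target -Leaf) -ieq $FileName)) {
                $flags += 'thread-file-name'
            }

            # Every value is listed; flags only mark the ones matching the thread.
            [pscustomobject]@{
                Key     = $path
                Value   = $valueName
                Command = $command
                Flags   = $flags -join ','
            }
        }
    }
}

Get-RunOnceAudit -KeyPath $runOnceKeys -FileName $threadFileName |
    Format-Table -AutoSize -Wrap
```

The `HKCU` key is per user, so run this under the affected account; a reviewed entry can then be deleted with `Remove-ItemProperty -LiteralPath <key> -Name <value>`.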
     