Autodialer present after TDS3 scan

Discussion in 'Trojan Defence Suite' started by foxfish, May 11, 2004.

Thread Status:
Not open for further replies.
  1. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    I have an autodialler which intermittently (attempts) to dial out when PC
    is in final stages of Windows shutting down.

    I am evaluating TDS-3 & after full system scan(with no reported trojans etc)
    the autodialer is still present.

    Any diagnostic advice please?


    I run:-
    AVG6
    ZoneAlarm Pro
    Spyware Blaster
    Spyware Guard
    Spybot
    Adaware
    HJThis

    Foxfish o_O o_O
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the meantime, if TDS did not alarm on the file and you are able to locate it, please send it (zipped if possible) to submit@diamondcs.com.au
    Did you after download and install your evaluation of TDS and reboot, go back to the site to get the latest radius update, put it in the directory and (re)load TDS, and all scanuptions in the scan console checked and a full system scan?

    If you do a full system scan please make sure you disable all other scanners, AVG for example with opening it's console and unchecking all scan options, so TDS can reach all files for scanning.

    On the contrary it is not necessary to closer TDS down when using other scanners, only don't run two scanners at a time.

    With all this, if you use Port Explorer ( www.diamondcs.com.au/portexplorer )you should be able to see which connections there are and which applications are connected to them, including possible malware.
     
  4. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Thanks Derek, Will do.Logfile of HijackThis v1.97.7
    Scan saved at 19:57:34, on 11/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\avgcc32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\TREVOR\Desktop\HijackThis.exe
    C:\WINDOWS\SYSTEM32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.koichat.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.firenet.uk.net/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.firenet.uk.net/
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.5410300926
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7290251D-FAFD-4922-9CF5-700FD9C123DF}: NameServer = 62.55.96.40 62.55.109.11

    regards
    Foxfish
     
  5. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Hi Jooske,Thanks for your reply.
    1.I have not found the bad file,I cannot find it.Full Scan TDS-3 Made.
    2.I will run TDS-3 with ZoneAlarm-pro & AVG6 switched off.
    3. I will try evaluation of of Diamond Port Explorer.

    Greetings
    Foxfish
     
    Last edited: May 11, 2004
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    there is no sign of any dialler in the hjt log

    best I can suggest at the moment is look in the zone alarm logs and see what is trying to connect or send at the time you are shutting down
     
  7. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Yes.Will do tomorrow,thank you.

    I have downloaded Diamonds Port Explorer but nothing seen yet.

    Foxfish
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    zone alarm together with port explorer?

    One more option: get from the DCS free tools the AutoStartViewer, everything checked and post that log too;
    did your AVG indicate anything?

    Did it start after a windows security patch recently?
    any auto-updates possible?
     
  9. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Hi Jooske.
    Have downloaded autostart viewer but cannot copy/paste(zipped) log yet.

    Nothing bad shown when I ran AVG.

    Port explorer ran with ZoneAlarm switched on.

    Yes, I recently downloaded Windows critical updates but cannot be sure that autodialler emerged before or after that time.

    I am considering letting autodialler dial out & obtaining port explorer address.

    Appreciate excellent help.

    regards

    Foxfish
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again!
    the ASViewer : just unzip and press the exe to run it, have all options checked, and save the output to a logfile. That log either send or post it. As that is a TXT file, no need to zip it.

    If you are protected with your software and have Port Explorer up, you can look indeed, you can at the moment you see the connection rightclick and disable sending, so at least no data from your system is sent out; hope you are able to spy immediately and see the application/place responsible for it.
    As soon as you have that application also disable receiving data so a possible nasty can't update itself -- with all that you should have the IP address and all that and please let us know. To ease your findings, you might like to enable the logfile for Port Explorer (take the smallest size as it can grow fast!)
     
  11. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Hi Jooske, Apologies, I had brain failure with AS viewer copy/paste yesterday but should be OK now:-

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for TREVOR@OLDSMITHY, 05-13-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\LOGON.SCR
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\LOGON.SCR
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
    C:\WINDOWS\System32\igfxtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOWS\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DVDSentry
    C:\WINDOWS\System32\DSentry.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\PROGRA~1\avgcc32.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\CTFMON.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\ISP signup reminder 1.job
    C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
    C:\Documents and Settings\TREVOR\Start Menu\Programs\Startup\SpywareGuard.lnk
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    C:\Program Files\Digital Line Detect\DLG.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\AvgServ\
    C:\PROGRA~1\avgserv.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\mdmxsdk\
    C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Netlogon\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RasAuto\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINDOWS\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    I am impressed with As Viewer & Port Explorer,thank you

    regards
    Foxfish
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I called on expert help for the autoStartviewer log; does Port Explorer show anything specific?
    If you see anything suspicious, you can freeze the display a moment to save the table which you can post but be wise and edit your own IP out in such cases.
    I have Port Explorer always running, like it very much!
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Foxfish, I am wondering if this entry could be causing a call..

    C:\WINDOWS\Tasks\ISP signup reminder 1.job

    I am thinking it may be an updater of some type trying to get out.

    Just guessing - Pilli
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yep thats the one which looks out of place. I've never seen the OS itself leave a reminder for a dialup setup.. even when you have the preinstalled "connect to the internet" stuff Windows includes !

    Can you send the .job file to me ? submit@diamondcs.com.au :)
    You might want to open it with notepad and look if it clearly points to an EXE file, if you can work that out, find and send the EXE file too
     
  15. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Thanks Jooske, Pilli & Gavin,
    I will do as you ask & will attend to it ASAP but am away for 24 hours.

    I certainly appreciate your kind help.

    regards
    Foxfish
     
    Last edited: May 17, 2004
  16. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Hi Gavin,
    I checked this file, it has an exe file C:\windows\system32\OOBE\OOBEBALN.exe/sys/i/n:1

    I opened it & found that it was a once only application on 5 April 2003.

    Around this time my ISP broke free from its peer provider & confusion reigned.

    I ran AVG through the file & it said it was clean.

    I will delete it when discover how to achieve it in AS Viewer.

    I havent been able to view the autodialler in Port Explorer as it dials out in the last few seconds of Window shutting down.

    regards
    Foxfish
     
  17. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    As Windows shuts down ?? that doesn't make much sense. Do you use a good, updated virus scanner ?

    ASViewer I dont think can remove the .job file automatically (right click, delete file). If it can't just find the file and delete it, the folder is listed there
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Now you know the file you can send it in, look deeper at it, if you're connected to internet do you see the thing doing anything at all in Port Explorer?
    Kind of auto-reconnect if the connection breaks?
     
  19. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Gavin, Yes I see what you mean!

    I use Panda on line scanner.

    I will post file before deleting in Autostart.

    Grateful thanks to you.

    Foxfish
     
  20. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Hi Jooske, No,havent seen anything abnormal in Port Explorer but havent fully mastered use of it yet.

    I am extremely grateful for your kind help & will continue learning from this forum

    regards
    Foxfish
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I would like to know if you see also something trying to connect immediately after reboot or something extra when you connect to internet, which should show up in Port Explorer too, make sure you have the logging on (smallest size is ok)

    Do you use the Panda online scan more often?
    Did you use your spyware scanners, Spybot S&D and Ad-aware?
    After using the panda online scanner i found myself infected with Gator GAIN from the advertisement stuff in their database uploader; i was really stunned, my Port Explorer log showed time and where it occurred so i can say with all certaintly it was from there, not allowing that service doesn't give you the scan update and scanning -- their support never replied back on my question about it.
    Anyway, that GAIN thing is a kind of detection advertisement thing; if you have such a thing SpybotS&D will see it immediately and remove it for you. Might be the end of your outgoing connection thing too. You should see it happen the moment you disconnect from internet even without closing windows.
    See some description here among others http://www.pcpitstop.com/gator/default.asp
    and a little googling will tell you more.

    Honestly said i don't remember if it would show up in HiJckthis or AutoStartViewer as i had it off my system just a few moments after that Panda scan (where it didn't show up of course) and as i didn't trust all the advertisements immediately fired up my spybot and found it to my big horror.
    Can you make sure your SpybotS&D and Ad-aware come up all clean (set them to the most advanced deep detection possible)
    And TDS fully updated and full system scan did come up all clear too, doesn't it?
     
  22. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Jooske - Just out of curiousity, didn't the detections that resulted from your use of the Panda Active Scan come from the fact that they use a lot of plain-text strings?

    IOW, you didn't really get "infected" with anything from using PAS, right? You just got a bunch of "hits" due to the plain-text strings they use? Pete
     
  23. foxfish

    foxfish Registered Member

    Joined:
    May 11, 2004
    Posts:
    20
    Location:
    UK midlands
    Hi Jooske, Thank you for the surprising information on Pandascan,I have read the details on Pitstop.I have deleted all pandascan files & will use only Nod32 or Stinger in future.
    I use updated Spybot &Adaware almost daily, scans come up almost clean nowadays & I rarely get pop ups(I use SpywareGuard/Blaster) now.
    I have deleted the "ISP reminder job file" from Autostart successfully & posted the OOBE/OOBEBALN.exe file as requested.
    Currently, the autodialler is not operating & I cannot see anything of it on Port Explorer
    which certainly pleases me.
    TDS scans all clean & Custom settings on Spybot/Adaware are optimised.
    Still learning on Port Explorer, must read up more.
    Grateful thanks
    Foxfish
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Pete,
    i could not update the panda and thus not get scanned, so i did not have the database nor their plain TXT, as i first allowed what i thought was the update which must have been the GAIN thing, and as i saw AFTER that first allowance the thing going for the update which was waiting far too long for even starting with the update, i stopped it and noticed after a little surfing my system was misbehaving somehow, so fired up Spybot, updated that and scanned, where that gator/GAIN thing was found, the real positive identification on a file, which i uploaded at KAV online scanner too; i checked the time and could check in the Port Explorer log it was all the same time i was at the panda site etc.
    At this moment i don't quite remember what Ad-Aware said about it which i'm 95% sure i did run after that as it was cleansed with SB already but it might have alarmed on the backupfiles.
    What i do remember is that my system was lots faster and behaving well again after that removal.
    During their update for the free online scan at Panda there is that advertisement stuff, if you block it you don't get an update nor scan, which i did not really mind as i guess they need some income for the service; bannerclicks on a security site i can accept, but no illegal software installs on my system when i am confident a detection database would be installed to help me to detect or getting rid of possible malware like that kind.
    What made me really disappointed and furious of Panda not reacting in any way on my question/warning about it. This is several months ago now and i tried another time and saw the same thing happening so did not allow it of course and was just out of there.
    I should go there another time and check carefully with Port Explorer to which IP/sites exactly i get connected there, as there are online scanners on internet to check first if the site has been infected (maybe even without the webmaster knowing) with the gator/GAIN or other parasites.
    With some googling this morning saw such test pages where you type in the server name or URL to get that info.
    Such a test should be able to be made in a TDS SS3 script too, i guess so we can test before actually visiting the site and avoid infections.
    I don't post the test site i just found as it's last updated 2003, and it's most probably different now.
    But you might find this site with possible filenames very informative:
    http://www.scanspyware.net/info/Gator-GAIN.htm
    I'm not familiar with the site and the online scan results, so i can't recommend nor warn for that, but the files list seems impressive.
     
    Last edited: May 20, 2004
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Foxfish, glad you have a more peaceful system now, only we don't know which of your actions solved it for now. I thing that ISP thing which sounded really strange.
    Do you have in your IE settings for the connections to "always connect with..." ? I have that on "never connect" as i like to manually connect with internet when i want/need it, and not immediately after reboot etc.
    Also the email client is set to collect only when i am online and several times an hour, so no autodialing from those two.
    Not sure if the kind of "online detect awareness" agents like in ICQ, RealOne player and the kind do such things too, life updates are possible, etc.

    For the Spybot and Ad-aware at times set it to the deepest detection which is possible.
    Hope you stay clean now and happy surfing with all your new protection tools!
     
Thread Status:
Not open for further replies.