Trojan Swind Virus

Discussion in 'Trojan Defence Suite' started by squidette, May 16, 2003.

Thread Status:
Not open for further replies.
  1. squidette

    squidette Guest

    Can anyone here tell me what a Swind virus is/does? I had downloaded it with a game file but AVG healed it. I can't find anything online that actually describes what it's supposed to do if not found and removed or healed. Help?? o_O
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Squidette,
    I see it named a virus, a trojan, a spyware; AVP names it a TrojanClicker.W32.Swind, so I'm not sure what it is actually. Could not find a proper description in the known databases, only that it is added to their detection.
    Did TDS find it on your system?
    If you have the infection, please be so kind to zip the file and send it in to support@diamondcs.com.au where they'll advise you further what to do with it, and tell what it actually is. In the meantime I try to find more info about it.
    As you say AVG cleaned it, it might still be in your original software or you can give the download place.
    Maybe it does exist under different names for which there are known descriptions.
    And maybe it is a form which is better blocked with WormGuard; in case of spyware there are the JavaCool tools in the other forums here at Wilders, and Spybot S&D and Ad-aware 6 to arm yourself even more.

    If you still have the original download, and AVG might not have cleaned that, only the installed version (?), then it's most certainly advisable to use TDS, download the latest radius updates, in the scanning part check every option possible and on highest sensitivity, scanning everything, and tell us about your TDS alerts.
    The easiest way is after scanning to right-click one of the alerts and choose "save as text", which will save to a file Scandump.txt in the TDS directory; this can be copied easily into a posting here to look with you at what to do next.
    Please keep us informed how it goes with TDS detection and what the TDS lab tells you about your file.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Squidette,
    Can I also suggest that you disable AVG temporarily & install Avast free. It has an excellent "in the wild" record & is as easy to use as AVG:
    http://www.avast.com/avast4/index.html & scores 100% on the virusbin tests
    Also there are rumours that AVG will not be free in the next year if you are not a paid subscriber.

    Also download AdAware from Lavasoft to check for other malware (basic is also free).

    Jooske I hope you get a notification on this one :D
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Had not clicked the "notify" button yet (why don't we have an ability to have notifications on all TDS forum messages as standard anyway, like I created for myself in all subjects in the DCS forums at their site?)
    Have checked it now so I guess I will now get them.

    Squidette:
    Pilli's advice to get that software sounds good, as it is very advisable to add to the layered protection with an AV/AT product besides the special top notch tools like TDS for trojans and WormGuard for worms, scripts and more, and Port Explorer to see in one blink if there are any suspicious connections of possible trojans or other spyware, backdoors, whatever calling home.
    I see connections all the time trying to call home when deleting spam email (the images, other advertisement parts, banners in newsgroup postings, etc.) and block them nicely with PE. Lots of times those are not blocked by popup killers etc.
    So besides your AV/AT scanner, if you ever look for a top notch special AV scanner even covering most trojans and worms too, most people will agree with advising NOD32 besides what you have already and the advised trio TDS/WG/PE.


    In the meantime I see NOD32 and AVP have lots of those TrojanClickers in their databases, but I still didn't see a description of this thing. I guess it's known under different names too.
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    AVG decided to go after some spyware we all call showbehind. They came up with that name, and others like KAV etc. call it TrojanClicker.W32.Swind.

    In any case, most people are picking it up from downloading the South Park / Mario Bros. game or downloading the free PC game Critters 2.

    You will find it at C:\windows\sbnet\showbehind.exe

    I notice that the only people with Swind problems use AVG.

    If you find it active on your PC then it will be located in a path like C:\windows\sbnet\showbehind.exe.


    Push Ctrl+Alt+Del then go to Processes. You will find showbehind active. Disable it. Then delete the folder sbnet. Now it will be deleted.

    If you had it healed with your AVG one time in the past, subsequent AVG scans will say 'no viruses; mentioned files are locked by Windows and can't even be infected.'

    But you could pick it up again by downloading other games, since ShoWbeHIND, or as they call it Swind, is a popular spyware package to be found out there.


    All of your Antispyware Programs will also take care of it.
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Now the caution that I will give you is that if you are already running Spybot S&D, and if it has already cleaned off the showbehind.exe and has it in the recovery folder, this is what you will get...

    http://www.dslreports.com/forum/remark,6072953~root=security,1~mode=flat



    So now we have antivirus programs like RAV, AVG, etc. finding this Swind when it has already been taken care of by another program, and they might also find it in your System Restore folders if you are running WinXP or ME. In that case it is not active and can not give you a problem, but it would be a good idea to clean out those folders and start a new restore point on your PC.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot Primrose for this further explanation, as I saw that name showbehind but could not yet connect it to this one. Now you explain it all. Saw it spoken about on several message boards, and how people also got infected by installing Windows XP Themes among others, and it would ship with several IE updates. More info about it at www.showbehind.com where they explain the advertisement site, what they do, and a removal tool for it from their site, adremove.exe.
    I saw user comments about keystrokes and calling-home connections, requests to firewalls for outbound connections, etc., so trying Port Explorer to keep an eye on outbound connections is not a bad idea at all, and I do hope there will be/become detection of this kind of nasties in TDS/WG.
    Good you give a good instruction to get rid of the nasty, the location and from the restore, without using a tool from the same company who delivers the infection in the first place.
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Jooske,
    I have also seen people try to use that removal tool and process from the showbehind site, and it does not work for them, but Spybot S&D does remove it completely and all of its entries, except of course the System Restore.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah, reading that advertisement site and the victims' comments said enough. Have not seen comments of changes in the system except for the file stored in that location you wrote; I have the feeling that besides showing advertisements underneath, people are just surfed to those advertisement sites like with RATs. Wondering if the file will come in more ways than the games and XP themes: if it is so very lucrative (and expensive), people who spent on it will like more customers, so it could come with spam and other ways, maybe a link in a spam mail to a download site, anything like that.

    Good, so Spybot S&D and/or Ad-aware, clean out the mess, disable System Restore, reboot, check again, make a new restore point manually and enable System Restore from there, right?
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Well gal, if you have time to infect one of your systems with it and then try their removal, let us know if it works for you, but I have not done so yet. Can not seem to find the time. :(

    But I am sure you are correct in that last paragraph. Seems to be working for everyone so far.
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm not looking for it either; it's just that I saw the file is around 178kb, so too big for sending with an email to infect people, just wondering what it could look like if people indeed would send it with spam to have advertisements displayed.
    Will look with new interest in some sources of spam if there might be anything like that included.

    For the moment I rather keep on the clean side and thus as little risk as possible to infect others. I leave such tests rather for the lab guys and believe them immediately if they post their observations!
     
  12. SmackDown

    SmackDown Guest

    Hi, yes I can give you link to McAfee site here http://vil.mcafee.com/dispVirus.asp?virus_k=100276

    I can also write you a batch file to remove the spyware; I have run the spyware many times, just to see what it does.

    It makes one registry entry in run, so it can start with windows. First thing to do is kill the running process, ALT+CTRL+Delete, then find and kill ShowBehind.exe.

    Then, copy and paste the below into Notepad, save as remove.bat, place it here "WINDOWS\sbnet", run the .bat; it will ask you if you want to delete ShowBehind, click y and that's it.

    Here is .bat file

    @ECHO OFF
    REM Remove the autostart value ShowBehind adds to the Run key (REG asks for confirmation)
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ShowBehind

    REM Delete the binary; this only works when the .bat is run from inside WINDOWS\sbnet
    del ShowBehind.exe
     
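    An added example, not from this thread or any of its posters: a small Python check that parses a constructed `reg export` of the Run key SmackDown's batch file edits and reports any value pointing at the sbnet\showbehind.exe path Primrose gave, so the persistence entry can be confirmed before and after removal. The sample export, its "Example" entry and the function names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# might produce on a machine carrying the ShowBehind entry the thread describes.
# The "Example" entry is made up; only the ShowBehind value and path come from the thread.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="\"C:\\Program Files\\Example\\example.exe\" /autostart"
"ShowBehind"="C:\\WINDOWS\\sbnet\\showbehind.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the thread: the binary name and the folder it lives in.
SHOWBEHIND_INDICATORS = ("showbehind.exe", "\\sbnet\\")

def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_showbehind_autoruns(text: str) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs under the Run key that point at ShowBehind."""
    run_values = parse_reg_export(text).get(RUN_KEY, {})
    hits = []
    for name, command in run_values.items():
        lowered = command.lower()
        if name.lower() == "showbehind" or any(ind in lowered for ind in SHOWBEHIND_INDICATORS):
            hits.append((name, command))
    return hits

if __name__ == "__main__":
    for name, command in find_showbehind_autoruns(SAMPLE_REG_EXPORT):
        print(f"autorun value {name!r} -> {command}")
```

    Run the same check on a fresh export after the batch file and the System Restore cleanup; an empty result means the Run value is gone, though it says nothing about copies still sitting in restore points.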
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot for all this additional info SmackDown.
    I'm a bit frustrated google did not come with those pages, what's wrong with them these last couple of months?
    Anyway, i think your info is really helpful!

    I see in the McAfee description it runs all the time with the pop-under advertisements, so one can expect more infection methods than a voluntary d/l of a game or XP themes.
     