Very, Very, Very Suspicious...

Discussion in 'Trojan Defence Suite' started by Snook, May 15, 2004.

Thread Status:
Not open for further replies.
  1. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    While connecting to the World-Wide-Internet via broadband, I notice a program being loaded in the background. This is detectable only via the monitor just before my homepage loads with IE6.

    This program (trojan, worm, nasty...) can be seen for just a fraction of a second on the monitor screen (I don't believe the monitor is lying, it's an IBM P97 driven by an ATI 9800XT - with the latest Catalyst drivers all set to high res).

    TDS3/PG/WG all report nothing out of the ordinary being executed.

    Comment/solution?
     
  2. FanJ

    FanJ Guest

    Hi,

    I don't know what has been going on, but maybe it is time to run AutostartViewer from DCS and/or HijackThis and post their logs; just only a thought...
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Most certainly would like to see immediately a TDS (fully updated) full system scan scandump.txt and an AutostartViewer log and a HijackThis log.
    So we know what's going on.
    And have Port Explorer at hand.
    Does it happen also when you're not connected to internet yet but only open Internet Explorer?
    Does it also happen when you have Internet Explorer still closed and only start your connection with Internet doing nothing else yet?
    Test those two situations please.
    Then after your reboot first open Port Explorer. Keep it on top and open and make sure you enabled the file logging and log window so you can keep seeing exactly what happens, in case there is something trying to connect to internet.
    Now you open Internet Explorer and enable packet spying on the socket.
    Watch it, as that data can grow rather big!

    You might have: your firewall in autostart trying to find out if there is an update waiting,
    your anti-virus scanner doing the same,
    other live updates or auto-updates
    more legal reasons you see happening
    or something nasty and that we hope to see if it's there in your logs we asked.
    Looking forward to your posting.
     
  4. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    snook
    Another possible answer may be that some legitimate program (i.e. IE6) is starting in a small form window and expanding to large a moment later.

    We know this definitely happens here when we start MyIE2 many times. The window starts at about 35mmX35mm (1 inch X 1 inch) for less than one second but immediately expands to full size.

    The programs Jooske mentioned can surely get to the bottom of the mystery, though.

    Hope this helps!

    Be seeing you
     
  5. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    All taken into consideration. Will need more time to run tests. Thanks.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Looking forward to your reportages ! So we can find ways to help you further.
     
  7. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    I ran PestPatrol and it found a CWS related adware. That explains why TDS3 found nothing. Thanks for the customer support.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Not quite, as TDS does detect several adwares and spywares but leaves detection in many cases to the specific programs for that.
    I expected already something like that by the looks of your story and this is why I sounded all alarms.
    Now I REALLY advise you to IMMEDIATELY hurry to the HijackThis forum and post your HijackThis log over there for the experts' review, no matter what PestPatrol might have found or not, there can be more the matter and certainly with those current CWS kinds.
    Please don't take this lightly, just get there, and let's see what the experts find for you!
    https://www.wilderssecurity.com/showthread.php?t=15913
     
  9. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182