WARNING!! Shortcut on my Desktop!!!

Discussion in 'other security issues & news' started by Telstar, Oct 7, 2003.

Thread Status:
Not open for further replies.
  1. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Happened about an hour ago. Here I was, minding my own business surfing my favorite Forums (Wilders and....those other guys too). Upon closing the window I noticed a new Folder Shortcut on my Desktop. I did not put it there!!

    The image was a FOLDER...with the words...TryMedia....printed just like that.

    I DID NOT open it...instead sent it immediately to my Recycle Bin.

    so far:
    >An Ad-aware scan found no new objects!
    >Spybot found nothing unusual
    >HiJackThis did not find any suspicious items.
    >a file search finds nothing with that name

    Putting my cursor over the folder (without clicking of course) in Recycle Bin to show its description shows a file of 444 Bytes and it also says "Folders: Active Mark"

    A Google search found some links that include the name "TryMedia" including this strange one:

    http://www.sharewareorder.com/Worms-2-download-21602.htm

    and this one indicating a company Active Mark:
    http://www.trymedia.com/noflash.shtml

    But, the big issue is how did that Shortcut magically appear on my Desktop? VERY SCARY STUFF!!!!!

    Could be harmless.....also could have unleashed who knows what calamity had I opened it.

    Anyone know anything about this??

    Telstar
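A practical first check for a shortcut that appears on the Desktop by itself is to read what it points to without launching it, and to note when it was created so it can be lined up with recent installs. The following is an added example, not something from this thread or from TryMedia; it assumes a modern Windows PowerShell (Get-FileHash needs version 4.0 or later), treats the Desktop item as an ordinary .lnk file, and uses an arbitrary 7-day window. The `WScript.Shell` COM object only parses the shortcut; nothing in it is run.

```powershell
# Added example (not from the thread): list shortcuts that recently appeared on the
# Desktop and read each one's target without launching it.
# Assumptions: modern PowerShell (Get-FileHash needs 4.0+); the 7-day window is arbitrary.

function Get-ShortcutInfo {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    # WScript.Shell only parses the .lnk file; the target is not executed.
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($file.FullName)
    [pscustomobject]@{
        Shortcut     = $file.FullName
        SizeBytes    = $file.Length
        Created      = $file.CreationTime        # when it appeared on the Desktop
        Target       = $lnk.TargetPath
        Arguments    = $lnk.Arguments            # arguments on a "folder" shortcut are unusual
        WorkingDir   = $lnk.WorkingDirectory
        Description  = $lnk.Description          # the comment Explorer shows in the hover tooltip
        TargetExists = [bool]($lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath))
        SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

function Get-RecentDesktopShortcuts {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Installers drop shortcuts on either the user's own or the shared (Public) desktop.
    $desktops = @([Environment]::GetFolderPath('Desktop'),
                  [Environment]::GetFolderPath('CommonDesktopDirectory'))
    Get-ChildItem -LiteralPath $desktops -Filter *.lnk -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since } |
        ForEach-Object { Get-ShortcutInfo -Path $_.FullName }
}

Get-RecentDesktopShortcuts -Days 7 | Format-List
```

What to look at in the output: the creation time tells you which install or browsing session the shortcut belongs to; a target under Program Files with empty Arguments is the usual leftover of a software installer, while a target in a Temp or AppData folder, or a script host such as wscript.exe or cmd.exe with a long argument string, is the kind of thing worth sending to an analyst. Do this from a console rather than by opening the Desktop folder in Explorer, which renders each shortcut's icon as soon as the folder is shown.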
     
  2. beetlejuice

    beetlejuice Registered Member

    Joined:
    Oct 12, 2002
    Posts:
    8,523
    Did you search the Registry? If not I would just to see if it left anything.
     
  3. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Good idea beetlejuice.

    I have Windows XP Home and I don't mess with the Registry too much...a little over my head. But, is there an easy way to do a Registry search for this intruder without mucking things up??

    Thanks,
    Telstar
     
  4. beetlejuice

    beetlejuice Registered Member

    Joined:
    Oct 12, 2002
    Posts:
    8,523
    Hi Telstar. I don't have any experience with XP at all, but from what little I've seen of it, it doesn't work the same as 98SE. Better wait until someone with XP knowledge comes along. Wouldn't want to steer you the wrong way and do something we shouldn't.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Telstar,

    To search the registry:
    Start > Run > type regedit > OK
    When the registry editor opens select My Computer at the top. Then press Ctrl-F and type the expression you want to look for in the Find Window. If something is found, the F3 key will make it look for the next one.

    Before making changes in the registry make a Manual Restore Point for backup purposes.

    Regards,

    Pieter
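The same two steps Pieter describes, a restore point first and then a search of key names, value names and value data, can be done from a PowerShell prompt, with the bonus that every matching key is exported to a .reg file before anything is deleted. This is an added example, not Pieter's instructions or a tool from the thread; it assumes an elevated (Administrator) prompt on a current Windows version, that System Protection is enabled on the system drive, and uses the thread's own search term "TryMedia" as the pattern. Windows client editions refuse a second restore point within 24 hours by default, so a warning from Checkpoint-Computer is expected if one was made today.

```powershell
# Added example (not from the thread): make a restore point, then search the registry
# for a string and export every matching key to a .reg file before any cleanup.
# Assumptions: run as Administrator; System Protection is enabled; "TryMedia" is the
# search term from the thread. Only the SOFTWARE hives are searched by default.
$Pattern   = 'TryMedia'
$ExportDir = Join-Path $env:USERPROFILE 'Desktop\reg-exports'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Equivalent of "make a Manual Restore Point". Client Windows allows one per 24 hours
# by default and prints a warning otherwise.
Checkpoint-Computer -Description "Before $Pattern cleanup" -RestorePointType MODIFY_SETTINGS

function Find-RegistryString {
    param([Parameter(Mandatory)][string]$Pattern,
          [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'))
    $rx = [regex]::Escape($Pattern)      # literal match, like regedit's Find
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key  = $_
            $hits = @()
            # Key name (regedit's "Keys" option) ...
            if ($key.PSChildName -match $rx) { $hits += 'key name' }
            # ... then value names and value data ("Values" and "Data").
            foreach ($name in $key.GetValueNames()) {
                if ($name -match $rx) { $hits += "value name '$name'" }
                if ([string]$key.GetValue($name) -match $rx) { $hits += "data of '$name'" }
            }
            if ($hits) {
                [pscustomobject]@{ Key = $key.Name; MatchedOn = ($hits -join ', ') }
            }
        }
    }
}

$found = Find-RegistryString -Pattern $Pattern
$found | Format-Table -AutoSize

foreach ($m in $found) {
    # reg.exe accepts the HKEY_LOCAL_MACHINE\... form that $key.Name returns.
    $file = Join-Path $ExportDir (($m.Key -replace '[\\: ]', '_') + '.reg')
    reg.exe export $m.Key $file /y | Out-Null
}
```

Pass `-Roots 'HKLM:\', 'HKCU:\'` to cover whole hives the way "My Computer" does in regedit; it takes longer and the access-denied keys under HKLM are skipped silently. The exported .reg files are what you would hand to someone who asked for a copy before deletion, and double-clicking one merges the key back if a removal turns out to break something.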
     
  6. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    BINGO!!!

    Excellent instructions Pieter.....

    Ok, found in (F3 Key): HKEY_LOCAL_MACHINE\SOFTWARE\TRYMEDIA SYSTEMS
    attached to it is a Folder>Active Mark Software>with this series attached>A83796461D3E346E7A3E19954248E61D

    and in the window area to the right is:
    NAME: ab (Default)
    DATA: (value not set)

    So, there it is..I didn't change anything yet.

    What would I do next??

    I have a manual Restore Point I made yesterday, is this sufficient or should I make another one before making any changes you suggest?

    Thanks,
    Telstar
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Telstar,

    If you are sure that Restore Point is from before the file turned up and you did not make any important changes afterwards, I'd use System Restore. I wonder if you could send me a copy of that file before you trash it for good. (Please use the email-address in my profile)

    I'd like to have a closer look. I'll keep you posted if I unearth something worthwhile.

    TIA,

    Pieter
     
  8. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Pieter, as you've noticed I seem to find a question (call it a caution) in everything you ask me to do:

    Yes, the Shortcut only appeared on my Desktop around 4 p.m. today....Restore Point was made yesterday after I did all Ad-aware, AV, HJT, Spybot, Panda, Housecall, Norton scans and felt comfortable that I had nothing on my system. Then this TryMedia showed up today.

    I assume then that by using System Restore this would automatically "delete" the file??

    What would be the mechanics of this? Could I 'right click' and copy the file and then post it in the email? I just 'right clicked' and I see 'Export'.

    Let me know exactly how to get a copy to you by email please. Yes, I can get your address.

    Telstar
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you ever go to the Windows Update site for some security patches, as there are some against others posting on your system?
    Mind that with a system restore they could be gone, so a new visit is advised to check!


    BTW: does your rightclick have a menu-option to zip the file? If so please use that before attaching it in the email.
    Just extra security, as you might after sending have a copy in your email sent folder!
     
  10. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Hi Jooske,

    Excellent Point! My last Windows Update was last week (KB828750 and KB828026) and my System Restore Point was yesterday....would I lose those Critical Updates?
    It would be no problem to simply go back to Tools> Windows Update and let it tell me if Updates are required. As of this morning I have NO updates to download.

    Thanks,
    Telstar
     
  11. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Jooske asks:
    I just tried to right-click the file in the Registry and do not see WinZip capabilities in the pop-up.

    Telstar
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Telstar,

    System Restore never deletes any files. Windows may not be able to find certain things since the pointers in the registry are gone, but that is a different story.
    Everything you did, installed etc. before making the Restore Point will be in working order.

    To email a file in most email-clients you just write an email and then use the Attach (button, function, command) to send the file along.

    Regards,

    Pieter
     
  13. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Sorry to sound so naive but, in the e-mail, clicking Attach will not take me to Registry files. I could export it to My Documents though.
    How do I get the File from Registry into the email?
    A reminder that I moved the Folder - Trymedia - to my Recycle Bin.
    Telstar
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Telstar,

    I would need the folder. In order to attach it you would have to restore it from the Recycle bin.
    If you think it is too dangerous, don't do it on my behalf.
    In that case just use System Restore and consider the episode a happy ending.

    Regards,

    Pieter
     
  15. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    I think it's important for you to examine the Folder, Pieter, in the hope it might help others if this turns out to be something harmful or malevolent.

    The thing that bothers me the most is the way it suddenly appeared on my Desktop...this is what makes it suspicious. Whether it contains anything harmful is the question. So I just want to take all precautions and tread carefully.

    How about I do this:
    >Restore the Folder from Recycle...it should restore back to Desktop.
    >Then attach it to the email to you
    >Then return it back to Recycle
    I should NOT need to open the Folder, correct?

    After that I can do a System Restore.

    What do you think?
    Telstar
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Exactly!!

    I would appreciate it very much. :)

    Regards,

    Pieter
     
  17. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Ok, it's on its way. I couldn't attach the File Folder but I did attach the four components contained inside.
    Telstar
     
  18. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Another question please. How come I could not attach the "Folder" but could only attach individual files. From what you know, is there a way in Outlook Express to attach a Folder containing files?

    Also, FYI I scanned the Folder with my NortonAV before restoring from Recycle and it came up clean.

    Thanks,
    Telstar
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Thanks Telstar,

    You're my hero of the day.

    Not being able to attach folders is normal. That is probably why Jooske asked about WinZip. By zipping up a folder you can attach it completely.

    Regards,

    Pieter
     
  20. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Pieter,

    Just to let you know. I just completed a System Restore to my setpoint on Monday.

    TryMedia Folder is still in Registry but, who knows how long it's been there? Something triggered it however to place that Shortcut in Desktop but I don't think it's going to be a problem. I'll just leave it there. I would think that in the Registry window to the right where it says Name: ab (Default) and Data: (Value not set) this makes it an inactive file? I don't know, my guess.

    I'd be curious if you found anything worthy of concern.

    Thanks very much for all your time and patience. I find these exercises informative, instructional and even entertaining.

    Sure am glad I found out about Wilders Forum the other day, wish I had known sooner

    Best regards,
    Telstar
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Telstar,

    It could be a while before I can let you know about the files. I'm at work right now and rather not open any suspicious files. ;)

    I'll do so as soon as possible though. That may also provide us with an answer about the registry key.

    Regards,

    Pieter
     
  22. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Ok, sounds good!

    For now, over and out!

    I have this thread set for notification so if you should ever make another reply I'll be informed.

    Regards,
    Telstar
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do you have any WinZip or RAR on your system or EasyZip, anything which allows you zipping a file/folder?
    With that you could zip a file or folder and send it as a whole instead of the separate content files of it.
    And the safety reason I mentioned, for yourself, as well as preventing destruction by Pieter's security scanners for instance.
    If a nasty is zipped, in most cases it can't run nor do harm. If there are cases it can, let me know to be extra warned!
    I would speak of a sleeping trojan if it is inside a zip.

    Alternative is also like Pieter says, just click attach and you send it away and might like to delete the message from your sent folder in case you do keep copies there (I do, that's why I zip attachments); if you don't keep sent copies don't make it a point and just do as Pieter says.
    Sorry for the interruption.

    You seemed up to date with Windows Update, so now the idea how you got that thing on the desktop.
    Back to Pieter's findings first.

    Are you sure you never downloaded/installed anything from that gaming site from that URL in the first messages?
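Jooske's point, that a suspect folder travels better as a single archive than as loose attachments, is easy to do consistently from PowerShell, and adding a hash manifest lets the recipient confirm the files were not altered or stripped on the way. The following is an added example rather than anything posted in the thread; it assumes Windows PowerShell 5.0 or later (for Compress-Archive), and the folder and zip paths are illustrative.

```powershell
# Added example (not from the thread): zip suspect files for a remote analyst, with a
# SHA-256 manifest so both sides can confirm the files arrived unmodified.
# Assumptions: PowerShell 5.0+ (Compress-Archive); $SampleDir and $OutZip are illustrative.
$SampleDir = Join-Path $env:USERPROFILE 'Desktop\TryMedia'
$OutZip    = Join-Path $env:USERPROFILE 'Desktop\TryMedia-sample.zip'

function New-SampleArchive {
    param([Parameter(Mandatory)][string]$SourceDir,
          [Parameter(Mandatory)][string]$ZipPath)
    $root  = (Get-Item -LiteralPath $SourceDir).FullName
    $files = Get-ChildItem -LiteralPath $root -File -Recurse
    # Hash every file first. The manifest is written outside the sample folder so the
    # evidence itself is not touched.
    $manifest = foreach ($f in $files) {
        '{0}  {1}  {2} bytes' -f (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash,
                                 $f.FullName.Substring($root.Length).TrimStart('\'),
                                 $f.Length
    }
    $manifestPath = Join-Path $env:TEMP 'MANIFEST-SHA256.txt'
    $manifest | Set-Content -LiteralPath $manifestPath -Encoding ASCII
    # The folder goes in whole, keeping its layout, plus the manifest beside it.
    Compress-Archive -LiteralPath $root, $manifestPath -DestinationPath $ZipPath -Force
    # Hash of the zip itself: quote this in the covering email.
    Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256
}

New-SampleArchive -SourceDir $SampleDir -ZipPath $OutZip | Format-List
```

Compress-Archive cannot set a password, and many mail services reject executables even inside a plain zip; when that happens the usual convention between analysts is a password-protected archive made with 7-Zip (`7z a -pinfected sample.7z <folder>`), with the password stated in the email. Either way the recipient recomputes the hashes from the manifest before doing anything else with the files.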
     
  24. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Hi Jooske,

    If successful, I was able to send Pieter, with a cc to you, a WinZip of the TryMedia Folder. Check your email.

    There is ONE possibility.....I installed a small Chess Game the other day called....PAWN...308K. The download site for this game however is.....Download.com

    Could this then be the culprit??

    I frequently watch TechTV's "Call for Help" and they mentioned about this free chess game download. See here:

    http://www.techtv.com/callforhelp/freefile/story/0,24330,3538250,00.html

    http://download.com.com/3000-2119-10198876.html

    I downloaded the file to my Desktop I believe it was last Friday or Saturday (the mysterious Desktop Shortcut appeared after that).

    In checking the TryMedia site where their games are listed I do not see "Pawn" in their catalogue of games but could there be a connection??

    http://www.trygames.com/

    I'll let you absorb this information for now. I'm checking Google to see if there is some connection.

    I'll be watching for replies at this thread if you have anything.

    Thanks,
    Telstar


     
  25. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Hi Jooske,

    I wanted to respond to a couple of other questions you asked.

    Jooske, by the time I read your most recent reply I had already deleted them from my OE Sent Folder however, as I indicated, I found the TryMedia Folder in my Programs which is the one I WinZipped to you and Pieter.

    Yes, right after I did the System Restore I went to my Tools>Windows Update and a scan found NO Critical Updates needed. All the ones up to last weeks KB828750 (MS IE Cum Patch) and KB828026 (Windows Media Security Update) were still there.

    Seems to be a strong "Game" connection here. Between the TryMedia/ActiveMarkSoftware and the "Pawn" Download.com game I installed. hmmmmm...the plot thickens.

    Telstar
     