Post #284,134
5/7/07 12:11:42 PM
5/7/07 3:48:55 PM
|

Spyware running IE
I've found some computers that are running an 'invisible' copy of IE because of spyware. This copy can use quite a bit of RAM and always restarts unless the underlying program is eliminated.
My question is: what is that IE doing?
A
Play I Some Music w/ Papa Andy Saturday 8 PM - 11 PM ET All Night Rewind 11 PM - 5 PM Reggae, African and Caribbean Music [link|http://westcottradio.org|Tune In]

Edited by andread
May 7, 2007, 03:48:55 PM EDT
|
Post #284,135
5/7/07 12:14:48 PM
|

Re: Spyware running IE
[link|http://www.apple.com/macosx/tiger/|http://www.apple.com/macosx/tiger/] [link|http://www.ubuntu.com/|http://www.ubuntu.com/] [link|http://www.freebsd.org/|http://www.freebsd.org/]
Securing Windows is like trying to knit fog.
Peter [link|http://www.no2id.net/|Don't Let The Terrorists Win] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Home] Use P2P for legitimate purposes! [link|http://kevan.org/brain.cgi?pwhysall|A better terminal emulator] [image|http://i66.photobucket.com/albums/h262/pwhysall/Misc/saveus.png|0|Darwinia||]
|
Post #284,136
5/7/07 12:24:05 PM
|

Creating dummy accounts on message boards and spamming.
|
Post #284,138
5/7/07 12:41:34 PM
|

perhaps a click thru trojan to generate ad revenue
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 51 years. meep
reach me at [link|mailto:bill.oxley@cox.net|mailto:bill.oxley@cox.net]
|
Post #284,165
5/7/07 8:28:53 PM
|

Hehehe
Taking advantage of foolish windows people.
Jesus wept man. WTF is wrong with you?
Oh, that's right - you bet your career on this crap. And now you have a process running on your box you can't explain.
And tomorrow you'll come back and tell us how wonderful it is.
|
Post #284,171
5/7/07 9:35:20 PM
|

Wrong
the process was easily eliminated the program that started the IE was easily eliminated
my question was to the motive
what was the IE doing that the spyware went to so much trouble to run
A
|
Post #284,173
5/7/07 10:00:01 PM
|

Watch it as it runs
Under Linux/Unix we have strace. You should be able to track something down from sys-internals that does the same from Windows.
Or, watch the network traffic it generates. Ethereal / Wireshark is good for that.
Either way, you SHOULD be able to figure it out without asking a group of people who could not possibly know.
|
Post #284,178
5/7/07 11:29:38 PM
|

tcpdump is your friend, works under winders
|
Post #284,179
5/7/07 11:30:23 PM
|

remind me of that the next time you get root kitted :-)
|
Post #284,182
5/7/07 11:48:53 PM
|

There's NOTHING that can be done once root kitted
Format from known media.
Well, maybe boot from CD, walk the dir tree, comparing checksums, yadda yadda.
But I really don't trust a rebuild at that point.
|
Post #284,199
5/8/07 10:22:15 AM
|

Don't agree
|
Post #284,214
5/8/07 12:44:09 PM
|

You're wrong.
The security community is agreed on this.
A rooted box can never be trusted again.
|
Post #284,198
5/8/07 10:21:37 AM
|

So you can be helpful after all
That's what I was looking for, some good advice
I don't know why you say I was asking a group of people who couldn't possibly know.
Certainly I am not the only person to encounter spyware
btw, I googled tick~th.exe the program that ran IE but found nothing so I thought I'd ask here
A
|
Post #284,210
5/8/07 12:26:55 PM
|

The reason you found nothing on that .exe....
is that they randomize the name on install.
Also, the randomly named program keeps track of the other random names it installs and runs.
2-6 exes typically run to be watchdogs so they can be "kept running".
Assuming 6 versions running hidden...
1 watches to make sure 2,3,4,5,6 are running. 2 watches to make sure 1,3,4,5,6 are running. 3 watches to make sure 1,2,4,5,6 are running. 4 watches to make sure 1,2,3,5,6 are running. 5 watches to make sure 1,2,3,4,6 are running. 6 watches to make sure 1,2,3,4,5 are running.
You have to kill all of them at once.
Good luck. I'll bet there are some latent ones that will start up at a later date. Lobbed in on some CLSID.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey PGP key: 1024D/B524687C 2003-08-05 Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0
|
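The two technical suggestions in this thread, watching the process as it runs and reasoning about a ring of watchdog executables that restart each other, can be turned into a small triage script. The following is an added example, not code from the thread or from any of the posters: it takes a list of process start/stop events of the kind a process monitor produces, flags any executable that is relaunched within a few seconds of being stopped (the "IE always restarts" symptom), and then groups the relaunchers into rings that restart one another, which is the set that has to be terminated together. The event records, the 5-second window, the watchdog names wd_a.exe/wd_b.exe/wd_c.exe and the folder name are all constructed for the demo; only tick~th.exe and iexplore.exe come from the thread.

```python
"""Triage process start/stop events for respawning processes and watchdog rings.

Added example, not from the thread. Event records below are constructed to
mimic the situation described: tick~th.exe relaunching iexplore.exe whenever
it is stopped, plus three hypothetical watchdog executables that restart
each other in a ring. Image names other than tick~th.exe / iexplore.exe and
the folder name are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

RESPAWN_WINDOW_S = 5.0  # assumption: a relaunch this soon after an exit is not user-driven


@dataclass(frozen=True)
class ProcEvent:
    t: float          # seconds since the start of the capture
    kind: str         # "start" or "stop"
    pid: int
    image: str        # executable file name
    parent: str = ""  # parent image, only meaningful for "start" events


# Constructed sample capture (hypothetical folder "boo_placeholder" stands in for
# the long Application Data folder name mentioned in the thread).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(0.0, "start", 100, "tick~th.exe", "explorer.exe"),
    ProcEvent(0.1, "start", 101, "wd_a.exe", "tick~th.exe"),
    ProcEvent(0.2, "start", 102, "wd_b.exe", "wd_a.exe"),
    ProcEvent(0.3, "start", 103, "wd_c.exe", "wd_b.exe"),
    ProcEvent(0.5, "start", 104, "iexplore.exe", "tick~th.exe"),
    ProcEvent(10.0, "stop", 104, "iexplore.exe"),            # user kills IE
    ProcEvent(10.4, "start", 105, "iexplore.exe", "tick~th.exe"),  # relaunched at once
    ProcEvent(20.0, "stop", 101, "wd_a.exe"),
    ProcEvent(20.3, "start", 106, "wd_a.exe", "wd_b.exe"),   # wd_b restarts wd_a
    ProcEvent(30.0, "stop", 102, "wd_b.exe"),
    ProcEvent(30.2, "start", 107, "wd_b.exe", "wd_c.exe"),   # wd_c restarts wd_b
    ProcEvent(40.0, "stop", 103, "wd_c.exe"),
    ProcEvent(40.5, "start", 108, "wd_c.exe", "wd_a.exe"),   # wd_a restarts wd_c
    ProcEvent(45.0, "start", 200, "notepad.exe", "explorer.exe"),
    ProcEvent(50.0, "stop", 200, "notepad.exe"),
    ProcEvent(300.0, "start", 201, "notepad.exe", "explorer.exe"),  # benign, much later
]


def find_respawns(events: List[ProcEvent], window: float = RESPAWN_WINDOW_S) -> Dict[Tuple[str, str], int]:
    """Return {(image, parent): count} for starts that follow a stop of the same image within `window`."""
    last_stop: Dict[str, float] = {}
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "stop":
            last_stop[ev.image] = ev.t
        elif ev.kind == "start":
            t0 = last_stop.get(ev.image)
            if t0 is not None and 0.0 <= ev.t - t0 <= window:
                counts[(ev.image, ev.parent)] += 1
    return dict(counts)


def watchdog_rings(respawns: Dict[Tuple[str, str], int]) -> Set[FrozenSet[str]]:
    """Group images that restart each other, directly or through a chain.

    Each respawn record gives a directed edge parent -> child. A ring is a
    strongly connected component with more than one member: every member
    can (transitively) restart every other, so killing them one at a time
    never works; they must be terminated together.
    """
    adj: Dict[str, Set[str]] = defaultdict(set)
    nodes: Set[str] = set()
    for child, parent in respawns:
        adj[parent].add(child)
        nodes.update((child, parent))

    def reach(start: str) -> Set[str]:
        seen: Set[str] = set()
        stack = [start]
        while stack:
            for m in adj[stack.pop()]:
                if m not in seen:
                    seen.add(m)
                    stack.append(m)
        return seen

    reachable = {n: reach(n) for n in nodes}
    rings: Set[FrozenSet[str]] = set()
    for n in nodes:
        members = {m for m in nodes if m in reachable[n] and n in reachable[m]}
        if len(members) > 1:
            rings.add(frozenset(members))
    return rings


def triage(events: List[ProcEvent]) -> dict:
    """Summarise who relaunches what, and which relaunchers form a watchdog ring."""
    respawns = find_respawns(events)
    return {
        "relaunchers": sorted({parent for _, parent in respawns}),
        "respawned": sorted({child for child, _ in respawns}),
        "rings": watchdog_rings(respawns),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for (child, parent), n in find_respawns(SAMPLE_EVENTS).items():
        print(f"{parent} relaunched {child} {n}x within {RESPAWN_WINDOW_S}s of exit")
    for ring in summary["rings"]:
        print("watchdog ring, terminate together:", sorted(ring))
```

On the sample capture the script reports that tick~th.exe relaunches iexplore.exe and that wd_a.exe, wd_b.exe and wd_c.exe form one ring; notepad.exe, restarted minutes later by the shell, is ignored. Feeding it a real capture only requires converting the monitor's process-create and process-exit rows into `ProcEvent` records.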
Post #284,293
5/9/07 2:03:06 AM
|

Do you know the actual spyware?
We work on anti-spyware detection and removal et al, so I can ask someone here, but they'll want to know which spyware you had.
Wade.
Is it enough to love / Is it enough to breathe / Somebody rip my heart out / And leave me here to bleed
Is it enough to die / Somebody save my life / I'd rather be / Anything but Ordinary / Please
-- "Anything but Ordinary" by Avril Lavigne. | my [link|http://staticsan.livejournal.com/|blog] | [link|http://yceran.org/|website] |
|
Post #284,376
5/10/07 9:38:48 AM
|

Re: Do you know the actual spyware?
I think it went like this:
The user downloaded a program called WinZix, which claimed to be a program that could decompress his pre-theatrical release of some movie. This created a WinZix folder in Program Files. I killed that dll with killbox. I saw that tick~th.exe (showed as tick third.exe in My Computer) would launch IE whenever IE was stopped. This file was in a folder under the user's Application Data that has a long name starting with boo that I don't recall.
Don't know if this is enough info.
A
|
Post #284,381
5/10/07 9:50:49 AM
|

I like their eula
[link|http://forums.whirlpool.net.au/forum-replies-archive.cfm/727567.html|http://forums.whirlp...e.cfm/727567.html] 1) By accepting these terms and conditions, the Software will be installed on your computer. The search page for your web browsers auto search option and default error page are set to a web page determined by the Software. The software does not transmit the URL of any valid website that you or any user visits to a 3rd party server. The software may however transmit DNS errors or "non resolving / invalid domain names only" back to the server in order to diagnose communication issues. The Software will deliver popup advertisements on your computer on a regular basis. Installation of the Software may also add bookmarks to your computer and web browser, and shortcuts to the desktop and various menus. The added bookmarks and shortcuts may be removed manually or via un-installation of the Software. If incorrect host-file entries are detected for this Software's related domain names, those entries will be removed in order for this software to function properly.
|
Post #284,431
5/10/07 9:58:40 PM
|

WinZix is clearly the problem.
As Box has no doubt already found, it comes with trojan software; that is its modus operandi. Google for 'WinZix problems' and you will find lots of links about cleaning up after it.
As for the hidden IE session: I spoke to one of the MRC guys here and he said such a thing happens when a program loads an IE component. The EULA says it serves advertising - I imagine that it would use the HTML rendering component to display the ads. Nothing sinister in and of itself, until you look at the whole package, as it were. :-)
Wade.
|
Post #284,404
5/10/07 1:32:44 PM
|

another link to your issue
[link|http://forums.techguy.org/security/567228-hijack-log-posted-installed-winzix.html|http://forums.techgu...alled-winzix.html] thanx, bill
|