IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New Watch it as it runs
Under Linux/Unix we have strace.
You should be able to track something down from sys-internals that does the same from Windows.

Or, watch the network traffic it generates.
Ethereal / Wireshark is good for that.

Either way, you SHOULD be able to figure it out without asking a group of people who could not possible know.
New tcpdump is your friend, works under winders
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 51 years. meep

reach me at [link|mailto:bill.oxley@cox.net|mailto:bill.oxley@cox.net]
New remind me of that the next time you get root kitted :-)
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 51 years. meep

reach me at [link|mailto:bill.oxley@cox.net|mailto:bill.oxley@cox.net]
New There's NOTHING that can be done once root kitted
Format from known media.

Well, maybe boot from CD, walk the dir tree, comparing checksums, yadda yadda.

But I really don't trust a rebuild at that point.
New Don't agree
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://westcottradio.org|Tune In]
New You're wrong.
The security community is agreed on this.

A rooted box can never be trusted again.


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
[link|http://kevan.org/brain.cgi?pwhysall|A better terminal emulator]
[image|http://i66.photobucket.com/albums/h262/pwhysall/Misc/saveus.png|0|Darwinia||]
New So you can be helpful after all
That's what I was looking for, some good advice

I don't why you say I was asking a group of people who couldn't possibly know

Certainly I am not the only person to encounter spyware

btw, I googled tick~th.exe the program that ran IE but found nothing
so I thought I'd ask here

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://westcottradio.org|Tune In]
New The reason you fond nothing on that .exe....
is that they randomize the name on install.

Also, the random name also keeps track of the other random names it installs and runs.

2-6 exes typically run to be watchdogs so they can be "kept running".

Assuming 6 versions running hidden...

1 watches to make sure 2,3,4,5,6 are running.
2 watches to make sure 1,3,4,5,6 are running.
3 watches to make sure 1,2,4,5,6 are running.
4 watches to make sure 1,2,3,5,6 are running.
5 watches to make sure 1,2,3,4,6 are running.
6 watches to make sure 1,2,3,4,5 are running.

You have to kill all of them at once.

Good luck. I'll bet there are some latent ones that will start up at a later date. Lobbed in on some CLSID.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
     Spyware running IE - (andread) - (18)
         Re: Spyware running IE - (pwhysall)
         Creating dummy accounts on message boards and spamming. -NT - (inthane-chan)
         perhaps a click thru trojan to generate ad revenue -NT - (boxley)
         Hehehe - (crazy) - (9)
             Wrong - (andread) - (8)
                 Watch it as it runs - (crazy) - (7)
                     tcpdump is your friend, works under winders -NT - (boxley)
                     remind me of that the next time you get root kitted :-) -NT - (boxley) - (3)
                         There's NOTHING that can be done once root kitted - (crazy) - (2)
                             Don't agree -NT - (andread) - (1)
                                 You're wrong. - (pwhysall)
                     So you can be helpful after all - (andread) - (1)
                         The reason you fond nothing on that .exe.... - (folkert)
         Do you know the actual spyware? - (static) - (3)
             Re: Do you know the actual spyware? - (andread) - (2)
                 I like their eula - (boxley)
                 WinZix is clearly the problem. - (static)
         another link to your issue - (boxley)

Skulduggery!
101 ms