
New Wrong
the process was easily eliminated
the program that started the IE was easily eliminated

my question was to the motive

what was the IE doing that the spyware went to so much trouble to run

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://westcottradio.org|Tune In]
New Watch it as it runs
Under Linux/Unix we have strace.
You should be able to track something down from sys-internals that does the same from Windows.

Or, watch the network traffic it generates.
Ethereal / Wireshark is good for that.

Either way, you SHOULD be able to figure it out without asking a group of people who could not possibly know.
New tcpdump is your friend, works under winders
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 51 years. meep

reach me at [link|mailto:bill.oxley@cox.net|mailto:bill.oxley@cox.net]
New remind me of that the next time you get root kitted :-)
New There's NOTHING that can be done once root kitted
Format from known media.

Well, maybe boot from CD, walk the dir tree, comparing checksums, yadda yadda.

But I really don't trust a rebuild at that point.
New Don't agree
New You're wrong.
The security community is agreed on this.

A rooted box can never be trusted again.


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
[link|http://kevan.org/brain.cgi?pwhysall|A better terminal emulator]
New So you can be helpful after all
That's what I was looking for, some good advice

I don't know why you say I was asking a group of people who couldn't possibly know

Certainly I am not the only person to encounter spyware

btw, I googled tick~th.exe the program that ran IE but found nothing
so I thought I'd ask here

A
New The reason you found nothing on that .exe....
is that they randomize the name on install.

Also, the random name keeps track of the other random names it installs and runs.

2-6 exes typically run to be watchdogs so they can be "kept running".

Assuming 6 versions running hidden...

1 watches to make sure 2,3,4,5,6 are running.
2 watches to make sure 1,3,4,5,6 are running.
3 watches to make sure 1,2,4,5,6 are running.
4 watches to make sure 1,2,3,5,6 are running.
5 watches to make sure 1,2,3,4,6 are running.
6 watches to make sure 1,2,3,4,5 are running.

You have to kill all of them at once.

Good luck. I'll bet there are some latent ones that will start up at a later date. Lobbed in on some CLSID.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
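The mutual-watchdog pattern described above (each process relaunching the others the moment one is killed) leaves a recognisable trace in process telemetry. The following is an added detection sketch, not code from this thread: it takes constructed start/stop events of the kind Process Monitor or Sysmon would record (the executable names and PIDs are made up) and groups images that both get relaunched and relaunch others, which is exactly the set that has to be killed at once.

```python
from collections import namedtuple

# Process lifecycle event, constructed to mimic Process Monitor / Sysmon telemetry.
Event = namedtuple("Event", "t kind pid ppid image")   # kind: "start" | "stop"
# Constructed sample: three randomly named exes relaunching each other, plus
# a benign notepad.exe closed and reopened from explorer.exe for contrast.
SAMPLE_EVENTS = [
    Event(0.0, "start", 50, 1, "explorer.exe"),
    Event(0.1, "start", 101, 50, "a7f3kq.exe"),
    Event(0.2, "start", 102, 101, "zz9p1x.exe"),
    Event(0.3, "start", 103, 102, "qk22mm.exe"),
    Event(5.0, "stop", 101, 50, "a7f3kq.exe"),    # kill #1 ...
    Event(5.3, "start", 104, 103, "a7f3kq.exe"),  # ... #3 relaunches it
    Event(6.0, "stop", 102, 101, "zz9p1x.exe"),   # kill #2 ...
    Event(6.2, "start", 105, 104, "zz9p1x.exe"),  # ... #1 relaunches it
    Event(7.0, "stop", 103, 102, "qk22mm.exe"),   # kill #3 ...
    Event(7.4, "start", 106, 105, "qk22mm.exe"),  # ... #2 relaunches it
    Event(8.0, "stop", 300, 50, "notepad.exe"),   # user closes notepad ...
    Event(8.5, "start", 301, 50, "notepad.exe"),  # ... and reopens it
]

def respawn_edges(events, window=2.0):
    """{(restarted_image, restarter_image)}: image relaunched within `window` s of dying."""
    events = sorted(events, key=lambda e: e.t)
    image_of = {e.pid: e.image for e in events if e.kind == "start"}
    edges = set()
    for i, dead in enumerate(events):
        if dead.kind == "stop":
            for later in events[i + 1:]:
                if later.t - dead.t > window:
                    break
                restarter = image_of.get(later.ppid)
                if (later.kind == "start" and later.image == dead.image
                        and restarter and restarter != dead.image):
                    edges.add((dead.image, restarter))
    return edges

def watchdog_clusters(events, window=2.0):
    """Connected groups of images that both get restarted and restart others
    (explorer.exe relaunching notepad.exe is one-directional, so not flagged)."""
    edges = respawn_edges(events, window)
    mutual = {a for a, _ in edges} & {b for _, b in edges}
    root = {img: img for img in mutual}   # tiny union-find over image names
    find = lambda x: x if root[x] == x else find(root[x])
    for a, b in edges:
        if a in mutual and b in mutual:
            root[find(a)] = find(b)
    groups = {}
    for img in mutual:
        groups.setdefault(find(img), set()).add(img)
    return [frozenset(g) for g in groups.values() if len(g) > 1]
```

On the sample it reports one cluster of the three random-named executables and ignores the notepad/explorer pair; on real telemetry the window should be tuned to how quickly the watchdogs react.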