undetected virus

 
Sheriff
Posts: 7023
I'm pretty sure that I have one or two virus programs running on my computer. I believe that one does initialize during startup as I have seen a mysterious program icon appear on the main taskbar and in the taskbar tray. I'm quite familiar with controlling what programs run at startup (through start menu, registry run entries, and ini files) but I cannot figure out how this program is able to run and what exactly it's doing. Norton AntiVirus 2002 cannot find a virus or malicious script.
The icon and title that appear (only briefly) on the taskbar claim to be the SETI Spy program, but I know that it is not this program as I do not have it installed. The icon that has appeared one time (and only for ten seconds) in the taskbar tray was an icon that looks like the old speaker control icon found on default installations of Windows 95 and 98. The program name associated with this icon claimed to be mIRC. I do not have mIRC or any IRC program installed. The graphics for both of these icons were not of the same quality as the actual program and system icons and I find them to be highly suspect.
Also, about five times during the past 3 days, internet explorer windows start appearing at an uncontrolled rate in what would seem to be uncontrolled numbers. The only way I've been able to stop the windows from popping is by pressing ctrl+alt+delete and terminating all internet explorer processes.
Looking at the processes list (when pressing ctrl+alt+delete) doesn't reveal any programs that seem suspect or out of the ordinary.
ZoneAlarm doesn't report any blocked or attempted internet access or service.
This would seem to have all started when I was browsing the web a few days ago looking for security information related to blocking port trojans and loser script bunnies. I happened upon a site that tried to run some questionable scripts and install a plug-in. I refused the plug-in and scripts and when I closed my browser window I found a program installation file (and exe) sitting on my desktop and a shortcut to it in my start menu. I deleted both files and didn't think to remember their names. Shortly thereafter, this suspicious activity began.
Has anybody else experienced anything like this?
[ August 28, 2002: Message edited by: Dirk Schreckmann ]
 
Ranch Hand
Posts: 4716
All I can tell you is that many anti-virus programs can't find trojans. There is a free (or free trial) anti-trojan program I used once that found some that the anti-virus programs I tried had missed. I can't remember the name but a Google search should turn it up (that's how I found it in the first place).
 
Ranch Hand
Posts: 144
Some of the anti-trojan applications themselves create a trojan. Be careful while choosing a trojan.
 
Ranch Hand
Posts: 7729
Dirk, set up ZoneAlarm to get every program that wants Internet access to ask for it. Refuse server access for everything too. Maybe you can trap it in that way.
Try a trial version of ZA Pro if there is one, maybe that can catch it.
I just noticed that Symantec list some very recently found backdoors on their web site.
Keep us informed, please.
-Good Luck
[ August 29, 2002: Message edited by: Barry Gaunt ]
 
Dirk Schreckmann
Sheriff
Posts: 7023
I've had zone alarm protecting me for years (thanks zone alarm) and I've not noticed any unusual attempts to access the net (which does sort of diminish the possibility that this is a trojan).
I did discover an ad-ware program (WURL) on my system that did have an icon in one of its files that looked a bit like the seti@home icon. I removed it with ad-aware. Pretty sneaky that it was trying to pretend to be seti-spy.
I've scanned my system with two different trojan scanners and found nothing.
Since removing the WURL I haven't had a recurrence of the unlimited browsers popping up.
Thanks for the ideas, everyone.
 