In news: [email protected] (Active8):
Thanks, I wouldn't doubt it if there is a thread already. I hope so
anyways, because another .EXE file just downloaded and executed itself!
ouch!! That's worse than those friggin' pages that change your
start up or home page for you. Some of the craftier ones write the
registry to change it back on OS load.
I have no idea what can possibly be allowing these seemingly random
executable files to be (apparently downloaded) and run - there are no
unusual processes, scheduled tasks, registry "run" keys, nothing. I
just checked spyware again, 37 new spyware components... "NCase",
NCase... that's weird. Encase is the forensic software the FBI uses
to try to recover deleted and supposedly wiped files. I like to use
it to test my wipe utils.
"Hijacker.nCase",
"tribalfusion", "bluestreak", etc... all new.
Shit. I'd be backing up and reformatting at this point. It could
take a while for the new AdAware defs to catch up if this is new,
but GRC is usually on top of this crap.
How in the bloody hell? It's almost as if I've been "hacked," as
impossible as that sounds. Very devious, whatever is going on. I've
searched and there are no new anti-virus updates or spyware updates
and no new threats listed. I'm uber-careful about this sort of thing
and always clean up all spyware after installing anything... perhaps a
legitimate program has been hijacked, and keeps re-infecting the
system? Wish I knew more about what was going on. Thanks for the link,
I'll let us know if this is just an isolated incident or if someone
has found yet another nasty backdoor in M$ winblows.
Please do. I'd be grateful.
P.S. I did find a nifty website for info on this sort of thing...
check out this amazing site:
http://www.pestpatrol.com
Regards,
Mark
ok. as soon as I put my lead suit on
Hehe
I do have some news, with a lot of tweaking and an oogle of reboots I've
gotten the "lead" out.
What happened is the "nCase" trojan/malware was silently installed when
(most likely Nero Burning ROM) was upgraded. This malware took over the
default browser search and homepage functions and installed a flurry of
"nCase" protection files and registry entries, specifically designed to make
it nearly impossible to remove. The nCase bug is designed to FORWARD all
surfing to the ncase website, which I denied when ZoneAlarm said a new file
wanted access to the net. (The site would have recorded potentially all web
surfing and reported it to them, email addresses, passwords, credit card
numbers, etc...)
When I originally tried removing some of the nCase components, as a
self-defense mechanism or perhaps normal action it started downloading and
installing other malware. This is where these EXE files kept popping up
from. I removed one yet unknown malware and an XXX dialer, which could have
racked up hundreds of dollars in phone bills had it tried to actually dial
some 900 number without me even knowing about it...
The interesting thing was that it kept spawning new malware and there were
zero unusual running processes. What this means is that somewhere in one of
the existing running tasks, it had embedded itself and was occasionally
executing. A simple reboot (and making sure there were no bad "run" keys or
shortcuts) cleared the memory and presto, no more spawning malware or xxx
dialers. Using the PestPatrol scanner I was then able to find the remnants
of the infections and nullify them. Norton Anti-Virus found nothing of this
at all. :\
Whew! There's some really bad software out there folks, being installed
silently by some pretty mainstream vendors... be careful!
Regards,
Mark