Can Anyone ID This Spy Ware?

Guest

I have an unknown type of spyware running on my PC which is constantly
trying to access the Internet and I have been unable to find its source and
stop it. Does anyone know the source of this spyware and how to eliminate it?

Each attempt starts with a new program with a unique numerical designation
and “exe”. The program numbers are not generated in sequence. So I have to
block each attempt. Here are a few examples:

284.exe, 28449.exe, 28382.exe, 27992.exe, 30123.exe, 489.exe, 4871.exe,
4873.exe, 5179.exe, 5485.exe, 7090.exe, 7188.exe, 7322.exe, 7354.exe,
995.exe, 9832.exe, 14521.exe, 1431.exe, 15727.exe, 156.exe, 15763.exe,
11976.exe, 1190.exe, 1084.exe, 10998.exe, 11122.exe, etc., etc., etc.

If you have had experience with this particular type of spyware PLEASE let
me know how to shut it down.

I have run the most current version of CWShredder, Spybot S&D,
SpywareBlaster and Ad-Aware several times in safe mode on my PC but none of these
have been successful in finding or eliminating this spyware.

The spyware generates 15 to 20 new programs each 24 hours and these attempt
to access the Internet. To date I have had more than 200 of these attempted
Internet accesses. My firewall blocks them from the Internet but I have not
been able to stop them from attempting access.
 
Chuck

I have an unknown type of spyware running on my PC which is constantly
trying to access the Internet and I have been unable to find its source and
stop it. Does anyone know the source of this spyware and how to eliminate it?

Each attempt starts with a new program with a unique numerical designation
and “exe”. The program numbers are not generated in sequence. So I have to
block each attempt. Here are a few examples:

284.exe, 28449.exe, 28382.exe, 27992.exe, 30123.exe, 489.exe, 4871.exe,
4873.exe, 5179.exe, 5485.exe, 7090.exe, 7188.exe, 7322.exe, 7354.exe,
995.exe, 9832.exe, 14521.exe, 1431.exe, 15727.exe, 156.exe, 15763.exe,
11976.exe, 1190.exe, 1084.exe, 10998.exe, 11122.exe, etc., etc., etc.

If you have had experience with this particular type of spyware PLEASE let
me know how to shut it down.

I have run the most current version of CWShredder, Spybot S&D,
SpywareBlaster and Ad-Aware several times in safe mode on my PC but none of these
have been successful in finding or eliminating this spyware.

The spyware generates 15 to 20 new programs each 24 hours and these attempt
to access the Internet. To date I have had more than 200 of these attempted
Internet accesses. My firewall blocks them from the Internet but I have not
been able to stop them from attempting access.

The one program which you have NOT run is HijackThis. The key to resolving this
is HijackThis, and expert advice.
HijackThis <http://www.tomcoyote.com/hjt/>

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
<http://forums.spywareinfo.com/index.php?showtopic=227>

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts, here):
Aumha: <http://forum.aumha.org/index.php>
Net-Integration: <http://forums.net-integration.net/>
Spyware Info: <http://forums.spywareinfo.com/>
Spyware Warrior: <http://spywarewarrior.com/index.php>
Tom Coyote: <http://forums.tomcoyote.org/>

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Guest

I have downloaded and run a HijackThis scan. I have registered on the SWI
Forum and posted a copy of this request for help and a copy of my logfile
from the HijackThis scan.

Let me know if you have any other advice.

Thanks for the help.

Xyzzz
 
Chuck

I have downloaded and run a HijackThis scan. I have registered on the SWI
Forum and posted a copy of this request for help and a copy of my logfile
from the HijackThis scan.

Let me know if you have any other advice.

Thanks for the help.

Xyzzz

I will be glad to advise, I would like to follow the HJT analysis. Can you post
a link here to your forum post?

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Chuck

Here is a link to my posting on SWI forum:

http://forums.spywareinfo.com/index.php?showtopic=43332&hl=

The logfile from my HijackThis scan is posted there.

If you can be of assistance I would greatly appreciate it. So far 9 people
have read my posting and I have received NO assistance yet.

Xyzzz

Yep, I see it. I gotta say, I don't see anything that looks interesting either.
Except for:
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min

SETI is a collaborative processing project. This would very likely spawn
processes that would generate internet traffic. You'd hope that it would name
its processes something identifiable though.

Can you spot one of those mysterious processes?

Get Port Explorer (free) from
<http://www.diamondcs.com.au/portexplorer/index.php?page=home> to show you what
network connections your computer is actually opening, and what processes are
opening them.
And Process Explorer (free) from
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. Provides way more
information than Task Manager. Also, Autoruns (also free, and also from
SysInternals) <http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml> will
show you specifically what processes are started automatically.

If, on the slim chance these processes are not malevolent, Process Explorer +
Port Explorer might tell us a bit about them.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
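The three tools Chuck recommends are GUI tools. What follows is an added example, not code from anyone in this thread or from any of those tools, that does the same mapping from a PowerShell prompt on a modern Windows (it assumes Windows 8 / Server 2012 or newer for Get-NetTCPConnection, and an elevated prompt so every process path can be read): it lists live TCP connections with their owning process, the image path and its Authenticode status, flags image names that are nothing but digits like the ones in the first post, and dumps the Run/RunOnce keys that HijackThis reports as O4 lines. The function names and the numeric-name regex are the example's own assumptions.

```powershell
# Added triage example; not from the original thread. Run elevated on Windows 8+ / Server 2012+.

# The symptom in the first post: image names that are purely numeric ("28449.exe").
# This pattern is the only "signature" used here; everything else is plain inventory.
$NumericName = '^\d+\.exe$'

function Get-SuspectConnections {
    # Map every live TCP endpoint to its owning process (what Port Explorer shows)
    # and keep the ones that are either numeric-named or not validly signed.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'Established', 'SynSent' } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            if (-not $proc) { return }                       # process already exited
            $image = $proc.ProcessName + '.exe'
            $path  = $proc.Path                              # $null for protected/system processes
            $sig   = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            [pscustomobject]@{
                Pid         = $proc.Id
                Image       = $image
                Path        = $path
                Signature   = $sig
                RemoteAddr  = $conn.RemoteAddress
                RemotePort  = $conn.RemotePort
                State       = $conn.State
                NumericName = ($image -match $NumericName)
            }
        } |
        Where-Object { $_.NumericName -or $_.Signature -ne 'Valid' }
}

function Get-RunKeyEntries {
    # The Run/RunOnce keys HijackThis lists as O4 entries (e.g. the seticlient line above).
    # Autoruns covers many more launch points; these are the common ones.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties; they are not registry values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Flag    = if ([string]$prop.Value -match '\\\d+\.exe\b') { 'numeric image name' } else { '' }
            }
        }
    }
}

# Usage: connections worth a second look, then every autorun entry (flagged ones first).
Get-SuspectConnections | Format-Table -AutoSize
Get-RunKeyEntries | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it a few times over the day, since the first post says the processes are short-lived and appear 15 to 20 times per 24 hours; a process that exits before you catch it will still leave its launch point in the Run keys, a scheduled task or a service, which is why Autoruns (or the second function here) matters more than the connection list alone.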
 
Guest

I have been running SETI for more than 5 years without a problem. This
problem is relatively new so I doubt SETI is the problem.

I am in the process of checking into the other links you gave me.

I did do an update of my Windows XP software and there were several new
updates which I did not have. I have run another scan with HijackThis and
will post the results on the SWI Forum.

Please check this new scan for me.

It seems as though you are the only person with any ideas on how to deal
with the problem I have.

Xyzzz

Chuck said:
Here is a link to my posting on SWI forum:

http://forums.spywareinfo.com/index.php?showtopic=43332&hl=

The logfile from my HijackThis scan is posted there.

If you can be of assistance I would greatly appreciate it. So far 9 people
have read my posting and I have received NO assistance yet.

Xyzzz

Yep, I see it. I gotta say, I don't see anything that looks interesting either.
Except for:
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min

SETI is a collaborative processing project. This would very likely spawn
processes that would generate internet traffic. You'd hope that it would name
its processes something identifiable though.

Can you spot one of those mysterious processes?

Get Port Explorer (free) from
<http://www.diamondcs.com.au/portexplorer/index.php?page=home> to show you what
network connections your computer is actually opening, and what processes are
opening them.
And Process Explorer (free) from
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. Provides way more
information than Task Manager. Also, Autoruns (also free, and also from
SysInternals) <http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml> will
show you specifically what processes are started automatically.

If, on the slim chance these processes are not malevolent, Process Explorer +
Port Explorer might tell us a bit about them.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Chuck

I have been running SETI for more than 5 years without a problem. This
problem is relatively new so I doubt SETI is the problem.

I am in the process of checking into the other links you gave me.

I did do an update of my Windows XP software and there were several new
updates which I did not have. I have run another scan with HijackThis and
will post the results on the SWI Forum.

Please check this new scan for me.

It seems as though you are the only person with any ideas on how to deal
with the problem I have.

Xyzzz

OK, I have an idea. But we need to do this thru email, or IM (MSN / Yahoo
Messenger). Your choice.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Interrogative

cwadss said:
I have downloaded and run a HijackThis scan. I have registered on the SWI
Forum and posted a copy of this request for help and a copy of my logfile
from the HijackThis scan.

Let me know if you have any other advice.

Post the results here. I can look at it for you. I use it almost daily on a
lot of different machines.

You might also download RootkitRevealer from www.sysinternals.com and check
it out.