Hmm, what is this and how to get rid of it?

Theo

Hi all

Last couple of days I've been trying to rid a relative's computers of the
nasties in them. Sometimes I succeed, sometimes not.

Let me describe the one that doesn't want to go away: it has a little popup
window inviting people to ask more about 'me' (me of course being a woman).
The program name is always some 5 digits and .exe. I've done the usual
(adware/spybot, system restore off, norton/housecall, hijackthis) yet it
keeps coming back. Any suggestions on what this might be?

Thx

kurt wismer

Theo said:
Hi all

Last couple of days I've been trying to rid a relative's computers of the
nasties in them. Sometimes I succeed, sometimes not.

Let me describe the one that doesn't want to go away: it has a little popup
window inviting people to ask more about 'me' (me of course being a woman).
The program name is always some 5 digits and .exe. I've done the usual
(adware/spybot, system restore off, norton/housecall, hijackthis) yet it
keeps coming back. Any suggestions on what this might be?

it's generally not possible to diagnose a virus by symptoms alone... if
you think you have a virus, scan your drive... if you think you have a
virus your scanner can't detect, try a different scanner or send a
sample of a file you suspect as being affected to your anti-virus
developer for analysis...

Theo

it's generally not possible to diagnose a virus by symptoms alone... if
you think you have a virus, scan your drive... if you think you have a
virus your scanner can't detect, try a different scanner or send a
sample of a file you suspect as being affected to your anti-virus
developer for analysis...

The thing is, NAV recognises the end process but it is not able to do
anything about it (saying it's locked or whatever). Those are easy enough to
find and get rid of manually. But something else keeps bringing it back
under a new 5 digit number. Another strange thing, the firewall isn't
preventing these processes from starting, as it's supposed to whenever
something new tries to start.

I'm hoping the names (similar to 84726.exe) might provide a clue.

Around the same time the computer got hit with a porn dialer... and
hopefully that one is gone now (crossing my fingers).

Gabriele Neukam

On that special day, Theo, ([email protected]) said...
The thing is, NAV recognises the end process but it is not able to do
anything about it (saying it's locked or whatever). Those are easy enough to
find and get rid of manually. But something else keeps bringing it back
under a new 5 digit number. Another strange thing, the firewall isn't
preventing these processes from starting, as it's supposed to whenever
something new tries to start.

Obviously, there is a parent process which is creating these dialers (I
assume it is dialer software), and that this specific one isn't found
itself by NAV.

Maybe you can find it manually with a Process Viewer, which shows more
than a few entries in the task manager.

http://www.blumentals.net/products/procview.php
http://www.ltn.lv/~kblums/download/pview.exe

or another one

http://www.majorgeeks.com/download4246.html

Check if there are things running in the background which shouldn't be
there; one of them might be surveying the system for the existence of
the dialer and, if it isn't there, write it anew.

Do all this in Safe Mode, to get rid of it. And purge the system
restoration.


Gabriele Neukam

(e-mail address removed)

Theo

On that special day, Theo, ([email protected]) said...


Obviously, there is a parent process which is creating these dialers
(I assume it is dialer software), and that this specific one isn't
found itself by NAV.

Maybe you can find it manually with a Process Viewer, which shows more
than a few entries in the task manager.

http://www.blumentals.net/products/procview.php
http://www.ltn.lv/~kblums/download/pview.exe

or another one

http://www.majorgeeks.com/download4246.html

Check if there are things running in the background which shouldn't be
there; one of them might be surveying the system for the existence of
the dialer and, if it isn't there, write it anew.

Do all this in Safe Mode, to get rid of it. And purge the system
restoration.


Gabriele Neukam

(e-mail address removed)

Thank you. I happened upon Process Viewer about an hour ago and will add it
to my tools disk. Tomorrow I will see what it shows when I go do my
housecall. One thing, I'm not sure the parent would still be running after
the popup is displayed since I don't think it reappears once the popup
process is ended... but I might get lucky. If not, is there a way to see what
process started another even when it's not running? Or another program that
keeps a log during startup on which processes started what?

Thanks

Theo

the processes are displayed in trees, 1st branch is the process that
spawned the others on it.. and if you double click a process or right
click and select properties, it displays the parent process

Yes that's the one. I tried it out by having my newsreader open explorer,
and it shows the newsreader as the parent. But once it is closed, explorer
is still there but the parent is not. It may not work this way at all. It's
possible also that the other program looks for the trojan, finds it's not
there, so puts it back in... only to be seen on the next reboot. More trial
and error.
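The parent-process point raised above can be checked without a GUI tool. The script below is an added example, not something posted in the thread or shipped with any of the tools it mentions: it snapshots Win32_Process, picks out any image whose name is five digits plus .exe (the pattern is an assumption taken from the 84726.exe example), and walks the ParentProcessId links for each one. Windows keeps the parent PID on the child even after the parent has exited, so a dead parent still leaves a numeric lead.

```powershell
# Added example (not from the thread): find processes named like 84726.exe
# and show the chain of processes that spawned each one.
# Assumption: the suspect names are exactly five digits followed by .exe.
$suspectPattern = '^\d{5}\.exe$'

# One snapshot of all processes, indexed by PID, so the walk is consistent
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

function Get-ProcessChain {
    param([uint32]$ProcessId)
    # Follow ParentProcessId upwards until the chain breaks or a PID repeats
    $chain = @()
    $seen  = @{}
    $current = $byPid[$ProcessId]
    while ($current -and -not $seen.ContainsKey([uint32]$current.ProcessId)) {
        $seen[[uint32]$current.ProcessId] = $true
        $chain += "$($current.Name) [$($current.ProcessId)]"
        $parentId = [uint32]$current.ParentProcessId
        if ($byPid.ContainsKey($parentId)) {
            $current = $byPid[$parentId]
        } else {
            # Parent already exited; the PID is still recorded, so keep it as a lead
            $chain += "<exited> [$parentId]"
            $current = $null
        }
    }
    return ($chain -join ' <- ')
}

$procs |
    Where-Object { $_.Name -match $suspectPattern } |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            PID         = $_.ProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Started     = $_.CreationDate
            Chain       = Get-ProcessChain -ProcessId $_.ProcessId
        }
    } |
    Format-List
```

One caveat when reading the output: a parent PID of a process that has already exited may have been reused by an unrelated process started later, so an `<exited>` entry is a clue to chase in a boot-time log, not a confirmed culprit. Running it from Safe Mode, as suggested earlier in the thread, keeps the list short enough to read by eye.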

Theo

but once it is closed, the newsreader isn't in the process list anymore
since it isn't running, did you double click the new explorer to view
its parent from the properties window? it *should* still show the
parent in the properties window of the new process, it did in the test
i tried

I didn't see that before. Very convenient.

Another thing for me to check is if maybe the other xp computer on the home
network is sending them out. But it isn't displaying anything on its own
screen.

Thanks :)

john smith

but once it is closed, the newsreader isn't in the process list anymore since
it isn't running, did you double click the new explorer to view its parent
from the properties window? it *should* still show the parent in the
properties window of the new process, it did in the test i tried

you could always get filemon from that same site, sysinternals.com, then you
could view real-time what process creates the file with the random 5 digits,
have it load at boot time, and use the find option for the exe name? :D
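For the "watch the file appear" approach suggested above, here is an added example that is not from the thread or from Sysinternals: it watches a few folders for the creation of files named like 12345.exe and logs each event. The .NET FileSystemWatcher does not report which process wrote the file (that is what Filemon adds), so as a substitute the script records every process that started within a short window before the file appeared; those are candidates, not proof. The watched folders, the log path and the ten-second window are assumptions.

```powershell
# Added example (not from the thread): log creation of five-digit .exe files
# and list processes that started shortly before each one as candidate creators.
# Assumptions: the folders below are where the file gets dropped, and a 10 s
# window is wide enough to catch the parent that wrote it.
$config = @{
    Pattern = '^\d{5}\.exe$'
    Window  = [TimeSpan]::FromSeconds(10)
    LogPath = Join-Path $env:USERPROFILE 'Desktop\dropper-watch.log'
}
$watchDirs = @(
    $env:SystemRoot,
    (Join-Path $env:SystemRoot 'System32'),
    $env:TEMP
)

# Handler receives $config through -MessageData, so it needs no outer variables
$onCreated = {
    $cfg  = $Event.MessageData
    $args = $Event.SourceEventArgs
    if ($args.Name -notmatch $cfg.Pattern) { return }

    $when = Get-Date
    # Processes whose start time falls inside the window before the file appeared
    $recent = Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CreationDate -and (($when - $_.CreationDate) -le $cfg.Window) } |
        ForEach-Object { "$($_.Name) [$($_.ProcessId)] parent=$($_.ParentProcessId)" }

    $line = "{0:s} CREATED {1}`n  processes started in the last {2}s: {3}" -f `
        $when, $args.FullPath, $cfg.Window.TotalSeconds, ($recent -join '; ')
    Add-Content -Path $cfg.LogPath -Value $line
}

$watchers = foreach ($dir in $watchDirs) {
    if (-not (Test-Path $dir)) { continue }
    $w = New-Object System.IO.FileSystemWatcher $dir
    $w.Filter = '*.exe'
    $w.IncludeSubdirectories = $false
    $w.EnableRaisingEvents = $true
    Register-ObjectEvent -InputObject $w -EventName Created -Action $onCreated -MessageData $config | Out-Null
    $w
}

Write-Host "Watching $($watchers.Count) folder(s); log at $($config.LogPath). Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 1 }
```

Leave it running across the reboot and popup cycle described earlier in the thread; the log then gives a timestamp for each reappearance and a short list of processes to look at in the process viewer. Compare the `parent=` values against the chain of the popup process itself to narrow the candidates.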