SexNow dialer

[Dick]

Add me to the list of people who have had my Dell computer only one day
and all I ever did yesterday was do Windows and Norton antivirus
updates. I did not go to any risky web site and had the Windows XP
firewall up from the very first time I got on the internet yesterday.
Now I do not know what to do. Should I let Ad-aware delete these
entries and let it go at that or should I also uninstall and reinstall
WordPerfect Office 11?

Ad-aware 6.0 reported the following:

Vendor:S-e-xNow Dialer
Category:Malware
Object Type:RegKey
Size:-
Location:CdrPDF.PDFEngine\
Last Activity:2-11-2004
Risk LevelLow
Comment{A2524FF1-50C1-11d3-8EA3-0090271BECDD})
Description:No Detail Information Available


Vendor:S-e-xNow Dialer
Category:Malware
Object Type:RegKey
Size:-
Location:CdrPDF.PDFEngine.2\
Last Activity:2-11-2004
Risk LevelLow
Comment{A2524FF1-50C1-11d3-8EA3-0090271BECDD})
Description:No Detail Information Available



Thanks Dick

 

[Lanwench [MVP - Exchange]]

Remove whatever AdAware wants you to. It quarantines by default anyway if
you were to need anything back (unlikely).

 

[purplehaz]

Sounds like spyware or a home page hijacker.

Run these tools weekly
spybot -- http://www.safer-networking.org/
ad-aware -- http://www.lavasoftusa.com/
HiJackThis - http://mjc1.com/mirror/hjt/



I know you say you didn't goto any risky websites, but you must have or you
installed suspect software like kazaa or something. I have never had one of
these dialers install on any of my machines in 8 years of computing. You had
to have gone somewhere or installed something you shouldn't have. Be careful
out there.

 

[Dick]

I am very careful, I always have my firewall up and I always have my
virus definitions up to date and my Windows updates current. If I end
up on a porn site by mistake I get out of there as fast as I can, but I
can guarantee you I was not on any the first day I had my computer and I
was busy all day setting it up.

Thanks for taking the time to try and be helpful and replying to my message.

Dick

 

[purplehaz]

You're welcome. (don't you just hate those spyware creating scumbags)

 

[Steve Nielsen]

Dick,

It is widely misconceived that you have to visit a porn site to get hit
by drive-by downloads of sex-dialers and website-redirectors. People are
spoofing websites and links out there and I know of at least two cases
where something like this has happend quite recently. One by merely
viewing a tech oriented website resulted in a drive-by download and
install of a nasty trojan and another where a web search and clicking on
a search hit resulted in a mini-dailer being installed, both without
knowledge or consent of the users.

I believe these get in due to inherent vulnerabilities of un-patched IE
and the OS iteslf, so it makes sense that a new, yet to be updated &
patched PC would be vulnerable. We've bought a lot of Dells and the
majority arrive without a current service pack and none arrive with any
vulnerability patches installed. Dell is not the only company not
keeping up, I've seen other brands this way as well.

I realize this may be next to impossible to do in a home setting, but
what we do is keep up-to date service packs and security patches on CD,
then when we get a new machine out of the box (from anywhere) we apply
the current SP and most important security patches before ever
connecting the network.

Steve

 

[Bruce Chambers]

Greetings --

When visiting porn sites, always be careful not to
download/install their "free" viewers. You'll get more than expected,
every time. To repair the current situation, uninstall the
"viewer(s)" provided and then use Ad-Aware from www.lavasoft.de and
SpyBot Search and Destroy from www.safer-networking.org/ to clean up
any residue. Both have free versions for personal use.

You should also try using MSConfig to see if something is being
started each time you reboot.

Additionally, Look in the C:\Documents and Settings\All
Users\Start Menu\Programs\Start Up and C:\Documents and
Settings\username\Start Menu\Programs\Start Up folders, and in the
system registry, primarily in the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys.

How to Troubleshoot By Using the Msconfig Utility in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;310560


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[Hernan R. Silva]

If you read the subsequent reply to my post in alt.privacy.spyware from
Aaron Hulett, Chief Research Officer, Research & Development, Nicolas Stark
Computing AB (Lavasoft), he stated:

The items referenced in the log are not present in detection. In other
words, the scanning engine is locating these registry subkeys on its own.
However, there's nothing else in the scan log (or the portions that were
posted) that would cause the engine to do so.


SexNow Dialer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CdrPDF.PDFEngine

SexNow Dialer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CdrPDF.PDFEngine.2

<<<<

What is the content of these subkeys? Does it reference any files?

These two keys do not reference any files, at least in my system. In fact,
there is no C:\WINDOWS\sexnow.exe, nor does the file exist anywhere in my
system.

From what I could find in the post "WPWin10: PDF UI error in SP2 version" at
news://cnews.corel.com/corel.wpoffice.wordperfect-faq, upon inspection of
the attachment cdrpdf.reg, these two keys appear to be valid WordPerfect
Office 11 keys, differing from their WordPerfect 10 counterparts only
slightly in the value of CLSID, as had been noted in my post below. I expect
that if you were to delete these keys and then uninstall and reinstall
WordPerfect Office 11, they would return. These two keys and the
corresponding CdrPDF DLL's appear to have nothing to do with the SexNow
Dialer and everything to do with WordPerfect's Publish to PDF feature.

HTH,

Hernan