WOTP F@##@$ing spyware!!!

Started by Grimsnipe, March 26, 2004, 08:58:46 AM

ulthar

Ash, a few quick points.

(1) You said it looks like a normal Windows download box.  That's because the program is using the Windows code to generate it.  That's easy to do, and is quite common (even for legit programs).  Just because it looks 'normal' in that sense, does not mean the program CALLING the download box is legit.

(2) If it is a true trojan, Adaware, et al, probably won't catch it.  Here's where your antivirus software comes in, and you will need your definitions up to date.  If you are running NAV or McAfee, you should be able to find it.

(3) If your antivirus software doesn't catch it with updated definitions, send THEM an email.  If this is really new, or undocumented, you will probably do a LOT of people a BIG favor by reporting it.

(4) Which version of Windows are you running?  If you are running 2000 or XP, you should be able to pull up all running processes on your computer in Task Manager.  Go through the list one by one and verify that each is a legit process (if you are not familiar with the 'normal' windows processes, you can do a google search for the name of the process, like systray.exe for example, and you will be able to find info about legit ones).  I *HAVE* heard of a virus running that managed to hide itself from the process list, but this is relatively rare.  Once you know the actual name of the process (like xyz.exe), you may be able to find more information on it, or at least kill it.  Also, once you have the name of the running file, you will have the information you need to find it (on disk and in registry) and clean your system.

Hope this helps, some.  Good Luck.

------------------------------------------------------------------------------------------------

Professor Hathaway:  I noticed you stopped stuttering.
Bodie:      I've been giving myself shock treatments.
Professor Hathaway: Up the voltage.

--Real Genius

ulthar

I just thought of two more things to mention:

(1) Do you have a port scanner on your computer?  If not, get one and scan your box for open ports.  micronet utilities has a free one that works pretty well.  If your box is backdoored, this may help you find it.  Port scans can take a very, very long time, so set it up to run when you won't be using your computer for several hours.

(2) If the code doing what you describe is a true virus, it will not show up in the task manager as its own process.  A virus attaches itself to another process and runs from there.  If that's the case, a file-by-file compare between your files and known good ones will be the only way to catch it if your av software does not catch it.  Most versions of Windows have a way to do this for important system files, but again, it will take a while.

Good Luck.
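
The file-by-file comparison against known good copies that ulthar describes in the two posts above can be scripted.  The following is an added example, not code from this thread or from any poster: it takes a SHA-256 manifest of a directory while the machine is believed clean, stores it, and later diffs the live tree against that manifest to list files that were modified, added or removed.  The directory name, file names (systray.exe, xyz.exe) and file contents are constructed placeholders for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Run this while the system is known to be clean; the result is the
    'known good' reference the post talks about.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, out_path):
    """Write 'hash  path' lines; keep this copy off the machine or on read-only media."""
    with open(out_path, "w", encoding="utf-8") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")


def load_manifest(in_path):
    """Inverse of save_manifest."""
    manifest = {}
    with open(in_path, encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def compare_to_manifest(root, manifest):
    """Return (modified, added, missing) for the tree under root versus a saved manifest."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return modified, added, missing


def demo():
    """Constructed scenario: snapshot a fake 'system32', then tamper with it and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "system32"
        sys32.mkdir()
        # Constructed placeholder contents; the names echo the thread's examples.
        (sys32 / "systray.exe").write_bytes(b"placeholder: known-good systray")
        (sys32 / "explorer.exe").write_bytes(b"placeholder: known-good explorer")

        # Baseline is stored outside the tree being checked.
        manifest_path = root / "baseline.sha256"
        save_manifest(build_manifest(sys32), manifest_path)

        # Simulate what the post warns about: one system file altered in place,
        # an unknown executable dropped, and one expected file gone.
        (sys32 / "systray.exe").write_bytes(b"placeholder: known-good systray" + b"-tampered")
        (sys32 / "xyz.exe").write_bytes(b"placeholder: unknown program")
        (sys32 / "explorer.exe").unlink()

        return compare_to_manifest(sys32, load_manifest(manifest_path))


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("missing: ", missing)
```

The check is only as trustworthy as the baseline: take the manifest when the machine is known clean and keep it where a program on that machine cannot rewrite it.  The built-in Windows equivalent for system files, which is what the post alludes to, is System File Checker (`sfc /scannow`), which compares protected files against cached originals rather than against a manifest you made yourself.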

Ash

I ran an online virus scan (because I have no virus prevention software on my p.c.) and here's what it came up with, which seems to be the culprit.
I don't think it is a trojan at all but a newer type of spyware that neither Spybot S&D nor Ad-Aware can detect yet.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_RULEDOR.C

I found this ClrSrch crap in several different places on my p.c. and deleted it all.
The problem seems to be solved now.

Post Edited (03-28-04 19:09)

ulthar

ASHTHECAT wrote:


> I found this ClrSrch crap in several different places on my
> p.c. and deleted it all.
> The problem seems to be solved now.
>

Good Deal.  Glad to hear you got it fixed.

JohnL

>I'm sorry...compatibility with what? I've been using Mozilla Firebird for a while
>now and I have only seen ONE web site that had some java script buttons that
>did not render properly. Moz is faster and TONS more secure. If there is some

Well, I looked at Mozilla/Firebird just the other day and they say that they don't handle ActiveX at all. Most of the time I don't let IE run ActiveX anyway, but on sites with any kind of streaming files in RM format, it seems to be required. At least if I deny it in Explorer, the player window just comes up with the graphic place-holder and the video never plays. Note that I don't actually view streaming files, I simply start them so that URL Snooper can grab the URL, then I download them with Net Transport.

To those of you having a problem with adware/spyware, or who just want some tips on making your system more secure, you might want to check out the discussion forums at Freedom List. It's primarily a site devoted to helping people find a cheap ISP, but the discussion boards (link in the top right of the front page) cover a variety of topics, and adware/spyware removal is a favorite of the regulars. In fact, some of the people behind AdAware read the forums and will help people diagnose and remove adware/spyware. Actually, sometimes I think they emphasize programs like AdAware a little too much as they're often recommended as the first step in diagnosing pretty much every problem. Also, in either the help or computer protection forums, there is a post at the top for freeware programs like antivirus and such.

ulthar

JohnL wrote:

>
> Well, I looked at Mozilla/Firebird just the other day and they
> say that they don't handle ActiveX at all. Most of the time I
> don't let IE run ActiveX anyway, but on sites with any kind of
> streaming files in RM format, it seems to be required.

That's right, Moz is not ActiveX capable (for good reason).  Real Media 8 did NOT recognize Mozilla, but RealOne does.  Here's a Mozilla Plug-In faq with more details:

http://plugindoc.mozdev.org/faqs/firefox-windows.html

You could always do most of your general browsing with Mozilla, and if a site really did need IE, use IE for THAT site.  That would be a far more secure approach than using IE for everything.

JohnL

>Real Media 8 did NOT recognize Mozilla, but RealOne does.

I refuse to install RealOne.

>You could always do most of you general browsing with Mozilla, and if a site
>really did need IE, use IE for THAT site. That would be a far more secure
>approach than using IE for everything.

True.

ulthar

JohnL wrote:

>
> I refuse to install RealOne.
>

Fair enough.  As I read a bit more in that faq page (after I posted, sorry), I did see that RealPlayer 10 beta is supposed to be compatible with Firebird.  If you want to use beta software (some folks have a problem with that... being into Open Source, I personally don't mind using beta software).

Good luck, in any case.

Dirtcreature

Sorry if I'm saying something that has already been said, but I got halfway through the posts before feeling the need to post my own ideas here!

Whatever you do, DO NOT attempt to download any spyware killer programs from Kazaa like a friend of mine did. He told me that every time he did so (he tried 3 times), his virus killer intercepted and stopped each download, reporting that the program had 2 or 3 viruses (1 worm and one trojan horse) in each, at least. Also, the spykiller programs were originally acceptable programs that had been doctored then put out for download by possible virus spreaders.

Keep on your toes...

JohnL

>I did see that RealPlayer 10 beta is supposed to be compatible with Firebird. If

If I'm not mistaken, Real Player 10 is basically the same as RealOne, just renamed.

I know that Real Player 8 isn't exactly perfect, but I've seen several people say that RealOne is a huge piece of spyware that tries to connect to the Real servers at every opportunity, even when you just load the program.

>you want to use beta software (some folks have a problem with that..being into
>Open Source, I personally don't mind using beta software).

I don't mind beta software as long as it's stable and does what it's supposed to. For example, I've tried about 10 different versions of ffdshow, which is supposed to play DivX and a bunch of other formats, and I never found a version that worked properly. Some just crashed, some crashed my system, some didn't play the formats they were supposed to, etc.

zealot

I have a one-word answer.
Proxomitron