weird xp behaviour

Anyone heard of something that can open Start/Run and auto-paste a URL with an .exe in the URL, which automatically downloads and tries to install?

I've not seen anything like it before; all I can think of is an exploit in Opera (I'm using v9). I've run nothing from emails, or used any bad files that I know of (I'm an experienced PC user). I've killed the process and found the thing in RUN and RUNONCE. This happened once last week and I fixed it with a different URL to the one I have today.

I've also noticed it pasting the URL into open windows.




Re: weird xp behaviour

What URL/file is it pointing to?

... and have you run the file through Jotti's online scanner?

http://virusscan.jotti.org

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!



Re: weird xp behaviour


Today it's http://65.98.57.2/~zuluzet/.../x.exe ; it was a different URL last time, with msconfig2.exe filename.

Online scan reveals the file is (quite an old one?):

AntiVir Found Worm/Rbot.193504
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found IRC/BackDoor.SdBot2.FWA
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Win32.HLLW.MyBot
F-Prot Antivirus Found nothing
Fortinet Found W32/RBot.BFA!tr.bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.bfa
NOD32 Found a variant of Win32/Rbot
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.Rbot.bfa



Re: weird xp behaviour

Most likely a new variant rather than an old one.

Download yourself the trial copy of both of the following and allow them to run full system scans (after updating the sig files of course).

Might want to see if you can identify the process that's causing it as well. HJT will help with this.

www.merijn.org

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!



Re: weird xp behaviour

Helps if I mention the apps, lol.

1. Ewido - www.ewido.com
2. NOD32 - www.eset.com

Might also want to get WinPatrol if you don't already have it.

www.winpatrol.com

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!



Re: weird xp behaviour


Cheers Steve

I'm on XP64 tho :), I seem to be clear at the mo, turfed out the offending thing from my registry, wondering if there's any more reports of similar behaviour in the wild; no idea where this came from as I'm really damn careful with what I open.

mark



Re: weird xp behaviour

Do you remember what the offending entry contained?

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!



Re: weird xp behaviour

Usual LSA / start run and services stuff, and it was a 3 letter exe starting with A. Too late now, a reboot trashed the machine :( - lost the network workgroup, tried to recreate and ended up with a bluescreen on boot, no safe mode or anything. I won't try a repair, I think a new machine is due anyway!

mark
 



Re: weird xp behaviour

somewhere@in-time.invalid says...
Steven, BugHunter can now pick this one up as well. It's compressed with
PECompact2...


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool
Version 1.9.2 Released August 15th, 2006
Last Pattern Update: August 15th, 2006
http://bughunter.it-mate.co.uk
