New hidden directory

[Jan Schejbal]

Hello!
I have found a hidden directory called "c-dilla" in C:\
It contains a subdirectory "SafeCast Product Licences", which contains
a file named "96740EDE.DAT". The file contains only "waste" (it could
be encrypted)
Does anyone here know what it is???
Jan

--
Use "FROM NG" in the subject of e-mail replies, please.
A filter deletes all mails without this string.
Bei e-Mail-Antworten bitte im Betreff "FROM NG" verwenden,
sonst wird die Mail ungelesen gelöscht!

[YK]

Jan Schejbal wrote:
> Hello!
> I have found a hidden directory called "c-dilla" in C:\
> It contains a subdirectory "SafeCast Product Licences", which contains
> a file named "96740EDE.DAT". The file contains only "waste" (it could
> be encrypted)
> Does anyone here know what it is???
> Jan

It is an application that is used to varify correct product licensing:
http://security.kolla.de/index.php?l...spybots-cdilla

Note: Lots of hits about this in Google.

Get SpyBot available from
http://tomcoyote.org/SPYBOT/ and update the reference files
through their Online update function. Run them and select all items and
remove.
You may have to reboot and rerun a couple of times to completely remove
them.
Also run the Immunize function to
prevent these nasties from installing again.

SpywareBlaster
http://www.javacoolsoftware.com/spywareblaster.html
Update the reference file through the online update function.

Install a good HOSTS file to help stop these nasties from installing.
http://asp.flaaten.dk/proxo/topic.asp?TOPIC_ID=1311
http://asp.flaaten.dk/proxo/hosts.zip

[BxP9]

Here is how to remove C-Dilla spyware it if you used Quicken product
including TurboTax
http://www1.turbotaxsupport.com/defa...rm=1&docid=836


"Jan Schejbal" <me@privacy.net> wrote in message
news:bfjic9$et8hq$2@ID-180386.news.uni-berlin.de...
> Hello!
> I have found a hidden directory called "c-dilla" in C:\
> It contains a subdirectory "SafeCast Product Licences", which contains
> a file named "96740EDE.DAT". The file contains only "waste" (it could
> be encrypted)
> Does anyone here know what it is???
> Jan
>
> --
> Use "FROM NG" in the subject of e-mail replies, please.
> A filter deletes all mails without this string.
> Bei e-Mail-Antworten bitte im Betreff "FROM NG" verwenden,
> sonst wird die Mail ungelesen gelöscht!
>

[Jay T. Blocksom]

On Tue, 22 Jul 2003 16:40:02 +0200, in <alt.privacy.spyware>, "Jan Schejbal"
<me@privacy.net> wrote:
>
> Hello!
> I have found a hidden directory called "c-dilla" in C:\
> It contains a subdirectory "SafeCast Product Licences", which contains
> a file named "96740EDE.DAT". The file contains only "waste" (it could
> be encrypted)
[snip]

You have a major problem:

<http://www.extremetech.com/print_article/0,3998,a=36813,00.asp>

See particularly the sub-section entitled "We Uncover Low-Level Monkey
Business".

The only really effective cure for this is to LLF the hard disk. This will
require a dedicated utility from the manufacturer; then you'll need to
reformat and reload all software (except whichever one bundled the C-Dilla
trojan, of course) and data files from scratch. Obviously, you'll want to
make at least two (remember Murphy's Law!) verified-good full-system backups
before you start this process.

--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net


"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -