
Thread: Re: XEVSJGB

  1. #1
    forte agent Guest

    Re: XEVSJGB

    What is the set of files that were loaded from a web site I was
    looking at last night while researching re-inking kits?
    The files were xevsjgb.exe and xevsjb.dll.
    My computer now tries to dial out when I start up. ZoneAlarm reports
    Windows Explorer trying to access the internet.

  2. #2
    Dick Hazeleger Guest

    Re: XEVSJGB

    forte agent wrote:

    > What is the set of files that were loaded from a web site I was
    > looking at last night while researching re-inking kits?
    > The files were xevsjgb.exe and xevsjb.dll.
    > My computer now tries to dial out when I start up. ZoneAlarm reports
    > Windows Explorer trying to access the internet.


    Hi "Forte Agent",

    What it IS, I don't know, except it is a dialer... My suggestions are
    those mostly suggested here:

    1. Run AdAware (be sure to get build 181 and the most recent update)
    2. Run Spybot Search and Destroy (also updated to the most recent
    definitions)
    3. Run HiJack this (just in case)

    if all this comes to no result...

    4. Run TDS3 (Trojan Defense Suite) to see whether you have a trojan
    aboard.

    Running SpywareBlaster occasionally when your system has been cleaned
    of whatever is trying to phone home isn't a bad idea either.

    In the above I assumed that you have an active and updated AV-program
    running on your system and that you already executed a system scan...
    If not... then do so!

    Adaware: www.lavasoft.de
    Spybot Search and Destroy: http://security.kolla.de/
    HiJack This: http://www.spywareinfo.com/~merijn/
    TDS3: http://www.diamondcs.com.au/
    SpywareBlaster: www.javacoolsoftware.com

    Av-programs:

    www.symantec.com
    www.macafee.com
    www.sophos.com
    www.grisoft.com

    And I am sure I forgot a few. Hope this helps getting you on the road
    again!
    Dick

  3. #3
    mto Guest

    Re: XEVSJGB


    "forte agent" <pgmeyer@gte.net> wrote in message
    news:rpcaivsb22dqsl076s5iman9ies8e5etgp@4ax.com...
    > What is the set of files that were loaded from a web site I was
    > looking at last night while researching re-inking kits?
    > The files were xevsjgb.exe and xevsjb.dll.
    > My computer now tries to dial out when I start up. ZoneAlarm reports
    > Windows Explorer trying to access the internet.


    Google has no clue. Try Spybot Search and Destroy and AdAware - make sure
    you update both after downloading before running them. (They are both free)
    When you're done make sure you run the Immunize function in Spybot advanced
    mode.



  4. #4
    Dick Hazeleger Guest

    Re: XEVSJGB

    mto wrote:

    >
    > "forte agent" <pgmeyer@gte.net> wrote in message
    > news:rpcaivsb22dqsl076s5iman9ies8e5etgp@4ax.com...
    > > What is the set of files that were loaded from a web site I was
    > > looking at last night while researching re-inking kits?
    > > The files were xevsjgb.exe and xevsjb.dll.
    > > My computer now tries to dial out when I start up. ZoneAlarm reports
    > > Windows Explorer trying to access the internet.

    >
    > Google has no clue. Try Spybot Search and Destroy and AdAware - make
    > sure you update both after downloading before running them. (They are
    > both free) When you're done make sure you run the Immunize function
    > in Spybot advanced mode.



    Hi MTO and Forte Agent,

    I did a bit of searching on "virus", "trojan" and "worm" in combination
    with "random file name" and in all categories quite a number of these
    critters that would match showed up, also one came up with the
    description "dialer" attached to it.

    Having said that, it seems to me that executing a system wide scan with
    an up-to-date AV-product (I mentioned only a few in my first reply)
    would be the first thing to do, to make sure that something of a
    virus/trojan/backdoor is lurking on the system. After that I would
    advise FA to run BOTH AA and SS&D. For immunizing I would advise both
    SS&D's immunize option AND SpywareBlaster (Which is advised to be the
    better one of the two, even by Patrick).

    Regards
    Dick

  5. #5
    mto Guest

    Re: XEVSJGB


    "Dick Hazeleger" <Dick@post_it_in_the_newsgroup.com> wrote in message
    news:viatctsmsk36f5@corp.supernews.com...
    > mto wrote:
    >
    > >
    > > "forte agent" <pgmeyer@gte.net> wrote in message
    > > news:rpcaivsb22dqsl076s5iman9ies8e5etgp@4ax.com...
    > > > What is the set of files that were loaded from a web site I was
    > > > looking at last night while researching re-inking kits?
    > > > The files were xevsjgb.exe and xevsjb.dll.
    > > > My computer now tries to dial out when I start up. ZoneAlarm reports
    > > > Windows Explorer trying to access the internet.

    > >
    > > Google has no clue. Try Spybot Search and Destroy and AdAware - make
    > > sure you update both after downloading before running them. (They are
    > > both free) When you're done make sure you run the Immunize function
    > > in Spybot advanced mode.

    >
    >
    > Hi MTO and Forte Agent,
    >
    > I did a bit of searching on "virus", "trojan" and "worm" in combination
    > with "random file name" and in all categories quite a number of these
    > critters that would match showed up, also one came up with the
    > description "dialer" attached to it.
    >
    > Having said that, it seems to me that executing a system wide scan with
    > an up-to-date AV-product (I mentioned only a few in my first reply)
    > would be the first thing to do, to make sure that something of a
    > virus/trojan/backdoor is lurking on the system. After that I would
    > advise FA to run BOTH AA and SS&D. For immunizing I would advise both
    > SS&D's immunize option AND SpywareBlaster (Which is advised to be the
    > better one of the two, even by Patrick).
    >
    > Regards
    > Dick


    In general I have found Google to be pretty efficient at hunting up a
    specific exe or dll name - which is what I meant when I said that Google had
    no clue. I agree that this is either a random name virus/trojan/etc. or
    something new that just hasn't been posted about anywhere yet.



  6. #6
    mto Guest

    Re: XEVSJGB


    "Dick Hazeleger" <Dick@post_it_in_the_newsgroup.com> wrote in message
    news:vib0fit6966341@corp.supernews.com...
    > mto wrote:
    >
    > >
    > > "Dick Hazeleger" <Dick@post_it_in_the_newsgroup.com> wrote in message
    > > news:viatctsmsk36f5@corp.supernews.com...
    > > > mto wrote:
    > > >
    > > > >
    > > > > "forte agent" <pgmeyer@gte.net> wrote in message
    > > > > news:rpcaivsb22dqsl076s5iman9ies8e5etgp@4ax.com...
    > > > > > What is the set of files that were loaded from a web site I was
    > > > > > looking at last night while researching re-inking kits?
    > > > > > The files were xevsjgb.exe and xevsjb.dll.
    > > > > > My computer now tries to dial out when I start up. ZoneAlarm
    > > > > > reports Windows Explorer trying to access the internet.
    > > > >
    > > > > Google has no clue. Try Spybot Search and Destroy and AdAware -
    > > > > make sure you update both after downloading before running them.
    > > > > (They are both free) When you're done make sure you run the
    > > > > Immunize function in Spybot advanced mode.
    > > >
    > > >
    > > > Hi MTO and Forte Agent,
    > > >
    > > > I did a bit of searching on "virus", "trojan" and "worm" in
    > > > combination with "random file name" and in all categories quite a
    > > > number of these critters that would match showed up, also one came
    > > > up with the description "dialer" attached to it.
    > > >
    > > > Having said that, it seems to me that executing a system wide scan
    > > > with an up-to-date AV-product (I mentioned only a few in my first
    > > > reply) would be the first thing to do, to make sure that something
    > > > of a virus/trojan/backdoor is lurking on the system. After that I
    > > > would advise FA to run BOTH AA and SS&D. For immunizing I would
    > > > advise both SS&D's immunize option AND SpywareBlaster (Which is
    > > > advised to be the better one of the two, even by Patrick).
    > > >
    > > > Regards
    > > > Dick

    > >
    > > In general I have found Google to be pretty efficient at hunting up a
    > > specific exe or dll name - which is what I meant when I said that
    > > Google had no clue. I agree that this is either a random name
    > > virus/trojan/etc. or something new that just hasn't been posted about
    > > anywhere yet.

    >
    > Errrr... *if* the file name is really _random_, then there is little to
    > report. I'd love to have those two files mailed to me for analysis (and
    > I think so would the AA developer's team and Patrick Kolla).
    >
    > Dick


    Yeah - that is my point. A random file name will likely never show up in
    Google. Known file names for most spyware sooner or later do.



  7. #7
    mto Guest

    Re: XEVSJGB


    "forte agent" <pgmeyer@gte.net> wrote in message
    news:kjtbiv0erlkqvd7gcqq1g6bf2b9pmcdhk8@4ax.com...
    > FYI I did run Norton AV, Spybot 1.2, latest AdAware build. I ran Norton
    > Win Doctor and found xevvsjgb.exe referenced as being in start and
    > Windows\system, and missing. Ran a search and found the exe in
    > windows/temp and the dll in two locations. I deleted the
    > files xevsjgb.exe and xevsjgb.dll, edited the registry to remove the
    > reference to the executable but cannot find where my dialer program
    > is getting the call to start up as soon as Windows is finished loading.
    > I even tried the boot logging option to see if it recorded it. No
    > luck so far.


    Did you check under Tools in Spybot advanced mode? You'll find a couple of
    tabs there of particular interest - lists all your BHO's, start programs,
    ActiveX, start & search pages, etc. etc.



  8. #8
    Jay T. Blocksom Guest

    Re: XEVSJGB

    On Tue, 29 Jul 2003 04:33:17 GMT, in <alt.privacy.spyware>, forte agent
    <pgmeyer@gte.net> wrote:
    >

    [snip]

    Please don't top-post. Please *DO* trim out unnecessary/irrelevant parts of
    the posts you're quoting.

    > FYI I did run Norton AV, Spybot 1.2, latest AdAware build. I ran Norton
    > Win Doctor and found xevvsjgb.exe referenced as being in start and
    > Windows\system, and missing. Ran a search and found the exe in
    > windows/temp and the dll in two locations. I deleted the
    > files xevsjgb.exe and xevsjgb.dll, edited the registry to remove the
    > reference to the executable but cannot find where my dialer program
    > is getting the call to start up as soon as Windows is finished loading.
    > I even tried the boot logging option to see if it recorded it. No
    > luck so far.

    [snip]

    Offhand, it sounds like your system is pretty well hosed. It's clear that
    you picked up a rather nasty parasite; but inasmuch as it is as yet
    unidentified, a "surgical" excision is probably not feasible/reliable.
    Hence, your best bet is to wipe the disk and restore from your most recent
    (but pre-infection, of course) known-good full-system backup.

    Then improve your system setup and operating habits so that something like
    this won't happen again.

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net


    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this E-Mail address is expressly prohibited
    under USC Title 47, Section 227. Violators are subject to charge of up to
    $1,500 per incident or treble actual costs, whichever is greater.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  9. #9
    forte agent Guest

    Re: XEVSJGB

    On Tue, 29 Jul 2003 05:55:38 -0400, "mto" <nobody@nowhere.com> wrote:
    Unfortunately I didn't. It appears to be a "drive by install" that
    someone put in every page I accessed on the web site. Using Norton
    Utilities to remove references to the 4 versions (it turned out) that
    were installed, I then had to shut down and go into DOS mode to delete
    the set that was running under Windows (98SE). Thank god for DOS and an
    old DOS version of LapLink Pro. Whoever wrote the scripting definitely
    made some mistakes and assumptions for loading it. FYI the web site is
    www.stratitec.com. They do make a decent ink refill kit. This may have
    been hacked from the outside or by whoever hosts the web site.
    >
    >"forte agent" <pgmeyer@gte.net> wrote in message
    >news:kjtbiv0erlkqvd7gcqq1g6bf2b9pmcdhk8@4ax.com...
    >> FYI I did run Norton AV, Spybot 1.2, latest AdAware build. I ran Norton
    >> Win Doctor and found xevvsjgb.exe referenced as being in start and
    >> Windows\system, and missing. Ran a search and found the exe in
    >> windows/temp and the dll in two locations. I deleted the
    >> files xevsjgb.exe and xevsjgb.dll, edited the registry to remove the
    >> reference to the executable but cannot find where my dialer program
    >> is getting the call to start up as soon as Windows is finished loading.
    >> I even tried the boot logging option to see if it recorded it. No
    >> luck so far.

    >
    >Did you check under Tools in Spybot advanced mode? You'll find a couple of
    >tabs there of particular interest - lists all your BHO's, start programs,
    >ActiveX, start & search pages, etc. etc.
    >



  10. #10
    forte agent Guest

    Re: XEVSJGB

    On Wed, 30 Jul 2003 01:08:27 -0400, Jay T. Blocksom
    <usenet01+SPAMBLOCK@appropriate-tech.net> wrote:


    >
    >Then improve your system setup and operating habits so that something like
    >this won't happen again.

    This is something that the programs (I have) have not encountered in
    this form, or there is a setting I missed. It's relatively simple,
    small, crudely done, loads fast (a 486DX2 might be slow enough to be
    able to stop it from loading) or I would not have been able to remove
    the parts I found. It appears to be dependent on inserting a run
    reference in the reg.
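
Added example, not part of any post in this thread: post #10 ties the dialer's startup to a Run reference in the registry, and the earlier posts found the exe in windows/temp plus references to files that were missing. The Python sketch below audits a REGEDIT4-style export of the autostart keys for those two signs; the sample export, the function names and the `existing` file set are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample export of autostart keys (illustrative, not from the thread).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"xevsjgb"="C:\\WINDOWS\\TEMP\\xevsjgb.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\upd.exe\" /quiet"
'''

AUTOSTART = re.compile(r'\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$', re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):  # .reg exports escape backslashes and quotes in values
    return re.sub(r'\\(.)', r'\1', text)

def command_path(cmd):
    """Return the executable part of an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.(?:exe|com|bat|scr|pif|dll))\b', cmd, re.I)
    return m.group(1) if m else cmd.split(' ', 1)[0]

def audit_run_keys(export_text, existing=None):
    """Flag autostart values run from a temp dir or missing from `existing` (lower-cased paths)."""
    findings, key = [], None
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1] if AUTOSTART.search(line[1:-1]) else None
            continue
        m = VALUE.match(line)
        if not (key and m):
            continue
        name, target = unescape(m.group(1)), PureWindowsPath(command_path(unescape(m.group(2))))
        reasons = []
        if any(part.lower() in ('temp', 'tmp') for part in target.parts):
            reasons.append('runs from a temp directory')
        if existing is not None and target.is_absolute() and str(target).lower() not in existing:
            reasons.append('target file is missing')
        if reasons:
            findings.append((key, name, str(target), reasons))
    return findings
```

Bare names such as `SysTray.Exe` are resolved through the search path at startup, so the missing-file check is applied only to absolute paths.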
