
Thread: cannot find spy

  1. #11
    Thrasher Remailer Guest

    Re: cannot find spy

    On , <galt_57@hotmail.com> wrote:
    >peter krom wrote:
    >> [...] AdAware from Lavasoft cannot find any spyware on my laptop...
    >> [...]

    >
    >You've only used Ad-Aware? This is insufficient, as I recently
    >discovered myself. Install Spybot S&D also. Also install Zonealarm.


    ZoneAlarm is OK, but Sygate Personal Firewall is better; it has much more ability to control outbound connections. It also has user-defined, rules-based processing.




  2. #12
    peter krom Guest

    Re: cannot find spy

    In article <87mi51d9pspumsj3mpkoqcnnnuiqqtlu7u@4ax.com>, "d11@anywhere.com" <> says...

    Here is the data you asked for. I am sorry, but I cannot format it so
    that it is more readable....


    Here is the saved data:


    HKLM\System\CurrentControlSet\Services
    + aswUpdSv Verschaft het automatisch bijwerken van avast! antivirus. c:\program files\alwil software\avast4\aswupdsv.exe
    + avast! Antivirus Behandelt en implementeert avast! antivirus diensten voor deze computer. Dit bevat de interne bescherming, de viruskluis en de planner. c:\program files\alwil software\avast4\ashserv.exe
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
    HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
    HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
    HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    + Explorer.exe c:\winnt\system32\explorer.exe
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + avast! avast! service GUI component c:\program files\alwil software\avast4\ashdisp.exe
    + ButtonLed NEC Illumination Buttons Utility (Not verified) NEC Corporation c:\winnt\btnled.exe
    + HP Component Manager HP Framework Component Manager Service (Not verified) Hewlett-Packard Company c:\program files\hp\hpcoretech\hpcmpmgr.exe
    + HPHmon05 HPHmon05 (Not verified) Hewlett-Packard c:\winnt\system32\hphmon05.exe
    + HPHUPD05 HPHupd05 (Not verified) Hewlett-Packard c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
    + NeroCheck NeroCheck (Not verified) Ahead Software Gmbh c:\winnt\system32\nerocheck.exe
    + Tweak UI User interface customization toy (Not verified) Microsoft Corporation c:\winnt\system32\tweakui.cpl
    + WLANSTA.EXE WLAN network adaptor Status Tray Applet (Not verified) IEEE 802.11b c:\winnt\system32\wlansta.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
    + CRLUpdate UPDCRL (Not verified) Microsoft Corporation c:\winnt\system32\updcrl.exe
    HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
    + PGPtray.lnk PGP System Tray Application (Not verified) Network Associates Technology, Inc. c:\program files\network associates\pgpnt\pgptray.exe
    + WLAN network adaptor Wireless LAN Configuration.lnk WLAN network adaptor Status Tray Applet (Not verified) IEEE 802.11b c:\winnt\system32\wlansta.exe
    C:\Documents and Settings\peter krom\Menu Start\Programma's\Opstarten
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    + mscheck c:\winnt\system32\explorer.exe
    + PopUpStopperFreeEdition Pop-Up Stopper Free Edition (Not verified) Panicware, Inc. c:\program files\panicware\pop-up stopper free edition\psfree.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Task Scheduler
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    + Google Toolbar Helper Google IE Client Toolbar (Not verified) Google Inc. c:\program files\google\googletoolbar2.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    + Eudora's Shell Extension File not found: C:\Program Files\Qualcomm\Eudora\EuShlExt.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    + avast avast! Shell Extension (Not verified) ALWIL Software c:\program files\alwil software\avast4\ashshell.dll
    + Eudora's Shell Extension File not found: C:\Program Files\Qualcomm\Eudora\EuShlExt.dll
    + IrfanView Extensions Krypter99 (Not verified) BAxBEx Software c:\program files\irfanview\ivex.dll
    + QuickPar ContextMenu extension File not found: C:\Program Files\QuickPar\QuickParShlExt.dll
    + Shell Extension PGP Shell Menu Extensions (Not verified) Network Associates Technology, Inc. c:\winnt\system32\pgpmn.dll
    + Webmappen Microsoft Web Folders (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\web folders\msonsext.dll
    + WinRAR shell extension c:\program files\winrar\rarext.dll
    HKLM\Software\Microsoft\Internet Explorer\Toolbar
    + googletoolbar2.dll Google IE Client Toolbar (Not verified) Google Inc. c:\program files\google\googletoolbar2.dll


    I see some parts of the Google toolbar still active, but nothing else that
    would bother me.....

    -----


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0514-3, 2005-04-10
    Tested on: 11-4-2005 6:16:17
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com
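As an added, defender-side example (mine, not from any poster in this thread), a small Python script that parses a dump in the layout quoted above and flags the things a reviewer would check first: entries whose target file is missing, a well-known system binary name sitting outside %SystemRoot% (Explorer normally lives directly in c:\winnt on this system, not under system32), and one image wired into several autostart points. The sample lines are taken from the dump; the one-entry-per-line layout and the Windows 2000/XP directory assumption are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the autostart dump quoted above: a
# location line (registry key or startup folder), then one "+ name description
# path" line per entry. Entries are from the post; one-per-line layout is mine.
SAMPLE_DUMP = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe c:\winnt\system32\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ avast! avast! service GUI component c:\program files\alwil software\avast4\ashdisp.exe
+ WLANSTA.EXE WLAN network adaptor Status Tray Applet (Not verified) IEEE 802.11b c:\winnt\system32\wlansta.exe
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
+ WLAN network adaptor Wireless LAN Configuration.lnk WLAN network adaptor Status Tray Applet (Not verified) IEEE 802.11b c:\winnt\system32\wlansta.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ mscheck c:\winnt\system32\explorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ Eudora's Shell Extension File not found: C:\Program Files\Qualcomm\Eudora\EuShlExt.dll
""".strip()

# The image path is the tail of the entry, from the first "x:\" to end of line.
PATH_RE = re.compile(r"(?i)\b[a-z]:\\.*$")
# Binaries that live directly in %SystemRoot% (c:\winnt on the poster's system).
# The same file name under a deeper directory such as system32 is worth a manual
# look. Assumption: Windows 2000/XP layout, %SystemRoot% one level below the drive.
SYSTEMROOT_ONLY = {"explorer.exe"}

def parse_dump(text):
    """Yield (location, title, path) for every '+' entry in the dump."""
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        if not line.startswith("+ "):
            location = line
            continue
        m = PATH_RE.search(line)
        path = m.group(0) if m else ""
        title = line[2:m.start()].strip() if m else line[2:]
        yield location, title, path

def audit(text):
    """Return (severity, location, title, reason) findings for the dump."""
    findings, by_path = [], defaultdict(list)
    for location, title, path in parse_dump(text):
        if "file not found" in title.lower():
            findings.append(("info", location, title, "target missing, stale entry"))
            continue
        low = path.lower()
        by_path[low].append(location)
        parent, _, base = low.rpartition("\\")
        if base in SYSTEMROOT_ONLY and parent.count("\\") > 1:
            findings.append(("high", location, title, f"{base} outside %SystemRoot%: {path}"))
        elif "(not verified)" in title.lower():
            findings.append(("info", location, title, "publisher not verified"))
    for path, locs in by_path.items():
        if len(locs) > 1:  # one image wired into several autostart points
            findings.append(("medium", "; ".join(locs), path, "registered in multiple locations"))
    return findings
```

Running `audit(SAMPLE_DUMP)` on the sample reports both explorer.exe entries as high, the stale Eudora hook as info, and the explorer.exe and wlansta.exe images as registered in two places each.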




  3. #13
    peter krom Guest

    Re: cannot find spy

    In article <CF36LO3638453.1205671296@reece.net.au>,
    thrasher@reece.net.au says...
    > On , <galt_57@hotmail.com> wrote:
    > >peter krom wrote:

    > ZoneAlarm is ok, but Sygate Personal Firewall is better,
    > has much more ability to control outbound connections.
    > also has user defined rules based processing.


    I'll take a look at it... perhaps Sygate finds this ...

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0514-3, 2005-04-10
    Tested on: 11-4-2005 6:17:58
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  4. #14
    Jay T. Blocksom Guest

    Re: cannot find spy

    [Crossposted to <news.admin.net-abuse.email>, for obvious reasons]

    On Fri, 8 Apr 2005 13:53:28 +0200, in <alt.privacy.spyware>, peter krom
    <jonhy@rook.com> wrote:
    >
    > Hello all,
    >
    > when running Netview I discovered that my Laptop sends a syn to a
    > certain ip-address, which looked up to - kelcos5.dynu.com -
    > at IP-address 81.215.160.197 every minute or so.

    [snip]

    DISCONNECT YOUR SYSTEM NOW!

    The reason for this admonition (and its urgency) will become clear shortly.

    The IP address in question is part of a (presumably DHCP-assigned) DSL pool in
    Turkey:

    <http://www.dnsstuff.com/tools/ptr.ch?ip=81.215.160.197>
    <http://www.dnsstuff.com/tools/whois.ch?ip=81.215.161.29>

    Note also that the hostname in question is now (well, as of two minutes ago
    when I checked) resolving to a different address within that same pool:

    <http://samspade.org/t/lookat?a=kelcos5.dynu.com>
    <http://www.dnsstuff.com/tools/ptr.ch?ip=81.215.161.29>

    And by the time you read this, it may well have shifted again.

    This pattern strongly suggests -- no, scratch that; it is essentially certain
    -- that your system has been compromised with a spammer's "zombie proxy"
    trojan. It is S-O-P for them to "phone home" as soon as they take root and/or
    find a live network connection, so as to alert their masters that they are
    available for (ab)use and specifically where to find them/you. In all
    probability, the host(s) it is attempting to "phone home" to are also zombies,
    which the spammer(s) previously compromised. The dynamic DNS "service" is
    being used to direct the droppers on where to report at any given moment.

    Furthermore, the spammer in question is very probably one Kelly Joe Ellis, a
    well-known low-life criminal scoundrel and all-around frothing loon:

    <http://groups.google.co.uk/groups?q=kelco&group=news.admin.net-abuse.*&sa=G&scoring=d>
    <http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK1867>
    <http://spews.org/html/S1532.html>

    Since you yourself are (apparently) on a consumer DSL line:

    > NNTP-Posting-Host: 80.242.254.221 (80.242.254.221)


    <http://www.dnsstuff.com/tools/ptr.ch?ip=80.242.254.221>
    <http://www.dnsstuff.com/tools/whois.ch?ip=80.242.254.221>

    ...that means that you are at this moment part of the spammer's "Zombie Army".

    Hence: DISCONNECT YOUR SYSTEM NOW!

    As long as your system remains connected to the 'net, it *will* be used to
    spew spam, and worse, far and wide.

    Do *NOT* reconnect it to any other system (either via your local LAN or via
    the internet) until you are _absolutely_certain_ that the trojan(s) has/have
    been completely eradicated. If that means wiping the disk down to the LLF and
    starting over, so be it; but the main thing is that you MUST stop propagating
    the damage still further.


    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet02[at]appropriate-tech.net

    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this domain is expressly prohibited under
    47 USC S227 and State Law. Violators are subject to prosecution.
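As an added example (mine, not from any poster in this thread), the pattern described above, a SYN to a dynamic-DNS name "every minute or so" whose address shifts between hosts of one pool, can be picked out of a connection log automatically by grouping attempts per name (or per /24 when no name was logged) and checking whether the gaps between them are near-constant. The log lines below are constructed in a format of my own, not Netview's; the two kelcos5.dynu.com addresses are the ones quoted in this thread, and the 4-hit and 20%-jitter thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log in a format of my own (not Netview's): date, time,
# flag, source, "->", destination address, destination name as resolved ("-" if
# none). The kelcos5.dynu.com addresses are the two quoted in this thread.
SAMPLE_LOG = """
2005-04-08 13:40:02 SYN 192.168.1.10 -> 81.215.160.197 kelcos5.dynu.com
2005-04-08 13:40:15 SYN 192.168.1.10 -> 203.0.113.5 www.example.net
2005-04-08 13:41:03 SYN 192.168.1.10 -> 81.215.160.197 kelcos5.dynu.com
2005-04-08 13:41:40 SYN 192.168.1.10 -> 203.0.113.9 www.example.net
2005-04-08 13:42:02 SYN 192.168.1.10 -> 81.215.161.29 kelcos5.dynu.com
2005-04-08 13:43:03 SYN 192.168.1.10 -> 81.215.161.29 kelcos5.dynu.com
2005-04-08 13:44:02 SYN 192.168.1.10 -> 81.215.161.29 kelcos5.dynu.com
2005-04-08 13:44:30 SYN 192.168.1.10 -> 203.0.113.5 www.example.net
2005-04-08 13:44:45 SYN 192.168.1.10 -> 203.0.113.5 www.example.net
2005-04-08 13:45:03 SYN 192.168.1.10 -> 81.215.160.197 kelcos5.dynu.com
""".strip()

def parse_log(text):
    """Return [(timestamp, dst_ip, dst_name)] from the constructed log format."""
    events = []
    for line in text.splitlines():
        day, clock, _flag, _src, _arrow, dst, name = line.split()
        events.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), dst, name))
    return events

def group_key(dst, name):
    # A dynamic-DNS name moves between addresses of one pool, so group by the
    # name when the log has one; otherwise fall back to the /24 of the address.
    return name if name != "-" else ".".join(dst.split(".")[:3]) + ".0/24"

def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return {key: (hits, mean_gap_s, [addresses])} for destinations contacted
    at least min_hits times at near-constant intervals (stdev/mean <= max_jitter)."""
    by_key = defaultdict(list)
    for ts, dst, name in events:
        by_key[group_key(dst, name)].append((ts, dst))
    beacons = {}
    for key, hits in by_key.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = (len(hits), round(avg), sorted({d for _, d in hits}))
    return beacons
```

On the sample, only kelcos5.dynu.com comes out as a beacon (6 hits, about 60 s apart, across both pool addresses); the www.example.net hits are frequent enough but too irregular to pass the jitter test.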

  5. #15
    peter krom Guest

    Re: cannot find spy

    In article <mnik5159ii94b9p693mh9m1k4ud366e5oa@news.speakeasy.net>,
    not.deliverable+usenet02@appropriate-tech.net says...
    > [Crossposted to <news.admin.net-abuse.email>, for obvious reasons]
    >
    > On Fri, 8 Apr 2005 13:53:28 +0200, in <alt.privacy.spyware>, peter krom
    > <jonhy@rook.com> wrote:
    > >


    After searching through my system I uninstalled Mozilla Firefox; this
    was apparently the source of the SYNs sent to kelcos. Now that Firefox
    is no longer installed, the SYNs aren't sent anymore. Furthermore, all
    registry entries concerning Mozilla Firefox are deleted. Thanks for the
    info...

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 12-4-2005 13:26:12
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  6. #16
    A.Melon Guest

    Re: cannot find spy

    In article <MPG.1cc5cebdc961300f989688@news.quicknet.nl>
    peter krom <jonhy@rook.com> wrote:
    >
    > In article <mnik5159ii94b9p693mh9m1k4ud366e5oa@news.speakeasy.net>,
    > not.deliverable+usenet02@appropriate-tech.net says...
    > > [Crossposted to <news.admin.net-abuse.email>, for obvious reasons]
    > >
    > > On Fri, 8 Apr 2005 13:53:28 +0200, in <alt.privacy.spyware>, peter krom
    > > <jonhy@rook.com> wrote:
    > > >

    >
    > After searching through my system I uninstalled Mozilla Firefox; this
    > was apparently the source of the SYNs sent to kelcos. Now that Firefox
    > is no longer installed, the SYNs aren't sent anymore. Furthermore, all
    > registry entries concerning Mozilla Firefox are deleted. Thanks for the
    > info...
    >
    > Peter


    Duh! Maybe you should just have changed your *Home* *Page* from
    Kelcos, 'cos there is nothing wrong with Firefox, and all
    browsers work by sending SYN packets.


  7. #17
    Spam Reporting Guest

    Re: cannot find spy

    "peter krom" <jonhy [at]_ rook.com> wrote in message
    news:MPG.1cc5cebdc961300f989688@news.quicknet.nl...
    > After searching through my system I uninstalled Mozilla Firefox; this
    > was apparently the source of the SYNs sent to kelcos. Now that
    > Firefox is no longer installed, the SYNs aren't sent anymore.
    > Furthermore, all registry entries concerning Mozilla Firefox are
    > deleted. Thanks for the info...



    What plugins and extensions did you have installed for Firefox? It might
    have been one of them... if it's a commonly used one, people need to
    know about this. Or did you find that it was something else within
    Firefox?




    SuN Tsu, giving instructions on morphing:
    http://groups-beta.google.com/group/...a612b6799dc064
    "...model morphs on characters that you are familiar with,
    RL/Tele/cart00n, mimicking the vocabulary and sentence construction of
    the character used as the model."

    Kooks morph, it's a fact of life...

    --
    When will the stalker kook SuN Tsu / BananaNanae / Joe / Joe Banana / JB
    / AOL Spam Trap / LobbyFerret1 / Damien65 [at] aol.com / ATIU 33 /
    Banana Rama / Sightings / nanasreport [at] aol.com apologize for his
    false accusations and spam-friendly behavior?
    http://groups-beta.google.com/group/...2b7339da47e17a
    http://groups-beta.google.com/group/...e92facdc555f81
    http://groups-beta.google.com/group/...d3010beed38ae8
    http://groups-beta.google.com/group/...440a2e400ee0fe
    NANAE newbies: For your own protection you should kill-file Sun Tsu.
    (You'll have to kill-file him four times, he's posting with four email
    accounts).


  8. #18
    peter krom Guest

    Re: cannot find spy

    In article <DcU6e.1362$t85.3@newssvr21.news.prodigy.com>, "Spam Reporting" <FROM:@hillscapital.com> says...
    > "peter krom" <jonhy [at]_ rook.com> wrote in message
    > news:MPG.1cc5cebdc961300f989688@news.quicknet.nl...
    > What plugins and extensions did you have installed for Firefox? It might
    > have been one of them... if it's a commonly used one, people need to
    > know about this. Or did you find that it was something else within
    > Firefox?


    I used 2 plug-ins in Firefox: the first one is Autocopy and the second
    one was Wizz RSS reader, both downloaded from the Mozilla site, by the way.
    The file itself, which was resident, was called firefox.exe and was 4.96 kB
    in size. The original Firefox 1.0 was updated twice, with 1.01 and 1.02....
    I am sure that the attempts to connect to kelcos5.dynu.com are gone, because
    I have Netview running all the time and the log file doesn't show
    anything regarding the IP pool discussed.

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 13-4-2005 1:04:51
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  9. #19
    peter krom Guest

    Re: cannot find spy

    In article <a8f1741b3562f31066716fc0aab31198@melontraffickers.com>,
    juicy@melontraffickers.com says...
    > In article <MPG.1cc5cebdc961300f989688@news.quicknet.nl>
    > peter krom <jonhy@rook.com> wrote:


    > Duh! Maybe you should just have changed your *Home* *Page* from
    > Kelcos, 'cos there is nothing wrong with Firefox, and all
    > browsers work by sending SYN packets.


    This has nothing to do with the fact that I have a start page at kelcos,
    which in fact I have not. Yes, you are right that all browsers work by
    sending SYN packets; however, a recurring SYN packet every 2 seconds to
    the same IP address, or to an IP address which traces back to the IP pool
    discussed, is not a normal SYN packet... Perhaps you are right and there
    is nothing wrong with Firefox, but to be on the safe side I removed it.
    I don't wanna have anything to do with SPAM, SPEW or anything of that
    kind, and if you think that is wrong, well then so be it....

    P


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 13-4-2005 1:14:11
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  10. #20
    Jay T. Blocksom Guest

    Re: cannot find spy

    Arrrrggghh... I screwed up the cut&paste on a couple of those URLs. The
    corrected version is:

    On Mon, 11 Apr 2005 14:18:46 -0400, in <alt.privacy.spyware>, Jay T. Blocksom
    <not.deliverable+usenet02@appropriate-tech.net> wrote:
    >
    > The IP address in question is part of a (presumably DHCP-assigned) DSL pool
    > in Turkey:
    >
    > <http://www.dnsstuff.com/tools/ptr.ch?ip=81.215.160.197>
    > <http://www.dnsstuff.com/tools/whois.ch?ip=81.215.160.197>
    >
    > Note also that the hostname in question is now (well, as of two minutes ago
    > when I checked) resolving to a different address within that same pool:
    >
    > <http://samspade.org/t/lookat?a=kelcos5.dynu.com>
    > <http://www.dnsstuff.com/tools/ptr.ch?ip=81.215.161.29>
    > <http://www.dnsstuff.com/tools/whois.ch?ip=81.215.161.29>
    >
    > And by the time you read this, it may well have shifted again.


    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet02[at]appropriate-tech.net

    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this domain is expressly prohibited under
    47 USC S227 and State Law. Violators are subject to prosecution.
