 |  |  |  |  |  |  |  |
application has been modified
Thread Solved |
Hi, i went to a site & a box popped up asing me to download a version of directX to be able to play video on the site, this has happened a few times whilst on other sites & the box was always the same & looked like an authentic windows message. So i downloaded the setup file & ran it. Then i realised it was a scam coz a box kept popping up from the task bar saying i had a trojan & asking me to buy a spyware blaster thingy. It popped up every 30 seconds i did a restart but it wouldn't go away. I succesfully did a 'system restore' to the previous day & the problem disappeared. However, everytime i click on the explorer 7.0 to bring up the browser for the homepage my 'BullGuard' antivirus/firewall tells me that "the application (Explorer.exe) has been modified since the last time i allowed it to use the network adding that it might have been infected by a virus and says "do you want to still allow it"? If i click "yes" then everything appears normal after that, until i try to bring up another explorer window & then it asks again each time. The firewall doesn't give me the usual option of ticking the box that says "remember my answer & don't ask again", which is strange, it's a different sort of question box, one that's sort of telling you NOT to go ahead, but if i tick "NO" or wait until the firewall timer runs out then the page cannot be displayed so then i've got no browsing at all! I've run spybot & a full virus scan & they found nothing, but i forgot to run them in safe mode. After the system restore, some files were automatically renamed, these were: advpack.dll url.dll urlmon.dll webcheck.dll winnet.dll inetcomm.dll (all in C:\WINDOWS\system32. I've checked on a couple of these & they are necessary systems files it seems.
The firewall tells me more information on the 'modifications' that have been inadvertently changed to windows explorer. It says the following:
APPLICATION: C:\Program Files\Internet Explorer\iexplore.exe
VERSION: 7.00.6000.16544 (vista_gdr.070814-1500)
PROVIDER: Microsoft Corporation
SIZE: 625152 bytes
MD5: 3AC2BC667DA0AF2C968E96E1630F5AB5
MODIFIED: Friday, August 17, 2007 11:21:21
PID: 3424
ETHERNET (IEEE 802.3) HEADER
* DST MAC: 00-0D-66-24-00-A8
* SRC MAC: 00-40-CA-60-85-B2
PROTO: 0x0800
INTERNET PROTOCOL (IP) HEADER
Ver: 4
IHL: 20 bytes
ToS: 0
Packet length: 48 bytes
Packet (unique) ID: 0x021E
Flags: 0x00
Fragment Offset: 2
TTL (Time To Live): 128
PROTO: TCP (Transmission Control Proocol) [6]
Checksum: 0x3A36
* SRC address: *CLASS A* [82.38.124.185]
* DST address: www.trafficswarm.com [66.132.173.16]
TRANSMISSION CONTROL PROTOCOL (TCP) HEADER
* SRC Port: 1066
* DST Port: HTTP [80]
Sequence No: 0x86058F5A
Acknowledgement No: 0x00000000
TCP Data Offset: 0
Flags: SYN
TCP Window (flow) control: 0xFFFF
TCP Checksum: 0xAAD104
Urgent: 0x0000
PACKET DUMP
0000: 00 0D 66 24 00 A8 00 40 CA 60 85 B2 08 00 45 00 ..f$...@.`....E.
0010: 00 30 02 1E 40 00 80 06 3A 36 52 26 7C B9 42 84 .0..@...:6R&|.B.
0020: AD 10 04 2A 00 50 86 05 8F 5A 00 00 00 00 70 02 ...*.P...Z....p.
0030: FF FF AA D1 00 00 02 04 05 B4 01 01 04 02 ..............
Wow! That's beyond me! What do you think has happened? The PC is fine but wouldn't like to have a really clever trojan hanging around. Cheers
Cozzy.
The firewall tells me more information on the 'modifications' that have been inadvertently changed to windows explorer. It says the following:
APPLICATION: C:\Program Files\Internet Explorer\iexplore.exe
VERSION: 7.00.6000.16544 (vista_gdr.070814-1500)
PROVIDER: Microsoft Corporation
SIZE: 625152 bytes
MD5: 3AC2BC667DA0AF2C968E96E1630F5AB5
MODIFIED: Friday, August 17, 2007 11:21:21
PID: 3424
ETHERNET (IEEE 802.3) HEADER
* DST MAC: 00-0D-66-24-00-A8
* SRC MAC: 00-40-CA-60-85-B2
PROTO: 0x0800
INTERNET PROTOCOL (IP) HEADER
Ver: 4
IHL: 20 bytes
ToS: 0
Packet length: 48 bytes
Packet (unique) ID: 0x021E
Flags: 0x00
Fragment Offset: 2
TTL (Time To Live): 128
PROTO: TCP (Transmission Control Proocol) [6]
Checksum: 0x3A36
* SRC address: *CLASS A* [82.38.124.185]
* DST address: www.trafficswarm.com [66.132.173.16]
TRANSMISSION CONTROL PROTOCOL (TCP) HEADER
* SRC Port: 1066
* DST Port: HTTP [80]
Sequence No: 0x86058F5A
Acknowledgement No: 0x00000000
TCP Data Offset: 0
Flags: SYN
TCP Window (flow) control: 0xFFFF
TCP Checksum: 0xAAD104
Urgent: 0x0000
PACKET DUMP
0000: 00 0D 66 24 00 A8 00 40 CA 60 85 B2 08 00 45 00 ..f$...@.`....E.
0010: 00 30 02 1E 40 00 80 06 3A 36 52 26 7C B9 42 84 .0..@...:6R&|.B.
0020: AD 10 04 2A 00 50 86 05 8F 5A 00 00 00 00 70 02 ...*.P...Z....p.
0030: FF FF AA D1 00 00 02 04 05 B4 01 01 04 02 ..............
Wow! That's beyond me! What do you think has happened? The PC is fine but wouldn't like to have a really clever trojan hanging around. Cheers
Cozzy.
Last edited by cozzy; Oct 11th, 2007 at 11:45 am.
if windows system files have been replaced restore them like so:
1) find your XP cd
2) close all running applications
2) go to run and type sfc /scannow
4)wait (its a silent process, reboot afetrwards)
5) see if that helps
1) find your XP cd
2) close all running applications
2) go to run and type sfc /scannow
4)wait (its a silent process, reboot afetrwards)
5) see if that helps
If i am helpful, please give me reputation points.
Well thanks a lot JB, i did what you suggested & it appears to have done the trick. The firewall warnings no longer appear teling me internet explorer has been modified & the PC is running fine as it was.
Thanks a lot
Thanks a lot
Yeah. SFC is a useful tool. In case system files have been replaced by bad ones or have been damaged (a common one is a fake windows login screen which steals your password) it can replace them with the correct ones from the windows cd (or a backup it keeps on the disk but its better to use the cd as some malware programs are crafty and alter the backup too)
After running SFC you should run windows update as sometimes it may un-apply hotfixes/patches
After running SFC you should run windows update as sometimes it may un-apply hotfixes/patches
If i am helpful, please give me reputation points.
 |
Similar Threads
- Application error (Windows NT / 2000 / XP)
- Help on Emu8086 calculating Sum (Assembly)
- How to Get Last Accessed/Created/Modified File Date and Time (C)
- Can't get multimedia keys to work on mac keyboard (Apple Hardware)
- Updater Application (Windows 95 / 98 / Me)
- Applet or Application? (Java)
- 2 ASP Questions (ASP.NET)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Critical System Errors please help
- Next Thread: unable to access my control pannel can someone help
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple attack avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial conficker connect control cyber cybercrime cyberwarfare ddos education email europe exam exploit facebook fake fancheckvirus gaming gtaiv halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles malware mcafee messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista war warning windows worm yahoo zeroday
