0

Hi, i went to a site & a box popped up asing me to download a version of directX to be able to play video on the site, this has happened a few times whilst on other sites & the box was always the same & looked like an authentic windows message. So i downloaded the setup file & ran it. Then i realised it was a scam coz a box kept popping up from the task bar saying i had a trojan & asking me to buy a spyware blaster thingy. It popped up every 30 seconds i did a restart but it wouldn't go away. I succesfully did a 'system restore' to the previous day & the problem disappeared. However, everytime i click on the explorer 7.0 to bring up the browser for the homepage my 'BullGuard' antivirus/firewall tells me that "the application (Explorer.exe) has been modified since the last time i allowed it to use the network adding that it might have been infected by a virus and says "do you want to still allow it"? If i click "yes" then everything appears normal after that, until i try to bring up another explorer window & then it asks again each time. The firewall doesn't give me the usual option of ticking the box that says "remember my answer & don't ask again", which is strange, it's a different sort of question box, one that's sort of telling you NOT to go ahead, but if i tick "NO" or wait until the firewall timer runs out then the page cannot be displayed so then i've got no browsing at all! I've run spybot & a full virus scan & they found nothing, but i forgot to run them in safe mode. After the system restore, some files were automatically renamed, these were: advpack.dll url.dll urlmon.dll webcheck.dll winnet.dll inetcomm.dll (all in C:\WINDOWS\system32. I've checked on a couple of these & they are necessary systems files it seems.

The firewall tells me more information on the 'modifications' that have been inadvertently changed to windows explorer. It says the following:
APPLICATION: C:\Program Files\Internet Explorer\iexplore.exe
VERSION: 7.00.6000.16544 (vista_gdr.070814-1500)
PROVIDER: Microsoft Corporation
SIZE: 625152 bytes
MD5: 3AC2BC667DA0AF2C968E96E1630F5AB5
MODIFIED: Friday, August 17, 2007 11:21:21
PID: 3424


ETHERNET (IEEE 802.3) HEADER
* DST MAC: 00-0D-66-24-00-A8
* SRC MAC: 00-40-CA-60-85-B2
PROTO: 0x0800


INTERNET PROTOCOL (IP) HEADER
Ver: 4
IHL: 20 bytes
ToS: 0
Packet length: 48 bytes
Packet (unique) ID: 0x021E
Flags: 0x00
Fragment Offset: 2
TTL (Time To Live): 128
PROTO: TCP (Transmission Control Proocol) [6]
Checksum: 0x3A36
* SRC address: *CLASS A* [82.38.124.185]
* DST address: www.trafficswarm.com [66.132.173.16]


TRANSMISSION CONTROL PROTOCOL (TCP) HEADER
* SRC Port: 1066
* DST Port: HTTP [80]
Sequence No: 0x86058F5A
Acknowledgement No: 0x00000000
TCP Data Offset: 0
Flags: SYN
TCP Window (flow) control: 0xFFFF
TCP Checksum: 0xAAD104
Urgent: 0x0000


PACKET DUMP
0000: 00 0D 66 24 00 A8 00 40 CA 60 85 B2 08 00 45 00 ..f$...@.`....E.
0010: 00 30 02 1E 40 00 80 06 3A 36 52 26 7C B9 42 84 .0..@...:6R&|.B.
0020: AD 10 04 2A 00 50 86 05 8F 5A 00 00 00 00 70 02 ...*.P...Z....p.
0030: FF FF AA D1 00 00 02 04 05 B4 01 01 04 02 ..............

Wow! That's beyond me! What do you think has happened? The PC is fine but wouldn't like to have a really clever trojan hanging around. Cheers
Cozzy.

2
Contributors
4
Replies
5
Views
9 Years
Discussion Span
Last Post by cozzy
0

if windows system files have been replaced restore them like so:

1) find your XP cd
2) close all running applications
2) go to run and type sfc /scannow
4)wait (its a silent process, reboot afetrwards)
5) see if that helps

0

Well thanks a lot JB, i did what you suggested & it appears to have done the trick. The firewall warnings no longer appear teling me internet explorer has been modified & the PC is running fine as it was.
Thanks a lot

0

Yeah. SFC is a useful tool. In case system files have been replaced by bad ones or have been damaged (a common one is a fake windows login screen which steals your password) it can replace them with the correct ones from the windows cd (or a backup it keeps on the disk but its better to use the cd as some malware programs are crafty and alter the backup too)

After running SFC you should run windows update as sometimes it may un-apply hotfixes/patches

0

JB, you are correct again! Because after doing what you said, the windows update kicked in on its own automatically, so how do you know all these things? Are you a fortune teller? Lol.
Cheers

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.