something D/L'ed to my computer
DON'T go to the link until you read!!
A client of mine emailed me a link to add to his site. When I clicked on the link, I noticed that something downloaded really fast and was gone. I was unable to get the name of the download because it was so fast. Don't know what the heck it was. Anybody willing to help out on this one?? Here is the link. (I made it un-clickable on purpose)
trinitycommunicationsco.com
ihateangle posted this at 07:25 — 5th March 2003.
They have: 12 posts
Joined: Feb 2003
Being that I don't have it set to automatically download files, I saw the download box (and clicked don't download, of course).
The filename was README[1].TXT demo.exe and it's from beech-info.com
and I'd say it's most likely a virus/trojan.
I'd recommend you get your virus scanner into gear ASAP.
sincerely, Michael
Renegade posted this at 07:36 — 5th March 2003.
He has: 3,022 posts
Joined: Oct 2002
Don't come to the conclusion that it's a virus yet.
If your computer starts playing up, then start to come to that conclusion. Most probably it's harmless.
Mark Hensler posted this at 09:00 — 5th March 2003.
He has: 4,048 posts
Joined: Aug 2000
Considering the circumstances, I'd say ditto to ihateangle. Nothing bad can happen from being a little paranoid. But just imagine what could happen if you did nothing...
Mark Hensler
If there is no answer on Google, then there is no question.
The Webmistress posted this at 09:10 — 5th March 2003.
She has: 5,586 posts
Joined: Feb 2001
Whenever I download anything I always do a full virus scan just in case!
Renegade posted this at 09:19 — 5th March 2003.
He has: 3,022 posts
Joined: Oct 2002
lol and here I am not using one at all! lol
Busy posted this at 09:32 — 5th March 2003.
He has: 6,151 posts
Joined: May 2001
I tried the link but got nothing
download spybot (better than adaware) and run that as well as virus scan
mairving posted this at 11:29 — 5th March 2003.
They have: 2,256 posts
Joined: Feb 2001
One of my personal favorites is Spybot Search & Destroy. It does a good job of cleaning up things like trojans and spyware.
The fact that the file was named readme.txt.exe indicates that it is very suspicious. A lot of viruses are sent out this way because if you have the option to 'hide file extensions of known file types' turned on, the file looks like readme.txt, so you click on it and activate the payload.
Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states
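An added example (not part of mairving's post): a Python check for the naming pattern described above, where a document-style extension sits in front of the real executable one. The extension lists and function names are illustrative assumptions; the first two sample names are the ones quoted in this thread, the rest are constructed.

```python
import re

# Illustrative extension lists (assumptions, not from the thread); tune to local policy.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "zip"}

# Browser caches such as IE's insert a "[n]" copy counter, e.g. README[1].TXT
CACHE_COUNTER = re.compile(r"\[\d+\]")
# A ".ext" token inside the stem, followed by a dot, whitespace or end of stem
INNER_EXT = re.compile(r"\.([A-Za-z0-9]{2,4})(?=[.\s]|$)")


def displayed_name(filename):
    """Name as listed when 'hide file extensions of known file types' is on."""
    stem, dot, ext = filename.rpartition(".")
    known = EXECUTABLE_EXTS | DECOY_EXTS
    return stem if dot and ext.lower() in known else filename


def check_filename(filename):
    """Return a finding if a document-style extension sits before an executable one."""
    name = CACHE_COUNTER.sub("", filename).strip()
    stem, dot, real_ext = name.rpartition(".")
    real_ext = real_ext.lower()
    if not dot or real_ext not in EXECUTABLE_EXTS:
        return None
    decoys = [m.group(1).lower() for m in INNER_EXT.finditer(stem)]
    decoys = [d for d in decoys if d in DECOY_EXTS]
    if not decoys:
        return None
    return {"file": filename, "real_ext": real_ext,
            "decoy_ext": decoys[-1], "shown_as": displayed_name(filename)}


def scan(filenames):
    """Check every name and keep only the suspicious ones."""
    return [f for f in map(check_filename, filenames) if f]


# First two names are the ones quoted in the thread; the rest are constructed.
SAMPLE_NAMES = ["README[1].TXT demo.exe", "readme.txt.exe",
                "setup.exe", "notes.txt", "report.final.exe", "archive.tar.gz"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_NAMES):
        print(finding)
```

The `shown_as` field is what a user would see in a file listing with extensions hidden, which is why the name reads as a text file.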
disaster-master posted this at 14:06 — 5th March 2003.
She has: 2,154 posts
Joined: May 2001
Thanks for the info. I did a scan and nothing was detected. Downloading Spybot-S&D now. I am really considering contacting these people and letting them know what I think about their sneaky underhanded tricks. BAH!!
Will the spybot get rid of whatever this is from my computer?
What setting do I use to prevent the automatic download? Would it be
Tools >> Internet Options >> Advanced >> Enable Install On Demand (uncheck this?)
mairving posted this at 16:19 — 5th March 2003.
They have: 2,256 posts
Joined: Feb 2001
Spybot will get what a virus scanner won't.
Definitely uncheck the Install on Demand. There are two, one for IE and the other for Other. If you uncheck IE, Windows Update won't work but definitely uncheck Other.
Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states
Mark Hensler posted this at 17:51 — 5th March 2003.
He has: 4,048 posts
Joined: Aug 2000
*downloads spybot*
I've been using Adaware 6. I'll check this out too.
disaster-master posted this at 19:20 — 5th March 2003.
She has: 2,154 posts
Joined: May 2001
Thanks mairv, I will definitely uncheck those.
I ran the spybot and it detected a bunch of stuff. I got sorta nervous about the ones that had something to do with the registry and didn't check those to be fixed. I try to steer clear of that part of my computer. Should I have let it fix everything?
I was unable to find anything on this file, README[1].TXT demo.exe or demo.exe, when I did a search for files or folders by this name before I installed the spybot. I didn't see it in the list when I ran spybot either. How do I know for sure it is gone?
mairving posted this at 19:35 — 5th March 2003.
They have: 2,256 posts
Joined: Feb 2001
I have never had a problem with it deleting anything in the registry. If it is a running process, it will require a reboot so that it can load before the program delete it. Mostly what it picks up on mine is cookies. I have used it to get rid of Gator, Bonzi Buddy, Tool Buddy, Comet Cursor, Xupiter and their ilk.
You should be safe if neither found anything. To be safe, you can try an online virus scan and/or dump your browser cache.
Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states
Busy posted this at 20:33 — 5th March 2003.
He has: 6,151 posts
Joined: May 2001
mairving's spybot is the same one as I mentioned.
disaster-master, when you run spybot it will display a list of results, some checked, some unchecked. The unchecked ones are usually OK but you can remove them if you wish. If you remove something and wish you didn't, click on "restore" (icon under search and destroy) and you can restore them. If you have no bad stuff it will say at the very top "congrats no spy stuff found" or something.
I've been using this for a while and haven't had anything to clean in months. I use "cookiewall" as well (which asks me what cookies to accept or deny) so I never get any bad cookies. I also use "startupmonitor", which asks me what files can add themselves to the registry, so nothing installs itself without me knowing.
Now if only this thing would make coffee ....
disaster-master posted this at 01:54 — 6th March 2003.
She has: 2,154 posts
Joined: May 2001
busy, you explained exactly what I saw when I ran the program.
I never did find the "README.TXT demo.exe" file but I did a files or folders search where you can use the date option and got the most recent, which was the exact time that I accessed the site.
There were three files that were there with one copy each in:
C:\WINNT\System32 has two .dll files
C:\Documents and Settings\Sonia\Local Settings\Temp has two .dll files and two .exe files
I also called the people at trinity communications. They said that they had no knowledge of this and would get back with me when they found out what was going on. The guy honestly sounded like he didn't have a clue.
I know you guys think I may be overly cautious with this but I am stumped and don't want this to happen again.
It just seems to me that whatever this download is at trinitycommunications is not coming from their site per se but somehow the beech-info.com is making it do this. Reckon that could be possible?
Sorry for the long post. I am in detective mode.
Mark Hensler posted this at 02:45 — 6th March 2003.
He has: 4,048 posts
Joined: Aug 2000
Do they have ads? Some ads load more than an image. And perhaps there was a malicious ad.
disaster-master posted this at 04:20 — 6th March 2003.
She has: 2,154 posts
Joined: May 2001
No, doesn't look like they do. I even checked their code.
The man emailed me back and said that he didn't see it. I am gonna send him this screenshot.
Oh and it still downloads even though I have unchecked enable install on demand.
Busy posted this at 09:20 — 6th March 2003.
He has: 6,151 posts
Joined: May 2001
disaster-master, are you using IE6?
If so, update your patch/s; if not, don't worry about this
and as they say, better to be safe than sorry
disaster-master posted this at 14:25 — 6th March 2003.
She has: 2,154 posts
Joined: May 2001
Well crap! Yes, I am using IE6. I didn't think to check other browsers but Opera or Mozilla doesn't download anything. IE6 does.
What this does is it really makes me want to go to IE6 and hit the uninstall button instead of getting another freaking update.
Thanks busy. I will try that.
disaster-master posted this at 15:18 — 6th March 2003.
She has: 2,154 posts
Joined: May 2001
You were right, busy. The patch fixed it. I can't believe that I spent hours on end yesterday trying to figure this out and that is all it was.
I still don't understand why/how the file was downloading from one site while I was on another. That one has me stumped.
Thanks for all the help.
Busy posted this at 20:29 — 6th March 2003.
He has: 6,151 posts
Joined: May 2001
The joys of Microsoft