something D/L'ed to my computer

disaster-master's picture

She has: 2,154 posts

Joined: May 2001

DON'T go to the link until you read!!

A client of mine emailed me a link to add to his site. When I clicked on the link, I noticed that something downloaded really fast and was gone. I was unable to get the name of the download because it was so fast. Don't know what the heck it was. Anybody willing to help out on this one?? Here is the link. (I made it un-clickable on purpose)

trinitycommunicationsco.com

They have: 12 posts

Joined: Feb 2003

Being that I don't have it set to automatically download files, I saw the download box (and clicked don't download of course Wink)

The filename was README[1].TXT demo.exe and it's from beech-info.com

and I'd say it's most likely a virus/trojan

I'd recommend you get your virus scanner into gear ASAP

sincerely, Michael

Renegade's picture

He has: 3,022 posts

Joined: Oct 2002

Don't come to the conclusion that it's a virus yet.

If your computer starts playing up then start to come to that conclusion Smiling most probably it's harmless Smiling

Mark Hensler's picture

He has: 4,048 posts

Joined: Aug 2000

Considering the circumstances, I'd say ditto to ihateangle. Nothing bad can happen from being a little paranoid. But just imagine what could happen if you did nothing...

Mark Hensler
If there is no answer on Google, then there is no question.

The Webmistress's picture

She has: 5,586 posts

Joined: Feb 2001

Whenever I download anything I always do a full virus scan just in case!

Renegade's picture

He has: 3,022 posts

Joined: Oct 2002

Quote: Originally posted by The Webmistress
Whenever I download anything I always do a full virus scan just in case!

lol and here I am not using one at all! lol

Laughing out loud

Busy's picture

He has: 6,151 posts

Joined: May 2001

I tried the link but got nothing
download spybot (better than adaware) and run that as well as virus scan

mairving's picture

They have: 2,256 posts

Joined: Feb 2001

Quote: Originally posted by Busy
I tried the link but got nothing
download spybot (better than adaware) and run that as well as virus scan

One of my personal favorites is Spybot Search & Destroy. It does a good job of cleaning up things like trojans and spyware.

The fact that the file was named readme.txt.exe indicates that it is very suspicious. A lot of viruses are sent out this way because if you have the option to 'hide file extensions of known file types' turned on, the file looks like readme.txt so you click on it and activate the payload.

Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states
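The double-extension trick described in the post above can be checked for mechanically. The following is an added example, not code from the thread: a small Python checker that flags names whose real extension is executable while a harmless-looking extension sits earlier in the name, and reports what the name looks like with the extension hidden. The extension lists and the sample names (other than the two quoted in the thread) are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows runs on double-click (illustrative subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking extensions often used as the decoy (illustrative subset).
DECOY_EXTS = ["doc", "gif", "htm", "html", "jpg", "mp3", "pdf", "txt", "zip"]

# A decoy extension inside the stem, followed by end of stem, whitespace or a dot.
_DECOY_RE = re.compile(r"\.(%s)(?=$|[\s.])" % "|".join(DECOY_EXTS), re.IGNORECASE)


def check_name(filename):
    """Return a finding dict if the name hides an executable behind a decoy
    extension, otherwise None. Accepts a bare name or a full Windows path."""
    p = PureWindowsPath(filename)
    real_ext = p.suffix.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return None
    decoy = _DECOY_RE.search(p.stem)
    if decoy is None:
        return None
    return {
        "file": p.name,
        # What a user sees when the final extension is hidden by Explorer.
        "shown_as": p.stem,
        "real_ext": real_ext,
        "decoy_ext": decoy.group(0).lower(),
    }


def scan(names):
    """Check every name and return only the suspicious ones."""
    return [f for f in (check_name(n) for n in names) if f]


# Constructed sample input; the first two names are the ones quoted in the thread.
SAMPLE_NAMES = [
    "README[1].TXT demo.exe",
    "readme.txt.exe",
    r"C:\Temp\invoice.pdf   .scr",   # constructed: decoy padded with spaces
    "setup.exe",                     # ordinary installer, no decoy
    "notes.txt",                     # really a text file
    "my.txtfile.exe",                # ".txt" is not a complete extension here
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_NAMES):
        print("%(file)r shows as %(shown_as)r but is really %(real_ext)s" % finding)
```
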

disaster-master's picture

She has: 2,154 posts

Joined: May 2001

Thanks for the info. I did a scan and nothing was detected. Downloading Spybot-S&D now. I am really considering contacting these people and letting them know what I think about their sneaky underhanded tricks. BAH!!

Will the spybot get rid of whatever this is from my computer?

What setting do I use to prevent the automatic download? Would it be
Tools >> Internet Options >> Advanced >> Enable Install On Demand (uncheck this?)

mairving's picture

They have: 2,256 posts

Joined: Feb 2001

Quote: Originally posted by disaster-master

Will the spybot get rid of whatever this is from my computer?

What setting do I use to prevent the automatic download? Would it be
Tools >> Internet Options >> Advanced >> Enable Install On Demand (uncheck this?)

Spybot will get what a virus scanner won't.

Definitely uncheck the Install on Demand. There are two, one for IE and the other for Other. If you uncheck IE, Windows Update won't work but definitely uncheck Other.

Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states

Mark Hensler's picture

He has: 4,048 posts

Joined: Aug 2000

*downloads spybot*

I've been using Adaware 6. I'll check this out too.

disaster-master's picture

She has: 2,154 posts

Joined: May 2001

Thanks mairv, I will definitely uncheck those.

I ran the spybot and it detected a bunch of stuff. I got sorta nervous about the ones that had something to do with the registry and didn't check those to be fixed. I try to steer clear of that part of my computer. Should I have let it fix everything?

I was unable to find anything on this file, README[1].TXT demo.exe or demo.exe, when I did a search for files or folders by this name before I installed the spybot. I didn't see it in the list when I ran spybot either. How do I know for sure it is gone?

mairving's picture

They have: 2,256 posts

Joined: Feb 2001

I have never had a problem with it deleting anything in the registry. If it is a running process, it will require a reboot so that it can load before the program deletes it. Mostly what it picks up on mine is cookies. I have used it to get rid of Gator, Bonzi Buddy, Tool Buddy, Comet Cursor, Xupiter and their ilk.

You should be safe if neither found anything. To be safe, you can try an online virus scan and/or dump your browser cache.

Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states

Busy's picture

He has: 6,151 posts

Joined: May 2001

mairving's Spybot is the same one as I mentioned.

disaster-master, when you run Spybot it will display a list of results, some checked, some unchecked. The unchecked ones are usually OK but you can remove them if you wish. If you remove something and wish you didn't, click on "restore" (icon under search and destroy) and you can restore them. If you have no bad stuff it will say at the very top "congrats no spy stuff found" or something.

I've been using this for a while and haven't had anything to clean in months. I use "cookiewall" as well (which asks me what cookies to accept or deny) so I never get any bad cookies. I also use "startupmonitor", which asks me what files can add themselves to the registry, so nothing installs itself without me knowing.

Now if only this thing would make coffee ....

disaster-master's picture

She has: 2,154 posts

Joined: May 2001

busy, you explained exactly what I saw when I ran the program.

I never did find the "README.TXT demo.exe" file but I did a file files or folders search where you can use the date option and got the most recent which was the exact time that I accessed the site.

There were three files that were there with one copy each in:
C:\WINNT\System32 has two .dll files
C:\Documents and Settings\Sonia\Local Settings\Temp has two .dll files and two .exe files

I also called the people at trinity communications. They said that they had no knowledge of this and would get back with me when they found out what was going on. The guy honestly sounded like he didn't have a clue.

I know you guys think I may be overly cautious with this but I am stumped and don't want this to happen again.

It just seems to me that what ever this download is at trinitycommunications is not coming from their site per se but somehow the beech-info.com is making it do this. Reckon that could be possible?

Sorry for the long post. I am in detective mode. Wink

Mark Hensler's picture

He has: 4,048 posts

Joined: Aug 2000

Do they have ads? Some ads load more than an image. And perhaps there was a malicious ad.

disaster-master's picture

She has: 2,154 posts

Joined: May 2001

No, doesn't look like they do. I even checked their code.

The man emailed me back and said that he didn't see it. I am gonna send him this screenshot.

Oh and it still downloads even though I have unchecked enable install on demand.

Busy's picture

He has: 6,151 posts

Joined: May 2001

disaster-master are you using IE6 ?
if so update your patch/s if not don't worry Wink about this

and as they say, better to be safe than sorry

disaster-master's picture

She has: 2,154 posts

Joined: May 2001

Well crap! Yes, I am using IE6. I didn't think to check other browsers but Opera or Mozilla doesn't download anything. IE6 does.

What this does is it really makes me want to go to IE6 and hit the uninstall button instead of getting another freaking update. Mad

Thanks busy. I will try that.

disaster-master's picture

She has: 2,154 posts

Joined: May 2001

You were right busy. The patch fixed it. I can't believe that I spent hours on end yesterday trying to figure this out and that is all it was.

I still don't understand why/how the file was downloading from one site while I was on another. That one has me stumped.

Thanks for all the help.

Busy's picture

He has: 6,151 posts

Joined: May 2001

The joys of Microsoft Laughing out loud
