This would be the newest version of LOP, a nice piece of spyware that present Spybot S&D signature files don't recognize. You probably got it (like a few others at my workplace) by installing Messenger Plus! 3 and agreeing to the EULA that it presents. Here's a hint -- that EULA isn't for Messenger Plus!, but rather for C2Media's "sponsor program". As soon as I'm done with the draft of a quick dissection I completed earlier this afternoon, I'll post it in reply to this thread.
On Wed, 29 Sep 2004 10:39:31 -0700 (PDT), Harlan Carvey <[EMAIL PROTECTED]> wrote:
> Wow. English aside, I have no idea where to start...there are so many
> questions that need to be asked for clarification on this that I don't
> know whether to sh*t or go blind!
>
> > I found something VERY VERY STRANGE on my computer last evening...
>
> Yeah, so did I...the user! ;-)
>
> Okay, here's an excerpt from the email...
>
> > While writing these lines I found two more shit directories :'(
> >
> > C:\PROGRA~1\Corn Internet Soft
> >
> > Filename                Size    CRC-32
> > C5EDFC35                1060    92EE5B2C  [set as system files]
> > cemaylou.exe            272966  70370FFB  (other names it has taken: nxkkxpjy.exe, greyend.exe, metapoll.exe)
> > HOLE NAME.exe           240663  A2325E7C
> > logduperoad.exe         9970    25C7A91D
> > seek barb regs win.exe  47616   D41BE72E  (other name it has taken: batbodypokeextra.exe)
> >
> > C:\PROGRA~1\upload admin bind
> >
> > Filename         Size   CRC-32
> > DELETE PLAY.exe  15526  95665A33
> >
> > And I'm unable to delete any of these files!! They are not displayed in
> > taskmgr, and:
> >
> > --
> > PsKill v1.03 - local and remote process killer
> > Copyright (C) 2000 Mark Russinovich
> > http://www.sysinternals.com
> >
> > Unable to kill process cemaylou.exe:
> > Process does not exist.
> > --
>
> Okay, so you found cemaylou.exe in a directory...what made you think that
> it was a process? Just b/c you can't delete them, what makes you think
> that they *would* appear in TaskManager?
>
> > I've tried to sniff all these exe names using tools from SysInternals
> > but I can't find any of these o_o !!
>
> Are you referring to FileMon and RegMon? Again...just b/c you can't
> delete the files, why do you think they are running?
>
> > What the hell is going on on my computer?? Is Big Brother watching me? =)
>
> Yes, I am. Feel free to disconnect the power to your computer, disconnect
> all other cables, and throw the system in the trash. After watching you
> for a while, I've had enough fun...that thing you did the other night was
> funnier than "America's Funniest Home Videos" and "COPs" put together.
>
> > Thank you very much indeed for your help.. and sorry for my really bad
> > English.
>
> It isn't your English that's the problem, dude...it's all the Jolt cola
> you've been drinking, and that other thing you did that time in that
> place...
>
> =====
> ------------------------------------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
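The file list quoted above gives a size and a CRC-32 for each file and notes that one of them keeps turning up under different names (cemaylou.exe as nxkkxpjy.exe, greyend.exe, metapoll.exe). The practical consequence is that a triage scan should match on content, not on filename. The following script is an added example written for this page; it is not code from the thread or from any of the posters. It assumes the posted CRC-32 values are the ordinary CRC-32 that zlib and most archivers compute (the post does not say which tool produced them), and the directory and files built in demo() are constructed sample data standing in for the real ones.

```python
"""Hash-based triage for a posted (filename, size, CRC-32) list.

Added example, not from the thread. Matching on (size, CRC-32) instead of
filename finds the same bytes under any name, which is what the renaming
described in the post calls for. The CRC-32 values in POSTED_IOCS are the
ones quoted in the thread; everything built in demo() is constructed.
"""
import os
import tempfile
import zlib
from pathlib import Path

# Indicators exactly as posted: (filename, size in bytes, CRC-32 as hex).
# Assumption: these are standard CRC-32 (IEEE 802.3 polynomial, as in zlib).
POSTED_IOCS = [
    ("C5EDFC35", 1060, "92EE5B2C"),
    ("cemaylou.exe", 272966, "70370FFB"),
    ("HOLE NAME.exe", 240663, "A2325E7C"),
    ("logduperoad.exe", 9970, "25C7A91D"),
    ("seek barb regs win.exe", 47616, "D41BE72E"),
    ("DELETE PLAY.exe", 15526, "95665A33"),
]


def crc32_hex(data: bytes) -> str:
    """CRC-32 of data in the 8-digit uppercase hex form used in the post."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def fingerprint(path: Path) -> tuple:
    """Return (size, CRC-32 hex) of a file, read in chunks."""
    crc = 0
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return size, f"{crc & 0xFFFFFFFF:08X}"


def index_iocs(iocs):
    """Key the indicator list by (size, CRC-32) so the filename is irrelevant."""
    return {(size, crc.upper()): name for name, size, crc in iocs}


def scan(root, iocs):
    """Walk root and return sorted [(path_found, posted_name)] for content matches.

    A hit means the file's bytes match a posted indicator regardless of the
    name it currently carries. Files that cannot be read (locked, no access)
    are skipped rather than aborting the scan; a real run should log those,
    since an unreadable file in a suspect directory is itself worth a look.
    """
    by_hash = index_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            try:
                fp = fingerprint(p)
            except OSError:
                continue
            if fp in by_hash:
                hits.append((str(p), by_hash[fp]))
    return sorted(hits)


def demo():
    """Constructed sample: a renamed copy of a 'known' file plus a benign file.

    Returns [(name_on_disk, posted_name)] so the renaming is visible.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in content; the real cemaylou.exe is not reproduced.
        bad = b"constructed sample content standing in for cemaylou.exe\n"
        (root / "Corn Internet Soft").mkdir()
        (root / "Corn Internet Soft" / "nxkkxpjy.exe").write_bytes(bad)
        (root / "readme.txt").write_bytes(b"benign file\n")
        # Constructed IOC entry: the sample's own fingerprint under the name
        # the post gave the file.
        iocs = [("cemaylou.exe", len(bad), crc32_hex(bad))]
        return [(Path(p).name, name) for p, name in scan(root, iocs)]


if __name__ == "__main__":
    print(demo())  # [('nxkkxpjy.exe', 'cemaylou.exe')]
```

To use it against a real box, call scan() with the suspect Program Files directory and POSTED_IOCS; a hit under an unfamiliar name is the renaming the poster described, and a file that raises OSError during fingerprinting is one to examine for a handle held open by another process rather than assume it is running on its own.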
