- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
Is that not the same as the link you posted above, as i pasted it in there. 
Comodo users in here
- Thread starter LoadsaMoney
- Start date
Untill you sort this out dont use IE.LoadsaMoney said:Yeah ive virus scanned, ive used Adware SE, ran em in windows, safe mode, all updated, and nothing comes up, so thats the only place i can think off thats doing it, as i only clicked on these thumbnails about a week ago, then i got me login prob few days later, so formatted and that as said, was fine, then i forgot and clicked on em again, now login probs back.
Something is deleting or changing cookies to make you re enter usernames & passwords of sites your a member of it may even be collecting them every time you type them in.
Soldato
- Joined
- 7 Mar 2005
- Posts
- 19,653
- Location
- LU7
My original link was to the main site, this new one is to the /en version, so meh!LoadsaMoney said:Is that not the same as the link you posted above, as i pasted it in there.
- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
Yeah im not usiing IE at the moment im using Firefox2. 
- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
MarcLister said:My original link was to the main site, this new one is to the /en version, so meh!
so has it been analyzed already, and thats why its got the big green tick saying safe.
- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
Right ive just been asked to let that checkdisk.exe thing use the net again, so this time i just clicked allow so i could see what it was, and it loaded up some like shopping search page with loads of categories on the left and that, so there is summit in there, and its called chdsk.exe i think can't remember.
Last edited:
- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
Yeah i know checkdisk is safe, its somehting called that i think, i can't remember now, was something like chdsk.exe or summit, then wehn i allowed it access this time, i got this big shopping search page fill my screen, so i had to task manager to close it down again, im doing a search at the mo for it on my drives, adn i just can't find the bugger, thought if i could find it i could try deleting it, but i spose ill ahve to wait till it pops up again on Comodo asking for access so i can deffo see what its actually called.
- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
Yeah i have, but there is something definately on here, as when i let Comodo allow whatever it is that keeps asking, i keep getting a big shopping search page open up, like a search directory page.
i never ticked dont ask me again so it will pop up again asking, so im gona write it down this time, then do a search and see if i can just delete it.
Now i do suspect its coming from that site i wa trying to view the thumbnails from, as it wasn't long after i tried to open em that i got this happening, then after a format and reinstall it was working fine again, then i tried some more of them thumbnails again as i forgot, and lo and behold my login prob and me chd.exe or whatever it is is asking again, and when i restart ive got to keep logging in everywhere again, so i think its those popup windows that keep trying to open when im trying to view them thumbnails as bigger pics.
i never ticked dont ask me again so it will pop up again asking, so im gona write it down this time, then do a search and see if i can just delete it.
Now i do suspect its coming from that site i wa trying to view the thumbnails from, as it wasn't long after i tried to open em that i got this happening, then after a format and reinstall it was working fine again, then i tried some more of them thumbnails again as i forgot, and lo and behold my login prob and me chd.exe or whatever it is is asking again, and when i restart ive got to keep logging in everywhere again, so i think its those popup windows that keep trying to open when im trying to view them thumbnails as bigger pics.
Last edited:
I went to the bath room & while i took care of matters the comments about thumbnail picture came back & i remembered reading about infected jpg...ect did a quick google for chkdsk.exe which is another safe file but look like what i found
http://www.f-secure.com/v-descs/fagot.shtml
Fagot worm works by sending messages via IRC chat, trying to get people to click on a web link, which would download "britney.jpg" from www.angelfire.com.
The britney.jpg file isn't actually a picture, but a html page that contains a script code. When the page is is opened with Internet Explorer, the script is executed. The first part of the script contain Visual Basic Script code that uses an exploit to replace the Windows Media Player with a file ("patch.exe") that is downloaded from another web location. Next the second part (written with JavaScript) of the script is executed, causing the replaced medial player to execute after five seconds.
The "patch.exe" file was taken offline already by the time we got reports on this worm on Sunday the 26th of October, therefore the worm doesn't work any more.
Worm's executable component
The PATCH.EXE file is the worm's component responsible for killing anti-virus and security software tasks and for sending links to the infected HTML file to IRC networks.
The file is a Windows PE executable compressed with UPX file compressor. The packed size is 156 kilybytes, the unpacked size is about 382 kilobytes.
When the PATCH.EXE file is run, it does the following:
* Kills processes with the following names:
Ad-watch.exe
regedit.exe
taskmgr.exe
* Copies the worm's file to Windows System folder with the following name:
C:\Windows\system32\userinit32.exe
* Creates a startup key for the copied file in System Registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "C:\Windows\system32\userinit32.exe"
* Copies the worm's file to Windows System folder with the following name:
C:\Windows\system32\dllhost32.exe
* Creates a startup key for the copied file in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost32" = "C:\Windows\system32\dllhost32.exe"
* Kills the following processes:
FSGK32.EXE
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
FWENC.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
NAV Auto-Protect
NAVAPSVC.EXE
NMAIN.EXE
NORMIST.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NPSSVC.EXE
NSCHED32.EXE
NTVDM.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZAUINST.EXE
ZONALM2601.EXE
ZONEALARM.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ccEvtMgr.exe
ccSetMgr.exe
FSAV32.exe
FSMA32.exe
FSMB32.exe
FSSM32.exe
AVNT.exe
AVP.exe
BLACKICE.exe
FPROT.exe
FP-WIN.exe
N32SCANW.EXE
NAVAPW32.EXE
PAVCL.EXE
PAVSCHED.EXE
WFINDV32.EXE
NAVW32.EXE
BlackICE.exe
* Changes the startup page of Internet Explorer to:
www.blacksnake.com
* Changes default Windows logon names to:
COCK_SUCKING_FAGGOT
* Deletes the following files if they are present:
C:\windows\regedit.exe
C:\windows\cmd.exe
C:\windows\system32\taskman.exe
C:\windows\system32\taskmgr.exe
C:\windows\system32\regedt32.exe
C:\windows\system32\regsvr32.exe
C:\windows\TASKMAN.exe
C:\windows\system32\autochk.exe
C:\windows\system32\chkntfs.exe
C:\windows\system32\chkdsk.exe
C:\windows\system32\shutdown.exe
C:\windows\NOTEPAD.exe
C:\WINDOWS\system32\userinit.exe
C:\windows\system32\progman.exe
C:\windows\regedit.exe
C:\windows\cmd.exe
C:\windows\system32\taskman.exe
C:\windows\system32\taskmgr.exe
C:\windows\system32\regedt32.exe
C:\windows\system32\regsvr32.exe
C:\windows\TASKMAN.exe
C:\windows\system32\autochk.exe
C:\windows\system32\chkntfs.exe
C:\windows\system32\chkdsk.exe
C:\windows\system32\shutdown.exe
C:\windows\NOTEPAD.exe
C:\WINDOWS\system32\userinit.exe
C:\windows\system32\progman.exe
C:\windows\system32\ntoskrnl.exe
C:\windows\system32\ntkrnlpa.exe
C:\windows\system32\alg.exe
C:\windows\system32\bootok.exe
C:\windows\system32\chcp.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\dumprep.exe
C:\windows\system32\recover.exe
C:\windows\system32\imapi.exe
C:\windows\system32\logon.exe
C:\windows\system32\MDM.exe
C:\windows\system32\services.exe
C:\windows\system32\systray.exe
C:\windows\system32\win.exe
C:\windows\system32\wowexec.exe
C:\windows\system32\wuauclt.exe
* Copies itself with different names:
C:\windows\NOTEPAD.exe
C:\WINDOWS\system32\userinit.exe
C:\windows\system32\progman.exe
C:\windows\regedit.exe
C:\windows\system32\ntoskrnl.exe
C:\windows\system32\autochk.exe
C:\windows\system32\chkntfs.exe
C:\windows\system32\shutdown.exe
C:\windows\system32\ntkrnlpa.exe
C:\windows\system32\alg.exe
C:\windows\system32\bootok.exe
C:\windows\system32\chcp.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\dumprep.exe
C:\windows\system32\imapi.exe
C:\windows\system32\logon.exe
C:\windows\system32\MDM.exe
C:\windows\system32\recover.exe
C:\windows\system32\services.exe
C:\windows\system32\systray.exe
C:\windows\system32\win.exe
C:\windows\system32\wowexec.exe
C:\windows\system32\wuauclt.exe
* Deletes the following Registry tree branches:
HKCR\
HKLM\HARDWARE
HKLM\SAM
HKLM\SECURITY
HKLM\SOFTWARE
HKLM\SYSTEM
HKCC\Software
HKCC\System
HKCU\Software\Microsoft\Internet Explorer\Desktop\SafeMode
HKCU\Printers
HKCU\SessionInformation
HKLM\SYSTEM\ControlSet001\Control\SafeBoot
HKLM\SYSTEM\\ControlSet003\\Control\\SafeBoot
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
HKLM\SYSTEM\MountedDevices
HKLM\SYSTEM\LastKnownGoodRecovery
HKLM\SYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System
HKLM\SYSTEM\ControlSet001\Control\Biosinfo
* Shows a fake error messagebox:
Error
Error in memory block: #A5487F.
* Periodically sends the following message through mIRC chat client:
http://www.angelfire.com/celeb2/picsx/britney.jpg <- uuh, check it out !!
DONT CHECK IT OUT IF I WAS YOU
The above changes usually severely damage Windows operating system and it has to be reinstalled.
Back to the Top
Detection
Detection in F-Secure Anti-Virus is in October 27th, 2003 update:
[FSAV_Database_Version]
Version=2003-10-27_01
http://www.f-secure.com/v-descs/fagot.shtml
Fagot worm works by sending messages via IRC chat, trying to get people to click on a web link, which would download "britney.jpg" from www.angelfire.com.
The britney.jpg file isn't actually a picture, but a html page that contains a script code. When the page is is opened with Internet Explorer, the script is executed. The first part of the script contain Visual Basic Script code that uses an exploit to replace the Windows Media Player with a file ("patch.exe") that is downloaded from another web location. Next the second part (written with JavaScript) of the script is executed, causing the replaced medial player to execute after five seconds.
The "patch.exe" file was taken offline already by the time we got reports on this worm on Sunday the 26th of October, therefore the worm doesn't work any more.
Worm's executable component
The PATCH.EXE file is the worm's component responsible for killing anti-virus and security software tasks and for sending links to the infected HTML file to IRC networks.
The file is a Windows PE executable compressed with UPX file compressor. The packed size is 156 kilybytes, the unpacked size is about 382 kilobytes.
When the PATCH.EXE file is run, it does the following:
* Kills processes with the following names:
Ad-watch.exe
regedit.exe
taskmgr.exe
* Copies the worm's file to Windows System folder with the following name:
C:\Windows\system32\userinit32.exe
* Creates a startup key for the copied file in System Registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "C:\Windows\system32\userinit32.exe"
* Copies the worm's file to Windows System folder with the following name:
C:\Windows\system32\dllhost32.exe
* Creates a startup key for the copied file in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost32" = "C:\Windows\system32\dllhost32.exe"
* Kills the following processes:
FSGK32.EXE
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
FWENC.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
NAV Auto-Protect
NAVAPSVC.EXE
NMAIN.EXE
NORMIST.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NPSSVC.EXE
NSCHED32.EXE
NTVDM.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZAUINST.EXE
ZONALM2601.EXE
ZONEALARM.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ccEvtMgr.exe
ccSetMgr.exe
FSAV32.exe
FSMA32.exe
FSMB32.exe
FSSM32.exe
AVNT.exe
AVP.exe
BLACKICE.exe
FPROT.exe
FP-WIN.exe
N32SCANW.EXE
NAVAPW32.EXE
PAVCL.EXE
PAVSCHED.EXE
WFINDV32.EXE
NAVW32.EXE
BlackICE.exe
* Changes the startup page of Internet Explorer to:
www.blacksnake.com
* Changes default Windows logon names to:
COCK_SUCKING_FAGGOT
* Deletes the following files if they are present:
C:\windows\regedit.exe
C:\windows\cmd.exe
C:\windows\system32\taskman.exe
C:\windows\system32\taskmgr.exe
C:\windows\system32\regedt32.exe
C:\windows\system32\regsvr32.exe
C:\windows\TASKMAN.exe
C:\windows\system32\autochk.exe
C:\windows\system32\chkntfs.exe
C:\windows\system32\chkdsk.exe
C:\windows\system32\shutdown.exe
C:\windows\NOTEPAD.exe
C:\WINDOWS\system32\userinit.exe
C:\windows\system32\progman.exe
C:\windows\regedit.exe
C:\windows\cmd.exe
C:\windows\system32\taskman.exe
C:\windows\system32\taskmgr.exe
C:\windows\system32\regedt32.exe
C:\windows\system32\regsvr32.exe
C:\windows\TASKMAN.exe
C:\windows\system32\autochk.exe
C:\windows\system32\chkntfs.exe
C:\windows\system32\chkdsk.exe
C:\windows\system32\shutdown.exe
C:\windows\NOTEPAD.exe
C:\WINDOWS\system32\userinit.exe
C:\windows\system32\progman.exe
C:\windows\system32\ntoskrnl.exe
C:\windows\system32\ntkrnlpa.exe
C:\windows\system32\alg.exe
C:\windows\system32\bootok.exe
C:\windows\system32\chcp.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\dumprep.exe
C:\windows\system32\recover.exe
C:\windows\system32\imapi.exe
C:\windows\system32\logon.exe
C:\windows\system32\MDM.exe
C:\windows\system32\services.exe
C:\windows\system32\systray.exe
C:\windows\system32\win.exe
C:\windows\system32\wowexec.exe
C:\windows\system32\wuauclt.exe
* Copies itself with different names:
C:\windows\NOTEPAD.exe
C:\WINDOWS\system32\userinit.exe
C:\windows\system32\progman.exe
C:\windows\regedit.exe
C:\windows\system32\ntoskrnl.exe
C:\windows\system32\autochk.exe
C:\windows\system32\chkntfs.exe
C:\windows\system32\shutdown.exe
C:\windows\system32\ntkrnlpa.exe
C:\windows\system32\alg.exe
C:\windows\system32\bootok.exe
C:\windows\system32\chcp.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\dumprep.exe
C:\windows\system32\imapi.exe
C:\windows\system32\logon.exe
C:\windows\system32\MDM.exe
C:\windows\system32\recover.exe
C:\windows\system32\services.exe
C:\windows\system32\systray.exe
C:\windows\system32\win.exe
C:\windows\system32\wowexec.exe
C:\windows\system32\wuauclt.exe
* Deletes the following Registry tree branches:
HKCR\
HKLM\HARDWARE
HKLM\SAM
HKLM\SECURITY
HKLM\SOFTWARE
HKLM\SYSTEM
HKCC\Software
HKCC\System
HKCU\Software\Microsoft\Internet Explorer\Desktop\SafeMode
HKCU\Printers
HKCU\SessionInformation
HKLM\SYSTEM\ControlSet001\Control\SafeBoot
HKLM\SYSTEM\\ControlSet003\\Control\\SafeBoot
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
HKLM\SYSTEM\MountedDevices
HKLM\SYSTEM\LastKnownGoodRecovery
HKLM\SYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System
HKLM\SYSTEM\ControlSet001\Control\Biosinfo
* Shows a fake error messagebox:
Error
Error in memory block: #A5487F.
* Periodically sends the following message through mIRC chat client:
http://www.angelfire.com/celeb2/picsx/britney.jpg <- uuh, check it out !!
DONT CHECK IT OUT IF I WAS YOU
The above changes usually severely damage Windows operating system and it has to be reinstalled.
Back to the Top
Detection
Detection in F-Secure Anti-Virus is in October 27th, 2003 update:
[FSAV_Database_Version]
Version=2003-10-27_01
Last edited:
- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
Hmm so it could be those thumbnails then, strange as they aint britney or nowt, but that link there you gave says summit about the page i was looking for has packed its bags and gone, and is now like directory page, and thats sort of like the directory page im getting, but its called shopping and has different categories down the left, and opens full screen.
Ive never had any of that stuff going on above, least i don't think anyway.
Thanks for that.
so it could be in one of those thumbnails ive been clicking on, like i suspected.
Spose i better do another format/reinstall and remember those thumbs.
Ive never had any of that stuff going on above, least i don't think anyway.
Thanks for that.
so it could be in one of those thumbnails ive been clicking on, like i suspected.
Spose i better do another format/reinstall and remember those thumbs.
Last edited:
I will be doing a reinstall myself tonight as all the overclocking attemps have taken its thole on the OS.
Oh you may already know this but after you have done the activation over the phone you can then do another unspecified amount of reinstalls and activate over the net again.
Oh you may already know this but after you have done the activation over the phone you can then do another unspecified amount of reinstalls and activate over the net again.
- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
Final8y said:
Ahh cool thanks for that aswell, i must remember 'NOT THOSE THUMBS'.
Thanks again.
- Joined
- 8 Jul 2003
- Posts
- 30,063
- Location
- In a house
Well thats me done, tried a couple of restarts and im still logged in, mind you ive only tried here for now, but it must have been something as that chkdsk.exe or whatever it was (i do suspect it was that) was openening one of them stupid search directory pages when i allowed it access, so there was definately something in there.
I just wonder why nothing picked it up, no virus scan, no adware etc... scan, nothing.
I just wonder why nothing picked it up, no virus scan, no adware etc... scan, nothing.