Hi, I went to a site and a box popped up asking me to download a version of DirectX to be able to play video on the site. This has happened a few times whilst on other sites, and the box was always the same and looked like an authentic Windows message. So I downloaded the setup file and ran it. Then I realised it was a scam because a box kept popping up from the task bar saying I had a trojan and asking me to buy a spyware blaster thingy. It popped up every 30 seconds; I did a restart but it wouldn't go away. I successfully did a 'system restore' to the previous day and the problem disappeared.

However, every time I click on Explorer 7.0 to bring up the browser for the homepage, my 'BullGuard' antivirus/firewall tells me that "the application (Explorer.exe) has been modified since the last time I allowed it to use the network", adding that it might have been infected by a virus, and asks "do you want to still allow it?" If I click "yes" then everything appears normal after that, until I try to bring up another Explorer window, and then it asks again each time. The firewall doesn't give me the usual option of ticking the box that says "remember my answer & don't ask again", which is strange; it's a different sort of question box, one that's sort of telling you NOT to go ahead, but if I tick "NO" or wait until the firewall timer runs out then the page cannot be displayed, so then I've got no browsing at all!

I've run Spybot and a full virus scan and they found nothing, but I forgot to run them in safe mode. After the system restore, some files were automatically renamed. These were: advpack.dll, url.dll, urlmon.dll, webcheck.dll, winnet.dll, inetcomm.dll (all in C:\WINDOWS\system32). I've checked on a couple of these and they are necessary system files, it seems.
The firewall gives me more information on the 'modifications' that have inadvertently been made to Windows Explorer. It says the following:
APPLICATION: C:\Program Files\Internet Explorer\iexplore.exe
VERSION: 7.00.6000.16544 (vista_gdr.070814-1500)
PROVIDER: Microsoft Corporation
SIZE: 625152 bytes
MD5: 3AC2BC667DA0AF2C968E96E1630F5AB5
MODIFIED: Friday, August 17, 2007 11:21:21
PID: 3424
ETHERNET (IEEE 802.3) HEADER
* DST MAC: 00-0D-66-24-00-A8
* SRC MAC: 00-40-CA-60-85-B2
PROTO: 0x0800
INTERNET PROTOCOL (IP) HEADER
Ver: 4
IHL: 20 bytes
ToS: 0
Packet length: 48 bytes
Packet (unique) ID: 0x021E
Flags: 0x00
Fragment Offset: 2
TTL (Time To Live): 128
PROTO: TCP (Transmission Control Proocol) [6]
Checksum: 0x3A36
* SRC address: *CLASS A* [82.38.124.185]
* DST address: www.trafficswarm.com [66.132.173.16]
TRANSMISSION CONTROL PROTOCOL (TCP) HEADER
* SRC Port: 1066
* DST Port: HTTP [80]
Sequence No: 0x86058F5A
Acknowledgement No: 0x00000000
TCP Data Offset: 0
Flags: SYN
TCP Window (flow) control: 0xFFFF
TCP Checksum: 0xAAD104
Urgent: 0x0000
PACKET DUMP
0000: 00 0D 66 24 00 A8 00 40 CA 60 85 B2 08 00 45 00 ..f$...@.`....E.
0010: 00 30 02 1E 40 00 80 06 3A 36 52 26 7C B9 42 84 .0..@...:6R&|.B.
0020: AD 10 04 2A 00 50 86 05 8F 5A 00 00 00 00 70 02 ...*.P...Z....p.
0030: FF FF AA D1 00 00 02 04 05 B4 01 01 04 02 ..............
Wow! That's beyond me! What do you think has happened? The PC is fine, but I wouldn't like to have a really clever trojan hanging around. Cheers,
Cozzy.
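The part of the alert that is not "beyond" anyone is the PACKET DUMP: it is a raw copy of the frame the firewall intercepted, and the summary lines above it are just the firewall's rendering of those same bytes. The decoder below is an added example (written for this thread, not BullGuard's code and not anything the poster ran) that parses only the bytes printed in the dump, recomputes the IP and TCP checksums from scratch, and walks the TCP option list. What comes out is an ordinary TCP SYN, the first packet of a connection from 82.38.124.185 port 1066 to 66.132.173.16 port 80, with a 1460-byte MSS and SACK permitted, and both checksums verify, so the dump is internally consistent. Two of the firewall's summary fields do not match the bytes: `40 00` at IP offset 6 means Don't Fragment set with fragment offset 0, and `70` in the TCP header is a data offset of 7 words (28 bytes); the bytes are what went on the wire.

```python
import struct

# Constructed input: the PACKET DUMP from the BullGuard alert above, copied
# byte-for-byte with the offset and ASCII columns removed.
PACKET_HEX = (
    "00 0D 66 24 00 A8 00 40 CA 60 85 B2 08 00 45 00 "
    "00 30 02 1E 40 00 80 06 3A 36 52 26 7C B9 42 84 "
    "AD 10 04 2A 00 50 86 05 8F 5A 00 00 00 00 70 02 "
    "FF FF AA D1 00 00 02 04 05 B4 01 01 04 02"
)
PACKET = bytes.fromhex(PACKET_HEX)

TCP_FLAG_NAMES = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
                  (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit big-endian words.
    Returns 0 when run over data that already contains a valid checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(b: bytes) -> str:
    return "-".join("%02X" % x for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _tcp_options(raw: bytes) -> dict:
    """Walk the TCP option list (kind, length, value); EOL and NOP carry no length."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # No-operation padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            opts["SACK_PERMITTED"] = True
        else:
            opts["kind%d" % kind] = body.hex()
        i += length
    return opts


def decode(pkt: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", pkt[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = pkt[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     _tcsum, urgent) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    # The TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac),
        "src_ip": _ipv4(src), "dst_ip": _ipv4(dst),
        "ident": ident, "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
        "window": window, "urgent": urgent,
        "data_offset": data_off,
        "options": _tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    for key, value in decode(PACKET).items():
        print("%-16s %s" % (key, value))
```

A SYN carries no payload, so this packet by itself says nothing about what the browser intended to send; it only shows that iexplore.exe opened a connection to www.trafficswarm.com on port 80. Whether the executable itself is the genuine one is a separate question that the packet cannot answer; the firewall prompt is driven by the file's hash having changed since it was last allowed, and that is settled by comparing the file against a known-good copy or checking its digital signature, not by reading the dump.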