Dodgy Limewire

[yumyumcookie]

Hi,

 

I got home several days ago to find a note on my desk from my girlfriend saying she found stuff on my limewire that made her physically ill, i asked her what it was she found and she said 63 dodgy porn videos. The problem is, i havn't used limewire in months, even years, and all i ever did use it for was mp3 downloads for the first couple of days as i found it quite a good tool before all the viruses i found come with it, so my question is, how did these videos get there? I couldnt check when they were downloaded as they were deleted as she said she was in such shock tht she got rid of them.

 

I asked my friend if he knew anything about these videos as this was a serious issue and it was him who downloaded limewire on my pc to begin with and has also used my pc many many times. He told me that he did download a porno as a joke a long time ago as he knew my family used it so was playing a practical joke but after a couple of days realised i hadnt noticed (as i never use the bloody program) so he deleted it.

 

IS there a link between any of this tht could of happened by downloading previous stuff on limewire or anything at all that could of done this?

 

Im not sure if this is worth notting but i have also have a trojan on my computer at current but havn't got round to formatting my pc yet so not sure if that has anything to do with it.

[maynardvdm]

Hi

 

I am sure our malware expert can help you, but first it will be a good idea to get rid of limewire for good.

 

Go to Add/Remove Programs and remove it from there.

 

After that you will recieve further instructions on removing any malware it has caused.

[yumyumcookie]

i will do but that really doesn't help my initial reason of how they got there, could it be linked to a virus or a link tht came from other downloads i used it for?

[yumyumcookie]

also after i hve removed what should i do next?

[Starbuck]

Hi yumyumcookie,

 

I've never heard of Limewire downloading things by it'self. Neither have i heard of a trojan downloading from Limewire on it's own before.

Malware doesn't normally give you something for free, it's normally there to take something from you.

It's common for some malware to give you popups to porn sites and try to get you to click on these links.

This is a puzzling situation.

If you want me to check your system for malware, i'd be happy to.

Just follow the steps below and let me have the reports:

 

Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.

 

• Make sure you are connected to the Internet.
  
• Double-click on Download_mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
    

   

  [*]Then click Finish.

  [*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

  [*]On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
    
  • Then click on the Scan button.
    

   

  [*]If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

  [*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

  [*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

  [*]Click OK to close the message box and continue with the removal process.

  [*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

  [*]Make sure that everything is checked, and click Remove Selected.

  [*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

  [*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

  [*]Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

 

Step 2

 

• Download OTL to your desktop.
  if you have problems, try this download link:
  OTL
  
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Check the boxes beside LOP Check and Purity Check
  

.

 

.

http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png

 

• Now copy the lines in the codebox below.
  

  netsvcs
  msconfig
  %SYSTEMDRIVE%\*.exe
  /md5start
  eventlog.dll
  scecli.dll
  netlogon.dll
  cngaudit.dll
  sceclt.dll
  ntelogon.dll
  logevent.dll
  iaStor.sys
  nvstor.sys
  atapi.sys
  IdeChnDr.sys
  viasraid.sys
  AGP440.sys
  vaxscsi.sys
  nvatabus.sys
  viamraid.sys
  nvata.sys
  nvgts.sys
  iastorv.sys
  ViPrt.sys
  eNetHook.dll
  ahcix86.sys
  KR10N.sys
  nvstor32.sys
  ahcix86s.sys
  nvrd32.sys
  symmpi.sys
  adp3132.sys
  /md5stop
  %systemroot%\*. /mp /s
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  CREATERESTOREPOINT
  

  
  

• right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
   
  http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
  .
  
• Click the Run Scan button.
   
  http://img.photobucket.com/albums/v708/starbuck50/runscan.png
  
• Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
  

 

 

In your next reply, please submit:

MBAM scan report

Both reports from OTL

 

 

Thanks.

[Tootech]

My money would be on another user able to access the computer - Limewire doesn't have a mind of its own!!

 

Just as an aside......

 

One of my customers once had a similar problem, loads of spyware turned up on his PC. It was my job to remove it, curious I looked through his browser history to find one Friday night there had been some prolific adult surfing. That was of course the source of the spyware.

 

I was asked by my customer how the spyware had found its way onto the PC. I was a little confused and mentioned the date/time stamps of the surfing history.

 

Turned out his work colleague has been over to 'check the business email' while he was away :)

 

Moral of the story.....I treat my PC like my bank account - locked down and secure (but not full) :-)

[Match]

It may also pay to check that nothing or no one has enabled your remote desktop

 

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/rdesktop_disable.mspx?mfr=true

 

I treat my PC like my bank account - locked down and secure (but not full) :-)

 

I've given up trying to 'own' my own bank account, lol married :)

[yumyumcookie]

Iv'e just checked that and its showing a tick next to allow remote access, what does this mean then? (without stating the obvious)

[RandyL]

Taken from Windows Help and Support.

 

When you enable Windows Remote Assistance:

• <LI class=listItem>You can get help using Windows Remote Assistance.
  
• Windows Remote Assistance is allowed through Windows Firewall so that it can communicate with your helper's computer.
  

When you add a program to the list of allowed programs in a firewall, or when you open a firewall port, you allow a particular program to send information to or from your computer through the firewall. Allowing a program to communicate through a firewall (sometimes called unblocking) is like punching a hole in the firewall.

 

Each time you open a port or allow a program to communicate through a firewall, your computer becomes a bit less secure. The more allowed programs or open ports your firewall has, the more opportunities there are for hackers or malicious software to use one of those openings to spread a worm, access your files, or use your computer to spread malicious software to others.

 

It's generally safer to add a program to the list of allowed programs than to open a port. If you open a port, it stays open until you close it, whether or not a program is using it. If you add a program to the list of allowed programs, the "hole" is open only when needed for a particular communication.

 

To help decrease your security risk:

• <LI class=listItem>Only allow a program or open a port when you really need to, and remove programs from the list of allowed programs or close ports that you no longer need.
  
• Never allow a program that you don't recognize to communicate through the firewall.
  

[Match]

OK lets not get the two mixed up,

 

Remote Assistance works through Windows Live Messenger and allows you to request another computer to log into your computer, Dell has been getting some Bad publicity over using this for support, the idea being that by requesting me to log in to your computer using remote assistance I could for example set up your email account for you.

 

Remote Desktop is designed so that anyone with the right IP address and Password could log in to your computer and use it as though they are sitting in front of it, If wake on lan is enabled in the Bios you can even turn it on from sleep mode. useful if you don't fancy going to the office or you forgot to email that report that you prepared last night.

 

BUT, I have also come across a couple of versions of windows Vista that people have Downloaded that set this up automatically when installed and send the Details to a web site !!!!

 

SO it is quite possible for a virus to also do this in my opinion

 

Windows XP: Get Started Using Remote Desktop

 

Using Remote Assistance to Get Help When You Need It

[yumyumcookie]

Just tried following the link the the walfare software but it doesnt seem to be working for me, keeps saying page cannot be displayed

[Starbuck]

To be honest, i think we can forget about all the possible Remote Assistance and Remote Desktop theories.

I just can't see this being the cause in your case.

To go through all the trouble to access your system, download something from limewire and then just leave it on your system!! no, it doesn't add up.

Someone that has access to your system has done this, so they can watch the porn .... and then has just left it there. ( probably so they could return and watch it again)

 

Follow the steps in post #5 and i'll take a look and make sure nothing bad is on the system and also make sure any p2p programs are nuked.