My computer became infected today with some sort of advertising trojan, as far as I can figure it out.
I was browsing the common websites I do every day (Message board forums such as this one), all of which I have been going to for years, whenever I encountered an annoying banner and pop-up window as one of the Ads. It seemed to freeze up the browser to where I had to End-task to get out of it.
A few minutes later, I noticed my internet connection had an odd lag to it.
I did netstat first, and noticed a bunch of outgoing connections. Uh oh, bad sign there.
Next I brought up the task manager list and noticed approximately 10 new programs all running simultaneously.
One of them even turned out to be a key logger which was recording my every keystroke into a file, which was disturbing. To make a long story short, I browsed through the registry and removed every last one of them and their remnants. Had to clean out my IE toolbar tabs, delete around 20 different .exe files it had placed on my machine, and remove the multitude of start-up entries it had placed in the registry.
It was quite annoying, but no irreversible damage done.. this time.
What I'd like to know is how on earth they got onto my machine in the first place though, so that this never will happen again to me.
I'm running Win98SE, with the latest version of IE6.0. Both are fully patched from Windows Update also.
Could it be that they were put onto my machine by some new security hole discovered in IE6.0 that isn't known yet? That's all I can think of.
I've looked for information regarding this trojan, and I've found what seems to be a match called the "Peper Trojan". This was reportedly distributed with a bundled software package called Memory Watcher though - not something that is being massively spread over the internet through IE holes. And as you probably guessed, I've never used or even heard of that software until today.
If anyone can help me identify what this trojan I have is called, if it is known, and hopefully ways to prevent myself from contracting it again, I would be very grateful.
These are the process names and filenames I found running shortly after the trojan installed itself on my machine:
ClockSync
C:\Program Files\ClockSync\Sync.exe /q
Jn.exe
C:\WINDOWS\TEMP\JN.exe
C:\Windows\system\VmvDwc.exe
ClrSchLoader
\Program Files\ClearSearch\Loader.exe
AutoLoader
AproprosClient
C:\MAY17_LOADER.exe
Bakra
C:\Windows\System\IEHost.exe
Dsi
C:\Windows\System\DP-HIM.exe
rundll32.exe C:\windows\system\STLBDIST.DLL
WhenUSave
C:\program files\save\save.exe
RunWindowsUpdate
C:\Windows\uptodate.exe
WhenUSearch
C:\Program Files\WhenUSearch\Search.exe
Various browsing around in the files got me: "wowex32" "whenu.com", and these two filenames which I am guessing the source of the trojans is from:
http://download.statblaster.com/updatestats/all_files9.exe
http://download.statblaster.com/updatestats/MemoryWatcher_b.exe
As well as this, which I discovered in an XML file on my machine. I don't know what the particular encryption technique is below in order to decode it:
<toolbar width="200">
<item type="SearchComboBox" width="150" url="http://www.quickcrawler.com/results.php?dst=DIST1&keywords=%text%" text="Enter the search term"/>
<item type="SearchComboButton"
text="Go"
tooltip="Search the web"
normal="Qk3mBAAAAAAAADYAAAAoAAAAFAAAABQAAAABABgAAAAAALAEAAAAAAAAAAAAAAAAAAAAAAAA1+vu..."
hot="Qk3mBAAAAAAAADYAAAAoAAAAFAAAABQAAAABABgAAAAAALAEAAAAAAAAAAAAAAAAAAAAAAAA5Ozt..."/>
</toolbar>
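The normal= and hot= attributes in the toolbar XML above are not encrypted: "Qk3m" is the base64 encoding of the bytes "BM" that open a Windows bitmap, so the blobs are button images. As an added example (not from the original post), this Python decodes the header prefix quoted above and reads the BMP header fields, which is a quick way to confirm what an opaque attribute in a dropped config really holds; the blob is cut off on the page, so only its header is decoded, and a constructed full image is included for comparison.

```python
import base64
import struct

# Header prefix of the normal= attribute quoted in the post (the rest of the
# blob was cut off on the page, so only the header can be decoded here).
NORMAL_PREFIX = "Qk3mBAAAAAAAADYAAAAoAAAAFAAAABQAAAABABgAAAAAALAEAAAAAAAAAAAAAAAAAAAAAAAA1+vu"


def parse_bmp_header(blob: bytes) -> dict:
    """Read the BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes)."""
    if len(blob) < 42 or blob[:2] != b"BM":
        raise ValueError("not a BMP: missing 'BM' magic or header too short")
    file_size, pixel_offset = struct.unpack_from("<I4xI", blob, 2)
    _, width, height, _, bpp, compression, image_size = struct.unpack_from("<IiiHHII", blob, 14)
    row_stride = (width * bpp // 8 + 3) // 4 * 4  # pixel rows are padded to 4 bytes
    return {
        "file_size": file_size, "pixel_offset": pixel_offset,
        "width": width, "height": abs(height), "bpp": bpp,
        "compression": compression, "image_size": image_size,
        # A declared size that does not match the geometry deserves a closer look.
        "size_consistent": pixel_offset + row_stride * abs(height) == file_size,
    }


def decode_toolbar_image(attr_value: str) -> dict:
    """Base64-decode a toolbar image attribute and describe what it holds."""
    attr_value = attr_value.strip()
    attr_value = attr_value[: len(attr_value) - len(attr_value) % 4]  # drop a cut-off group
    raw = base64.b64decode(attr_value)
    info = parse_bmp_header(raw)
    info["decoded_bytes"] = len(raw)
    info["truncated"] = len(raw) < info["file_size"]
    return info


def constructed_attr(width: int, height: int) -> str:
    """Constructed fixture: a solid red 24-bit BMP encoded the way the attribute is."""
    row = (b"\x00\x00\xff" * width).ljust((width * 3 + 3) // 4 * 4, b"\x00")
    pixels = row * height
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    return base64.b64encode(file_hdr + info + pixels).decode("ascii")


if __name__ == "__main__":
    for key, value in decode_toolbar_image(NORMAL_PREFIX).items():
        print(f"{key}: {value}")
```

Run against the quoted prefix it reports a 20x20, 24-bit image with a declared size of 1254 bytes (54-byte header plus 20 rows of 60 bytes), consistent with a small toolbar button rather than any kind of cipher text.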

You do not indicate that you have a firewall. If you don't, that is probably 90% of your problem:
Sygate firewall:
http://smb.sygate.com/products/spf_standard.htm
I use it, it is free, simple, and effective, I run it on "Normal".
Okay, so, whatever it is, let's just get rid of it. Use these, run the scans from safe mode:
Trojan Hunter trial version:
http://www.misec.net/
Trojan Scan:
http://www.windowsecurity.com/trojanscan/
Remove it (them) with this:
SWATIT:
http://swatit.org/download.html
Are you running either Spybot or Adaware? If no to either, run them both, from Safe Mode for this situation; update and run them at no more than a three (3) day interval (once a week at most). These are the settings I use:
(I use and recommend a two minute shut down, it is optional of course)
Spybot:
Download and Read the SpyBot tutorial here:
http://s89223352.onlinehome.us/mirror/spybot/index1.php
Download it, Unzip the program, and immediately check for updates, install the updates and then do the scan.
Let it fix everything marked in red. Reboot but not with restart, shut it down for two full minutes. You've got two measly minutes and it's worth it, and let Spybot run if it indicates.
To add an item to your "Ignore List" click on the little '+' sign next to the item and left click it to highlight it, then right click it and a menu appears, select the function you want.
When you are done reboot again same way. Two full minutes shut down is best.
Tea Time discussed by designer here:
http://forums.net-integration.net/index.php?showtopic=13433
Also, go to the update page. Notice 3 icons across the top. Between "Search For Updates" and "Download Updates" there is an icon for the download mirror location. After you click on ‘search for updates,’ the one in the middle will change. If it doesn't say "Spybot.US by Rootboxen.net USA" click on the dropbox arrows and click on Rootboxen, and use only that one. If you got a "checksum error" trying to download --that's why.
Ad-Aware:
Download AdAware from http://www.lavasoft.de/
check for updates at "webupdate".
I use these settings (green check)
From main window click "Start" then make sure " Activate in-depth scan" has a green check next to it.
Put a black dot next to "Use custom scanning options" and click "Customize" next to it, then green check these options:
"Scan within archives", "Scan active processes", "Scan registry",
"Deep scan registry", "Scan my IE Favorites for banned URL",
"Scan my host-files"
At the top of the "STATUS" page notice the Tweak (gear) icon. Click on it.
The first setting is "Scanning Engine." Click on the little plus sign next to it, and in the drop-down green check "Unload recognized processes during scanning", and "include basic Ad-Aware settings in log file". Next click on the '+' next to "Cleaning Engine" and in the drop-down green check "Let windows remove files in use at next reboot" and "Delete quarantine objects after restoring".
Click "proceed", that will save those settings.
Click "Scan"
When the scan finishes, mark everything for removal and delete it. Right-click the window and choose "select all" from the drop down menu, press 'next' and then 'yes' to the prompt: "remove all these entries".
However, if you have certain programs running that will give a false indicator of a browser hijack attempt, such as Script Sentry, which places a monitoring function in the registry and looks like a browser hijacker but is not, then you may want to add that to the ignore list because you want to keep it there to do its job. To add an item to the ignore list, put the cursor on the file it reveals and left click it to highlight it, then right click it and a menu appears. Click on 'ignore list.'
Shut down, two minute shut down is best, and let Adaware run on reboot if it indicates.
If they all run in Safe Mode clean, then you should be ok. However, the malware world is getting creative.
Here are some free diagnostics:
Jason’s Browser Security Test:
http://www.jasons-toolbox.com/BrowserSecurity/
Gibson tests:
http://www.grc.com/default.htm
I use grc's LeakTest, DCOMbobulator, UnplugnPray, and ShieldsUp
Post back results, and read this too:
http://www.eweek.com/article2/0,1759,1618458,00.asp
Thresher

Thanks for the response.
I do have a firewall installed on my machine, but I would also like to get to the source of the problem which allowed this trojan to get on there in the first place, instead of just remedying the symptoms with a firewall, so I can take care of it at the root of the problem.
I went ahead and ran all of those diagnostics you provided, but they all came back clean, no security holes found.
The eweek.com site you linked at the end caught my attention though. That sounds very similar to how I may have contracted this trojan - by an ad image downloaded to my computer. Unfortunately though, I cleared out my Temporary internet files yesterday so I can't be sure if that was the case or not.
Has the security hole mentioned on that website not had a patch to fix it released yet by Microsoft?
My machine is up to date with all of the Windowsupdate critical updates and fixes to IE.

I haven't had time to look into whether there is a patch yet.
This apparently is the nature of the new malware: something that can jump off a page at you without you even downloading. There has already been the Zero-Day virus, read:
http://www.pcguide.com/vb/showthread.php?s=&threadid=28843&highlight=zeroday
and this:
http://www.pcguide.com/vb/showthread.php?s=&threadid=27737&highlight=Zero+Day+virus
and this:
http://www.pcguide.com/vb/showthread.php?s=&threadid=30594
As for how the intrusion came about...hard to say. Check your firewall settings, or get a new one. If you have Zone Alarm, I would go to Kerio or Sygate. Sygate happens to work better on my OS for some strange reason (this is an atypical Me).
I'd say if your symptoms are gone, forget about it, really, just do what you can to stay safe from here on:
Stay updated on everything you have. If you have Outlook stay updated on it even if you do not use it--affects IE settings.
If your diagnostics looked good at GRC and JTB, or you corrected the vulnerabilities, then you are in very good shape. If Spybot and Adaware ran clean in Safe Mode, then you should be okay.
Thresher
