Computer Security - Windows ControlAd experience this morning
Old 12-12-2004, 01:40 PM   #1
bowgus
Windows ControlAd experience this morning

Just removed Windows ControlAd from my Win98 (winctlad.exe, winctladalt.exe,
.... , reg entries). Slow internet, found it was running, disconnected from
the network, then used WinXP boot to do the file(s) removal, then booted
Win98 to do the registry deletions. So far so good ... all that's running is
what should be running (explorer, systray) ... did I miss anything?
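An added example (not code from the original post) of the check behind "did I miss anything?": after deleting the files and the Run entries by hand, export the autostart keys with regedit and have a script walk the export plus win.ini for anything still pointing at the removed executables. The .reg text and win.ini content below are constructed for illustration, not captured from the poster's machine; the key paths are the standard Windows 9x/NT autostart keys, and winctlad.exe / winctladalt.exe are the file names the poster gave.

```python
"""Scan a regedit export (.reg) and win.ini for leftover autostart entries.

Added example, not from the original post. SAMPLE_REG and SAMPLE_WIN_INI are
constructed inputs; the executable names are the ones the poster removed.
"""
import re

# Autostart keys consulted at logon on Windows 9x (and kept by later versions).
# Matched case-insensitively, since registry key names are.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
_AUTOSTART_LOWER = {k.lower() for k in AUTOSTART_KEYS}

# Executables the poster deleted; any autostart entry still naming them is a leftover.
SUSPECT_EXES = {"winctlad.exe", "winctladalt.exe"}

# Constructed sample export (regedit "Export" format; Win9x writes REGEDIT4 as
# the header but the same [key] / "name"="data" layout).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"Windows ControlAd"="C:\\WINDOWS\\WINCTLAD.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ControlAdAlt"="\"C:\\Program Files\\ControlAd\\winctladalt.exe\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

# Constructed win.ini; load= and run= under [windows] are Win9x autostart hooks too.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\winctlad.exe
[Desktop]
Wallpaper=(None)
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Only REG_SZ values ("name"="data"); dword:/hex: values cannot hold a command line.
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def unescape_reg(data):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_autostarts(reg_text):
    """Return [(key, value_name, command)] for every string value under an autostart key."""
    entries = []
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and current.lower() in _AUTOSTART_LOWER:
            v = _VALUE_RE.match(line)
            if v:
                entries.append((current, v.group("name"), unescape_reg(v.group("data"))))
    return entries


def parse_win_ini_autostarts(ini_text):
    """Return [("win.ini", "load"|"run", command)] for non-empty load=/run= lines."""
    entries = []
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() in ("load", "run") and val.strip():
                entries.append(("win.ini", key.strip().lower(), val.strip()))
    return entries


def exe_name(command):
    """Pull the executable file name out of a command line, quoted or not."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        parts = cmd.split()
        cmd = parts[0] if parts else cmd
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_leftovers(reg_text, ini_text, suspects=SUSPECT_EXES):
    """Autostart entries (registry and win.ini) whose executable is in `suspects`."""
    entries = parse_reg_autostarts(reg_text) + parse_win_ini_autostarts(ini_text)
    return [e for e in entries if exe_name(e[2]) in suspects]


if __name__ == "__main__":
    for key, name, cmd in find_leftovers(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f"LEFTOVER  {key} :: {name} -> {cmd}")
```

Run it against a real export (regedit, File > Export of the keys above) and your own win.ini in place of the constructed samples; an empty result means none of the listed autostart hooks still reference the removed files. It does not cover every persistence location (Startup folder, system.ini shell=, Winsock catalog), only the ones a hand removal most often misses.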
Old 12-12-2004, 01:48 PM   #2
bowgus
Re: Windows ControlAd experience this morning

Oh yeah ... pc-cillin does not report any lingerers.

"bowgus" <> wrote in message news:5JidnQXP-6vV1yHcRVn-...
> Just removed Windows ControlAd from my Win98 (winctlad.exe, winctladalt.exe,
> ... , reg entries). Slow internet, found it was running, disconnected from
> the network, then used WinXP boot to do the file(s) removal, then booted
> Win98 to do the registry deletions. So far so good ... all that's running is
> what should be running (explorer, systray) ... did I miss anything?
Old 12-12-2004, 04:29 PM   #3
winged
Re: Windows ControlAd experience this morning

bowgus wrote:
> Oh yeah ... pc-cillin does not report any lingerers.

You might want to follow procedures on link below:

http://www.techsupportforums.com/sho...004#post135004

Winged
Old 12-12-2004, 06:55 PM   #4
bowgus
Re: Windows ControlAd experience this morning

Thanks for the link ... looks like I got 'em all. Funny that this should
happen later the same day that I first posted here ??? In all of ... oh I
dunno ... 10 years of home cable use never before picked up a trojan. It did
prompt me to load up and activate/update the pc-cillin that came with my
Asus mobo though.

"winged" <> wrote in message news:cphrkp$...
> You might want to follow procedures on link below:
>
> http://www.techsupportforums.com/sho...721f621aedb4e173652d&p=135004#post135004
>
> Winged
Old 12-12-2004, 07:26 PM   #5
winged
Re: Windows ControlAd experience this morning

bowgus wrote:
> Thanks for the link ... looks like I got 'em all. Funny that this should
> happen later the same day that I first posted here ??? In all of ... oh I
> dunno ... 10 years of home cable use never before picked up a trojan. It did
> prompt me to load up and activate/update the pc-cillin that came with my
> Asus mobo though.

I have no idea where you picked it up. I have been all over "this"
newsgroup with no issue. That said, I am probably configured very
differently than most here. I know as a broadband user you wear a nice
red target. 10 years is a nice track record.

Heh, I came across a coolwwwsearch variant a while back myself that was
just plain rude; it attached itself to my winsock and none of the major AV
or spyware tools seemed to find it. I couldn't find anything unusual
with hijackthis (though it did show the activeX key). I had the thing
for some time; I knew I had something because it would "try" to dial up
my default dial-up account (which is a dummy). Because I leave the system
on 24/7 processing, the behavior drove me nuts. Finally found an
activeX control on the winsock. I was impressed by the Russian who
wrote that code; I didn't realize it could be done in the way it was done
in that portion of the hive. It just goes to show "stuff happens"
sometimes, no matter one's precautions. There are an awful lot of
exploiters of IE out there claiming to be advertisers.

Winged
Old 12-12-2004, 08:40 PM   #6
winged
Re: Windows ControlAd experience this morning

I decided to take a look at my firewall logs and IDS. I am getting some
repeated and unusual activity.

Something "has" made a connection to 216.22.46.193 port 80 and
transferred about 39420 bytes. This occurred right after I had connected
to get the link I provided earlier from the tech support forums above.

Since I went to that link provided I have received a number (20 to 30
occurrences) of attempts by an outside source to connect to my PC from
216.22.46.193.

I am receiving repeated packets from:

TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.
Source IP address: www.odysseusmarketing.com(216.22.46.193).
Destination IP address: My IP removed.
TCP Source Port: http(80).
TCP Destination Port: 3665.
TCP Message Flags: 0x00000010.

Out of curiosity I decided to look at the owner.

Search results for: ! NET-216-22-46-192-1

CustName: Smartbot.NET, Inc.
Address: 3 Cobblestone Court
City: Richboro
StateProv: PA
PostalCode: 18954
Country: US
RegDate: 2003-08-14
Updated: 2003-08-14

NetRange: 216.22.46.192 - 216.22.46.223
CIDR: 216.22.46.192/27
NetName: SRVN
NetHandle: NET-216-22-46-192-1
Parent: NET-216-22-0-0-1
NetType: Reassigned
Comment: email:
RegDate: 2003-08-14
Updated: 2003-08-14

TechHandle: NO178-ARIN
TechName: Network Operations
TechPhone: +1-703-847-1421
TechEmail:

OrgTechHandle: NO178-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-703-847-1421
OrgTechEmail:

Now I will tell the group I did not intend to provide an unsafe link.

The bad guy on the other end of that link obviously "thinks" I must have
run something, because now his server keeps trying to come into my
machine on port 3665.

That said, I decided to block the above address range (216.22.46.192 -
216.22.46.223). I really don't care if I ever hear from these folks again.

I am not sure what these folks think they did, but I "think" they tried
to plant some sort of botnet, but I don't believe it worked. If any IE
users followed the above link they may want to check their system. I
apologize for the inconvenience.

Winged
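An added example (not code from the original post) of the triage winged did by hand on the firewall records above: parse the multi-line drop records into one entry per packet, decode the flags field (0x10 is the TCP ACK bit; the post's log message calls the packet "non-syn/non-ack" in the sense of not belonging to a tracked connection), count hits per source, and test each source against the ARIN range quoted in the post so the block rule can be widened to the whole /27 the way winged did. The records in SAMPLE_LOG are constructed in the same format the post shows; the destination address is an RFC 5737 documentation address standing in for the one winged removed, and the third record (a SYN from 198.51.100.7 to port 135) is made up to show a non-ACK packet and a source outside the range.

```python
"""Summarise firewall drop records in the format quoted in the thread.

Added example, not part of the original post. SAMPLE_LOG is constructed;
BLOCKED_RANGE is the CIDR from the ARIN record the poster quoted.
"""
import ipaddress
import re

# TCP flag bits as they appear in the 8-bit flags field.
TCP_FLAG_BITS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}

# Net range from the ARIN lookup in the post (NET-216-22-46-192-1).
BLOCKED_RANGE = ipaddress.ip_network("216.22.46.192/27")

# Constructed records; same layout as the post, 192.0.2.10 stands in for "My IP removed".
SAMPLE_LOG = """\
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.
Source IP address: www.odysseusmarketing.com(216.22.46.193).
Destination IP address: 192.0.2.10.
TCP Source Port: http(80).
TCP Destination Port: 3665.
TCP Message Flags: 0x00000010.
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.
Source IP address: www.odysseusmarketing.com(216.22.46.193).
Destination IP address: 192.0.2.10.
TCP Source Port: http(80).
TCP Destination Port: 3665.
TCP Message Flags: 0x00000010.
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.
Source IP address: 198.51.100.7.
Destination IP address: 192.0.2.10.
TCP Source Port: 4444.
TCP Destination Port: 135.
TCP Message Flags: 0x00000002.
"""


def decode_flags(value):
    """Turn the hex flags field (e.g. '0x00000010') into a list of flag names."""
    bits = int(value, 16)
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if bits & bit]


def extract_ipv4(field):
    """'www.example.com(203.0.113.5)' or '203.0.113.5' -> '203.0.113.5'."""
    m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", field)
    return m.group(1) if m else None


def extract_port(field):
    """'http(80)' or '3665' -> int; the firewall prints a service name when it knows one."""
    m = re.search(r"\((\d+)\)$", field)
    if m:
        return int(m.group(1))
    return int(field) if field.isdigit() else None


FIELD_MAP = {
    "Source IP address": ("src", extract_ipv4),
    "Destination IP address": ("dst", extract_ipv4),
    "TCP Source Port": ("sport", extract_port),
    "TCP Destination Port": ("dport", extract_port),
    "TCP Message Flags": ("flags", decode_flags),
}


def parse_records(text):
    """Split the log into one dict per dropped packet.

    A line without 'key: value' form is the firewall's message line and opens
    a new record; the field lines that follow belong to it. Trailing periods
    the firewall appends to every field are stripped before conversion.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, val = line.partition(": ")
        if not sep:
            records.append({"message": line})
            continue
        if not records:
            continue  # field line before any message line; nothing to attach it to
        if key in FIELD_MAP:
            name, conv = FIELD_MAP[key]
            records[-1][name] = conv(val.rstrip("."))
    return records


def summarize(records, net=BLOCKED_RANGE):
    """Per-source hit count, destination ports, flag set and membership in `net`."""
    out = {}
    for r in records:
        src = r.get("src")
        if src is None:
            continue
        s = out.setdefault(src, {"count": 0, "dports": set(), "flags": set(),
                                 "in_range": ipaddress.ip_address(src) in net})
        s["count"] += 1
        s["dports"].add(r.get("dport"))
        s["flags"].update(r.get("flags", []))
    return out


def sources_to_block(records, min_hits=2, net=BLOCKED_RANGE):
    """Block rules for repeat sources; a source inside `net` blocks the whole range."""
    rules = set()
    for src, s in summarize(records, net).items():
        if s["count"] >= min_hits:
            rules.add(str(net) if s["in_range"] else f"{src}/32")
    return sorted(rules)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for src, s in summarize(recs).items():
        print(f"{src}: {s['count']} hits, ports {sorted(s['dports'])}, "
              f"flags {sorted(s['flags'])}, in blocked range: {s['in_range']}")
    print("block:", sources_to_block(recs))
```

Feed it the real log in place of SAMPLE_LOG; the summary gives, per source, how many drops, which local ports were targeted and which flags were set, which is enough to tell a few stray ACKs from a web server you just visited apart from a SYN scan, before deciding how wide a block rule to write.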