Questionable file

Discussion in 'NZ Computing' started by Seagull, Aug 9, 2005.

  1. Seagull

    Seagull Guest

    I have a relative's machine here (XP Home) for disaffection and have run
    AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now seems clean
    but something called
    ZYwCA8LN.exe
    is running and trying to access the net.
    A search for folders finds nil and I find no references on google.
    Anyone know what this file is or does?
    Seagull, Aug 9, 2005
    #1

  2. Seagull

    frederick Guest

    Seagull wrote:
    > I have a relatives machine here (XP Home) for disaffection and have run
    > AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now seems clean
    > but something called
    > ZYwCA8LN.exe
    > is running and trying to access the net.
    > A search for folders finds nil and I find no references on google.
    > Anyone know what this file is or does.
    >
    >
    >
    >

    It's probably spyware or worse.
    Try downloading and using AntiVir from http://www.freeav.com/ . Free,
    and effective for trojans, dialers, and viruses and worms that AVG misses.
    If that doesn't work, then find out how it starts via a registry search
    or through Spybot's system startup tool.
    Disable it starting, reboot, and rename the file. (Don't delete it
    straight away in the unlikely case it isn't malicious - and you might
    need it).
    After reboot, check to see if another similarly random named process is
    now running - if so, you will need to check all startup entries with a
    fine tooth comb.
    Not uncommon for spyware / malware to run a process which drops a new
    randomly named executable, modifies the registry so it starts on windows
    startup, then terminates so you don't see the original offender in task
    manager - making it harder to get rid of the infection.
    frederick, Aug 9, 2005
    #2
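
The startup check frederick describes, as an added example that is not part of the original post: it parses Run-key listings in the layout printed by `reg query`, flags autorun entries whose file name looks machine-generated, and diffs the listing taken before and after a reboot. The sample listings, paths, the second file name and the scoring thresholds are constructed assumptions; only the name ZYwCA8LN.exe comes from the thread.

```python
import re

# Constructed `reg query` style output for a Run key, before and after a reboot.
# Only the name ZYwCA8LN.exe comes from the thread; all paths and other entries are made up.
BEFORE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    C:\Program Files\ExampleAV\avscan.exe /startup
    Input Helper    REG_SZ    "C:\WINDOWS\system32\ctfmon.exe"
    sysupd    REG_SZ    C:\WINDOWS\system32\ZYwCA8LN.exe
"""
# After the reboot the same value points at a differently named file (constructed name).
AFTER = BEFORE.replace("ZYwCA8LN", "qT4xKzR9")

LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")            # name, type, data
IMAGE = re.compile(r'([^\\/"]+)\.(?:exe|scr|com|dll)\b', re.I)  # file stem in a command

def parse(text):
    """Return {(key, value_name): command} from reg-query style text."""
    entries, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := LINE.match(line)):
            entries[(key, m.group(1))] = m.group(3).strip()
    return entries

def signals(command):
    """Heuristic signs of a machine-generated file name (thresholds are assumptions)."""
    m = IMAGE.search(command)
    if not m:
        return []
    stem = m.group(1)
    letters = [c for c in stem if c.isalpha()]
    found = []
    if stem != stem.lower() and stem != stem.upper():
        found.append("mixed case")
    if re.search(r"[A-Za-z]\d[A-Za-z]", stem):
        found.append("digit inside name")
    if len(letters) >= 5 and sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.2:
        found.append("few vowels")
    return found

def suspicious(text, threshold=2):
    """Autorun entries whose image name trips at least `threshold` signals."""
    return {k: v for k, v in parse(text).items() if len(signals(v)) >= threshold}

def changed(before, after):
    """Entries that are new, or point somewhere else, after the reboot."""
    old = parse(before)
    return {k: v for k, v in parse(after).items() if old.get(k) != v}
```

A single signal is not enough to flag an entry: the legitimately named ctfmon.exe trips "few vowels" on its own, which is why the threshold is two.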

  3. Seagull

    gl Guest

    Maybe a trojan which alters its filename suffix randomly -

    check google for ZYwCA and trojan and you will find plenty of matches!!



    "Seagull" <> wrote in message
    news:0zVJe.1413$...
    > I have a relatives machine here (XP Home) for disaffection and have run
    > AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now seems clean
    > but something called
    > ZYwCA8LN.exe
    > is running and trying to access the net.
    > A search for folders finds nil and I find no references on google.
    > Anyone know what this file is or does.
    >
    >
    >
    >
    gl, Aug 9, 2005
    #3
  4. Seagull

    Dave Taylor Guest

    "Seagull" <> wrote in
    news:0zVJe.1413$:

    > I have a relatives machine here (XP Home) for disaffection and have
    > run AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now
    > seems clean but something called


    Should use spywareblaster by javacools, MS Antispyware beta, and maybe
    chuck in a-squared for good measure.
    http://www.emsisoft.com/en/


    By the time you do this, you could have backed up, reformatted, reinstalled
    and reimported, patched and immunized.
    Usually...


    --
    Ciao, Dave
    Dave Taylor, Aug 9, 2005
    #4
  5. Seagull

    bambam Guest

    "Seagull" <> wrote in
    news:0zVJe.1413$:

    > I have a relatives machine here (XP Home) for disaffection and have
    > run AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now
    > seems clean but something called
    > ZYwCA8LN.exe
    > is running and trying to access the net.
    > A search for folders finds nil and I find no references on google.
    > Anyone know what this file is or does.


    HijackThis should help you figure out where this program is starting from-

    http://www.spywareinfo.com/~merijn/downloads.html

    The only problem is sorting the good from the bad, these sites should help
    with that-

    http://tomcoyote.com/hjt/

    http://forums.majorgeeks.com/showthread.php?t=38752

    http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm

    http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

    Good luck. :)
    bambam, Aug 9, 2005
    #5
  6. Seagull

    Tony Guest

    On Tue, 9 Aug 2005 15:38:35 +1200, "Seagull" <> wrote:

    >I have a relatives machine here (XP Home) for disaffection and have run
    >AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now seems clean
    >but something called
    >ZYwCA8LN.exe




    This File Name is now known, have you listed the Correct file name..?

    Hidden & System files will not show up most of the time..

    I use PowerDesk for searching for files or do a search in the Registry.

    >is running and trying to access the net.
    >A search for folders finds nil and I find no references on google.
    >Anyone know what this file is or does.
    >
    >
    >
    Tony, Aug 9, 2005
    #6
  7. Relatively annoyed

    Dave Taylor wrote:

    >> I have a relatives machine here (XP Home) for disaffection


    Yes, I get a little disaffected with my relatives when this keeps
    happening, too. :)
    Steve Marshall, Aug 9, 2005
    #7
  8. Seagull

    Roger_Nickel Guest

    Tony wrote:
    > On Tue, 9 Aug 2005 15:38:35 +1200, "Seagull" <> wrote:
    >
    >
    >>I have a relatives machine here (XP Home) for disaffection and have run
    >>AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now seems clean
    >>but something called
    >>ZYwCA8LN.exe

    >
    >
    >
    >
    > This File Name is now known, have you listed the Correct file name..?
    >
    > Hidden & System files will not show up most of the time..
    >
    > I use PowerDesk for searching for files or do a search in the Registry.
    >

    It's getting harder; some of the new scumware copies entries referring to itself
    out of registry on startup and copies them back on shut down. The real program
    spawns processes with random names which do the dirty work and any attempt to
    remove these processes alerts the scumware that you are on to it. I wasted a
    morning dealing with some of this muck on a computer a few months ago and
    the solution for me was Hijack This. The latest wrinkle is to install a Linux
    type rootkit, this subverts some of the windows system calls and means that
    scumware will not necessarily show up in the services list or in task manager or
    as results in a file system search if the search utility uses Windows system
    libraries.
    Roger_Nickel, Aug 9, 2005
    #8
  9. Seagull

    MarkH Guest

    "Seagull" <> wrote in
    news:0zVJe.1413$:

    > I have a relatives machine here (XP Home) for disaffection and have
    > run AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now
    > seems clean but something called
    > ZYwCA8LN.exe
    > is running and trying to access the net.
    > A search for folders finds nil and I find no references on google.
    > Anyone know what this file is or does.


    Now is the right time to test different AV products to see how well they
    do. This is how I came to be using Kaspersky AV, there is a trial version
    available from their site and once installed and updated it should be able
    to identify the Trojan if it is one.

    I managed to get Kaspersky to ID and remove a Trojan which Norton didn't
    know about, even 2 months later Norton was still not recognising the Trojan
    (I kept a copy in a zip file to test different AV programs).


    --
    Mark Heyes (New Zealand)
    See my pics at www.gigatech.co.nz (last updated 25-June-05)
    "There are 10 types of people, those that
    understand binary and those that don't"
    MarkH, Aug 9, 2005
    #9
  10. Seagull

    GraB Guest

    On Tue, 09 Aug 2005 12:49:21 GMT, MarkH <> wrote:

    >"Seagull" <> wrote in
    >news:0zVJe.1413$:
    >
    >> I have a relatives machine here (XP Home) for disaffection and have
    >> run AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now
    >> seems clean but something called
    >> ZYwCA8LN.exe
    >> is running and trying to access the net.
    >> A search for folders finds nil and I find no references on google.
    >> Anyone know what this file is or does.

    >
    >Now is the right time to test different AV products to see how well they
    >do. This is how I came to be using Kaspersky AV, there is a trial version
    >available from their site and once installed and updated it should be able
    >to identify the Trojan if it is one.
    >
    >I manage to get Kaspersky to ID and remove a Trojan which Norton didn't
    >know about, even 2 months later Norton was still not recognising the Trojan
    >(I kept a copy in a zip file to test different AV programs).


    I had that with a new virus I found. Sent copies to AVG and Nortons.
    Nortons said no malicious code, AVG said a definition was coming out
    with the next update. It was more than two weeks later before Nortons
    identified it as a virus.
    GraB, Aug 9, 2005
    #10
  11. Seagull

    Bob McLellan Guest

    Could well be CoolWebSearch. Have a look at merijn.org (oh, I am not
    sure about the spelling of that). Boot in safe mode and look for recent
    files that are 'suspect'.

    Seagull wrote:
    > I have a relatives machine here (XP Home) for disaffection and have run
    > AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now seems clean
    > but something called
    > ZYwCA8LN.exe
    > is running and trying to access the net.
    > A search for folders finds nil and I find no references on google.
    > Anyone know what this file is or does.
    >
    >
    >
    >
    Bob McLellan, Aug 10, 2005
    #11
  12. Seagull

    bambam Guest

    Bob McLellan <> wrote in news::

    > Could well be CoolWebSearch. Have a look at merijn.org (oh, I am not
    > sure about the spelling of that). Boot in safe mode and look for recent
    > files that are 'suspect'.


    It's moved a couple of times recently-

    <quote>

    Originally developed by Merijn Bellekom of the Netherlands, CWShredder™ was
    owned and maintained by InterMute until June of 2005 when InterMute was
    acquired by Trend Micro.

    <quote>

    http://www.intermute.com/spysubtract/cwshredder_download.html

    Still free for now, I think.
    bambam, Aug 10, 2005
    #12
  13. Seagull

    Seagull Guest

    "frederick" <> wrote in message
    news:1123564278.174381@ftpsrv1...
    > Seagull wrote:
    >> I have a relatives machine here (XP Home) for disaffection and have run
    >> AdAware, Spybot, Xcleaner and updated Zonealarm and AVG. It now seems
    >> clean
    >> but something called
    >> ZYwCA8LN.exe
    >> is running and trying to access the net.
    >> A search for folders finds nil and I find no references on google.
    >> Anyone know what this file is or does.
    >>
    >>
    >>
    >>

    > It's probably spyware or worse.
    > Try downloading and using AntiVir from http://www.freeav.com/ . Free, and
    > effective for trojans, dialers, and viruses and worms that AVG misses.
    > If that doesn't work, then find out how it starts via a registry search or
    > through Spybot's system startup tool.
    > Disable it starting, reboot, and rename the file. (Don't delete it
    > straight away in the unlikely case it isn't malicious - and you might need
    > it).
    > After reboot, check to see if another similarly random named process is
    > now running - if so, you will need to check all startup entries with a
    > fine tooth comb.
    > Not uncommon for spyware / malware to run a process which drops a new
    > randomly named executable, modifies the registry so it starts on windows
    > startup, then terminates so you don't see the original offender in task
    > manager - making it harder to get rid of the infection.


    Thanks to all who replied.
    Being only partly computer literate, I started with AntiVir and it found the
    nasty and a couple of others.
    I think the offender I spotted was probably Hailport 1 and/or Hailport 2
    but Anti Vir also found and deleted
    Trojan TR/Dldr 1st Bar IT
    TR/Rkit Agent Q
    Dropper DR Common name J
    All suspicious activity now seems to have stopped.
    Where on earth do they pick up all this garbage?

    Having discovered that AVG has some sizeable holes I ran AntiVir on my own
    system which thankfully came up clear.
    Thanks again for all the help and advice.
    Seagull, Aug 11, 2005
    #13