Windows ControlAd experience this morning

Discussion in 'Computer Security' started by bowgus, Dec 12, 2004.

  1. bowgus

    bowgus Guest

    Just removed Windows ControlAd from my Win98 (winctlad.exe, winctladalt.exe,
    .... , reg entries). Slow internet, found it was running, disconnected from
    the network, then used WinXP boot to do the file(s) removal, then booted
    Win98 to do the registry deletions. So far so good ... all that's running is
    what should be running (explorer, systray) ... did I miss anything?
     
    bowgus, Dec 12, 2004
    #1

  2. bowgus

    bowgus Guest

    Oh yeah ... pc-cillin does not report any lingerers.
     
    bowgus, Dec 12, 2004
    #2

  3. winged

    winged Guest

    winged, Dec 12, 2004
    #3
  4. bowgus

    bowgus Guest

    Thanks for the link ... looks like I got 'em all. Funny that this should
    happen later the same day that I first posted here ??? In all of ... oh I
    dunno ... 10 years of home cable use I never before picked up a trojan. It did
    prompt me to load up and activate/update the pc-cillin that came with my
    asus mobo though :)
     
    bowgus, Dec 12, 2004
    #4
  5. winged

    winged Guest

    I have no idea where you picked it up. I have been all over "this"
    newsgroup with no issue. That said, I am probably configured very
    differently than most here. I know as a broadband user you wear a nice
    red target. 10 years is a nice track record.

    Heh, I came across a coolwwwsearch variant a while back myself that was
    just plain rude; it attached itself to my winsock and none of the major AV
    or spyware tools seemed to find it. I couldn't find anything unusual
    with hijackthis (though it did show the activeX key). I had the thing
    for some time; I knew I had something because it would "try" to dial up
    my default dial-up account (which is a dummy). Because I leave the system
    on 24/7 processing, the behavior drove me nuts. Finally found an
    activeX control on the winsock. I was impressed by the Russian who
    wrote that code; I didn't realize it could be done in the way it was done
    in that portion of the hive. It just goes to show "stuff happens"
    sometimes, no matter one's precautions. There are an awful lot of
    exploiters of IE out there claiming to be advertisers.

    Winged
     
    winged, Dec 12, 2004
    #5
  6. winged

    winged Guest

    I decided to take a look at my firewall logs and IDS. I am getting some
    repeated and unusual activity.

    Something "has" made a connection to 216.22.46.193 port 80 and
    transferred about 39420 bytes. This occurred right after I had connected
    to get the link I provided earlier from the tech support forums above.

    Since I went to that link provided I have received a number (20 to 30
    occurrences) of an outside source attempting to connect to my PC from

    216.22.46.193

    I am receiving repeated packets from:

    TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.
    Source IP address: www.odysseusmarketing.com(216.22.46.193).
    Destination IP address: My IP removed.
    TCP Source Port: http(80).
    TCP Destination Port: 3665.
    TCP Message Flags: 0x00000010.

    Out of curiosity I decided to look at the owner.

    Search results for: ! NET-216-22-46-192-1

    CustName: Smartbot.NET, Inc.
    Address: 3 Cobblestone Court
    City: Richboro
    StateProv: PA
    PostalCode: 18954
    Country: US
    RegDate: 2003-08-14
    Updated: 2003-08-14

    NetRange: 216.22.46.192 - 216.22.46.223
    CIDR: 216.22.46.192/27
    NetName: SRVN
    NetHandle: NET-216-22-46-192-1
    Parent: NET-216-22-0-0-1
    NetType: Reassigned
    Comment: email:
    RegDate: 2003-08-14
    Updated: 2003-08-14

    TechHandle: NO178-ARIN
    TechName: Network Operations
    TechPhone: +1-703-847-1421
    TechEmail:

    OrgTechHandle: NO178-ARIN
    OrgTechName: Network Operations
    OrgTechPhone: +1-703-847-1421
    OrgTechEmail:

    Now I will tell the group I did not intend to provide an unsafe link.

    The bad guy on the other end of that link obviously "thinks" I must have
    run something, because now his server keeps trying to come into my
    machine on port 3665.

    That said, I decided to block the above address range (216.22.46.192 -
    216.22.46.223). I really don't care if I ever hear from these folks again.

    I am not sure what these folks think they did, but I "think" they tried
    to plant some sort of botnet, but I don't believe it worked. If any IE
    users followed the above link they may want to check their system. I
    apologize for the inconvenience.

    Winged
     
    winged, Dec 12, 2004
    #6
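The firewall entries winged quotes above carry the TCP flags as a raw bitmask, and the WHOIS block gives the range he chose to drop. As an added example (not part of the thread), here is a small parser for that log format that decodes the flag bits, checks whether the source falls inside the blocked /27, and labels what the flag combination is on the wire. The sample entry is constructed in the quoted format; the destination address is a documentation-range placeholder since the poster removed his own.

```python
import ipaddress
import re

# TCP header flag bits (RFC 793; ECE/CWR from RFC 3168).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Address block the poster decided to drop, taken from the WHOIS output above.
BLOCKED_NET = ipaddress.ip_network("216.22.46.192/27")

# Constructed sample in the format quoted in the thread; the destination is a
# documentation-range placeholder because the poster removed his own address.
SAMPLE_ENTRY = """\
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.
Source IP address: www.odysseusmarketing.com(216.22.46.193).
Destination IP address: 192.0.2.10.
TCP Source Port: http(80).
TCP Destination Port: 3665.
TCP Message Flags: 0x00000010.
"""

# Matches "Key: value." or "Key: name(value)."; the lazy value stops at ")" or ".".
_FIELD = re.compile(r"^(?P<key>[^:\n]+):\s*(?:[^()\s]+\()?(?P<val>[^()\n]+?)\)?\.?$", re.M)

def decode_flags(value: int) -> list[str]:
    """Names of the flags set in a TCP flags bitmask, lowest bit first."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def parse_entry(text: str) -> dict:
    """Turn one dropped-packet entry into typed fields."""
    fields = {m["key"].strip(): m["val"].strip() for m in _FIELD.finditer(text)}
    src = ipaddress.ip_address(fields["Source IP address"])
    return {
        "src_ip": src,
        "dst_ip": ipaddress.ip_address(fields["Destination IP address"]),
        "src_port": int(fields["TCP Source Port"]),
        "dst_port": int(fields["TCP Destination Port"]),
        "flags": decode_flags(int(fields["TCP Message Flags"], 16)),
        "in_blocked_net": src in BLOCKED_NET,
    }

def classify(entry: dict) -> str:
    """Say what the flag combination is on the wire, independent of source."""
    flags = set(entry["flags"])
    if "SYN" in flags and "ACK" not in flags:
        return "inbound connection attempt (SYN)"
    if flags == {"ACK"}:
        return "bare ACK with no tracked connection (no handshake attempted)"
    return "other: " + "/".join(entry["flags"])
```

For the quoted entry this yields source 216.22.46.193:80, destination port 3665, flags ["ACK"], inside the blocked range; a 0x02 (SYN) entry would instead be labelled a connection attempt.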
