drumnbass.be forum » Drumnbass scene » Offtopic banter » Spyware problem: p2pnetworking.exe, winupdates.exe and istbar
Muad'Dib

I have this spyware on my computer (I presume it is called p2pnetworking.exe and/or winupdates.exe) which is driving me pretty damn crazy!

I have a 512 kbps cable connection.
Some serious shit happened with those. Whenever I try to download something with LimeWire, slsk, Shareaza and/or BitTorrent (!) it jams the connection, and I get only 3 KB/s (at most!) download speed! WTF?! Browser downloads seem to run fine (55 KB/s) but these others (which I prefer) are driving me nuts!

This started a week and a half ago. My Spybot - Search and Destroy constantly finds some program which wants to access the registry, and which is called p2pnetworking.exe and winupdates.exe. It says that these are located in c:\windows\system32 (for p2pnetworking) and c:\program files\winupdates\ (for winupdates).
While I can successfully locate and delete winupdates, I can't find p2pnetworking.exe anywhere!

A day earlier I installed AVG Free antivirus and scanned the whole computer with it. It found 950 (!!!) infected files! WTF?!
Some were hidden even when I set Windows to show hidden files and folders!!
There were some folders, named c:\uploads and c:\documents and settings\***your username***\complete\, which don't exist as far as Windows is concerned, and yet they hide CRACKS FOR PROGRAMS!!
But the funny thing: those zip files are not CRACKS but are VIRUS INFECTED with, I presume, p2pnetworking.exe and winupdates.exe.
They all have the same size (about 800 KB), which would not be normal for cracks for different programs, ain't it?
So I searched the internet for about 2 days for anything connected with these, and this is what I found:
page source: http://research.sunbelt-software.com/thr...&threatid=41270

quote:
Threat: RBot.p2pnetworking

Alias: Backdoor:Win32/Rbot

Threat type: Trojan - Trojan software is any software on a user's computer that the user is not aware of or did not intentionally install. Most Trojan software is designed to perform some sort of action that could jeopardize the user's security or privacy.

Advice: Remove. This is a very high-risk threat and should be removed immediately to prevent harm to your computer or your privacy.

Threat risk: Severe Risk
Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. The attacker has complete control over your computer or can install new software on your machine.

Description:

RBot.p2pnetworking Signature Details: The following information includes some of the standard signatures* associated with this spyware threat. Please do not attempt to manually remove these items from your computer; removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity. Should you be infected with RBot.p2pnetworking, you can clean your machine of this spyware threat for free by downloading CounterSpy now.

Running Process Signatures:
process: p2pnetworking.exe: MD5 Hash: 183b3411b3f8b85f5d5...


As I found out on IRC (EFnet network, #help channel), I am infected with a trojan that uses my computer to distribute these "cracks" over the LimeWire/Shareaza network. It eats up your connection so that it can distribute these files, and that slows down your regular downloads (except the browser-based ones).

Which makes me think that this is a move by the big companies that produce the programs, to destroy the computers of the people who download cracks for their pirated games. Hmm...

Can ANYONE help me solve this problem which kills my connection?
Be forewarned: if you have the same symptoms, please respond so that we can solve this crap together!

Peace,
Muad'Dib

__
Thinking about becoming an Image-Line/FL Studio customer? Want a 10% reduction in price? Use this affiliate link:

http://affiliate.image-line.com/BADEBDG473

There is no such thing without its opposite
-Bene Gesserit
03-09-2005 14:25
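An added example, not code from the post above and not a tool the thread recommends: the triage the post did by hand, as a PowerShell script. It lists files under the two suspect folders including hidden and system ones (-Force, which is what shows the files that stayed invisible with "show hidden files and folders" on), groups them by exact byte size to surface the "all about 800 KB" cluster, and compares each archive's MD5 with the signature prefix quoted from the Sunbelt page. The folder names are the post's; the temp directory name and the three sample "crack" files are constructed here so the script runs offline. The sample files will not match the prefix; on a real box a prefix match is a lead to confirm with a full hash, not proof.

```powershell
# Added example (not from the forum thread). Assumed: the temp directory name and the
# constructed sample files; folder names and the MD5 prefix are quoted from the post.

$SuspectDirs = @(
    'C:\uploads',
    (Join-Path $env:USERPROFILE 'complete')
)
# Prefix as quoted on the page (19 hex chars); a prefix match is a lead, not proof.
$PublishedMd5Prefix = '183b3411b3f8b85f5d5'

function Get-SuspectFiles {
    param([string[]]$Dirs)
    foreach ($d in $Dirs) {
        if (Test-Path -LiteralPath $d) {
            # -Force is what reveals files that stay hidden even with
            # "show hidden files and folders" turned on in Explorer.
            Get-ChildItem -LiteralPath $d -Recurse -Force -File -ErrorAction SilentlyContinue
        }
    }
}

function Find-SameSizeClusters {
    param([System.IO.FileInfo[]]$Files, [int]$MinCount = 3)
    # Several differently named "cracks" sharing one exact byte size is the tell.
    $Files | Group-Object Length | Where-Object { $_.Count -ge $MinCount } | ForEach-Object {
        [pscustomobject]@{
            SizeBytes = [long]$_.Name
            Count     = $_.Count
            Names     = ($_.Group | ForEach-Object Name) -join ', '
        }
    }
}

function Test-PublishedHash {
    param([System.IO.FileInfo]$File, [string]$Prefix)
    $md5 = (Get-FileHash -LiteralPath $File.FullName -Algorithm MD5).Hash.ToLower()
    [pscustomobject]@{
        Path        = $File.FullName
        Attributes  = $File.Attributes        # shows Hidden/System on the real caches
        Md5         = $md5
        MatchPrefix = $md5.StartsWith($Prefix.ToLower())
    }
}

# --- constructed sample: three "cracks" with identical bytes, hidden+system, plus a decoy ---
$sample = Join-Path $env:TEMP 'rbot-triage-sample'
Remove-Item -LiteralPath $sample -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $sample -Force | Out-Null
$payload = New-Object byte[] 4096
foreach ($n in 'Photoshop_crack.zip', 'Nero_keygen.zip', 'FLStudio_crack.zip') {
    $p = Join-Path $sample $n
    [System.IO.File]::WriteAllBytes($p, $payload)
    (Get-Item -LiteralPath $p -Force).Attributes = 'Hidden, System'
}
[System.IO.File]::WriteAllText((Join-Path $sample 'readme.txt'), 'unrelated file')

$files = @(Get-SuspectFiles -Dirs (@($sample) + $SuspectDirs))
"Files found (hidden included): $($files.Count)"

"Same-size clusters:"
Find-SameSizeClusters -Files $files | Format-Table -AutoSize

"Hash check against the published prefix:"
$files | Where-Object { $_.Extension -in '.zip', '.rar', '.exe' } |
    ForEach-Object { Test-PublishedHash -File $_ -Prefix $PublishedMd5Prefix } |
    Format-Table -AutoSize
```

Do not delete the real caches before you have hashed them: the archives are the dropper's distribution payload and a scanner or an analyst will want a copy of at least one of them.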
@1$-) (unregistered)
winupdates is not spyware... it's part of Windows XP and is an automatic update service... with your permission it will download and install new security measures etc. etc. etc. for Windows...

Dude... all I can really say is get rid of your filesharing software... 'cause that's probably where it is coming from... then try something like NoAdware... or even better try out http://housecall.trendmicro.com/

If I use LimeWire... I leave the install folder on my desktop... then simply install it when I need it... then the minute I don't, I disconnect, and then uninstall... also try out Microsoft AntiSpyware... but you will need an authentic version of Windows and also the number of its certificate of authenticity...

And if you must download stuff then get a decent antivirus... and keep it up to date.

This post has been edited 2 time(s), it was last edited by utter muppet: 03-09-2005 14:34.

03-09-2005 14:30
Muad'Dib

Winupdates.exe is spyware.
http://www.liutilities.com/products/wint...ary/winupdates/
quote:
winupdates - winupdates.exe - Process Information

Process File: winupdates or winupdates.exe
Process Name: Rbot Worm

Description:
winupdates.exe is a process associated with the Rbot Worm. It is an IRC backdoor trojan giving remote users access to your system. This program is a registered security risk and should be removed immediately. If found on your system make sure that you have downloaded the latest update for your antivirus application.


And I can't clean it. D-A-M-N. Thanx for the link Munki

03-09-2005 14:35
@1$-) (unregistered)
Arrr, must be something different I'm thinking of...

Yeah, Trend HouseCall is pretty good... it might also be a good idea to try out some third-party firewalls... if only to keep an eye on what processes are running; you will also be able (to try at least!) to block anything that you don't want running... or connecting to something else...
03-09-2005 14:39
Muad'Dib

New update:

Muad'Dib has attached this image (reduced version):
spyware.jpg



03-09-2005 14:53
Soi (Super Moderator)

Some links/apps that might help you out:

* free downloadable trial version of http://www.f-secure.com/: very decent virus/... scanner
* http://www.lavasoftusa.com/software/adaware/: spyware remover

__
a myspace
my tunes
"I'm not under the alkafluence of inkahol that some thinkle peep I am.
It's just the drunker I sit here the longer I get."
03-09-2005 15:12
gls (Steppa)

I had some spyware I couldn't get rid of ages ago and this is the only one that would get rid of it.

http://www.emsisoft.com/en/software/free/

You could try these as well.

http://www.microsoft.com/athome/security...re/default.mspx (I use this as my main one but I've heard bad things about it lately so I'm thinking of changing it.)

http://www.safer-networking.org/en/home/index.html

http://www.lavasoftusa.com/software/adaware/

http://www.pctools.com/spyware-doctor/

And this is good for stopping spyware from being installed in the first place.

http://www.javacoolsoftware.com/index.html

What browser are you using as well?
03-09-2005 15:19
Soi (Super Moderator)

But then again, too many antivirus/anti-spyware apps on your PC leave it with an increased chance of vulnerability.
I'd say, try them all, but not at the same time: install one, run tests, uninstall it and try the next one.
It's generally known that multiple instances of antivirus/antispyware running at the same time cause conflicts.

03-09-2005 15:27
gls (Steppa)

quote:
Originally posted by Soi
But then again, too many antivirus/anti-spyware apps on your PC leave it with an increased chance of vulnerability.
I'd say, try them all, but not at the same time: install one, run tests, uninstall it and try the next one.
It's generally known that multiple instances of antivirus/antispyware running at the same time cause conflicts.

Good thinking, I forgot to say that.

I use Firefox as my browser, SpywareBlaster to block cookies from being installed (it just adds a list to your blocked cookies in Firefox and IE), Microsoft AntiSpyware as my main one and a2 just to scan my computer occasionally, and I can honestly say I've not had any spyware for ages.

I do run Ad-Aware and Spybot occasionally just to make sure I'm safe though.
03-09-2005 15:43
KoFFiE (Easy Player)

I use Hitman Pro. This software downloads a bunch of other anti-spyware programs and runs them automatically. The problem is that not all spyware can be found by one program; Hitman Pro solves this problem.

__
Sleep is a poor substitute for coffee
03-09-2005 18:34
Surya (The Robot)

Yeah, hitman pro is nice!

__
"In dnb you should make people jump not swim"
- Pieter Frenssen 2004


04-09-2005 15:42
Muad'Dib

Latest update:

I was chatting with some guys on IRC and they told me that the virus/trojan/spyware might be using the QoS (quality of service) which is built into Win XP, and whose purpose is to share the connection between different programs which are aware of it.
This means that this virus might have a procedure in itself which handles the QoS in Windows, and allows it to steal your connection to spread all those cracks (viruses) to other users through the LimeWire and Shareaza networks.

This QoS is used by no known program till now, so I suggest you TURN IT OFF if you have the same symptoms as me.

The procedure:
Go Start -> Run -> services.msc [ENTER]
There will be a bunch of services. Search for the service named QoS RSVP.
Right-click it -> Properties.

Under [Service Startup] click [Stop] if the service is running (this is an indicator that some program is using it, most probably this friggin virus!).

Under [Startup type] select [Disabled] from the drop-down list.

That should stop the bugs from using your connection.
Now I didn't get any improvement in my downloads (still 4 KB/s max) but I think I solved my virus problem. I will keep you informed on the connection speed problems and whether I find a solution.

Peace,
Muad'Dib

05-09-2005 17:37
Surya (The Robot)

Yeah, one of the first things after installing XP is removing the QoS. One of the other things it does is limit your bandwidth to about 70% or 80% of the normally available bandwidth, so get rid of it; it's just something Micro$oft invented to give you the feeling they're assuring quality. They're not.

05-09-2005 19:10
Muad'Dib

Yeah, listen to Surya. Thanx friend Bigup

Newest update:

I did a Windows repair of the system files. I think that there is some REAL great improvement in connection speed, though I was unable to test it on p2p (peer to peer) programs, such as SoulSeek, BearShare, LimeWire (though I will neva eva install this one again). I will test it later.

For everyone, if you want to make a repair of your existing Win XP installation:

1. Put your Win XP installation CD in your CD-ROM drive.
2. Select "Install Windows" or something similar (the first option).
3. There will be a drop-down list. MAKE SURE YOU SELECT THE "New installation" option, and not the "Upgrade" option. The upgrade option will not allow you to repair your installation.
4. Enter your CD key. PM me.
5. Let Windows copy its installation files. It will restart your system.
6. There will now be a list of operating systems:
- 1. Windows XP
- 2. Windows XP Setup

Select the second (Windows XP Setup).

7. Windows will run some tests to check your computer hardware config. Leave it to its work.
8. There will be a list of options. I don't remember them exactly, but they were like this:
- 1. For new installation press [ENTER]
- 2. To repair an existing Windows installation press [R].
- 3. Blablabla blablablabla press [bla]

Here you should press R. Not ENTER, not BLA, but R. Please write it down.

9. Let Windows handle its files. Though the further part of the installation will look like the regular (new) Win XP installation, it is NOT. All of your files (except Windows system files) will remain, and your usernames and desktop settings will remain.

If you have any problems and you cannot solve them, try this.

Peace,
Muad'Dib
Bigup

07-09-2005 23:03
gls (Steppa)

quote:
Originally posted by Muad'Dib
I think that there is some REAL great improvement in connection speed, though I was unable to test it on p2p (peer to peer) programs, such as SoulSeek, BearShare, LimeWire (though I will neva eva install this one again). I will test it later.


Try here to test your connection speed.

http://www.adslguide.org.uk/tools/speedtest.asp

Or just google internet speed test.
09-09-2005 01:03
Muad'Dib

quote:
Originally posted by gls
Try here to test your connection speed.

http://www.adslguide.org.uk/tools/speedtest.asp

Or just google internet speed test.


Thanx dude Bigup

Newest update: I renamed the thread. Now it is clearer and people can immediately see the resemblance with the spyware. Big Grin

10-09-2005 02:34
Muad'Dib

Newest update:
I got it. I think.

1. Press Ctrl+Alt+Delete (or go Start -> Run -> taskmgr.exe [ENTER]).
Press the [Processes] tab. Search for a process named rservers.exe. If it is running and takes 80+% of your CPU, or whatever, if it just runs, kill the process: click on it, right-click -> End Process Tree.

2. Go to the (system drive)\windows\system32\ folder and search for a file named rservers.exe. According to the Sophos AV report on this shit, this virus copies itself into the system32 folder under the name rservers.exe, and uses your connection somehow. It is an IRC BACKDOOR program, so that means that either you go on IRC too much, or that you have a hidden IRC server on your computer.

You can freely delete this file, but you MUST kill its process first, from the Task Manager, or you won't be able to delete it.

Anyway, I experienced a tremendous speed enhancement after this fix, and I hope this will solve your problem too!

Peace,
Muad'Dib

PS It's 4 AM and I'm still behind this friggin monitor, killing viruses with tea and antibiotics Bigup

10-09-2005 04:12
Muad'Dib

New update:

Since I see that this thread doesn't get as many views as before, I will unstick it and make it a normal thread. And there it goes, into the future...

No one will remember it after about a year or something... Big Grin

28-09-2005 03:00
Muad'Dib

Newest update:

I had my TeaTimer module (a background program from Spybot - Search and Destroy, which doesn't allow programs to change settings in the registry) report some program that is trying to change

{0E5CBF21-D15F-11D0-8301-00AA005B4383} (category: user-specific browser toolbar)

I forbade the change, and this trojan or spyware is pretty damn persistent - it asks to change the registry every second!!

Now I've found out that this is actually the spyware named istbar. Download the free demo version of Spy Sweeper here, and sweep your computer. This might be a trojan too.

If you have any problems, just ask.

01-10-2005 20:11
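A poor man's TeaTimer for the situation in the post above, as an added PowerShell example (not from the thread and not how Spybot does it): it snapshots the values of a few registry keys, polls once a second (the interval the post observed), and prints every value that is added, removed or changed, flagging lines that mention the CLSID the post quotes. Assumed: the key paths, which are this example's choice of where Internet Explorer keeps per-user toolbar and machine-wide Browser Helper Object registrations; the thread does not say which key TeaTimer's "user-specific browser toolbar" category maps to. The CLSID is the one quoted in the post.

```powershell
# Added example (not from the forum thread). Assumed: the three key paths below.
# The CLSID is quoted from the post.

$WatchKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ReportedClsid = '{0E5CBF21-D15F-11D0-8301-00AA005B4383}'

function Get-KeySnapshot {
    param([string[]]$Keys)
    # Flat map "key|valuename" -> value text, plus one entry per direct subkey,
    # so that a new CLSID subkey shows up as well as a new value.
    $snap = @{}
    foreach ($k in $Keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            $snap["$k|$name"] = [string]$item.GetValue($name)
        }
        foreach ($sub in $item.GetSubKeyNames()) { $snap["$k\$sub|"] = '<subkey>' }
    }
    return $snap
}

function Compare-Snapshots {
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($key in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $b = $Before[$key]; $a = $After[$key]
        if ($null -eq $b)     { $changes += "ADDED    $key = $a" }
        elseif ($null -eq $a) { $changes += "REMOVED  $key (was $b)" }
        elseif ($a -ne $b)    { $changes += "CHANGED  $key : $b -> $a" }
    }
    return $changes
}

function Watch-Keys {
    param([string[]]$Keys, [int]$Seconds = 30, [string]$Highlight)
    $before = Get-KeySnapshot -Keys $Keys
    "Watching $($Keys.Count) keys, $($before.Count) entries, for $Seconds s..."
    for ($i = 0; $i -lt $Seconds; $i++) {
        Start-Sleep -Seconds 1
        $after = Get-KeySnapshot -Keys $Keys
        foreach ($c in Compare-Snapshots -Before $before -After $after) {
            $stamp = Get-Date -Format 'HH:mm:ss'
            if ($Highlight -and $c -match [regex]::Escape($Highlight)) { "[$stamp] !! $c" }
            else { "[$stamp]    $c" }
        }
        $before = $after
    }
}

Watch-Keys -Keys $WatchKeys -Seconds 60 -Highlight $ReportedClsid
```

A writer that re-sets a value which is already in place produces no change and stays invisible to this loop, and so does one that TeaTimer keeps denying. The useful move is to delete the offending value once and then watch: if it comes back within a second, the process writing it is still alive and the registry entry is a symptom, not the thing to clean.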