I had this same thing on my Win98 machine the other day, but without Grokster. Could be a totally different thing, but oh well ;)

Turned out that in \windows, there was a hidden folder called "explorer", with explorer.exe in it. Norton AV picked it up as Backdoor.Trojan, and I removed it immediately. Before I did that, I was getting Visual C++ errors from "explorer.exe", which first made me a bit suspicious about what someone could have put on my computer..

Hope that helps.

----- Original Message -----
From: "scott [gts]" <scottat_private>
To: "vuln-dev" <vuln-devat_private>
Sent: Friday, December 28, 2001 7:49 AM
Subject: Grokster and possible trojan

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I apologize if any of this is already known or not applicable
> to this list, but i found something that disturbs me today
> about grokster.
>
> While going thru my registry today, i noticed the reg entry:
> SOFTWARE\Microsoft\windows\currentversion\run
> "dlder"="C:\winnt\explorer\explorer.exe"
>
> C:\winnt\explorer\ turned out to be a hidden folder, with one
> file "explorer.exe" (31Kb). So i deleted the entry in the
> registry, PGP-Wiped the directory and EXE file, and rebooted.
>
> Upon rebooting, i noticed a "dlder.exe" hidden executable
> in my C:\winnt\ folder (i don't know if it was there before,
> but i think it was, i just didn't notice it).
>
> After opening up explorer.exe and dlder.exe in an editor
> that displayed them as Hex, i noticed "clicktilluwin",
> which is a (supposedly) optional add-on piece of software
> that comes with Grokster. I had installed grokster last
> month and used it once, disliked it, then uninstalled it.
>
> So it worries me that this "click till u win" thing that i
> told grokster *not* to install, is still hanging around.
>
> Then i called a friend of mine, who verified that he had
> the same reg key and hidden folder/files. he deleted the
> affected registry keys and bogus "explorer.exe" and "dlder.exe"
> files and rebooted. Then, he did a fresh install of Grokster,
> specifically telling it *not* to install "clicktilluwin",
> then rebooted, and there the registry keys and hidden files
> appeared again -- seems that "click till u win" is installed
> no matter what you tell grokster.
>
> I have no clue what these two binaries are doing to my
> system, and it worries me that they might be keyloggers
> (or something malicious). I attached an email my friend
> sent to me after he did some research into Grokster, and
> now i am even more nervous. It seems that the information
> he found about the company is completely bogus....
> (Please see attached email)
>
> For more information and copies of the two binaries
> that i found on my system, please go to:
> http://furt.com/grokster/
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPCuJYcaXTGgZdrSUEQJ0mQCgzDuXQ4JLbEshiHs1UySN3Wt/hOkAoKiv
> SZ6OlPu4ACdHv1V6V3iruLoY
> =XTZ3
> -----END PGP SIGNATURE-----
>
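An added example, not part of either message in this thread: a check that reads a Run-key export and flags the pattern both posters describe, a value whose image is named explorer.exe but does not sit directly in the Windows folder, plus the "dlder" names from the original report. The sample export is constructed, the function names are hypothetical, and the expected location of explorer.exe (the Windows folder itself) is an assumption passed in as `windir`.

```python
import ntpath
import re

# Constructed sample in .reg export syntax; only the "dlder" value is from the thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"dlder"="C:\\winnt\\explorer\\explorer.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
"shell"="C:\\WINNT\\explorer.exe"
'''

SYSTEM_IN_WINDIR = {"explorer.exe"}   # assumption: lives directly in the Windows folder
REPORTED_VALUE_NAMES = {"dlder"}      # Run value name given in the thread
REPORTED_FILE_NAMES = {"dlder.exe"}   # hidden file name given in the thread

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # Undo .reg escaping of backslashes and double quotes.
    return re.sub(r"\\(.)", r"\1", text)

def image_path(command):
    # Pull the executable path out of a Run command line (quoted or bare).
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.*?\.exe)\b", command)
    return m.group(1) if m else command.split(" ", 1)[0]

def audit_run_key(export_text, windir=r"C:\winnt"):
    # Return (value name, image path, reasons) for each suspicious Run value.
    expected = ntpath.normcase(windir).rstrip("\\")
    findings = []
    for line in export_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # section header, blank line, or non-string value
        name, path = unescape(m.group(1)), image_path(unescape(m.group(2)))
        folder, base = ntpath.split(ntpath.normcase(path))
        reasons = []
        if base in SYSTEM_IN_WINDIR and folder and folder != expected:
            reasons.append("system binary name outside the Windows folder")
        if name.lower() in REPORTED_VALUE_NAMES or base in REPORTED_FILE_NAMES:
            reasons.append("name matches the thread's report")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_run_key(SAMPLE_EXPORT):
        print(finding)
```

For the Win98 case in the reply, pass `windir=r"C:\windows"` so the expected folder matches that machine.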