Thread: scorpionsearch.com scumware???

  1. #1

    scorpionsearch.com scumware???

    Hi, I recently downloaded a program (Privacy eraser), I don't remember where, but it seems that the program was corrupted, and when I ran it, supposedly to erase my temporary internet files and cookies, it deleted all my documents, my site (htdocs Apache folder) and some antivirus files. It also seems that in the same file there was another exe file that makes calls to scorpionsearch.com (I'm not sure, but I think that it has something to do with C:\WINDOWS\System32\1786\twunk_64.exe). I tried to search for some related issues and I found that there are many types of netbeius.exe that make the same calls. I can't be more accurate because I'm still trying to find out what is happening. Does somebody know anything about this? If I find something more I'll post here.

    Here is a sample of the firewall alerts:

    Date: 09-09-2002 Time: 0:23:56
    Rule "Windows Automatic Update" blocked (www.scorpionsearch.com(64.246.30.54),http(80)). Details:
    Outbound TCP connection
    Local address,service is (localhost,3472)
    Remote address,service is (www.scorpionsearch.com(64.246.30.54),http(80))
    Process name is "C:\WINDOWS\updatewiz.exe"

    Thanks and sorry for my English,
    Bug_
    -Mamma... Mamma... I want to let school !!! - kid
    -Why my dear? - Mom
    -Because i heard in television that some guy was killed because he knew to much!!!-Kid

  2. #2
    Senior Member, Join Date: Jul 2002, Posts: 225
    Not sure it's corrupted. Probably a trojan. Have you run an AV, or an anti-trojan program? Where'd you download it from?
    "Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
    -Bad Religion

  3. #3
    Senior Member, Join Date: Apr 2002, Posts: 1,050
    Another thought on the matter: have you got Ad-aware or some similar type of program to scan your computer for spyware? If you haven't, download it here: www.lavasoftusa.com. Run that, if you haven't already, to see if it is some sort of spyware. I think it is, because it is trying to connect to port 80 through TCP.

    EDIT: I noticed it was a search engine it is trying to connect to. A lot of spyware is from crummy search engines trying to gather info for more sites over the web.
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  4. #4
    Well, I don't remember where I downloaded the program, but I scanned it with Norton AV before install and it didn't detect anything. The problem is that my AV (Norton and AntiTrojan) aren't working anymore. By the way, I found that there are some versions of netbeius.exe that were coded to make calls to a list of hit-based banners on scorpionsearch.com and other sites, but I didn't find any files in my system that match any of them. The only thing I found is that there is a new entry in reg HKLM>SOFTWARE>WINDOWS>run that points to twain_64.dll in system32. I edited that entry and now I'm waiting to see what happens.
    I'm not sure, but it seems that I have 2 problems: 1- Privacy eraser deleted files that it wasn't supposed to delete; 2- I have scumware that acts like netbius.exe, but I don't find any known files that match.

    I'll try to install NAV again to see if it detects something.


    Thanks,
    Bug_
    -Mamma... Mamma... I want to let school !!! - kid
    -Why my dear? - Mom
    -Because i heard in television that some guy was killed because he knew to much!!!-Kid

  5. #5
    Senior Member, Join Date: Jul 2002, Posts: 225
    Try using F-Prot or the like from a cold DOS boot. Sounds like this one kills Norton.
    "Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
    -Bad Religion

  6. #6
    Junior Member, Join Date: Sep 2002, Posts: 17
    Check for "NetBUIE.exe", "NBconfig.exe", "NBSetup.exe" (with MiKrOsOFT) in the file info section. Also check for Reg key "HKLM/SOFTWARE/Microsoft/Windows/Run/NetBUIE" with the value "C:\windows\system\NetBUIE.exe". I believe it is Trojan/Spyware. There is another similar incident involving an Xbox emulator prog on a W2K server. Whereas it may need to update, I doubt scorpionsearch is where it would do it from. Wipe it out, wildcard check for other related entries, download directly from the company site or ZDNet. Save to disk, AV check and file check, then open. If scorpion comes back up, dump totally.
    Hope this is helpful

    I have finished checking all the spyware lists I can find and Privacy eraser didn't hit any of them, so I bet on a Trojan. On my prior post the person didn't hit save but hit open. This then produced a "Setup.exe is not a valid Win32application" message. By then the setup files had already been copied. It somehow escapes normal detection due to a slight name change. This was in May 2002. Scorpion comes back Bob Dole with extremely generic information except for a possible valid email. Looks like someone slipped you a pill.

  7. #7
    OK, I opened twunk_64.exe with bintext.exe from the Foundstone tools and I get these lines:

    0000343A 0040343A 0 Exclusive Offer from your friends at Scorpion Networks - Microsoft Internet Explorer

    00001660 00401660 0 *\AC:\Documents and Settings\Scorpion.SCORPION\Desktop\VB Code\StealthXP\spectre series\diablo\Kemet.vbp


    00002160 00402160 0 www.scorpionsearch.com
    000021DC 004021DC 0 http://www.scorpionsearch.com/diablo_admin.html
    0000A482 0040C482 0 CompanyName
    0000A49C 0040C49C 0 Twain Working Group
    0000A4CA 0040C4CA 0 FileDescription
    0000A4EC 0040C4EC 0 Twain.dll Client's 32-Bit Thunking Server
    0000A546 0040C546 0 FileVersion
    0000A560 0040C560 0 1,7,1,0
    0000A576 0040C576 0 InternalName
    0000A590 0040C590 0 Twunk_32
    0000A5AA 0040C5AA 0 OriginalFilename
    0000A5CC 0040C5CC 0 Twunk_32.exe
    0000A5EE 0040C5EE 0 ProductName
    0000A608 0040C608 0 Twain Thunker
    0000A62A 0040C62A 0 ProductVersion
    0000A648 0040C648 0 1,7,1,0


    and a lot of references to internet calls, so it seems that this is it.

    Thanks to all
    -Mamma... Mamma... I want to let school !!! - kid
    -Why my dear? - Mom
    -Because i heard in television that some guy was killed because he knew to much!!!-Kid
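
The check carried out by hand in post #7, as an added example that is not code from the thread: it extracts ASCII and UTF-16LE strings with their offsets, reads the version-resource `OriginalFilename`, and flags a file whose name on disk disagrees with it or whose strings mention a watched host. The function names are hypothetical and the sample buffer is constructed from strings quoted in the post, not taken from the real file.

```python
import re

VERSION_KEYS = {"CompanyName", "FileDescription", "FileVersion", "InternalName",
                "OriginalFilename", "ProductName", "ProductVersion"}

def extract_strings(data, min_len=5):
    """Return sorted (offset, kind, text); kind 'A' = ASCII run, 'U' = UTF-16LE run."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "A", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "U", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)

def version_fields(strings):
    """Pair each version-resource key with the wide string that follows it."""
    wide = [text for _, kind, text in strings if kind == "U"]
    return {k: v for k, v in zip(wide, wide[1:])
            if k in VERSION_KEYS and v not in VERSION_KEYS}

def triage(path_on_disk, data, watch_hosts):
    """Flag a resource name that disagrees with the file name, and watched hosts."""
    strings = extract_strings(data)
    findings = []
    disk_name = path_on_disk.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    original = version_fields(strings).get("OriginalFilename", "").lower()
    if original and original != disk_name:
        findings.append(f"name mismatch: on disk {disk_name}, resource says {original}")
    for offset, _, text in strings:
        for host in watch_hosts:
            if host in text.lower():
                findings.append(f"{offset:08X} references {host}: {text}")
    return findings

def _wide(s):
    # UTF-16LE with a terminating NUL, as version-resource strings are stored
    return s.encode("utf-16-le") + b"\x00\x00"

# Constructed sample buffer (not the real file): strings taken from post #7.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"http://www.scorpionsearch.com/diablo_admin.html\x00\x01\x02\x03"
          + _wide("OriginalFilename") + _wide("Twunk_32.exe")
          + _wide("CompanyName") + _wide("Twain Working Group"))

if __name__ == "__main__":
    for line in triage(r"C:\WINDOWS\System32\1786\twunk_64.exe", SAMPLE,
                       ["scorpionsearch.com"]):
        print(line)
```

A name mismatch alone is only a lead, since legitimate files are sometimes renamed; it becomes meaningful next to the autorun entry and the outbound connections reported earlier in the thread.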

  8. #8
    Member, Join Date: Jun 2002, Posts: 39
    Hi,
    go to http://www.diamondcs.com.au/ and download the demo version of TDS-3 (fully functional, but you have to download the ref file; in the registered version, the update feature is enabled... that's the only difference between demo and registration!).
    A very good trojan scanner! Try this one... maybe it helps!
    Greetings from Germania
    M.

  9. #9
    Senior Member, Join Date: Oct 2001, Posts: 255

    Ports | Prot | Name | Category | Source or Submitter of the Port Details | Details
    3001 - 6001 | TCP | ChiliASP | System | Johan Denoyer | Asp module for Apache servers...
    3472 | TCP | jaugsremotec-1 | IANA | IANA | JAUGS N-G Remotec 1

    Is the webpage Apache or FrontPage?
    And I dunno what Remotec 1 is, try googling it.

    Preep
    http://www.attrition.org/gallery/computing/forum/tn/youarenot.gif.html
