youdontknowwhoiam

[dazednconfused]

May I humbly request that anyone who reads this post would be kind enough to share their knowledge on the questions raised here. I am new to this board, and as there are many clever people online here, I hope my queries do not fall into the “totally stupid” category. I am, however, willing to take the risk of being the board’s resident idiot (!), if it will assist me in the remedy to my problem:

I have recently – and for the first time – fallen victim to either a virus or Trojan attack of some kind but I don’t know what has actually been unleashed on my PC, thus I don’t know how to “look it up” in a virus database or online help centre in order to fix it.

The infection has occurred as a result of a “contaminated” website – it has NOT come via email or from downloading an attachment or free software or games etc. It would appear that this particular web URL is in itself the trigger to infect your PC such that if a person clicks on the web address, the virus/Trojan is activated at that exact time. By clicking on the website mentioned, the user receives the standard “information white screen” saying the website cannot be found; yet it appears to transmit something onto the user’s PC unbeknownst to the user.

The name of the website is:

www(dot)youdontknowwhoiam(dot)org

(I have written the URL above using (dot) because I do not wish to write the address as a “clickable” version since I am under the impression that once this address is clicked on, the damage, whatever that damage may be, is already done. I certainly do not wish to inadvertently direct other people to a known virus/Trojan location if “it” is indeed one.)

I believe that one of my computers has been infected by this web link and as I do not know exactly what has been unleashed upon it I am at a loss as to how to go about repairing the damage. Any insight that anyone can offer would be most gratefully appreciated for I've heard through the rumour mill that the website mentioned has/is causing great havoc amongst many Netizens, yet I have been unable to find out anything about what it is doing except that it is considered 'bad news' and the general sentiments expressed by other users is just to stay away from this URL altogether. From the rumours, the virus/Trojan sounds very ominous indeed, and yet it may actually be quite harmless and easy to remove. But the point is, I am desperately curious to discover what this domain name is actually doing and how I can protect myself from this type of infection in the future.

(This particular kind of attack raises many questions in my own mind regarding the overall integrity of the Internet, not the least of which is, how is a person to know that a web address could actually be a virus in disguise? If one is to become suspicious of every web address on the net, it undermines the entire surfing experience, for who would feel comfortable accessing “unknown” URLs if they feared being infected the moment they “clicked” upon that link? I am also curious as to whether the owner of this web domain has committed some sort of cyber crime by placing a virus/Trojan upon the net itself, as opposed to the usual method of sending nasty infections via “enticing” email messages designed to make the user read them…and weep.)

There are many strange and debilitating symptoms currently exhibited by my PC ever since this infection has occurred and there are also some very strange files residing on the PC which were created at the exact time that this web site was accessed. I am more than happy to furnish all the details as to what these symptoms/files are in another post if it is necessary. But first I thought it best to simply mention the web URL responsible for it may be that I am the only person on this board who is in the dark about this URL – perhaps this problem is common knowledge, and maybe someone out there knows the answer already thus further details are not necessary. If this is indeed the case, then I offer my apologies for being naive and wasting other people’s time; I have tried my best to understand this problem through various avenues before posting this question here, but have come up empty of results. (I also ran a search on this site for “youdontknowwhoiam” in case this topic has been discussed here before, but the search also came up empty too.)

Can anyone offer any insight into this matter – without having to access the link itself, an action that appears to be “the point of no return”?

In closing, I wish to thank in advance anyone who can help with this inquiry. And, for the record I just wish to impart that my own experience with trouble-shooting Microsoft Windows problems is very limited as I come from a mainframe/UNIX background and have only recently begun using Windows software from home for the simple purpose of personal web surfing. My machine that has been infected is currently shutdown and rendered idle until I know what the problem is for I do not wish to connect to the net on that machine in case the virus/Trojan author seeks to unleash chaos the next time I am online.

Any ideas from anyone as to what this problem URL is responsible for doing to all those unfortunate people who have been infected by it?

I thank you all for your time.

Sincerely,

dazednconfused

[debwalin]

Hello there! I know *very* little in comparison to some who will come along and read your post, but I thought I might give you someplace to start. As you don't currently know what virus/trojan you've been infected with, that might be as good a place to start as any! There are several websites that offer virus/trojan scans, the two that I use are www.grisoft.com ... you can download a clean antivirus software there (some viruses deactivate your current AV) and scan for known viruses in their database. I also use www.tauscan.com for trojan scanning. Most of the time, if you are infected w/ a known virus/trojan, these sites will either give you removal tools or simply remove the infected files. However, if you have loads of new files...

There are many strange and debilitating symptoms currently exhibited by my PC ever since this infection has occurred and there are also some very strange files residing on the PC which were created at the exact time that this web site was accessed.

...you may be in for a bit more work, but identifying the cause of the problem is the first step in fixing it

I did a quick google search and didn't come up with anything in reference to this particular website, but I don't really have time right this minute to do a more thorough search, so if anyone else comes up with something better, I apologize Someone else may in fact have experience with this and may be able to offer you more help, but all I can say right now is to get started trying to find out what the infection actually is. Keep us posted and if you find out what it is and still can't figure out what's going on, or how to clean it, I'm sure someone can help you!

Deb

[Tiger Shark]

Well..... I telnetted to the server and dumped the main page..... Didn't seem like it was doing anything particularly henous..... So I went to the page and it did exactly what I thought it might. It runs a bunch of new windows with "You are and Idiot" around your screen so fast that you can't close them. CTRL-ALT-DEL brings up the Task manager that takes two efforts to close the thing down.

I took an ethereal dump of the packets incoming to ensure I wasn't missing anything. The entire capture was 56 packets so it wasn't d/ling anything to your PC and the transaction seemed to be quite normal.

I don't think that this web page has anything to do with your problems......

[debwalin]

God I hate that "you are an idiot" thing....it makes me want to rip my hair out. And I won't tell you how many times I've fallen for it. (Darksnake, you KNOW what I'm talking about )

Deb

[x acidreign x]

don't worry, that page doesn't do any permanent damage to your computer, just annoys the hell outta you.. and as for your concerns of being the village idiot, don't worry, at least you can spell, that already puts you markedly ahead of a good percentage of the idiots here. good luck.

[micky05]

I went to site got the same message, "You are and Idiot". Couldn't closed the pages. CTRL-ALT-DEL end task. When I had accessed the site, I had loaded filemon. the following accurred:

IEXPLORER.EXE OPEN \winnt\System32\shell32.dll
IEXPLORER.EXE Query Information \winnt\System32\shell32.dll
IEXPLORER.EXE CLOSE Information \winnt\System32\shell32.dll

The same thing happen about 12 times in one second.

[dazednconfused]

For Deb:

Thanks for your prompt reply !

With respect to using google to look for info about this problem, I used google too before coming here to this site.

It should be noted that if you type in: "youdontknowwhoiam" (in quotes like this) and run a normal google search, the page of results you receive is quite interesting:

The first result shown displays the full URL of the "contaminated" website I have mentioned - but the underlined "clickable" title designed to direct you to the website literally says: You are an idiot !

Well, how's that for adding insult to injury for one such as I who has already been infected - before I knew how much of an idiot I had become ?!

The other matches listed under google - some, but not all, I've read - actually direct you to user forums online of people complaining about being infected by this very web link, but as of yet, I have not been able to ascertain any useful remedies from these user complaints - only general anxiety from those who have experienced the problem.

It should be mentioned here that if you used the "I feel lucky" option inside google's main page that will automatically search and direct you to the first match it finds, then in the case of searching for "youdontknowwhoiam", you would already have been directed to the infected link itself on the first search.....and thus infected on the spot.

This is really quite a nasty aspect of this particular "contaminated" web address in my opinion, for you can end up in that location by the most innocuous of methods.

For the record, I ended up being infected because someone on a message forum posted that particular link as a recommended site.... just as you, in your reply, have posted what are, no doubt, legitimate links, to help me address this problem I am facing. But the question remains: Supposing you are a rotten person - How am I to know, (or anyone else for that matter), if people are posting links to websites that are not legitimate? (This is a question I raised in the original post.)

Because of this "infection" I currently have on my PC - and in particular, the manner it has arrived, I am currently very interested in the larger issues surrounding detection of "contaminated" URL's in general.

I wonder if anyone out there knows how to access this type of contaminated URL and literally capture the "assailant" before the virus gets to your PC. It would be of great interest to me if there exists some sort of "ambush" that could be undertaken in order to perform an autopsy on the assialant before the attack has been completed.

I'm sure that some clever people know how to do something of this nature. Unfortunately, I'm not one of them ! I am however, more than intrigued by this whole matter, as, if there is one "rotten" link out there, I'm sure there are probably others. I hope that this overall discussion will prove to be helpful to all who participate.

Meanwhile, thanks for your input Deb !

Cheers!

[Tiger Shark]

Dazed: You seem to be confused.......

This web page did nothing to your computer. It was a pain in the ass, it downloaded youare.swf which is what makes the pages flash at you and that's about all. Mickey indicates that during that time IExplore made about a dozen queries of shell.dll...... I'm guessing there were about six windows so a couple of calls to the dll is ok. They were only qureies too.

Yes there are numerous web pages out there that actually do bad things to your computer and there will be many more in the future. The reason M$ puts out so many patches for IExplore is because of the number of vulnerabilities that keep being found. It's a fact of life on the web and the only sure way not to get something nasty is to unplug the phone or cable connector. Other than that set your secutiry in the Internet zone to High and pray.

[dazednconfused]

Thank you so much to all who have replied....

If this problem is not really a problem, then these idiosyncracies remain on my PC - and these problems occurred at the EXACT time of accessing this "suspect" domain name, and yet have NEVER been present before on my PC:

*I am continually kicked out of my net connection on the "infected" computer.
*I am told during random sessions that "there is not enough memory to perform this operation", no matter how trivial an operation (couldn't even open up a DOS window yesterday).
*During online sessions, I am often redirected to webpages I have not requested, and those pages I have requested - and which I know exist - are returned to me as "page not found".
*Webpages are displayed incorrectly - the page being displayed may have a title of one news story, yet display the contents of another unrelated news story
*My entire system can lock-up to the degree that ctrl-alt-del does not respond.
* The main menu (Start menu) sometimes cannot even display itself properly and freezes on the screen when accessed causing a complete hang of the system, fixable only by a complete reboot.
* Peculiar links to critical DOS system files (registry edit/cleaner executables) amongst others have appeared inside my own personal folder on the PC, and were created exactly at the time of the suspected infection.
* And something called a "5A File" (regarding file type) was downloaded into the Temp. Int. Files Directory when the system was first "hit".

What does all this mean?

(The only way I knew I had been "infected" at the time, was because someone else on the particular msg. board where the "bad link" had been posted, pleaded with everyone else NOT to click on that link (as posted by the "assailant") because he/she advised it was a nasty Trojan and according to his post : "We are trying to get it shut down" - referring to the web address "youdontknowwhoiam".)

Hmmm. Any further thoughts ?

[Dr_Evil]

Whey dazed or confused,

Apa ini !

I just checked the web site, u know which web site. It is not a virus or trojan.It's just made by an idiot which makes your page jump about.Now , my computer has a firewall and sophos antivirus and therefore nothing can be changed.
If have the same problem all the time, its likely that your homepage has chaged to the web address.

I have checked for virus and trojan and never found one.

if you are worried about virus or trojan then get a free virus checker and firewall from here:-

http://www.zonelabs.com/store/content/home.jsp

and

AVG ANTIVIRUS


*debwalin has suggested good web links as well.

Dr_Evil