This (my first post on Afterdawn) is part question, part warning. When I insert the (legit) DVD "Stargate SG-1 - Children of the Gods (Final Cut 2009)" on my Windows machine my Comodo Firewall reports a process with a random, single letter name (seemingly a letter in unicode) attempting to do one of the following (it seems random which):

* listen on 0.0.0.0:0
* listen on 0.0.0.0:30
* listen on 0.0.0.0:60
* connect to 166.84.48.97:230
* connect to 62.136.230.97:196
* connect to 164.205.72.98:120
* do nothing

I suspect these attempts are actually tests to probe or bypass my firewall. I have not allowed it past this point because I have no idea what it intends to do once it connects. The process has hidden itself from Task Manager (which is not unusual) but surprisingly it is also able to hide from the MSDN "Process Explorer" which I understood to be much more thorough. I tried Googling for "Children of the Gods" +spyware and found nothing. Does anyone out there have more information on this probable spyware/malware/rootkit?
If it happened recently, use system restore to revert your system back to before you first inserted the DVD. After the restore, insert the DVD while holding the left shift key down. Keep it held for at least 30 seconds after the disk goes in. Release the shift key and use Windows Explorer to navigate the DVD's folders. Look for any suspicious folders/files. For what it's worth, I would NEVER let a commercial DVD autoplay - you never know what it's going to do. Same with commercial CDs.
I don't have much confidence in system restore. Most spyware seems to install itself in the restore snapshots as well. I can add some additional information since I posted:

* The issue is not limited to the Stargate movie. I am now seeing the alert for other discs. Whatever it is has installed itself between the drive and the system.
* Another potential culprit could be the movie "Blindness" (another new release - pretty boring too) which I watched last night.
* I haven't installed any software lately, I use FF with noscript, I have no email on this PC and my LAN connection is firewalled, so the most likely means of infection is still a rootkit DVD (especially since the primary symptom appears to be an attempt to report DVD viewing). I only hired "Blindness" and it's gone back now so I cannot check that disc. EDIT: On second thoughts I watched Blindness at a friend's house, I don't believe I ever put it in this PC (I can't remember).
* I checked the SG1 disc on linux and it appears to be a simple UDF volume with no strange files, however I'm unsure how to check for multitrack discs.
* Other addresses contacted are:
  146.112.212.108 (Alcatel-Lucent Austria AG) Vienna
  194.109.38.109 (XS4ALL Internet BV) Amsterdam
  160.139.208.106:78 (Another DoD NIC address)

I'm about to try spybot and hijackthis.

@varnell: no I use VLC and Media Player Classic. I wouldn't touch WMP if you paid me.
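The two posts above describe the symptoms a defender can actually write a check for: a process whose name is a single (non-ASCII) letter that changes on every alert, listens on port 0, and outbound connections to non-standard ports. The script below is an added example, not something from the thread or from Comodo; it parses firewall alerts in a constructed key=value layout (Comodo's real log format is not reproduced here, so the regex is an assumption to adapt) and applies those heuristics to a constructed sample built from the addresses and ports quoted in the thread.

```python
"""Triage of outbound firewall alerts of the kind described in the thread.

Added example (not from the original posts). Input lines are CONSTRUCTED in a
made-up key=value layout, not Comodo's real log format; adapt LINE_RE to
whatever your firewall actually writes.
"""
import re
from collections import Counter

# Constructed sample alerts. The IPs/ports are the ones quoted in the thread;
# the process names are single Cyrillic letters standing in for the
# "random single unicode letter" the poster saw.
SAMPLE_ALERTS = """\
2009-11-02 21:14:03 process=\u043e action=listen remote=0.0.0.0:0
2009-11-02 21:14:11 process=\u0456 action=listen remote=0.0.0.0:30
2009-11-02 21:15:40 process=\u0455 action=connect remote=166.84.48.97:230
2009-11-02 21:16:02 process=\u0441 action=connect remote=62.136.230.97:196
2009-11-02 21:16:30 process=firefox.exe action=connect remote=203.0.113.5:443
2009-11-02 21:17:01 process=vlc.exe action=listen remote=0.0.0.0:8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) process=(?P<proc>\S+) action=(?P<action>listen|connect) "
    r"remote=(?P<ip>[\d.]+):(?P<port>\d+)$"
)

# Destination ports a desktop normally talks to. Anything else is only
# "unusual", which is a prompt to look closer, not proof of malice.
COMMON_DST_PORTS = {25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}


def parse_alerts(text):
    """Turn log text into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def reasons_for(ev):
    """Per-event heuristics; each returned string is one reason to look closer."""
    reasons = []
    proc = ev["proc"]
    if len(proc) == 1:
        reasons.append("single-character process name")
        if ord(proc) > 0x7F:
            reasons.append("non-ASCII name (look-alike letter, hard to search for)")
    if ev["action"] == "listen" and ev["port"] == 0:
        reasons.append("listen on port 0 (invalid; reads as a firewall probe)")
    if ev["action"] == "connect" and ev["port"] not in COMMON_DST_PORTS:
        reasons.append(f"connect to unusual destination port {ev['port']}")
    return reasons


def triage(text):
    """Return (flagged, summary); flagged is a list of (timestamp, process, reasons)."""
    events = parse_alerts(text)
    flagged = [(ev["ts"], ev["proc"], reasons_for(ev)) for ev in events]
    flagged = [f for f in flagged if f[2]]
    one_char = Counter(ev["proc"] for ev in events if len(ev["proc"]) == 1)
    summary = {
        "events": len(events),
        "flagged": len(flagged),
        "distinct_single_char_names": len(one_char),
        # A name that differs on every alert is itself a signal: legitimate
        # programs keep the same image name across their connections.
        "rotating_name": len(one_char) >= 2 and max(one_char.values()) == 1,
    }
    return flagged, summary


if __name__ == "__main__":
    flagged_events, stats = triage(SAMPLE_ALERTS)
    for ts, proc, why in flagged_events:
        print(ts, repr(proc), "; ".join(why))
    print(stats)
```

The firefox.exe and vlc.exe lines pass through unflagged, which is the point of the port allowlist: the heuristics are meant to surface the handful of alerts worth investigating, not to block anything on their own.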
Don't think those are anything that could be associated with a disk.. more likely some other spyware. Run a full spyware/malware scan in safe mode and see what it turns up.. if it finds nothing then start looking for a rootkit.. http://kareldjag.over-blog.com/article-1232492.html