Thread: Rockford.discoverconsole.com

  1. #1
    esando Guest

    Rockford.discoverconsole.com

    Has anyone heard of this?
    It keeps trying to access thru "MyFTP.exe" every hour.
    I ran the ZA scan and it stopped for a little while then it changed the time it tries to log on.
    ZA blocks its access but I am suspicious. Thanks, Ed

    Operating System:Windows XP Home Edition
    Software Version:5.x
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Apr 2004
    Location
    East Coast of Florida - Lightning/Shark Bite Capital of the World
    Posts
    2,477

    Re: Rockford.discoverconsole.com

    Hi,

    Welcome to the Forum!

    May I suggest the following, PLEASE?

    PLEASE go to the following site and have them run a FREE online scan for any type of bugs that may or may not be hiding in your computer. If You have anything NASTY installed on your computer this site will find it and remove it for you, unless it is something that they can not fix, but let's hope that is not the case here.

    Free Spyware Removal & Virus Removal

    Got infected?

    Get free virus removal, including spyware removal. ESET provides this free virus cleaner as a public service to customers of Symantec, McAfee, Trend Micro, and other antivirus vendors. If you were running one of these products and were infected by a virus or spyware, we can help you with this free virus cleaner.

    Note: ESET customers running NOD32 do not need these, since protection is already built into the product.

    http://www.eset.com/download/free-virus-remover.php

    PLEASE keep me posted on your results, THANKS.

    SlyFox
    "Politeness costs nothing and gains everything".

  3. Re: Rockford.discoverconsole.com

    I ran the online scan and it found nothing.
    I did not run the free trial offer that has the rootkit scan.
    I ran AVG in safe mode and it found some "HiJack.low". I deleted it, and then three times since the MyFTP.exe (rockford.discoverconsole.com) tried again. Each time it gets blocked by ZA. Should I try running the complete eset, or try some kind of "Rootkit"? What is "Rockford..." anyway?
    Thanks, Ed

  4. #4
    Join Date
    Apr 2004
    Location
    East Coast of Florida - Lightning/Shark Bite Capital of the World
    Posts
    2,477

    Re: Rockford.discoverconsole.com

    Hi,

    It could be a number of things. I googled it and here is the link to many areas it covers.

    http://www.google.com/search?client=...=Google+Search

    If it was me, I would go to the following link and have them run a complete HJT Log on your computer and see if it is a very nasty bug or not.

    http://www.bleepingcomputer.com/forums/forum22.html

    PLEASE keep me posted on your results, THANKS.

    SlyFox
    "Politeness costs nothing and gains everything".

  5. Re: Rockford.discoverconsole.com

    Slyfox, UPDATE
    I am going through what you recommended.
    I got on bleepingcomputer and am following their "Preparation Guide" before posting a HIJACKTHIS log.
    I opened an account, ran "cleanmgr", ran Ad-Aware, and Spybot. To this point nothing has been found that stands out (couple of tracking from known sites), but after each I would check the ZA logs. Although none of the scans stopped the "rockford..." from attempting to access the internet, after I ran Spybot there were two logs: one from the program I have been questioning, "myFTP.exe", which was blocked, and one from Spybot which reads as follows:

    "rating: HIGH; type: New Program; Program:C:\program files\spybot-search & destroy\sdupdate.exe; destination IP:66.63.163.176.53 direction: outgoing; action: allowed; destination DNS: rockford.discoverconsole.com"

    Now I'm really confused!! ZA has been the only virus protection I've used, why would Spybot be related to rockford... (especially since I just now downloaded it)?
    Just keeping you updated, thanks for your assistance.
    I will now continue the "Preparation Guide".
    Ed

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Rockford.discoverconsole.com

    myFTP.exe is a SDBOT worm or IRC BOT.
    See http://vic.zonelabs.com/tmpl/body/CA....jsp?VId=46504

    Rockford.discoverconsole.com is a malicious activeX/BHO.
    See http://www.castlecops.com/modules.ph...&id=533&type=y.

    Removal advice, and by no means perfect.

    First disable the System Restore.
    Download and install the CCleaner
    Then.

    Start the PC in the Safe Mode.
    Start > Run > type in regedit and OK.
    Open the Edit in the top and then select the Find and copy and paste this

    B56FF813-9B72-439D-BFF3-E722EBAECA8E

    or

    {B56FF813-9B72-439D-BFF3-E722EBAECA8E}

    into the Find What bar.
    Click Find Next.
    Look at the key and see if there is a file location indicated in the right side panel. Note the location.
    Then.
    Delete the found item (in the right panel).
    Continue with again the Find next until all are noted/deleted and no more are found.

    Next open these keys and look for any mention of myftp.exe:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ethernet = "myftp.exe"
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ethernet = "myftp.exe"

    and also:

    HKEY_CURRENT_USER\Software\Microsoft\OLE
    ethernet = "myftp.exe"

    These may vary, and may exist under the Run and RunServices of other areas of the Regedit, not just in these two areas.

    But look for the locations of the files (more than likely in WINDOWS\system32\ folder) and note these locations before deleting these (as seen in the right sided panel)

    Now open the Edit once again and in the Find use this time the myFTP.exe. Again note the file locations and delete all found.

    Close the regedit.
    Open the Folder options of the Control Panel.
    Make sure the "Show hidden files and folders" is checked and the "Do not show hidden files and folders" is unchecked.
    Uncheck the "Hide extensions for known file types".
    Apply and OK.
    Close the Windows completely. In other words shut the PC down.
    Now restart once again in the safe mode or safe boot.

    Now open the WINDOWS and open the Search.
    Click the "All files and folders"
    Open the "more advanced options"
    Check everything listed.
    now type into the "All or part of the file name;" the myFTP.exe and hit the Search button.
    Delete all found files.
    Do the same again but this time using the "A word or phrase in the file;"
    Delete all found files.

    Next open the Downloaded Programs Files folder of the WINDOWS and delete any mention of the {B56FF813-9B72-439D-BFF3-E722EBAECA8E} and any myftp.exe and carefully examine any unusual file and then delete any if found suspicious.

    Using the notes of the file locations from the first time in the safe mode, delete any files found from the possible file locations.

    Empty the Recycle Bin.
    Start the resident AV scanner and finish a complete scan. Remove all found.
    Then open the Program Files\CCleaner folder and double click the CCleaner.exe. Open the Options and select maximum cleaning. Run first the Cleaner (delete all found) and then the Registry buttons (delete all found).

    Now reboot into the normal mode or normal boot.
    Open the IE and under the Tools, click the "Manage Add-ons" and then the "Enable or disable the add-ons"
    Then in the "Show" drop down, check all, especially the "downloaded activeX controls" and disable any rogues.


    Something like the BHODEMON or others may be a useful utility for you.

    The paid ZA version has controls for all activeX installations in the OSFirewall tab. If using the paid version, this should be enabled for better protection of your PC.

    Then open the IE and navigate to here. This site requires an activeX installation, thus the need for the IE.
    Do a full scan and delete all found. This scanner will only leave some temp files in the Temp folders- which can be easily removed with one single clean with the CCleaner.

    Then download and install the freeware version of superantispyware found here and update and do a complete or full scan. Delete all found.

    An additional and worthwhile malware/trojan/worm freeware scanner, ASquared, for the desktop, is found here. Also very recommendable.

    Run the CCleaner in full.

    Reboot.

    Any better??


    Oldsod

    Message Edited by Oldsod on 12-10-2007 10:21 AM
    Best regards.
    oldsod
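
Added example (not part of the thread and not any poster's code): the registry checks from post #6, done read-only against a `reg export` text dump instead of by hand in regedit, reporting where each hit lives so a copy under `Program Files\DISC` can be told apart from an autostart entry. The sample export, the function names and the `HKEY_LOCAL_MACHINE\SOFTWARE\Example\Games` entry are constructed for illustration; the CLSID, `myftp.exe` and the autostart key names come from the post.

```python
import re

CLSID = "b56ff813-9b72-439d-bff3-e722ebaeca8e"  # indicators quoted in post #6
BINARY = "myftp.exe"
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices", r"\microsoft\ole")

# Constructed sample in `reg export` text form; not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ethernet"="myftp.exe"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"ethernet"="myftp.exe"

[HKEY_CLASSES_ROOT\CLSID\{B56FF813-9B72-439D-BFF3-E722EBAECA8E}\InprocServer32]
@="C:\\WINDOWS\\Downloaded Program Files\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Games]
"Updater"="C:\\Program Files\\DISC\\myFTP.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(text):  # strip .reg string quoting and undo its backslash escapes
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    return re.sub(r"\\(.)", r"\1", text)

def audit(export_text):
    """Return (reason, key, value_name, data) per hit; nothing is modified."""
    findings, key = [], ""
    for line in map(str.strip, export_text.splitlines()):
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
            if CLSID in key.lower():
                findings.append(("clsid-key", key, "", ""))
        elif VALUE_RE.match(line):  # string values only; hex-encoded data is not decoded
            name, data = map(unquote, VALUE_RE.match(line).groups())
            low = data.lower()
            if BINARY in low or CLSID in low:
                auto = BINARY in low and key.lower().endswith(AUTOSTART_SUFFIXES)
                findings.append(("autostart" if auto else "reference", key, name, data))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

A file written by `reg export` is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.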

  7. #7
    esando Guest

    Re: Rockford.discoverconsole.com

    I was continuing my search on my computer for this file and found the myFTP.exe file; in its properties it lists "Digital Interactive Systems Corporation, Inc." as the company.
    In my windows task manager it lists DISCcover in the processes.

    Seems like a game site.
    I know this HP came with a lot of "free" games on it. I played some of them and got rid of the most.
    I will try it also.
    I am paranoid, yea, but who can afford stolen ID's?
    Thanks, Ed

  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Rockford.discoverconsole.com

    Okay Ed. That file does sound legitimate and above board.
    Just do some more checking on the 'net to make sure.
    Take care, Oldsod
    Best regards.
    oldsod

  9. #9
    coisa Guest

    Re: Rockford.discoverconsole.com myFtp.exe

    I tried to run through your procedure to remove myFtp.exe. Searching the registry in safe mode did not find the registry code or myFTP.exe in any locations except the program files\disc folder.

    I reviewed the INI file in the folder and apparently the folder with its program appears totally related to games. I am not much of a gamer, and do not recall downloading any games listed within the INI. The software may have been shipped with this HP system when it was new, based on the file dates.

    Zonealarm identified myFtp.exe running frequently some time ago, usually within hours of restart and when browsing the web with both Firefox and IE. I blocked the program and sites as soon as I became aware of it running frequently (I also used the kill option in Zonealarm Programs | Program control).

    I've also found program listings in the Zonealarm Program Alerts | Programs for svchost.exe and nmsrvc.exe directing to IP 218.66.104.248 - miorsocft.com (this is the correct spelling; at easy glance it might be mistaken as Microsoft). This site is in central China. I may have inadvertently accepted myFtp or miorsocft before I blocked them.

    Additionally, I've found MYFTP.EXE-3ACD71EC.pf in the windows/prefetch folder when myFtp.exe tried to run.

    I publish a number of web sites using Microsoft Front page and have had at least 3 of them hacked. I suspect that the China IP and/or myFtp.exe are somehow responsible. Both program / site appeared in the ZA logs seemingly related in time. I suspect that myFtp or Rockford.discoverconsole.com may be well hidden key loggers of user accounts / pw's.

    I used the uninstall program in the program files/disc folder; it apparently uninstalled myFtp as well as everything else in the folder. I also deleted the prefetch file.

    I have had no further problems once uninstalling and the system is stable. And it seems, faster. My hacked site may be responsible for miorsocft.com, but myFtp may have been involved in it being hacked.

    It's hard to find what is exactly going on and I may be partially or totally wrong; however, there are many references on the web to myFtp being a problem.

    Warning: myFtp.exe in the Program files/disc folder may be a legit program version but the malicious stuff may have used it. Know what you are doing before uninstalling.

  10. #10
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Rockford.discoverconsole.com myFtp.exe

    Hi coisa

    Usually the myftp.exe comes shipped with the HP machines and is used in IIS 4.0/5.0. But more often than not, the machine is not HP and it is safe to assume the myftp.exe is malware.

    Open the prefetch file with the notepad and see what the related files and folders are - this will help clear the air. So will the Properties feature found of the right click of the myftp.exe listed in the ZA Program listing.

    Block the IP from China in the ZA Zones. Obvious to us it is a bogus IP.

    nmserve.exe.

    I wonder too what is going on. Maybe more than just what is seen and there could be more infections somewhere (rootkit or trojan) on the PC.

    Cheers, Oldsod

    Message Edited by Oldsod on 12-16-2007 04:26 PM
    Best regards.
    oldsod
