Identify this Malware

 
Old 03-06-2005, 04:45 PM   #1
pgx@pgrahams.com
Guest
 
Posts: n/a
Default Identify this Malware


Win XP Home, IE favorites keep getting several porn sites added.
I've deleted the offending favorites and cleared "everything" in IE,
but after a re-boot they all return. Scans by Spybot and AdAware and
AVG find nothing.

Help!

Phil
Old 03-06-2005, 08:01 PM   #2
David H. Lipman
Guest
 
Posts: n/a
Default Re: Identify this Malware

From: <pgx@pgrahams.com>

| Win XP Home, IE favorites keep getting several porn sites added.
| I've deleted the offending favorites and cleared "everything" in IE,
| but after a re-boot they all return. Scans by Spybot and AdAware and
| AVG find nothing.
|
| Help!
|
| Phil

Insufficient information to identify any particular piece of malware.

You also failed to state the versions of the software.

Currently, the software you listed are...

AVG v7.xxx
SpyBot S&D v1.4
Ad-Aware SE v1.06

So if you used Adaware6, SpyBot S&D v1.2 or AVG v6 then they need to be replaced with their
newer counterparts and updated.

Besides what I have already stated, I suggest the following...

Spywareblaster: http://www.wilderssecurity.net/spywareblaster.html
BHOdemon: http://www.definitivesolutions.com/bhodemon.htm

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Old 03-06-2005, 08:51 PM   #3
ggg
Guest
 
Posts: n/a
Default Re: Identify this Malware

On Fri, 03 Jun 2005 15:45:21 GMT, pgx@pgrahams.com wrote:

>Win XP Home, IE favorites keep getting several porn sites added.
>I've deleted the offending favorites and cleared "everything" in IE,
>but after a re-boot they all return. Scans by Spybot and AdAware and
>AVG find nothing.
>
>Help!
>
>Phil


I use those spyware removers but I haven't had any problems since
switching from IE to Mozilla and Firefox. You can import your IE
bookmarks to Mozilla. HTH.

Old 03-06-2005, 10:01 PM   #4
Spacen Jasset
Guest
 
Posts: n/a
Default Re: Identify this Malware

pgx@pgrahams.com wrote:
> Win XP Home, IE favorites keep getting several porn sites added.
> I've deleted the offending favorites and cleared "everything" in IE,
> but after a re-boot they all return. Scans by Spybot and AdAware and
> AVG find nothing.
>
> Help!
>
> Phil


If you download a copy of hijackthis and post the logs here we'll try
and identify the interloper.
Old 04-06-2005, 05:16 PM   #5
pgx@pgrahams.com
Guest
 
Posts: n/a
Default Re: Identify this Malware

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
|
|You also failed to state the versions of the software.
|
|Currently, the software you listed are...
|
|AVG v7.xxx
|SpyBot S&D v1.4
|Ad-Aware SE v1.06

Yes - all up to date

|Beside what I have already stated, I suggest the following...

I will not have direct access to the machine 'til the end of the
month. Your suggestions seem a bit much for the owner to try.

|Dump the contents of the IE Temporary Internet Folder cache (TIF)
|Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Done

|Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
|Tools --> Options --> Privacy --> Cache --> Clear

FireFox is OK. It is now the default browser, but occasionally a site
"requires" IE

|* * * Please report back your results * * *

I will save this message and report back when I can try your
suggestions.

Thanks much

Phil
Old 04-06-2005, 05:17 PM   #6
pgx@pgrahams.com
Guest
 
Posts: n/a
Default Re: Identify this Malware

Spacen Jasset <spacenjasset@yahoo.co.uk> wrote:

|If you download a copy of hijackthis and post the logs here we'll try
|and identify the interloper.

Thanks. Will try when I have access to the machine.

Phil
Old 04-06-2005, 06:45 PM   #7
Heather
Guest
 
Posts: n/a
Default Re: Identify this Malware


<pgx@pgrahams.com> wrote in message
newsmk3a11ibm06u7nddm5mfkrqg79m1gm2oh@4ax.com...
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>
> |Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> |Tools --> Options --> Privacy --> Cache --> Clear
>
> FireFox is OK. It is now the default browser, but occasionally a site
> "requires" IE


Add the extension in Firefox which enables IE when needed. "IE View" is the
name of it and you will see it under Tools when you need it.

There are some other very useful extensions that I added, such as Print It,
Print Preview, Foxy Tunes and so on. Well....Foxy Tunes isn't really
needed, grin.

Cheers......Heather
Old 05-06-2005, 04:37 AM   #8
kurt wismer
Guest
 
Posts: n/a
Default Re: Identify this Malware

pgx@pgrahams.com wrote:
[snip]
> FireFox is OK. It is now the default browser, but occasionally a site
> "requires" IE


if it's only "occasionally" and not "regularly", then perhaps you don't
need that site...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
Old 05-06-2005, 05:59 PM   #9
pgx@pgrahams.com
Guest
 
Posts: n/a
Default Re: Identify this Malware

kurt wismer <kurtw@sympatico.ca> wrote:

|if it's only "occasionally" and not "regularly", then perhaps you don't
|need that site...

My feeling (almost) exactly, but this is not for my computer.

However, many times Southwest Airlines has a far better fare than
other airlines, and their site will not accept reservations from
Mozilla (haven't tried the latest FireFox).

Also, I work helping seniors sign up for Medicare Drug Discount Cards.
One of the company's site does not recognize 128-bit encryption from
the latest FireFox - only IE.

Sometimes IE is a necessary evil!

Phil
Old 07-06-2005, 05:31 AM   #10
kurt wismer
Guest
 
Posts: n/a
Default Re: Identify this Malware

pgx@pgrahams.com wrote:
> kurt wismer <kurtw@sympatico.ca> wrote:
>
> |if it's only "occasionally" and not "regularly", then perhaps you don't
> |need that site...
>
> My feeling (almost) exactly, but this is not for my computer.
>
> However, many times Southwest Airlines has a far better fare than
> other airlines, and their site will not accept reservations from
> Mozilla (haven't tried the latest FireFox).


since firefox is the one that's been getting all the attention in the
media (and will be from now on - mozilla suite is in maintenance mode -
no new development there other than security fixes), try with firefox
and if it fails complain to them...

> Also, I work helping seniors sign up for Medicare Drug Discount Cards.
> One of the company's site does not recognize 128-bit encryption from
> the latest FireFox - only IE.
>
> Sometimes IE is a necessary evil!


sometimes, yes... it's acceptable to sometimes use it for windows update
too (i don't expect microsoft will ever support firefox for that)...

of course there is an extension that allows you to render a page using
IE's engine...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"