False Report

Jon

Due to hijacking of my Internet Explorer 6 it was
recommended that I download this Beta and it would take
care of the problem. I downloaded it, did the update, and
ran the scan. The scan came up with 3 signatures of IE
Tray, and 3 Registry entries under
HKEY_Current_User\SoftwareMS\Internet Explorer, a Serious
Browser Modifier. I did the quarantine and delete, and
rebooted; now the same problem is still there, as bad as
ever, and subsequent scans say everything is alright. I
also tried to send a suspected spyware scan, and I cannot
transmit the scan results. It is blocked. If I can't get
rid of this I will have to download Firefox.
 
Bill Sanderson

Please try restarting in Safe mode by pressing the F8 function key before the
initial Windows screen appears.

Do full, deep scans until a scan comes through clean--probably two scans.

This bug is not brand new, and I believe Microsoft antispyware should be
able to clean it.

Here's one reference describing how to clean it based on a HijackThis log
file:
--------------------------------------------------------------------
Hijacks to search-aide.com and changes the function of the F9 key.

IETray

Uses a Windows filename as a startup entry.

Log example:

O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM32\IEMsg.dll
O4 - HKLM\..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM

Fix the entries above and delete the CSRSS.EXE in the Windows directory, not
the one in System(32).
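
The check the reference above relies on (a startup entry that borrows a Windows filename but sits outside System32), as an added example that is not part of the original thread. The function names, the short list of system filenames and the extra `ExampleTool` log line are assumptions of this example.

```python
import ntpath
import re

# Constructed sample: the log excerpt quoted in the post above, plus one
# ordinary Run entry (ExampleTool) added here for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM32\IEMsg.dll
O4 - HKLM\..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\Example\tool.exe /start
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
"""

# Core Windows processes that normally run only from the System32 directory.
# Short illustrative list (an assumption of this example), not exhaustive.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                "svchost.exe", "winlogon.exe"}

# HijackThis O4 line: "O4 - <registry key>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable path at the start of the command line, optionally quoted.
EXE_PATH = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|com|bat|scr))(?=["\s]|$)', re.I)


def parse_o4(log_text):
    """Yield (registry key, value name, executable path) for each O4 entry."""
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        p = EXE_PATH.match(m["cmd"])
        if p:
            yield m["key"], m["name"], p["path"]


def masquerading_entries(log_text, system_dir=r"C:\WINDOWS\SYSTEM32"):
    """Return O4 entries that reuse a system filename outside system_dir."""
    hits = []
    for key, name, path in parse_o4(log_text):
        folder, exe = ntpath.split(ntpath.normpath(path))
        if exe.lower() in SYSTEM_NAMES and folder.lower() != system_dir.lower():
            hits.append((key, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in masquerading_entries(SAMPLE_LOG):
        print(f"suspicious startup entry [{name}] under {key}: {path}")
```
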
 
Guest

-----Original Message-----
Please try restarting in Safe mode by pressing the F8 function key before the
initial Windows screen appears.

Do full, deep scans until a scan comes through clean--probably two scans.

This bug is not brand new, and I believe Microsoft antispyware should be
able to clean it.

Here's one reference describing how to clean it based on a HijackThis log
file:
--------------------------------------------------------------------
Hijacks to search-aide.com and changes the function of the F9 key.

IETray

Uses a Windows filename as a startup entry.

Log example:

O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM32\IEMsg.dll
O4 - HKLM\..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM

Fix the entries above and delete the CSRSS.EXE in the Windows directory, not
the one in System(32).
--------------------------------------------------------------------
Let me know whether the safe mode scans do the job for you.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

I already mentioned that I have tried that because it was an answer from my
previous post. I will try to explain it better. Most of the time when I open
a new web page I will see a "Panel". The panel asks for a network user name
and password. In a Safe Mode scan the spyware scanner came up empty. I tried
it 3 times. One of the biggest was Double-click.com. When I blocked it in the
Windows Hosts files, they never came back. This was also true with several
others. Now I'm getting new ones and even though they are listed in the
Windows Host file I can no longer block them. On my Home page I get the Not
Authorized to view portion. The screen shot says Double-click, but that was
before I blocked it.
This is still the same recurring problem. I run Win 2000 with all the
Service packs; all of my Anti Spyware is up to date. I also have Norton, and
Zone Alarm.

Thank You,

Jon
 
Bill Sanderson

This is clearer, and I think I understand the symptom, and that it has
nothing to do with Microsoft Antispyware.

If you go to Tools, Advanced Tools, System Explorers, and click on Windows
hosts file in the left column--do you see a number of entries?

As a test please block each of the entries except the first one--localhost,
using the "block host" function at the lower right.

Please do not do this if your machine is part of a large corporate
internetwork--consult your network manager for help.

Otherwise--let's see if that makes the symptom go away.
 
