IE, trojans, and anti-virus

History Fan

I have a PC running XP Home SP1. Against the advice of many people I
know online, I have continued to use Internet Explorer 6 SP1 as my main web
browser. This morning, I (foolishly) clicked the link to a sleazy-sounding
webpage. Seconds later, my anti-virus program popped up, saying it had
detected trojans on this web page. I was strongly urged to run a system
scan immediately. I did so, and no infections were found. Below is a text
log of what my anti-virus software discovered when I clicked on that web
page. From reading the text, does it appear everything was cleaned up? I
have long since cleaned out my TEMP files:

2004/07/06 06:14:27.875 File infection: C:\Documents and
Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\8V4ZYHVK\checker[1].htm is HTML.MHTMLRedir.exploit trojan.
Deleted.

2004/07/06 06:14:27.875 File infection: C:\Documents and
Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\8V4ZYHVK\checker[1].htm is HTML.MHTMLRedir.exploit trojan.

2004/07/06 06:14:27.875 File infection: C:\Documents and
Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\8V4ZYHVK\checker[1].htm is HTML.MHTMLRedir.exploit trojan.

2004/07/06 06:14:29.062 File infection: C:\Documents and
Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\8V4ZYHVK\md[1].htm is JS.ModalDZoneBypass.exploit trojan.
Deleted.

2004/07/06 06:14:29.078 File infection: C:\Documents and
Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\8V4ZYHVK\md[1].htm is JS.ModalDZoneBypass.exploit trojan.

2004/07/06 06:14:29.109 File infection: C:\Documents and
Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\8V4ZYHVK\md[1].htm is JS.ModalDZoneBypass.exploit trojan.

2004/07/06 06:14:34.687 File infection: C:\Documents and
Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\6LIHYYHC\shellscript_loader.js[1].htm is
JS.ModalDZoneBypass.exploit trojan. Deleted.

2004/07/06 06:14:34.703 File infection: C:\Documents and
Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\6LIHYYHC\shellscript_loader.js[1].htm is
JS.ModalDZoneBypass.exploit trojan.
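
The question above comes down to whether each flagged file has a "Deleted." entry, so here is an added example (not part of the original thread, and not any vendor's tool) that groups the log by file and checks exactly that. The function names and the entry layout are assumptions inferred from the eight entries in the post; treating a single "Deleted." entry as covering the later action-less entries for the same path is also an assumption about how this scanner logs.

```python
import re

# The eight entries from the post above, rebuilt one per line from their common parts.
CACHE = r"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5"
MHTML, MODAL = "HTML.MHTMLRedir.exploit", "JS.ModalDZoneBypass.exploit"
ROWS = [  # (seconds, cached file, signature, logged action)
    ("27.875", r"8V4ZYHVK\checker[1].htm", MHTML, " Deleted."),
    ("27.875", r"8V4ZYHVK\checker[1].htm", MHTML, ""),
    ("27.875", r"8V4ZYHVK\checker[1].htm", MHTML, ""),
    ("29.062", r"8V4ZYHVK\md[1].htm", MODAL, " Deleted."),
    ("29.078", r"8V4ZYHVK\md[1].htm", MODAL, ""),
    ("29.109", r"8V4ZYHVK\md[1].htm", MODAL, ""),
    ("34.687", r"6LIHYYHC\shellscript_loader.js[1].htm", MODAL, " Deleted."),
    ("34.703", r"6LIHYYHC\shellscript_loader.js[1].htm", MODAL, ""),
]
LINE = "2004/07/06 06:14:{} File infection: " + CACHE + "\\{} is {} trojan.{}"
SAMPLE_LOG = "\n".join(LINE.format(*row) for row in ROWS)

# Assumed entry layout: timestamp, path, signature name, optional action.
ENTRY = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) File infection: "
    r"(?P<path>.+?) is (?P<sig>\S+) trojan\.(?P<action> Deleted\.)?"
)

def summarize(log_text):
    """Group entries by file: detection count, whether any entry says
    'Deleted.', and how many entries were logged after that one."""
    text = " ".join(log_text.split())  # undo mail/news line wrapping
    files = {}
    for m in ENTRY.finditer(text):
        rec = files.setdefault(m["path"], {
            "signature": m["sig"], "detections": 0,
            "deleted": False, "after_delete": 0})
        rec["detections"] += 1
        if m["action"]:
            rec["deleted"], rec["after_delete"] = True, 0
        elif rec["deleted"]:
            rec["after_delete"] += 1
    return files

def never_deleted(log_text):
    """Files that were detected but have no 'Deleted.' entry at all."""
    return [p for p, r in summarize(log_text).items() if not r["deleted"]]

if __name__ == "__main__":
    for path, rec in summarize(SAMPLE_LOG).items():
        print(path.rsplit("\\", 1)[-1], rec)
    print("never deleted:", never_deleted(SAMPLE_LOG))
```

For this log every file has a "Deleted." entry, followed by one or two entries for the same path with no action recorded. The log covers only the cached pages the scanner flagged, so it cannot show anything outside the browser cache.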
 
Jurren Bouman

If you cleaned out the temp files and your anti-virus software says it
didn't find anything, if that has the latest signature files, then I
think your computer is clean again.

For a 2nd opinion you could do an online scan at either RAV:
http://www.ravantivirus.com/scan/
or Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
 
History Fan

Thanks for the info. My temp files have been cleaned out, and my
anti-virus is up-to-date. I went to Panda's webpage for the free online
scan. It installed an ActiveX Control, then did a scan of my computer. No
viruses found. I also have Spybot S&D 1.3 installed. A few days ago, I
turned off the immunization feature, and the "tea timer" program. Now they
are both turned back on!
 
History Fan

The trojan scare this morning has caused me to upgrade my Internet
"defenses." First, I turned Spybot's immunization feature back on. Then I
disabled the XP Firewall, and installed the free firewall offered by my
anti-virus program, Computer Associates. It's basically ZoneAlarm 4.5 with
a different logo. I configured this new firewall to block pop-up ads, web
bugs, and 3rd party cookies.
 
Jan Il

Hi History Fan :)

In addition to what you have already done, which is very good indeed, I urge
you to also install the AdAware on your system. SpyBot S&D is good only for
spyware. AdAware cleans adware. The CWShredder cleans malware. The
additional free programs will be the only on-hand defense you have if you
are unable to access the Internet to download them when you need them. It is
also best to run them in Safe Mode with Hidden Files enabled. I've also
added a few more links to programs you should also have installed on hand as
a precaution, and links to some very good advice.

AdAware: Free
http://www.lavasoftusa.com/support/download/
HOW TO: Reconfigure Ad-aware for a Full Scan
http://forum.aumha.org/viewtopic.php?t=5877

CWShredder: Free
http://tinyurl.com/2l9kl

HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Before you try to remove spyware using any of the programs below, download a
copy of LSPFIX from any of the following sites:

http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
XP)

The process of removing certain malware may kill your internet connection.
If this should occur, this program, LSPFIX, will enable you to regain your
connection.

Additional information at:
The Parasite Fight http://www.aumha.org/a/quickfix.htm
Bugs, Glitches & Stuffups: http://www.mvps.org/inetexplorer/Darnit.htm

This program will help keep scumware from getting a strong grip on your
system.
SpywareBlaster.
http://www.javacoolsoftware.com/spywareblaster.html

Hope this helps.

Jan :)

Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
