Spyware, Adware & What Not!

[rn5a]

I have Win2K Pro installed in the C:\ drive & WinXP Pro installed in
the D:\ drive of my m/c. with 512MB RAM.

Today I carried out an online virus scan using Panda ActiveScan. The
report listed 30 threats like Adwares, Spywares, Virus, Hacktool etc.
Threats were also found in the Windows Registry. Of these 30 threats,
ActiveScan could disinfect only 7 threats.

What I would like to know is will it be safe if I permanently delete
the rest of the 23 threats manually? Doing so, can it affect Win2K &
WinXP in anyway?

This is the scan report ActiveScan generated (note that 'RN 5A' is the
machine name):

--------------------

Incident
Status Location


Adware:Adware/MoneyGainer
Not disinfected C:\WINNT\shginas.dll

Adware:Adware/AzeSearch
Not disinfected C:\WINNT\system32\iasada.dll

Adware:adware/gator
Not disinfected c:\winnt\downloaded program
files\HDPlugin1101.dll

Hacktool:hacktool/rootkit.a!cme-96
Not disinfected c:\winnt\system32\REMON.SYS

Adware:adware/azesearch
Not disinfected c:\winnt\system32\IASADA.DLL

Adware:adware/tubby
Not disinfected c:\winnt\system32\MTC.DLL

Virus:trj/torpig.a
Disinfected Operating system

Spyware:spyware/web3000
Not disinfected c:\winnt\W3KNET.DLL

Adware:adware/webattaker
Not disinfected c:\winnt\UNIQ

Adware:adware/moneygainer
Not disinfected Windows Registry

Potentially unwanted tool:application/mywebsearch
Not disinfected
hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}

Adware:adware/emediacodec
Not disinfected Windows Registry

Adware:adware/secure32
Not disinfected Windows Registry

Adware:Adware/MoneyGainer
Not disinfected C:\WINNT\SYSTEM32\CNETCFGB.DLL

Adware:Adware/MoneyGainer
Not disinfected C:\WINNT\SYSTEM32\mscoriers.dll

Adware:Adware/AzeSearch
Not disinfected C:\WINNT\Downloaded Program
Files\azesearch.inf

Virus:W32/Sdbot.ftp.worm
Disinfected C:\Program Files\Common
Files\System\Mapi\1033\NT\TT

Virus:W32/Sdbot.ftp.worm
Disinfected C:\Program Files\Outlook
Express\TT

Virus:W32/Sdbot.ftp.worm
Disinfected C:\Program Files\Outlook
Express\EQ

Possible Virus.
Not disinfected C:\Program
Files\WMA2MP3\FFMPEG.EXE

Spyware:Cookie/Atlas DMT
Not disinfected D:\Documents and Settings\RN
5A\Cookies\rn 5a@atdmt[1].txt

Spyware:Cookie/Com.com
Not disinfected D:\Documents and Settings\RN
5A\Cookies\rn 5a@com[1].txt

Spyware:Cookie/Doubleclick
Not disinfected D:\Documents and Settings\RN
5A\Cookies\rn 5a@doubleclick[1].txt

Spyware:Cookie/Mediaplex
Not disinfected D:\Documents and Settings\RN
5A\Cookies\rn 5a@mediaplex[1].txt

Spyware:Cookie/2o7
Not disinfected D:\Documents and Settings\RN
5A\Cookies\rn [email protected][1].txt

Spyware:Cookie/QuestionMarket
Not disinfected D:\Documents and Settings\RN
5A\Cookies\rn 5a@questionmarket[2].txt

Virus:W32/Sdbot.IZD.worm
Disinfected D:\WINDOWS\system32\byh.exe

Virus:W32/Sdbot.ftp.worm
Disinfected D:\WINDOWS\system32\i

Hacktool:HackTool/MailPassView.A
Not disinfected
J:\fscommand\pspv160.exe[pspv.exe]

Virus:W32/Gibe.C.worm
Disinfected Hotmail\Inbox\Update.exe
--------------------

 

[PA20Pilot]

Hi,

........What I would like to know is will it be safe if I permanently
delete the rest of the 23 threats manually?

I'm sure you'll get a little more detailed answer a little later, but in
the mean time, I can tell you that some of what's found can't easily be
deleted just because it's there. For example, if something is found in
your email folder full of messages you've been saving. No antivirus I'm
aware of can open that single file, extract the offending message, then
save/close that folder without damaging things beyond repair.

I'll help someone give you a better answer if you could tell them where
you're finding the trash and what names it's using there.


---==X={}=X==---

Jim Self

AVIATION ANIMATION, the internet's largest depository.
http://avanimation.avsupport.com

Your only internet source for spiral staircase plans.
http://jself.com/stair/Stair.htm

Experimental Aircraft Association #140897
EAA Technical Counselor #4562

 

[PA20Pilot]

Hi again,

Should have mentioned earlier that you might get a better response if
you post to microsoft.public.security.virus instead.


---==X={}=X==---

Jim Self

AVIATION ANIMATION, the internet's largest depository.
http://avanimation.avsupport.com

Your only internet source for spiral staircase plans.
http://jself.com/stair/Stair.htm

Experimental Aircraft Association #140897
EAA Technical Counselor #4562

 

[David H. Lipman]

From: <[email protected]>

| I have Win2K Pro installed in the C:\ drive & WinXP Pro installed in
| the D:\ drive of my m/c. with 512MB RAM.

| Today I carried out an online virus scan using Panda ActiveScan. The
| report listed 30 threats like Adwares, Spywares, Virus, Hacktool etc.
| Threats were also found in the Windows Registry. Of these 30 threats,
| ActiveScan could disinfect only 7 threats.

| What I would like to know is will it be safe if I permanently delete
| the rest of the 23 threats manually? Doing so, can it affect Win2K &
| WinXP in anyway?

| This is the scan report ActiveScan generated (note that 'RN 5A' is the
| machine name):


That's a badly infected computer with viruses and non-viral malware. Some baddies are in
there !



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[rn5a]

David, of all the suggestions you have provided, I downloaded
SUPERAntiSpyware Professional, installed it & ran it in the Normal mode
(& not in the Safe Mode which is what you had adviced). After checking
the system & enlisting the threats, SUPERAntiSpyware advised me to
quarantine the threats & I did so but to my surprise, when I re-booted,
Win2K Pro refused to start after that! I could see the Win2K Pro logo
(which shows that the OS is loading using a blue dotted line) but after
that, it restarted on its own. Restarting Win2K again & again were
futile & Win2K always restarts by itself.

Fortunately, using the "Last Known Good Configuration" (pressing F8
while booting), I managed to log into Win2K but after such an aweful
experience, I am pretty apprehensive in using it again. Will running
SUPERAntiSpyware in the Safe Mode cause the same problem?

BTW, here's the details of the log file:

----------
SUPERAntiSpyware Scan Log
Generated 12/29/2006 at 05:52 AM

Application Version : 3.4.1000

Core Rules Database Version : 3155
Trace Rules Database Version: 1171

Scan type : Complete Scan
Total Scan Time : 01:32:41

Memory items scanned : 337
Memory threats detected : 1
Registry items scanned : 6087
Registry threats detected : 18
File items scanned : 99967
File threats detected : 8

Unclassified.Unknown Origin
C:\WINNT\SYSTEM32\CCFGNTA.DLL
C:\WINNT\SYSTEM32\CCFGNTA.DLL
HKLM\Software\Classes\CLSID\{c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee}
HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}
HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}
HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\InprocServer32
HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\InprocServer32#ThreadingModel
HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\ProgID
HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\Programmable
HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\TypeLib
HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\VersionIndependentProgID
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\0
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\0\win32
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\FLAGS
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\HELPDIR
%SYSTEMROOT%\SYSTEM32\CCFGNTA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee}
C:\WINNT\SYSTEM32\CNETCFGB.DLL
C:\WINNT\SYSTEM32\MSCORIERS.DLL

Adware.ZToolbar
C:\WINNT\Downloaded Program Files\azesearch.inf

Browser Hijacker.Tubby
HKU\S-1-5-21-117609710-1004336348-839522115-500\Software\MTC MTC

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-117609710-1004336348-839522115-500\Software\Microsoft\Internet
Explorer\Main#Default_Page_URL [ c:\secure32.html ]

Adware.TrustInCash
C:\WINNT\ADULT.ICO

Adware.Unknown Origin
C:\WINNT\SHOPPING.ICO

Adware.Tracking Cookie
D:\Documents and Settings\RN 5A\Cookies\rn (e-mail address removed)[1].txt
----------

Note that 'RN 5A' is the m/c. name. I have Win2K Pro installed in the
C:\ drive & WinXP Pro installed in the D:\ drive.

Without any intention to question your credibility, I am now all the
more apprehensive to use the other softwares as well that you have
suggested me to use.

Desparately & eagerly waiting for your next advice......

From: <[email protected]>

| I have Win2K Pro installed in the C:\ drive & WinXP Pro installed in
| the D:\ drive of my m/c. with 512MB RAM.

| Today I carried out an online virus scan using Panda ActiveScan. The
| report listed 30 threats like Adwares, Spywares, Virus, Hacktool etc.
| Threats were also found in the Windows Registry. Of these 30 threats,
| ActiveScan could disinfect only 7 threats.

| What I would like to know is will it be safe if I permanently delete
| the rest of the 23 threats manually? Doing so, can it affect Win2K &
| WinXP in anyway?

| This is the scan report ActiveScan generated (note that 'RN 5A' is the
| machine name):


That's a badly infected computer with viruses and non-viral malware. Some baddies are in
there !



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[rn5a]

If you are using any version of Sun Java that is prior to JRE Version 6.0,

then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

Forgot to mention that I am not using any version of Sun Java, David.
There isn't any folder named 'Java' in C:\Program Files.

From: <[email protected]>

| I have Win2K Pro installed in the C:\ drive & WinXP Pro installed in
| the D:\ drive of my m/c. with 512MB RAM.

| Today I carried out an online virus scan using Panda ActiveScan. The
| report listed 30 threats like Adwares, Spywares, Virus, Hacktool etc.
| Threats were also found in the Windows Registry. Of these 30 threats,
| ActiveScan could disinfect only 7 threats.

| What I would like to know is will it be safe if I permanently delete
| the rest of the 23 threats manually? Doing so, can it affect Win2K &
| WinXP in anyway?

| This is the scan report ActiveScan generated (note that 'RN 5A' is the
| machine name):


That's a badly infected computer with viruses and non-viral malware. Some baddies are in
there !



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[David H. Lipman]

From: <[email protected]>

| David, of all the suggestions you have provided, I downloaded
| SUPERAntiSpyware Professional, installed it & ran it in the Normal mode
| (& not in the Safe Mode which is what you had adviced). After checking
| the system & enlisting the threats, SUPERAntiSpyware advised me to
| quarantine the threats & I did so but to my surprise, when I re-booted,
| Win2K Pro refused to start after that! I could see the Win2K Pro logo
| (which shows that the OS is loading using a blue dotted line) but after
| that, it restarted on its own. Restarting Win2K again & again were
| futile & Win2K always restarts by itself.

| Fortunately, using the "Last Known Good Configuration" (pressing F8
| while booting), I managed to log into Win2K but after such an aweful
| experience, I am pretty apprehensive in using it again. Will running
| SUPERAntiSpyware in the Safe Mode cause the same problem?

| BTW, here's the details of the log file:

| ----------
| SUPERAntiSpyware Scan Log
| Generated 12/29/2006 at 05:52 AM

| Application Version : 3.4.1000

| Core Rules Database Version : 3155
| Trace Rules Database Version: 1171

| Scan type : Complete Scan
| Total Scan Time : 01:32:41

| Memory items scanned : 337
| Memory threats detected : 1
| Registry items scanned : 6087
| Registry threats detected : 18
| File items scanned : 99967
| File threats detected : 8

| Unclassified.Unknown Origin
| C:\WINNT\SYSTEM32\CCFGNTA.DLL
| C:\WINNT\SYSTEM32\CCFGNTA.DLL
| HKLM\Software\Classes\CLSID\{c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee}
| HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}
| HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}
| HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\InprocServer32
| HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\InprocServer32#ThreadingModel
| HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\ProgID
| HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\Programmable
| HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\TypeLib
| HKCR\CLSID\{C815ACE8-3DBF-4FFD-8231-AB1D21E8B7EE}\VersionIndependentProgID
| HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}
| HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0
| HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\0
| HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\0\win32
| HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\FLAGS
| HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\HELPDIR
| %SYSTEMROOT%\SYSTEM32\CCFGNTA.DLL
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
| Objects\{c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee}
| C:\WINNT\SYSTEM32\CNETCFGB.DLL
| C:\WINNT\SYSTEM32\MSCORIERS.DLL

| Adware.ZToolbar
| C:\WINNT\Downloaded Program Files\azesearch.inf

| Browser Hijacker.Tubby
| HKU\S-1-5-21-117609710-1004336348-839522115-500\Software\MTC MTC

| Browser Hijacker.Internet Explorer Settings Hijack
| HKU\S-1-5-21-117609710-1004336348-839522115-500\Software\Microsoft\Internet
| Explorer\Main#Default_Page_URL [ c:\secure32.html ]

| Adware.TrustInCash
| C:\WINNT\ADULT.ICO

| Adware.Unknown Origin
| C:\WINNT\SHOPPING.ICO

| Adware.Tracking Cookie
| D:\Documents and Settings\RN 5A\Cookies\rn (e-mail address removed)[1].txt
| ----------

| Note that 'RN 5A' is the m/c. name. I have Win2K Pro installed in the
| C:\ drive & WinXP Pro installed in the D:\ drive.

| Without any intention to question your credibility, I am now all the
| more apprehensive to use the other softwares as well that you have
| suggested me to use.

| Desparately & eagerly waiting for your next advice......


As I stated, you had a badly infected computer. Why your Win2K PC reacted as It did, I
don't know. I have forwarded your reply to Nick Skrepetos, the author.

You have two options. Clean the PC or wipe the PC.
I strong suggest trying to clean the PC first.

None of the tools I sggested are meant to cause deliterious effects. On a badly infected
computer one never knows what will happen when you try to clean it. That is why it is
always important to to use anti malware tools to prevent infections and to limit the amount
of infection if you fail to practice Safe Hex.

Hold off on using SuperAntiSpyware and use the Multi AV Scanning Tool. Start with the
McAfee module.

 

[nskrepetos]

If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

Forgot to mention that I am not using any version of Sun Java, David.
There isn't any folder named 'Java' in C:\Program Files.

From: <[email protected]>

| I have Win2K Pro installed in the C:\ drive & WinXP Pro installed in
| the D:\ drive of my m/c. with 512MB RAM.

| Today I carried out an online virus scan using Panda ActiveScan. The
| report listed 30 threats like Adwares, Spywares, Virus, Hacktool etc.
| Threats were also found in the Windows Registry. Of these 30 threats,
| ActiveScan could disinfect only 7 threats.

| What I would like to know is will it be safe if I permanently delete
| the rest of the 23 threats manually? Doing so, can it affect Win2K &
| WinXP in anyway?

| This is the scan report ActiveScan generated (note that 'RN 5A' is the
| machine name):


That's a badly infected computer with viruses and non-viral malware. Some baddies are in
there !



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

I reviewed the scan log and all of the items removed appear to be
spyware/adware/malware components. My only thought is the if there is a
portion of the infection that was not removed and depends on one of the
removed components (i.e. WinLogon Notify and/or APPInit_DLL) it could
cause the system to not load properly.

If you restored to the "Last known good configuration" you likley
removed the remaining registry entry(s) that could have pointed to the
infection so after SUPERAntiSpyware removed the bulk of the infection,
the last know configuration used a previous registry that didn't have a
link to the remaining part of the infection.

You can always UnQuarantine items removed by SUPERAntiSpyware - but all
the items appear to be "bad". The problem you experienced could likley
happen with any software that would have removed those infections
(parts) - we see this type of post regarding all of the various
anti-spyware / anti-virus programs on certain heavily infected system,
which yours appeared to be.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

 

[rn5a]

You have two options. Clean the PC or wipe the PC.

I strong suggest trying to clean the PC first.

David, the latter option of wiping the PC just doesn't arise. I did
rather commit suicide instead - The first option is very much
feasible but with WHAT do I clean my PC? I tried

- AVG 7.5 (Free Edition)
- Spybot - Search and Destroy 1.2
- Ad-Aware 6.0
- ZoneAlarm 6.5
- SUPERAntiSpyware Pro
- Sophos

& none of them have helped me get rid of ALL the unwanted elements from
my PC. Please.....please.....I beg you give me a concrete solution.
Will McAfee & Kaspersky help me resolve this issue? I don't mind
installing new anti-spywares, anti-malwares etc. in my PC but I guess
installing those might lead to clashes between the new ones & the
anti-viruses, anti-spywares etc. which are already installed in my PC &
that might further compound my problems.

To be very honest, I don't have much faith in Trend Micro because I
tried the Trend Micro online virus scan (after one gentleman adviced me
to use it in one of my earlier posts) about 8 to 10 times but each &
every time the scan lasted for almost 10-12 hours after which I aborted
the scans out of sheer frustration. On all the occasions, the virus
scans just didn't seem to come to an end. The scans went on & on & on &
on....The Trend Micro scans also generated a few errors intermittently.

After these unsuccessful attempts with the Trend Micro online virus
scan, I moved over to Panda's ActiveScan online virus scan
(http://www.pandasoftware.com/products/ActiveScan.htm?sitepanda=particulares).
Unlike Trend Micro, after scanning my PC, the ActiveScan scans
generated reports listing the adwares, malwares etc. existing in my PC.
This is the last report that ActiveScan generated (about 6 hours back):

--------------------
Incident
Status Location

Adware:Adware/MoneyGainer
Not disinfected C:\WINNT\system32\ccfgnta.dll

Adware:adware/gator
Not disinfected c:\winnt\downloaded program
files\HDPlugin1101.dll

Hacktool:hacktool/rootkit.a!cme-96
Not disinfected c:\winnt\system32\remon.sys

Adware:adware/tubby
Not disinfected c:\winnt\system32\MTC.dll

Spyware:spyware/web3000
Not disinfected c:\winnt\w3knet.dll

Adware:adware/webattaker
Not disinfected c:\winnt\uniq

Adware:adware/moneygainer
Not disinfected Windows Registry

Potentially unwanted tool:application/mywebsearch
Not disinfected
hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}

Adware:adware/emediacodec
Not disinfected Windows Registry

Adware:adware/secure32
Not disinfected Windows Registry

Adware:Adware/MoneyGainer
Not disinfected C:\WINNT\system32\cnetcfgb.dll

Adware:Adware/MoneyGainer
Not disinfected C:\WINNT\system32\mscoriers.dll

Adware:Adware/AzeSearch
Not disinfected C:\WINNT\Downloaded Program
Files\azesearch.inf

--------------------

When I used the ActiveScan online virus scan for the first time, it
listed 30 malicious elements, some of which it disinfected. The number
of such malicious elements have now come down to 13 (as shown above).
But what I find strange is some of the files listed above by ActiveScan
doesn't exist only in my PC (I have checked the radio button 'Show
hidden files and folders' under 'Hidden files and folders' & have also
unchecked the checkbox 'Hide protected operating system files
(recommended)' in Windows Explorer by navigating to the Tools--->Folder
Options menu & then selecting the 'View' tab).

For e.g. the files 'ccfgnta.dll', 'cnetcfgb.dll' & 'mscoriers.dll' -
ActiveScan indicates that these 3 files exist in C:\WINNT\system32\ but
I don't find any of them in C:\WINNT\system32\. Similarly, the file
'HDPlugin1101.dll' doesn't exist in c:\winnt\downloaded program files\
but ActiveScan says that it resides in c:\winnt\downloaded program
files\. So I don't understand how ActiveScan is locating these files!

As far as the registry entires are concerned, will navigating to those
entries in the WIndows registry & deleting them manually be a sane
option?

If you restored to the "Last known good configuration" you likley
removed the remaining registry entry(s) that could have pointed to the
infection so after SUPERAntiSpyware removed the bulk of the infection,
the last know configuration used a previous registry that didn't have a
link to the remaining part of the infection.

So what would you suggest now, Nick? How do I ensure that after
running SUPERAntiSpyware, Win2K boots as it normally does?

You can always UnQuarantine items removed by SUPERAntiSpyware - but all
the items appear to be "bad".

But how do I unquarantine the items removed by SUPERAntiSpyware when I
am not being allowed to boot into Win2K after running SUPERAntiSpyware?
As already said, after removing items using SUPERAntiSpyware, the only
way I can log into Win2K is by using the "Last Known Good
Configuration" but I guess that will automatically restore the
malicious items existing in my PC, isn't it?

If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

Forgot to mention that I am not using any version of Sun Java, David.
There isn't any folder named 'Java' in C:\Program Files.

From: <[email protected]>

| I have Win2K Pro installed in the C:\ drive & WinXP Pro installed in
| the D:\ drive of my m/c. with 512MB RAM.

| Today I carried out an online virus scan using Panda ActiveScan. The
| report listed 30 threats like Adwares, Spywares, Virus, Hacktool etc.
| Threats were also found in the Windows Registry. Of these 30 threats,
| ActiveScan could disinfect only 7 threats.

| What I would like to know is will it be safe if I permanently delete
| the rest of the 23 threats manually? Doing so, can it affect Win2K &
| WinXP in anyway?

| This is the scan report ActiveScan generated (note that 'RN 5A' is the
| machine name):


That's a badly infected computer with viruses and non-viral malware. Some baddies are in
there !



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

I reviewed the scan log and all of the items removed appear to be
spyware/adware/malware components. My only thought is the if there is a
portion of the infection that was not removed and depends on one of the
removed components (i.e. WinLogon Notify and/or APPInit_DLL) it could
cause the system to not load properly.

If you restored to the "Last known good configuration" you likley
removed the remaining registry entry(s) that could have pointed to the
infection so after SUPERAntiSpyware removed the bulk of the infection,
the last know configuration used a previous registry that didn't have a
link to the remaining part of the infection.

You can always UnQuarantine items removed by SUPERAntiSpyware - but all
the items appear to be "bad". The problem you experienced could likley
happen with any software that would have removed those infections
(parts) - we see this type of post regarding all of the various
anti-spyware / anti-virus programs on certain heavily infected system,
which yours appeared to be.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

 

[David H. Lipman]

| David, the latter option of wiping the PC just doesn't arise. I did
| rather commit suicide instead - The first option is very much
| feasible but with WHAT do I clean my PC? I tried

| - AVG 7.5 (Free Edition)
| - Spybot - Search and Destroy 1.2
| - Ad-Aware 6.0
| - ZoneAlarm 6.5
| - SUPERAntiSpyware Pro
| - Sophos

| & none of them have helped me get rid of ALL the unwanted elements from
| my PC. Please.....please.....I beg you give me a concrete solution.
| Will McAfee & Kaspersky help me resolve this issue? I don't mind
| installing new anti-spywares, anti-malwares etc. in my PC but I guess
| installing those might lead to clashes between the new ones & the
| anti-viruses, anti-spywares etc. which are already installed in my PC &
| that might further compound my problems.

| To be very honest, I don't have much faith in Trend Micro because I
| tried the Trend Micro online virus scan (after one gentleman adviced me
| to use it in one of my earlier posts) about 8 to 10 times but each &
| every time the scan lasted for almost 10-12 hours after which I aborted
| the scans out of sheer frustration. On all the occasions, the virus
| scans just didn't seem to come to an end. The scans went on & on & on &
| on....The Trend Micro scans also generated a few errors intermittently.

| After these unsuccessful attempts with the Trend Micro online virus
| scan, I moved over to Panda's ActiveScan online virus scan
| (http://www.pandasoftware.com/products/ActiveScan.htm?sitepanda=particulares).
| Unlike Trend Micro, after scanning my PC, the ActiveScan scans
| generated reports listing the adwares, malwares etc. existing in my PC.
| This is the last report that ActiveScan generated (about 6 hours back):

< snip >

Ad-aware 6.0 won't help !

That product is no longer supported nor updated.

Remove it and install Ad-aware SE v1.06 and update it.

SpyBot S&D v1.2 won't help either !

That product is no longer supported nor updated.

Remove it and install SpyBot S&D v1.4 and update it.

Please go back to my instrauctions (sans SuperAntiSpyware) adn thoroughly read them and
follow them.
I strongly suggest the Multi AV Scanning Tool and starting with the McAfee module.

 

[David H. Lipman]

ADDENDUM:

After re-reading your reply, I must state again that your PC is badly infected.

Either you clean it or wipe it.

If you choose NOT to wipe it and clean it you MUST go through what I have suggested and
let ALL scans complete. Do NOT stop them. Be patient, run them overnite but you must run
them.

 

[rn5a]

Dave, let me first thank you & Nick for offering me such valuable
suggestions.

I could manage to bring down the no. of malicious objects from 13 to 6
after running ActiveScan again. I guess I can take care of 5 of them
but the 6th one is turning out to be problematic.

As already pointed out in my earlier post, the 6th file is named
'HDPlugin1101.dll' which ActiveScan describes as 'Adware:adware/gator'.
ActiveScan says that this DLL exists in c:\winnt\downloaded program
files\ but when I navigate to the said folder, I don't find
'HDPlugin1101.dll' in the 'downloaded program files' folder!

Anyways, I will do as you say....

 

[Gary Smith]

Downloaded Program Files is one of the stsrem folds which has a customized
view, so you can't see what files are actually in there by most normal
means. What you can do is this:

Open a command prompt window and type

dir /a "\winnt\Downloaded Program Files\*.dll"

If the file is actually there, it should appear in the resulting list.
You should also be able to delete it from the command prompt or move it to
another folder.

Dave, let me first thank you & Nick for offering me such valuable
suggestions.

I could manage to bring down the no. of malicious objects from 13 to 6
after running ActiveScan again. I guess I can take care of 5 of them
but the 6th one is turning out to be problematic.