Browser Plug-in threat.

Guest

Please can someone help? I have pasted a report of my scan from earlier today. As
you can see, it reports a Browser Plug-in threat. How can I get rid of this?
When I view the spyware history details, it doesn't give me an option of deleting
it. Thanks for any help.

Spyware Scan Details
Start Date: 21/10/2005 09:45:01
End Date: 21/10/2005 09:59:34
Total Time: 14 mins 33 secs

Detected Threats

WindUpdates Browser Plug-in more information...
Details: WindUpdates downloads additional adware and displays pop-up
advertising.
Status: Ignored
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected files detected
c:\windows\system32\ide21201.vxd


Detected Spyware Cookies
No spyware cookies were found during this scan
 
Guest

Engel said:
If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHOs that you don't recognize. You can also use the System Explorers in
Microsoft Antispyware to look at BHOs and block them--it also shows known
and unknown for BHOs.
http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx

Good luck Trish

Engel

Thank you so much for your help. This one is a bit new to me. I only have
one BHO listed in my add-ons and that is 'Yahoo Companion BHO'. Should I
un-check that? I also have the following:
(53707962-6F74-2D53)
AcroIEHlprObj class
Real.com
Sun Java Console
Wanadoo
Windows Messenger
XML Document
Yahoo Companion
As well as Yahoo Companion BHO.

Which ones would you suggest I un-check? Thanks again for your help.
 
Guest

Sorry, just noticed another one:
Shockwave Flash Object.

What harm would it do if I un-checked something I shouldn't? Also, should I
do anything to MSAS to remove it from there? Sorry, but I am a bit new to all
this. Thanks again.
 
Guest

Hi Trish & Engel :)

It's showing in the scan results that it was ignored, so you would be best
rescanning with MS Antispy. When the scan is finished and it goes to
the results page, next to this entry you will see some options
(Ignore, Remove, Quarantine); set this to Remove and then let MS Antispy remove
the threat.

Also check your Add/Remove screen (Start Menu > Control Panel > Add/Remove
Programs) and remove 'Wind Updates' if it's in the list.

This is probably what's being detected:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.BF&VSect=T

It may be worth also running Ewido on your system to be sure you don't have
any other problems.

Download, install, and update the free version of ewido security suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button. After the update finishes (the status bar
at the bottom will display "Update successful")

From the main menu click on 'scanner', then click 'Complete System Scan'.
When ewido finds something, it will pop up a notification. Select "Remove"
and check the boxes "Perform action with all infections" and "Create
encrypted backup", then click on OK. When the scan finishes, click on "Save
Report" and save it to your desktop or c:/ drive in case you need it again.

Regards

Andy
 
Guest

Thank you for your help. 'Windows Update' is not in my Add/Remove list. I
only do priority updates. Which add-ons do you suggest I un-check from my
list? Please help. Thank you.
 
Guest

Hi Again

Wind Updates is not "Windows Updates" and has no connection to Microsoft.
Wind Updates is adware and gets installed by ActiveX pop-ups on some sites.
It can also come bundled with some software (games, file sharing bundles,
screensavers), but it will then add itself to the Add/Remove screen as
WindUpdates. They also make other adware (Mediapass, MediaAccess,
Adware.WinAd), but it's not likely you have these as they would have been
detected in the scan.

From the list you posted, XML Document could be anything as it doesn't give any
indication what put it there, but if you return to the Manage Add-ons page and
look in the other areas for Publisher and File it may give you more
information.

The line 53707962-6F74-2D53 is not complete but it refers to Spybot Search &
Destroy's SDHelper.dll. (Where it shows the name in Manage Add-ons you can left
click on the Name area and move it to view the rest of the numbers; then it
will display
{53707962-6F74-2D53-2644-206D7942484F}.) All the rest are genuine and not
causing any problems, so I would say leave them in place and just let MS
Antispy remove the file it detected in the initial scan, especially if it's not
added itself to the Add/Remove screen.

One other area you could check is Downloaded Program Files. Open an IE
browser window and go to 'Tools' on the top bar, then to 'Internet Options'. In
the Temporary Internet Files section press 'Settings' and then press 'View
Objects'. Check here for any entries by WindUpdates. If you're unsure of an
entry, just right click and choose View Properties and it will then show you
who put it there. If you find one like this, remove it:

{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
h**p://public.windupdates.com/get_file.php...(Random Letters & Numbers)

To remove an entry, right click and press Remove. (If it's there then it would
allow Windupdates to download more junk to your computer if you visit certain
sites.) But if you don't find it there then it's good news and you can just let
MS Antispy scan again, then at the end of the scan let MS Antispy remove what
it finds, as that's all that may be on your system.

Regards

Andy
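
The checks described in the post above (which file and publisher sit behind each add-on's CLSID, and where a Downloaded Program Files entry came from) can also be read from the registry. This PowerShell sketch is an added example, not part of the original thread; it assumes the standard Internet Explorer registry locations and a Windows PowerShell version that supports `-LiteralPath` on `Get-AuthenticodeSignature`.

```powershell
# Added example: list IE Browser Helper Objects and Downloaded Program Files
# (ActiveX distribution units) with the file and signer behind each entry.
# 32-bit add-ons on 64-bit Windows live under SOFTWARE\WOW6432Node instead.
$bhoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$unitKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'

function Resolve-ClsidFile {
    param([string]$Clsid)
    # The default value of InprocServer32 is the DLL that COM loads for a CLSID.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $dll = (Get-Item -LiteralPath $key).GetValue('')
    if ($dll) { [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
}

function Get-AddOnReport {
    param([string]$ParentKey, [string]$Kind)
    if (-not (Test-Path -LiteralPath $ParentKey)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $ParentKey) {
        $clsid = $sub.PSChildName
        $file  = Resolve-ClsidFile $clsid
        # Publisher check: who signed the DLL, if anyone.
        $sig = if ($file -and (Test-Path -LiteralPath $file)) {
                   Get-AuthenticodeSignature -LiteralPath $file
               }
        # CODEBASE records the URL an ActiveX control was downloaded from.
        $info = "$($sub.PSPath)\DownloadInformation"
        $codebase = if (Test-Path -LiteralPath $info) {
                        (Get-Item -LiteralPath $info).GetValue('CODEBASE')
                    }
        [pscustomobject]@{
            Kind     = $Kind
            Clsid    = $clsid
            File     = $file
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                       else { '(unsigned or file missing)' }
            Codebase = $codebase
        }
    }
}

@(Get-AddOnReport $bhoKey 'BHO') + @(Get-AddOnReport $unitKey 'ActiveX') | Format-List
```

An entry whose Codebase points at windupdates.com, or whose file is unsigned and unrecognized, is the kind of item the post says to look at more closely.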
 
Guest

Found nothing at all for Windupdates. Thanks for all your help.
 
