IE6 infected

Eric

I use free versions of ZoneAlarm for firewall & AVG 6.0.779 for anti-virus
checking. ZoneAlarm is set to automatically check for updates. Updating AVG
is usually the first thing I do every time I go online. I also automatically
check for & immediately install updates to IE6, Win 98 & other Microsoft
products.

My PC seems to have some sort of infection. Web pages I view with IE6 appear
to have JavaScript inserted. This script is not actually in those web
pages & when I use a non-Microsoft browser I can see them as they should be.
This problem does not manifest itself when I create a web page myself and
examine it on my hard drive. However, once that page is placed in my webspace
the JavaScript problem manifests itself (see example below: first original
file, then file with inserted JavaScript).

I have tried doing a free PestScan offered by ZoneLabs, but it just opens a
blank IE window. It doesn't seem to do anything.

Someone suggested using "HijackThis" but the blurb for this says it's
"Intended for advanced users". I don't think I know enough to use it. Can
anyone suggest a course of action which doesn't involve spending money on
new software or reformatting my disc & re-installing the operating system?

----------------------------------------------------------------------------
---------------------------
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/css" href="standard.css" ?>

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Testing NTL webspace</title>
</head>
<body>
<div class="footer">
<p>
<a href="http://validator.w3.org/check?uri=referer"><img
src="vxhtml-basic10.png"
alt="Valid XHTML Basic 1.0!"
height="31"
width="88" /></a>
Testing!!!!!!!
</p>
</div>

</body>
</html>

----------------------------------------------------------------------------
---------------------------
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/css" href="standard.css" ?>

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Testing NTL webspace</title>


<script language='javascript'
src='http://127.0.0.1:1025/js.cgi?pcaw&r=21726'></script>

</head>
<body>
<div class="footer">
<p>
<a href="http://validator.w3.org/check?uri=referer">
</a>
Testing!!!!!!!
</p>
</div>

</body>
</html>

<script language='javascript'>postamble();</script>











IE6 Infected
 
Jan Il

Hi Eric :)

There are several types of warez that can also infect your system other than
a virus. Actually, the most common types are hijackers, malware and
parasites, all of which can cause a variety of problems. If you have more
than one of these types, you may have a series of problems. Most anti-virus
programs can not detect these types of warez as they don't have those types
of definitions.

The warning for the HiJackThis as being meant to be used by advanced users,
does not mean that you have to be an expert to *use* it, but, as it can deal
with removing files in the Registry, and if you really are not sure what
files are what, then it is best to have it analyzed by an expert at one of
the forums that will do this for you and can make recommendations for the
proper corrections needed, if any, and the proper procedures to do so
without compromising your system. Running the program to create the log for
the experts to analyze is not at all difficult, so there is no need to tarry
to use it.

I have provided the link of a few forums that have experts to analyze the
HJT logs for you and provide instructions to make any necessary corrections.
They will see you through the process and make sure your system is fully
clean. You should also download the other programs, such as AdAware SE,
SpyBot S&D and CWShredder, to make sure your system is free of any malware,
spyware, adware and parasites as well. Below is information to obtain the
proper programs and instructions for scanning your system for the various
warez.

Although you may have already run one or more of the programs, please do so
again according to the instructions below. Some variants of malware can
replicate themselves over and over if not removed properly. Please follow
all instructions carefully to be sure your system is thoroughly cleaned:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm
Be sure to run CWShredder, Ad-aware and Spybot.
Also be sure to use the HijackThis. Please do not post your log to this
newsgroup, but to the SpywareInfo or the Aumha HiJackThis forums
http://forum.aumha.org/viewforum.php?f=30, to allow the experts there to
evaluate your log and advise you of the necessary steps to clean your
system.

AdAware SE: Free
http://www.lavasoft.de/software/adaware/

New CWShredder version: Free
http://www.intermute.com/spysubtract/cwshredder_download.html

CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

Also, get a copy of WINSOCKXPFIX available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
Also, with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also
From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
also ....
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)

or ........

Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip

Also.........

Courtesy of Jim Byrd -

Download Sysclean.com, from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here:
http://www.trendmicro.com/download/pattern.asp
Be sure to read the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
You might also want to get Art's updater, SYS-UP.Zip, here for future
updating of these: http://home.epix.net/~artnpeg/.
(If you download and use the updater from the beginning, it will
automatically handle downloading the other files. Place them in a dedicated
folder after appropriate unzipping, and then run. This scan may take a long
time, as Sysclean is VERY extensive and thorough.)

and......

NOTE: If you can not download these programs from the Internet, if your PC
has CD read capabilities, go to another computer with CD-ROM burning
capabilities. Create a folder on the hard drive of the other computer called
HOLD, download the programs to that folder, then burn that folder to a CD.
Copy the HOLD folder to your HD and then install the programs from there
and run them. After you have IE access again, update all programs where
possible to get the latest definitions and run them again in Safe Mode to be
sure there are no lingering items on the system.

If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.

Hope this helps

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
David H. Lipman

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt210.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html

* * * Please report your results ! * * *

Dave





 
... et al.

Eric said:
I use free versions of ZoneAlarm for firewall & AVG 6.0.779 for anti-virus
checking. ZoneAlarm is set to automatically check for updates. Updating AVG



My PC seems to have some sort of infection. Web pages I view with IE6 appear
to have JavaScript inserted. This script is not actually in those web
pages & when I use a non-Microsoft browser I can see them as they should be,
This problem does not manifest itself when I create a web page myself and
examine it on my hard drive. However once that page is placed in my webspace
the Javascript problem manifests itself (see example below: first original
file, then file with inserted Javascript).

Added code in the said:
<script language='javascript'
src='http://127.0.0.1:1025/js.cgi?pcaw&r=21726'></script>

and after the said:
<script language='javascript'>postamble();</script>

Incidentally I just came across this when sorting out some
duplicates of various web pages I have saved to my hard disk drive.

It was in pages saved during a few days in January. At that time
I had reloaded Windows and was, from memory, possibly using the
combination of Internet Explorer, ZoneAlarm Pro-Trial with
Popup-blocker activated.

But I also had comment code added before the two insertions:
<!-- ZoneLabs Privacy Insertion -->
and
<!-- ZoneLabs Popup Blocking Insertion -->

see also <http://forums.devshed.com/archive/t-77135> for another
example of the same.

Now I use ZoneAlarm free (containing no inherent popup blocker) and
Mozilla Firefox (containing a popup blocker) and the insertions
are not there anymore.

The strange thing is you saying that you are using ZoneAlarm free,
and still have the code insertions ...
 
... et al.

Explanation.
You are using some popupblocking program that uses the same
technique as ZoneAlarm, but does not identify itself in the
inserted code.
Right?
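
The comparison made by hand in this thread, as an added example that is not part of the original posts: it parses the page as authored and the page as the browser received it, lists `<script>` elements present only in the received copy, flags any loaded from a loopback address, and records a marker comment directly in front of an insertion. The two documents are constructed, trimmed versions of the listings posted above; all function and class names are this example's own.

```python
"""Find <script> elements that exist only in the copy of a page the browser received."""
import ipaddress
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples: trimmed versions of the two listings posted in the thread.
ORIGINAL = """<?xml version="1.0" encoding="utf-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Testing NTL webspace</title>
</head>
<body>
<p><a href="http://validator.w3.org/check?uri=referer"><img
src="vxhtml-basic10.png" alt="Valid XHTML Basic 1.0!" height="31" width="88" /></a>
Testing!!!!!!!</p>
</body>
</html>
"""

RECEIVED = """<?xml version="1.0" encoding="utf-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Testing NTL webspace</title>
<script language='javascript'
src='http://127.0.0.1:1025/js.cgi?pcaw&r=21726'></script>
</head>
<body>
<p><a href="http://validator.w3.org/check?uri=referer">
</a>
Testing!!!!!!!</p>
</body>
</html>
<script language='javascript'>postamble();</script>
"""

# Constructed variant carrying the two marker comments reported later in the thread.
RECEIVED_LABELLED = (
    RECEIVED
    .replace("<script language='javascript'\nsrc",
             "<!-- ZoneLabs Privacy Insertion -->\n<script language='javascript'\nsrc")
    .replace("<script language='javascript'>post",
             "<!-- ZoneLabs Popup Blocking Insertion -->\n<script language='javascript'>post")
)


class ScriptCollector(HTMLParser):
    """Collects every <script> with its src, inline body and preceding comment."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # one dict per <script> element, in document order
        self.tags = Counter()    # start-tag counts, used to spot dropped elements
        self._comment = None     # last comment seen with only whitespace after it
        self._open = None        # the <script> currently being read, if any

    def handle_comment(self, data):
        self._comment = data.strip()

    def handle_starttag(self, tag, attrs):
        self.tags[tag] += 1
        if tag == "script":
            self._open = {"src": dict(attrs).get("src"), "inline": "",
                          "comment": self._comment}
        self._comment = None

    def handle_data(self, data):
        if self._open is not None:
            self._open["inline"] += data
        elif data.strip():
            self._comment = None  # text in between: comment is not adjacent

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self._open["inline"] = self._open["inline"].strip()
            self.scripts.append(self._open)
            self._open = None


def is_loopback(src):
    """True when a script URL points back at the machine running the browser."""
    host = urlsplit(src or "").hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # an ordinary DNS name
        return False


def parse(document):
    collector = ScriptCollector()
    collector.feed(document)
    collector.close()
    return collector


def compare(original, received):
    """Report scripts added to, and elements missing from, the received copy."""
    authored, seen = parse(original), parse(received)
    known = {(s["src"], s["inline"]) for s in authored.scripts}
    injected = [dict(s, loopback=is_loopback(s["src"]))
                for s in seen.scripts if (s["src"], s["inline"]) not in known]
    dropped = sorted((authored.tags - seen.tags).elements())
    return {"injected": injected, "dropped": dropped}


if __name__ == "__main__":
    for name, doc in (("received", RECEIVED), ("labelled", RECEIVED_LABELLED)):
        print(name, compare(ORIGINAL, doc))
```

A script source on 127.0.0.1 can only be served by software running on the same PC, which is why the absence of the insertions in another browser and the loopback URL together point at a local filtering component rather than at the web server.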
 
Eric

... et al. said:
Explanation.
You are using some popupblocking program that uses the same
technique as ZoneAlarm, but does not identify itself in the
inserted code.
Right?

No, but I did recently have a free trial of the ZoneAlarm Pro version. This is
supposed to have uninstalled itself but maybe that is the origin of my
problem.
 
David H. Lipman

That's right !

This is a self-extracting EXE file that was renamed to a COM file.
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

This is a ZIP file and it is now at revision 2.238.

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Dave



| | > 1) Download the following three items...
| >
| > Trend Sysclean Package
| > http://www.trendmicro.com/download/dcs.asp
| >
|
| Trend give a MD5 checksum for this download. They don't tell you how to use
| it, but I found some instructions at
| http://www.openoffice.org/dev_docs/using_md5sums.html. Unfortunately, these
| tell you how to verify the checksum for a zip file. What is downloaded is
| not a zip file, so how can I verify the checksum?
|
|
 
nemo outis

Trend give a MD5 checksum for this download. They don't tell you how to use
it, but I found some instructions at
http://www.openoffice.org/dev_docs/using_md5sums.html. Unfortunately, these
tell you how to verify the checksum for a zip file. What is downloaded is
not a zip file, so how can I verify the checksum?


There are a zillion hash-checking programs out there (md5, sha
family, ripemd, etc.) - many of them free. I prefer the ones
that will recurse through subdirectories as this lets you
validate whole chunks of your system against tampering, is the
very best way to compare/synch directories, etc.

Some names:

fsum
iside
md5sum
md5deep
filecheckmd5
winmd5

If you google you'll find these and many more.

Regards,
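
The two checks this post describes, as an added example (not code from the thread or from any of the tools named): comparing one downloaded file against a published digest, which works on the file's bytes whatever its type, and hashing a whole directory tree so a later run can show what was added, removed or changed. The file names used in `demo()` are constructed stand-ins, and the function names are this example's own.

```python
"""Check a published digest for any file type and detect changes in a directory tree."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_digest(path, algorithm="md5", chunk_size=65536):
    """Hash a file in chunks; the digest covers raw bytes, so .com, .zip or .txt all work."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(path, published, algorithm="md5"):
    """Compare against a digest copied from a download page (any case, stray spaces)."""
    wanted = "".join(published.split()).lower()
    return hmac.compare_digest(file_digest(path, algorithm), wanted)


def build_manifest(root, algorithm="sha256"):
    """Recurse through root and map each relative file path to its digest."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # hash real files only
            manifest[full.relative_to(root).as_posix()] = file_digest(full, algorithm)
    return manifest


def diff_manifests(baseline, current):
    """List paths that appeared, disappeared, or whose content changed."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo():
    """Run both checks on constructed stand-in files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scanner").mkdir()
        exe = root / "scanner" / "sysclean.com"
        exe.write_bytes(b"MZ constructed stand-in, not the real download")
        (root / "pattern.zip").write_bytes(b"PK constructed stand-in")
        (root / "readme.txt").write_bytes(b"constructed")

        # Stand-in for the value a vendor would print next to the download link.
        published = hashlib.md5(exe.read_bytes()).hexdigest().upper()
        good = matches_published(exe, published)

        baseline = build_manifest(root)
        exe.write_bytes(exe.read_bytes() + b"\x00")                    # modify one file
        (root / "readme.txt").unlink()                                 # remove one
        (root / "scanner" / "extra.dll").write_bytes(b"constructed")   # add one
        tampered = matches_published(exe, published)
        return good, tampered, diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

A baseline manifest is only useful for tamper detection if it is stored somewhere the monitored system cannot rewrite it, for example on read-only media.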
 
Eric

Does that mean I should use the given checksum to check the pattern file
rather than the .COM file?
 
David H. Lipman

I'm not going to say one or the other. Just download the .COM and ZIP files, and follow the
directions I provided.

Dave



 
nemo outis

Does that mean I should use the given checksum to check the pattern file
rather than the .COM file?

Checksums are easily forgeable (they're linear in the
coefficients). MD5, SHA-* or RIPEMD are better choices.

Regards,
 
Eric

I've run Sysclean & Adaware SE. Neither seems to have found the source of my
problem. Running Sysclean in Safe mode seems to cause problems.

Details below.


WinPatrol says I have a browser object called Related.htm. I can't find any
info on this in the list of known browser objects at
http://www.sysinfo.org/bholist.php. It has also twice reported that the
file associations for .CAB have changed, but doesn't specify what's changed
it.

Downloaded Adaware & Sysclean.com. Ran MD5 checksum verification on
Sysclean.com - checksums matched. Unzipped sysclean, downloaded latest
pattern file, unzipped it & copied lpt$vpn.246 to the same folder as
Sysclean.exe. Rebooted while holding down F8. During boot up sequence got
the message:

CMOS/GPNVChexcksum bad!

Continued & started up in Safe Mode. Ran Sysclean by double-clicking on
Sysclean.exe in Windows explorer. Twice (before & after starting Sysclean)
got a message saying "If you run a text-based program in safe mode, you risk
corruption of the video display or experiencing other anomalies...". Closed
all other applications before starting scan with automatic clean/delete of
infected files. Sysclean ran for about 25 minutes before a message came up
saying vscantn (might be wrong spelling, I forgot to write it down) had
performed an illegal operation & would be shut down. This happened while it
was scanning the root directory (C:*.*). Had to use button on the PC casing
to perform a hardware shut down. While rebooting held down F8 again & again
got the message:

CMOS/GPNVChexcksum bad!

Also, mouse was not detected.

Again continued & started in Safe mode. Mouse not working.

Scandisk log said "Log file generated at 06:10PM on Friday, January 04,
1980....There was one lost cluster."

Sysclean.log was empty.
TSCDebug.log said "Debug Information Level=0"

Ran Sysclean as before. After about 30 minutes got Windows message saying
Pstores had performed an illegal operation & would be shut down. When I
closed that, got the same message for vscantm. Sysclean finished & produced
a log, but when I exited I saw a Windows message saying Sysclean had
performed an illegal operation.

TSCDebug.log said "Debug Information Level=0"

SYSCLEAN.log was as follows:

/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


1980-01-04, 18:37:24, Auto-clean mode specified.
1980-01-04, 18:37:24, Running scanner "C:\MY
DOCUMENTS\SECURITY\TSC.BIN"...
1980-01-04, 18:42:09, Scanner "C:\MY DOCUMENTS\SECURITY\TSC.BIN" has
finished running.
1980-01-04, 18:42:09, TSC Log:

Damage Cleanup Engine (DCE) 3.6(Build 1120)
Windows 98

Start time : Fri Jan 04 1980 18:41:37

Load Damage Cleanup Template (DCT) "C:\MY DOCUMENTS\SECURITY\tsc.ptn"
(version 449) [success]

Complete time : Fri Jan 04 1980 18:42:09
Execute pattern count(1391), Virus found count(0), Virus clean count(0),
Clean failed count(0)

1980-01-04, 18:46:08, An error occurred while scanning file
"C:\WINDOWS\WIN386.SWP": Access is denied.
1980-01-04, 19:12:29, Running scanner "C:\MY
DOCUMENTS\SECURITY\VSCANTM.BIN"...
1980-01-04, 19:13:07, Files Detected:
1980-01-04, 19:13:07, Files Clean:
1980-01-04, 19:13:07, Clean Fail:
1980-01-04, 19:13:07, Scanner "C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN" has
finished running.
--------------------------- end of SYSCLEAN.log ------------------------

Booted up in normal mode. No checksum problem reported during boot-up
sequence. Stopped anti-virus, firewall & other windows applications. Ran
Sysclean. No illegal operation errors reported. Log file seems to have
appended new report to old one. My system time needs to be reset, but
Sysclean only detected one virus, in an email attachment I already
suspected. However, it was unable to scan my swop file & reported an error.
New report as follows:
/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


1980-01-04, 13:49:02, Auto-clean mode specified.
1980-01-04, 13:49:02, Running scanner "C:\MY
DOCUMENTS\SECURITY\TSC.BIN"...
1980-01-04, 13:49:54, Scanner "C:\MY DOCUMENTS\SECURITY\TSC.BIN" has
finished running.
1980-01-04, 13:49:54, TSC Log:

Damage Cleanup Engine (DCE) 3.6(Build 1120)
Windows 98

Start time : Fri Jan 04 1980 13:49:02

Load Damage Cleanup Template (DCT) "C:\MY DOCUMENTS\SECURITY\tsc.ptn"
(version 449) [success]

Complete time : Fri Jan 04 1980 13:49:54
Execute pattern count(1391), Virus found count(0), Virus clean count(0),
Clean failed count(0)

1980-01-04, 13:49:56, An error occurred while scanning file
"C:\WIN386.SWP": Access is denied.
1980-01-04, 14:12:13, Running scanner "C:\MY
DOCUMENTS\SECURITY\VSCANTM.BIN"...
1980-01-04, 14:44:59, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/4/1980 14:12:15
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 246 (75549 Patterns) (2004/11/11) (224600)
Command Line: C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN /NBPM /S /CLEANALL
/LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\MY
DOCUMENTS\SECURITY

23338 files have been read.
23338 files have been checked.
15902 files have been scanned.
54484 files have been scanned. (including files in archived)
1 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/4/1980 14:44:58
---------*---------*---------*---------*---------*---------*---------*------
---*
1980-01-04, 14:44:59, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/4/1980 14:12:15
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 246 (75549 Patterns) (2004/11/11) (224600)
Command Line: C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN /NBPM /S /CLEANALL
/LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\MY
DOCUMENTS\SECURITY

Success Clean [ WORM_NETSKY.P]( 1) from C:\My Documents\Hacker
details\possible email with virus 1.txt,(message.scr)
23338 files have been read.
23338 files have been checked.
15902 files have been scanned.
54484 files have been scanned. (including files in archived)
1 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/4/1980 14:44:58 32 minutes 39 seconds (1959.14 seconds) has
elapsed.

---------*---------*---------*---------*---------*---------*---------*------
---*
1980-01-04, 14:44:59, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/4/1980 14:12:15
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 246 (75549 Patterns) (2004/11/11) (224600)
Command Line: C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN /NBPM /S /CLEANALL
/LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\MY
DOCUMENTS\SECURITY

23338 files have been read.
23338 files have been checked.
15902 files have been scanned.
54484 files have been scanned. (including files in archived)
1 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/4/1980 14:44:58 32 minutes 39 seconds (1959.14 seconds) has
elapsed.

---------*---------*---------*---------*---------*---------*---------*------
---*
1980-01-04, 14:44:59, Scanner "C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN" has
finished running.

--------------------------- end of SYSCLEAN.log ------------------------

Ran a complete scan of system using up to date AVG. No viruses found.

Ran Adaware SE. It found 9 critical objects, all tagged "Alexa", which it
says are low threat.
 
Guest

PLEASE HELP. My internet browser seems to be totally corrupted. When I try
to visit yahoo.com, for example - I see that it starts to automatically open
all kinds of other internet sites that I have NEVER visited. I cannot open
other URLs now, and it just continues to do this - even as I open valid
URLs that I have typed in. What do I do? I cannot open the msn website
download site to upgrade to another internet explorer version.
 
Gary S. Terhune

You have a serious malware infestation--Malware is a general term that
encompasses viruses, spyware, adware and the like.

The below includes everything I think is necessary for computer security, no
more, and certainly no less. Yes, there are valid differences of opinion
regarding which antivirus software to use, but the rest of my suggestions have
fairly unanimous support among the cognoscenti. The initial suggestions go hand
in hand with maintaining a clean and secure system. Not all links to
Spyware/Adware programs may be functioning (it's a war out there), so if you
have any problems, try using the links available at
http://www.aumha.org/a/quickfix.htm

See my article, "Clean Boot--What it is and why you need it"
http://www.google.com/groups?selm=#[email protected]

Because some of the more recent known invaders are capable of interfering with
the suggestions contained in the above, I suggest you also consider first doing
the following, though it may be necessary to set up a clean boot, and even then
manually kill a malicious process or two before you can even get these
accomplished. Many invaders are built to first detect and disable protections
that are in place, so that you might, for instance, have to obtain and employ a
DOS-boot antivirus like F-Prot. Repeated running of scanners, booting back and
forth from Safe Mode to Normal, or into DOS Mode--a lot of gymnastics are often
required to get to an error-free and nasties-free condition. Once there,
however, some user sanity and education, plus regular "wetware" updating, will
*keep* your system healthy.

Update your Antivirus, run a full scan. Then, if you haven't already, obtain,
update, and run any or all of the following Trojan/Parasite/Adware/Spyware
cleaners. I recommend getting and running *all* of them. They each target
slightly different things. Again, be sure you update the definitions they are
using to identify crap before running them, each time you run them--which,
depending on your surfing habits, should be anything from once a month, to once
a week, to once a day, to once an hour if you're really into junkware sites (aka
"Free goodies", game sites, fun-places-to-be, etc.)

Tradition had it that Firewalls were generally not needed when using simple
dial-up modem connections. Alas, this is no longer the case. *Everyone* needs a
firewall! Also, I make no bones about it--Norton, McAfee and Trend-Micro
products (and probably a few others) are ABOMINATIONS!, particularly when it
comes to Win9x systems. They are massive suites that intrude into basic
functions where they simply do not need to go. For freeware solutions, I suggest
AVG or AVAST (based upon the recommendations of others, though each has its
minor drawbacks) and ZoneAlarm Firewall. But for really good, inexpensive, and
trustworthy protection, you simply can't beat eTrust Armor. Antivirus and
Firewall combined, very non-intrusive upon the system itself (I've *never* seen
a crash caused by EZ Antivirus, and there's hardly any impact whatsoever on
Resources, etc.) eTrust is from Computer Associates Inc.--the antivirus is a
version of their corporate product usually known as Inoculan, and they got smart
recently and switched to using a version of ZoneAlarm for their firewall.

You can get a one-year free trial of eTrust EZ Armor at
http://www.my-etrust.com/microsoft/. The trial offer is also
included in at least some versions (not sure about all languages) of Microsoft's
Windows Security Update CD, an item *everyone* should own.
(However, do *not* just run the Update CD on your system without a proper
analysis of where your system stands with regard to Updates. Might do more harm
than good.) EZ Armor would normally cost $50 for the first year (a deal in
itself), and yearly renewal subscriptions only cost $25--an absolute steal when
compared with other offerings. I'm told that the Security Update CD can still be
ordered by phone, even though it's no longer possible to order it online.

In addition to Antivirus and Firewall protection, I consider the following items
to be indispensable protection and clean-up utilities. My judgment is based upon
their being free, good, accurate, and safe, if handled correctly. See, also,
suggestions from MVP Mike Burgess on his site, http://www.mvps.org/winhelp2002/,
particularly the general Windows/IE
Security page, http://www.mvps.org/winhelp2002/security.htm. More current
discussions of Security issues can be found at the Windows Support Center
(provided by MVP Jim Eshelman, a true Saint!) at http://www.aumha.org (as can
mirror download links for the following.)

(SpyBot S&D = "SpyBot Search & Destroy")

Ad-Aware http://www.lavasoftusa.com/software/adaware/
SpyBot S&D http://www.safer-networking.org/index.php?page=download
HijackThis http://www.spywareinfo.com/~merijn/files/HijackThis.exe
CWShredder http://www.spywareinfo.com/~merijn/files/cwshredder.zip
Spyware Blaster http://www.javacoolsoftware.com/spywareblaster.html

PLEASE! Before doing any of these, see also,
http://www.mvps.org/inetexplorer/Darnit.htm for suggestions and cautionary
information about internet surfing, and some important hints about using the
above. ESPECIALLY, be aware that HijackThis scans result in a LOT of stuff that
you *don't* want to delete. The admonishment to save a log and show it to an
expert is critically good advice. Not following that advice can really do some
damage to your system. SpyBot S&D, too, is capable of similar problems,
especially if you change default scan settings, or "Immunize".

An additional tool that is very helpful in protecting your machine is a HOSTS
file. Microsoft MVP Mike Burgess maintains a frequently updated list of bad
sites. They may be sites that provide most of the junky advertisements you see
in other places, or sites that install spyware/adware, or that, for whatever
reason, you shouldn't allow into your system. Using the HOSTS file, you can
redirect such addresses to a site that's guaranteed to fail to load on most
machines--your own computer.
HOSTS Overview -- http://www.mvps.org/winhelp2002/hosts.htm

I also consider MVP George Gedye's HOSTS File Manager an indispensable tool.
I've been amazed at how well this one tool stopped most of the crap from getting
in in the first place. You can find it at the bottom of this page:
http://www.mvps.org/PracticallyNerded/Software.htm
 
