site infestation - kingdomsofdown.com

Larry

My site seems to have been infested by something called
'kingdomsofdown.com' which has appeared on several illogical pages on
my site. [Found it after a site url validation]. The code is on my local
system as well which is scary. This in spite of Norton? Has anyone run
into this, or similar situation?
Larry

--
For your security and peace of mind ALL emails are automatically scanned
with the latest Norton AV Virus Definitions. Not that I have any virus'
but why not be careful! I get virus signature updates regularly!

A Belt and Suspenders are the best security invented!
 
Murray

And it's not affecting your site, it's affecting your local browser. Norton
doesn't stop these guys.

Get a good malware tool, like CWShredder or AdAware (lavasoft.com).

--
Murray

Wes said:
Sounds like adware.

 
Steve Easton

You have been infected with a BHO.
Browser Helper Object.

Look for a file named iehelp.dll

--
Steve Easton
Microsoft MVP FrontPage
95isalive
This site is best viewed............
........................with a computer
 
Murray

And, when you find it, eat it.... 8)

--
Murray

 
Larry

Hi Steve,
I checked and do not have iehelp.dll on my system. I do use AdAware on a
regular basis.
The kingdomsofdown stuff is in these folders:
_vti_txt\default.wti\All.dct
_vti_txt\default.wti\All.inv
_vti_pvt\linkinfo.cnf
one file in the _vti_cnf area of a folder
and in two other pages on the site.
Only on one website and only in FrontPage [I think. For some reason
TextReplacer refuses to scan whole C:\ drive].

Any idea what the default.wti folder is for? Can I safely delete it?
Will FP regenerate it?
There are a number of other 'All' files in this folder with different
extensions: cat, dct, doc, fmt, fm, hl, idx, inv and src. All but fmt &
src were added on the same day.

Larry


 
Steve Easton

Go here: http://www.spybot.info/en/index.html and download and run Spybot S&D. (search and destroy) It's free.
Let it scan your whole computer.



 
Rob Giordano (aka: Crash Gordo

Interesting that it put itself in the FP folders.
Probably how they ended up getting published?


 
Larry

I d/l and ran spybot 1.3. It found a few extraneous cookies but did not
detect/remove kingdomsofdown. It does not offer the option of what to
check so I 'presume' it checks all system files as well as cookies. Ran
AdAware just in case but it found nothing so I guess it's manual repair
time.
Back to my question about the _vti_txt\default.wti\ folder in FP. Can I
safely delete this folder and will FP regenerate it? Files infected in
this folder are All.dct, All.inv. The other infected pages can be
manually regenerated.

Larry

 
Thomas A. Rowe

Publish the current web to another location on your HD, as a backup, then delete the default.wti
folder(s), then open the web in FP and run Tools | Recalculate Hyperlinks.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, WebCircle, MS KB Quick Links, etc.
==============================================
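
An added example, not part of the original thread or any poster's code: a Python sketch that walks a local copy of a web, searches every file as raw bytes for the reported string, and separates hits inside FrontPage's `_vti_*` folders from hits in content pages. The function names and the sample tree are constructed for illustration; treating `_vti_*` hits as regenerable is an assumption based on the advice given in this thread.

```python
import os
import tempfile

MARKER = "kingdomsofdown.com"  # the string reported in this thread


def find_marker(web_root, marker=MARKER):
    """Return (metadata_hits, content_hits) as sorted relative paths."""
    text = marker.lower()
    # Search raw bytes so files of any type are covered; try ASCII and UTF-16LE.
    needles = (text.encode("ascii"), text.encode("utf-16-le"))
    metadata_hits, content_hits = [], []
    for dirpath, _dirs, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        # FrontPage keeps its own bookkeeping in _vti_* folders.
        in_vti = any(part.lower().startswith("_vti_")
                     for part in rel_dir.split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read().lower()  # lowercases ASCII letters only
            except OSError:
                continue  # unreadable or locked file: skip it
            if any(n in data for n in needles):
                rel = os.path.relpath(path, web_root).replace(os.sep, "/")
                (metadata_hits if in_vti else content_hits).append(rel)
    return sorted(metadata_hits), sorted(content_hits)


def build_sample_web(root):
    """Constructed sample tree (not Larry's real files) for a dry run."""
    files = {
        "_vti_txt/default.wti/All.dct": b"\x00idx\x00kingdomsofdown.com\x00",
        "_vti_pvt/linkinfo.cnf": b"links.htm|http://KingdomsOfDown.com/\n",
        "index.htm": b"<html><body>clean page</body></html>",
        "links.htm": "<a href='http://kingdomsofdown.com'>x</a>".encode("utf-16-le"),
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_web(tmp)
        meta, pages = find_marker(tmp)
        print("Hits in FrontPage _vti_* metadata:", meta)
        print("Hits in content pages (fix by hand):", pages)
```

Run it against the backup copy first, then again after the delete-and-recalculate step to confirm that both lists come back empty.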
 
Larry

Hi Mr. Rowe,
Did that and also removed the linkinfo.cnf file. Is fixed now....thanks.
This is one of the benefits of FrontPage. It recalculates all its links
in all its reference files. Been using it for about 7 years now and
still happy, most of the time -:)

Larry
 
