Identify this Malware

pgx

Win XP Home, IE favorites keeps getting several porn sites added.
I've deleted the offending favorites and cleared "everything" in IE,
but after a re-boot they all return. Scans by Spybot and AdAware and
AVG find nothing.

Help!

Phil
 
From: <[email protected]>

| Win XP Home, IE favorites keeps getting several porn sites added.
| I've deleted the offending favorites and cleared "everything" in IE,
| but after a re-boot they all return. Scans by Spybot and AdAware and
| AVG find nothing.
|
| Help!
|
| Phil

Insufficient information to identify any particular piece of malware.

You also failed to state the versions of the software.

Currently, the software you listed are...

AVG v7.xxx
SpyBot S&D v1.4
Ad-Aware SE v1.06

So if you used Adaware6, SpyBot S&D v1.2 or AVG v6 then they need to be replaced with their
newer counterparts and updated.

Beside what I have already stated, I suggest the following...

Spywareblaster: http://www.wilderssecurity.net/spywareblaster.html
BHOdemon: http://www.definitivesolutions.com/bhodemon.htm

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *
 
Win XP Home, IE favorites keeps getting several porn sites added.
I've deleted the offending favorites and cleared "everything" in IE,
but after a re-boot they all return. Scans by Spybot and AdAware and
AVG find nothing.

Help!

Phil

I use those spyware removers but I haven't had any problems since
switching from IE to Mozilla and Firefox. You can import your IE
bookmarks to Mozilla. HTH.
 
Win XP Home, IE favorites keeps getting several porn sites added.
I've deleted the offending favorites and cleared "everything" in IE,
but after a re-boot they all return. Scans by Spybot and AdAware and
AVG find nothing.

Help!

Phil

If you download a copy of hijackthis and post the logs here we'll try
and identify the interloper.
 
|
|You also failed to state the versions of the software.
|
|Currently, the software you listed are...
|
|AVG v7.xxx
|SpyBot S&D v1.4
|Ad-Aware SE v1.06

Yes - all up to date

|Beside what I have already stated, I suggest the following...

I will not have direct access to the machine 'til the end of the
month. Your suggestions seem a bit much for the owner to try.

|Dump the contents of the IE Temporary Internet Folder cache (TIF)
|Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Done

|Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
|Tools --> Options --> Privacy --> Cache --> Clear

FireFox is OK. It is now the default browser, but occasionally a site
"requires" IE

|* * * Please report back your results * * *

I will save this message and report back when I can try your
suggestions.

Thanks much

Phil
 
|If you download a copy of hijackthis and post the logs here we'll try
|and identify the interloper.

Thanks. Will try when I have access to the machine.

Phil
 
|Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
|Tools --> Options --> Privacy --> Cache --> Clear

FireFox is OK. It is now the default browser, but occasionally a site
"requires" IE

Add the extension in Firefox which enables IE when needed. "IE View" is the
name of it and you will see it under Tools when you need it.

There are some other very useful extensions that I added, such as Print It,
Print Preview, Foxy Tunes and so on. Well....Foxy Tunes isn't really
needed, grin.

Cheers......Heather
 
FireFox is OK. It is now the default browser, but occasionally a site
"requires" IE

if it's only "occasionally" and not "regularly", then perhaps you don't
need that site...
 
|if it's only "occasionally" and not "regularly", then perhaps you don't
|need that site...

My feeling (almost) exactly, but this is not for my computer.

However, many times Southwest Airlines has a far better fare than
other airlines, and their site will not accept reservations from
Mozilla (haven't tried the latest FireFox).

Also, I work helping seniors sign up for Medicare Drug Discount Cards.
One of the company's site does not recognize 128-bit encryption from
the latest FireFox - only IE.

Sometimes IE is a necessary evil!

Phil
 
|if it's only "occasionally" and not "regularly", then perhaps you don't
|need that site...

My feeling (almost) exactly, but this is not for my computer.

However, many times Southwest Airlines has a far better fare than
other airlines, and their site will not accept reservations from
Mozilla (haven't tried the latest FireFox).

since firefox is the one that's been getting all the attention in the
media (and will be from now on - mozilla suite is in maintenance mode -
no new development there other than security fixes), try with firefox
and if it fails complain to them...

Also, I work helping seniors sign up for Medicare Drug Discount Cards.
One of the company's site does not recognize 128-bit encryption from
the latest FireFox - only IE.

Sometimes IE is a necessary evil!

sometimes, yes... it's acceptable to sometimes use it for windows update
too (i don't expect microsoft will ever support firefox for that)...

of course there is an extension that allows you to render a page using
IE's engine...
 