irremovable items and ms beta 2 config

I have been using this for the last couple of weeks, impressive. Does anyone
know whether in the full version (whenever THAT may be released??) it will be
possible to exclude scans of DVD/floppy drives in a 'full scan'. This scan
plays havoc with my 3 & 1/2 floppy drive.
Also it has consistently been unable to remove (with the same error message)
'grokster' & '180solutions.searchassistant'...apart from a scan in safe mode, is
there any way to remove these?

thanks
 
Is this on a Windows 2000 machine? I've seen this scanning issue with a
Windows 2000 machine (and seen reports here)--but not on other platforms--I
believe this is a bug, but I haven't any confirmation of that.

Can you say what error message you get on the removal issue? A common
problem in this version of the beta is threats that are either in places they
can't be removed from--System Restore points, or, antivirus quarantines--or
are a part of an archive file--zip, arj, whatever. Microsoft doesn't want to
risk the loss of user data by just deleting the zip file.

You can find the precise path and object involved by looking at the system
event log for the time of the scan--start, run, eventvwr.msc <enter>

Highlight the System event log

Then go to View, Filter, and choose Windefend in the drop-down box.

Look for yellow-triangle events and you can even cut and paste to the
clipboard with a button.

You can see what's happening, maybe remove it manually yourself, or post the
details here and we can help.
 
Hi Bill,

Thanks for the response

I am using Win XP, FYI also using Ad-Aware SE, Spybot S&D, Spyware Doctor,
Yahoo anti-spyware, and Stinger...these either pick them up and attempt to
remove (unsuccessfully) or don't pick them up.
I have copied the event log to MS Word as I don't really understand
them...and don't see how I can attach it for your review here?
Would appreciate your further input...and also maybe some advice re the
config issue (and release for full version).

Since my last post I have also scanned in safe mode (using quick scan,
spybot S&D, and spyware doctor)...the latter found a number of bugs and I am
now rescanning (full) with windows defender (full). As it takes some 5-6
hours to complete it may be a while before I can advise success or otherwise
of the scan in safe mode.

Look forward to your further advice.
 
I did not realize there were two threads dealing with this same issue. We
should probably restrict our entries to this one since Bill is involved. He
knows much more than I do. I agree that we need the path information given
by all the scanners that have detected these items.
 
Just use cut and paste to copy the information from the document to the
message in the forum--If there's a lot, and some of it is repetitive or
similar, just do the ones that stand out.

Old Rebel--stick around--I wouldn't say that I know more than
anybody--either about Windows Defender or about spyware removal--I need all
the help I can get.
 
That's fine, thanks (again) Old Rebel.

 
While we are waiting for his long scan to run, I will comment. It strikes me
that there is no entry for either item in add/remove programs. Also, I
believe Yahoo anti-spy is a Pest Patrol product. I thought Pest Patrol could
handle these. So maybe it is a false positive or there may be a trojan
downloader involved here.
 
Hi Bill (if I may call you that). I wasn't aware there were two threads either
(though the two responses not referencing each other should have given it
away)....

I now detail below what I BELIEVE to be the messages.
My full scan is continuing. Any knowledge of the config issue or rollout date?

Hope this is what you were looking for....

"Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 4/03/2006
Time: 5:52:52 PM
User: N/A
Computer: XXW7N97XSEC52QV
Description:
Windows Defender scan has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {E88E44D7-9116-4300-A832-69C0001BC7EA}
Scan Type: AntiSpyware
Scan Parameters: Full Scan
User: XXW7N97XSEC52QV\test download
Threat Name: 180Solutions.SearchAssistant
Threat Id: 14814
Threat Severity: 4
Threat Category: 1
Path Found: file:C:\WINDOWS\system32\bikini8aa.exe->(wise0019)
Detection Type: Signatures


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 4/03/2006
Time: 5:52:52 PM
User: N/A
Computer: XXW7N97XSEC52QV
Description:
Windows Defender scan has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {E88E44D7-9116-4300-A832-69C0001BC7EA}
Scan Type: AntiSpyware
Scan Parameters: Full Scan
User: XXW7N97XSEC52QV\test download
Threat Name: Grokster
Threat Id: 5841
Threat Severity: 2
Threat Category: 21
Path Found:
regkey:HKLM\Software\Magnet;regkey:HKLM\Software\Classes\magnet;file:C:\Program
Files\InstallShield Installation
Information\{01083175-01CC-42AA-9090-81DD0F88F28F}\data1.cab->(ishld#0019);file:C:\Program
Files\InstallShield Installation
Information\{063E40F4-BA97-42CD-AD8A-21E495916231}\data1.cab->(ishld#0019);file:C:\Program
Files\InstallShield Installation
Information\{4C560D9B-BEA0-4098-ADE2-28576DF8CA8B}\data1.cab->(ishld#0012);file:C:\Program
Files\InstallShield Installation
Information\{F5A4F332-58EF-452B-9D04-B625E77A8A85}\data1.cab->(ishld#0012)
Detection Type: Signatures


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Have you checked through add or remove programs? Let's be sure these things
aren't listed there and more easily removable by that route.

In terms of the simple technical issue--both detections are, I believe,
archive files--that's what the notation you can see easily in the first one--

bikini8aa.exe->(wise0019)

indicates. The executable is an executable archive of some sort, and one of
the contents is wise0019, which is probably an installer. In this case, I
doubt there's anything innocent in that archive--best just to get rid of it.

The second one is similar in a way--these are installshield related entries
for .cab files--another form of archive.

One way to look at these detections is that they are a little too
specific--they're down to the individual file within an installation
executable archive or a cab file all of which is probably grokster, or 180
solutions. However, it could easily be something different--for example,
suppose you have a backup of a PC to a zip file--something I've done on
occasion, and the pc is gone--scrapped, stolen, whatever--you don't want that
whole zip file blown away because Windows Defender spots that it had some
spyware on it.

So--I would recommend deleting the file referenced in the first
detection--if there's any problem doing that, see if you can do it in safe
mode.

That one seems pretty clear--although it'd be nice to get a second
opinion--ad-aware, for example, should detect that one as well.

I'm not as sure about the second detection. It is the same named content in
a standardly named cab file under a bunch of different GUIDs in a hidden
folder used by InstallShield.

I would investigate what product those GUID folders relate to. Each of
those folders has a setup.ini file which is an ascii text file which should
give a clue about what app they relate to. I think I would be cautious about
removing them all without further investigation.

You've got other good antispyware programs--are they ringing any alarm bells?
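As an added example (not code from the thread or from Microsoft), here is a small Python parser for the "Path Found" field of the WinDefend event 1006 entries pasted above. It splits the semicolon-separated entries, separates registry keys from files, pulls out the archive member named after "->" (the notation Bill explains above, and the reason Defender will not delete the whole container), and extracts the InstallShield GUID so the setup.ini Bill mentions can be located. The sample values are the two Path Found strings from this thread with the forum line wrapping removed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed from the two "Path Found" values pasted earlier in this thread,
# with the forum line wrapping removed.
PATH_FOUND_1 = r"file:C:\WINDOWS\system32\bikini8aa.exe->(wise0019)"
PATH_FOUND_2 = (
    r"regkey:HKLM\Software\Magnet;regkey:HKLM\Software\Classes\magnet;"
    r"file:C:\Program Files\InstallShield Installation Information"
    r"\{01083175-01CC-42AA-9090-81DD0F88F28F}\data1.cab->(ishld#0019);"
    r"file:C:\Program Files\InstallShield Installation Information"
    r"\{063E40F4-BA97-42CD-AD8A-21E495916231}\data1.cab->(ishld#0019)"
)

@dataclass
class Detection:
    kind: str              # "file" or "regkey"
    location: str          # path on disk or registry key
    member: Optional[str]  # archive member named after "->", if any

# One entry is "<kind>:<location>", optionally followed by "->(<member>)".
ENTRY_RE = re.compile(r"^(?P<kind>file|regkey):(?P<loc>.+?)(?:->\((?P<member>[^)]*)\))?$")
# InstallShield keeps each product's data1.cab under a GUID-named folder.
ISHIELD_RE = re.compile(r"\\(\{[0-9A-F-]{36}\})\\data1\.cab$", re.IGNORECASE)

def parse_path_found(value: str) -> List[Detection]:
    """Split a Path Found field into its individual detections."""
    found = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised Path Found entry: {raw!r}")
        found.append(Detection(m["kind"], m["loc"], m["member"]))
    return found

def is_archive_member(d: Detection) -> bool:
    """True when the hit is inside a container (exe, cab, zip) rather than a loose file."""
    return d.kind == "file" and d.member is not None

def installshield_guid(d: Detection) -> Optional[str]:
    """GUID of the InstallShield folder holding the flagged data1.cab, if any."""
    m = ISHIELD_RE.search(d.location) if d.kind == "file" else None
    return m.group(1) if m else None

def report(value: str) -> List[str]:
    """One line per detection; container hits are the ones Defender cannot remove piecemeal."""
    lines = []
    for d in parse_path_found(value):
        note = f"member {d.member} inside container" if is_archive_member(d) else "loose item"
        guid = installshield_guid(d)
        if guid:
            note += f"; check setup.ini in InstallShield folder {guid}"
        lines.append(f"{d.kind}: {d.location} [{note}]")
    return lines
```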
 
Hi Bill,

Yes checked through add/remove a few times now (again especially after 'old
rebel' mentioned it) I see nothing untoward in it....

I have also run 'CCleaner' and Windows cleanup utilities to remove any
residual installer issues.

So if I get you right, if I search and delete a file named 'wise0019' the
first issue may disappear?

When you say 'a backup of a pc...and the pc is gone'...what does pc stand
for in this instance (maybe some ignorance, but please excuse me).

The next bit you said (about cab and guid files...whatever they are, etc)
goes a little over the top.

I mentioned earlier (maybe in the other thread) that I run spybot s&d, Yahoo
anti-spyware, ad-aware SE, stinger and spyware doctor...these either don't
pick them up or consistently unsuccessfully remove them.

Look forward to your response.
 
Hi, Lethal, I don't know if Bill is still around. What he said was a bit
"Over the top" for me too. But I think what we need to know next is which of
the other anti-spyware programs found these when they scanned? Can you
copy/paste their scan logs so we can see the results? Or at least type in the
name and path of what they found. The one other than Defender.
 
Hi Old Rebel,

By over the top (I meant) over my head, of course. Thought that needed some
clarification.

Yahoo anti-spyware seems to find different results each time, I list below
the latest one for it (unable to post its findings...due to no log etc).
'2o7.net...tracking cookie'....no recommendation'

Spybot S&D is finding no issues (with its last three scans)

The scans or results that Spyware Doctor consistently comes back with follow
(note the locations or names of bugs have been added by myself, manually).

'Trojan.StartPage.GEN
Infection risk level: High
Infection description: Trojan.StartPage.GEN is a trojan horse which hijacks
the Internet Explorer home page without your permission.
- Registry

Known Bad Sites
Infection risk level: High
Infection description: Indicates that a known bad site may have hijacked.
Adware, Spyware and Phishing sites may use the Windows hosts file to redirect
your browser to a malicious site when you try to access a valid site such as
your Bank.
- Temporary Internet Files

Tracking Cookie(s)
Infection risk level: Medium
Infection description: A tracking cookie is any cookie that is shared among
two or more unrelated sites for the purpose of tracking a user's browsing
and/or gathering and/or sharing information which many users regard as
"private" Definitions of "private" may differ. Some consider any code
"private" if it uniquely identifies a user, even if it is not their name or
email address. A typical tracking cookie might look like this:
"1www.somedomainname.com/ 0 2719785088 29508922 2980377808 29496852 * " The
encoded info in this cookie includes a unique UserID assigned by a web
server; the cookie can be used to track a user as they visit other sites that
accept this cookie.
- cookies (2o7.net)
- cookies (imrworldwide.com)'

This was after yahoo anti-spyware supposedly removed the 2o7.net cookie

Look forward to your further advice
 
1) The tracking cookies that were detected should be insignificant. 2o7.net
for example is a cookie I pick up every time I visit AOL. They can be easily
deleted manually or you can use CCleaner (options:cookies) to selectively
pick which cookies to keep and which to save. Some 1st party cookies are
good, as they are used to save passwords for sites you visit regularly. 3rd
party cookies are usually advertising related. You can simplify the cookie
issue by going to Internet Options via control panel or via Internet
Explorer, clicking on the Privacy tab>advanced, then click override automatic
cookies options; then click either prompt or accept for 1st party cookies and
block for 3rd party cookies. Also click to enable "always allow session
cookies." Once you have done that, cookies like 2o7.net won't be on your
computer. If I recall correctly, you already have CCleaner. If not, then see:
http://www.ccleaner.com/
2) The reference to bad sites and your hosts file seems vague. In your
temporary files? That could be easily deleted. Have you deliberately added any
sites to your hosts file or used Spybot's hosts file list? To make sure nothing
is in your hosts file that does not belong there, it is best to manually
inspect the file. HijackThis has a good hosts file viewer in its miscellaneous
tools section. My preference for editing the Hosts file manually is the
program Hoster by Funky Toad. It permits you to view, edit, restore the
original Windows Hosts file, make a backup, and lock the Hosts file as read only.
Defender will alert if you edit the hosts file, but since you know who is
doing it, you can simply "allow" or "ignore". For Hoster, see:
http://www.funkytoad.com/hoster.htm
3) Trojan.StartPage.GEN in "registry"? That may be a false positive for
Spyware Doctor. I would expect Yahoo Antispy to pick that one up also.
There are many variations on Trojan.StartPage.GEN listed in the CA Spyware
Encyclopedia. I may have to research that elsewhere and get back to you. If
Spyware Doctor gives any other info about it, that would be helpful to know.
For general info about Trojan.StartPage.GEN see:
http://www3.ca.com/securityadvisor/virusinfo/search.aspx?mode=tmc&pst=Trojan.StartPage.GEN
I believe that is the knowledge base that Yahoo antispy uses. I don't know
about the Doctor. I'll attempt to find out more and be back in touch.
 
From what I see, the knowledge base info on that trojan is very vague at
SpywareDoctor. See:
http://www.pctools.com/mrc/infections/id/Trojan.StartPage.GEN/
If you have the subscription version of Doctor, I suggest you report that
finding to them and see what they have to say. There may be a tool within
Doctor that allows that, but I found this on their site:
http://www.pctools.com/mrc/submit/
If you are not having any symptoms of infection such as unwanted popups or
change of home page and redirected search pages, I would suspect the finding
to be meaningless. The other scanners should be picking that up. If you want
another scanner that would probably detect that if it were a real threat, I
suggest the free version of Ewido anti-malware. If you install it, you do not
need its real time protection enabled, so uncheck "install guard" and "add to
context menu." It makes an excellent backup on demand scanner for trojans.
http://www.ewido.net/en/download/
http://castlecops.com/t137442-CCSP_Ewido_Install_and_Scan_Instructions.html
Hopefully Bill will see this thread today and add his insight. I recall you
asking about a new build of Defender. I have not seen reference to one yet
anywhere in the newsgroups. I am looking forward to an improved version
myself. It will be an excellent protection once some of the bugs are fixed. I
am quite pleased with it so far myself, as far as the real-time protection and
alerts are concerned.
 
Hello Lethal,

do you use LimeWire?
Grokster is a part of that I believe.

Regards >*< TOM >*<


Lethal wrote:
 
On that first detection, here's what I'd do:

Restart in safe mode, and rename:

C:\WINDOWS\system32\bikini8aa.exe

Rename it perhaps something like bikini8aa.exe.bak

Consider also moving it to a different location--say, c:\temp.

Then restart and let's see if there are any ill effects from that change.

These findings are on a full scan, rather than a quickscan. One question
that may be relevant is whether either of these items is found by a
QuickScan.

If they are not--it is quite possible that neither is "active"--i.e. in a
location where they are set to start with Windows. They may well be
leftovers.

At any rate--let's see what we can do about that first one for now--I'm not
sure that either of these is really a problem--i.e. they don't appear to be
active issues--but I believe the first one is a proper detection that we can
remove.

--
 
Thank you both,

I need to print this advice out and act...I will let you know the results...
 
Gents (Tom, Bill & 'Old Rebel'),

Thanks again for your input.
Tom, indeed I do use LimeWire, hence Grokster (probably being an inactive
spyware item from what Bill has said)...I may just have to live with.
To this end, FYI, and as asked earlier.....none of the 'bugs' are picked up
by WinDefend in a Quick Scan.
Old rebel thanks for your thoughts on the attraction of a release for the
full version (we shall not hold our breath though eh). I was also interested
if any of you gents knew if it was likely to be configurable, as the beta 2
version is not, to exclude cd/dvd/floppy drives.

In response to taking the action Bill suggested scans in safe mode...Yahoo,
Spybot S&D did not pick any up.
WinDefend was again unable to remove the two we started with (though as
mentioned above these could be inactive).
Further CCleaner was also run fully in safe mode before running the WinDefend
scan, and removed all cookies including the 2o7 cookie (which was shown with
another prefix).

One of the links Old Rebel was good enough to supply earlier had a tool for
the 180 solutions item, short of any other suggestions I may try this.

Thanks again for the involvement and I welcome any further
comment/advice/response.
 