cwwllcadaware

Browser Hijacked


For Smitrem, let's run this.

 

Download this free tool called: smitRem

http://noahdfear.geekstogo.com/click%20cou.../click.php?id=1

and save the file to your desktop.

Double click on the file to extract it to its own folder on the desktop.

 

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with the Panda Scan log.


1. You mentioned Panda in your last posting. Are Panda and Kaspersky the same company?

2. Is it safe to run an online scan as opposed to a downloaded scan? Won't the online website have access to my files?

 

 

3. Following is the smitRem log:

 

 

smitRem © log file
version 3.0

by noahdfear

Windows 98 [Version 4.10.2222]

Running from
C:\My Documents\Hijack\SmitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~
amcompat.tlb
nscompat.tlb

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~
wupdmgr.exe

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~ wininet.dll ~~~~
wininet.dll Present!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting registry repairs
Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~ wininet.dll ~~~~
wininet.dll Clean!! :D


After running smitRem, I ran MWAV again and have found the following:

 

Precisionpop Spyware/Adware found in File System

Smitfraud Browser Hijacker found in File System

1. You mentioned Panda in your last posting. Are Panda and Kaspersky the same company?

2. Is it safe to run an online scan as opposed to a downloaded scan? Won't the online website have access to my files?

 

Sorry, didn't mean to mention Panda - that got in there by mistake.

 

Kaspersky has the best detection, which is why I want to see that one. I use the online scanners all the time. From a trusted company like Kaspersky this should not be a problem; however, if you would rather download the program and scan your PC, they do have a 30-day free trial. Get the Kaspersky Antivirus 6.0 trial version, but make sure you uninstall any existing AVs presently on your system. Norton should probably go anyway, as it is so out of date it's hardly useful. AVG you can uninstall, and if you decide you want to keep it you can just reinstall it later.

 

Make sure your PC can handle these system requirements before trying the Kaspersky Antivirus 6.0 trial home version.

 

Kaspersky Anti-Virus 6.0 (Home user)

http://www.kasperskyusa.com/promotions/tri...apter=146481750

System Requirements

 

General requirements

* Microsoft Windows 98 (SE) / NT Workstation 4.0
* Microsoft Windows NT Workstation 4.0 with Service Pack 6a
* Microsoft Internet Explorer 5.5 or higher (for product & antivirus database updates via the Internet)
* CD-ROM (for product installation)
* Internet connection (for product activation)

Hardware requirements

* Intel Pentium 133 MHz or higher
* 64 MB RAM
* 50 MB available HDD space

 

IMHO, the online scanner is just easier and safe to use.


I installed and ran Kaspersky (May Edition). I didn't want to go online yet so I didn't install the latest updates. It found and deleted a number of infected emails (Outlook folder). Did not find Precision Spyware nor Smitfraud.

 

I then uninstalled Kaspersky, reinstalled and ran MWAV, and it found the following again:

 

- Precisionpop Spyware/Adware found in File System

(you're not too concerned about this one as you mentioned it was a false positive)

 

- Smitfraud Browser Hijacker found in File System

 

Can't seem to get rid of Smitfraud.

 

 

Following is the latest HJT log:

 

Logfile of HijackThis v1.99.1
Scan saved at 1:47:24 PM, on 06/24/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -


KAV is no help without the updates. It's time for you to go online and get the updates. Get the standard updates AND the extended updates. Standard is for viruses, trojans and worms; Extended is for spyware (so you need BOTH).

 

I have instructions here from KAV 5.0, which is an earlier version, but it should be about the same or similar steps to get the extended database.

 

First get the Standard Updates (KAV should do that automatically as soon as you go online).

 

When you have those, open KAV again, look under *Settings*, then *Configure Updater* and choose Extended Database. Click *OK*, then Check for Updates, and you will get another smaller update which will install.

 

ExtendedDatabases2.gif


Following are both Kaspersky Log and HJT Log.

 

It seems that KAV didn't find any trace of what was discovered by MWAV:

- Precisionpop Spyware/Adware found in File System

- Smitfraud Browser Hijacker found in File System

 

 

 

Kaspersky Log:

 

Protection
----------
Total scanned: 1287871
Detected: 2
Untreated: 0
Start time: Unknown
Duration: Unknown
Finish time: Unknown

Detected
--------
Status    Object
------    ------
deleted:  adware not-a-virus:AdWare.Win32.SurfSide.av    File: c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe
deleted:  Trojan program Trojan-Clicker.Win32.Small.jf   File: c:\Program Files\html2.htm

Events
------
Time                    Event
----                    -----
06/24/2006 9:56:54 PM   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
06/24/2006 10:02:56 PM  Kaspersky Anti-Virus 6.0 is not activated.
06/24/2006 10:02:57 PM  A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
06/24/2006 10:06:26 PM  Please restart your computer to complete the installation of new or updated protection components.
06/24/2006 10:06:28 PM  Update completed successfully.
06/24/2006 10:09:17 PM  A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
06/24/2006 10:17:26 PM  A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
06/25/2006 6:56:31 AM   File c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe: detected adware not-a-virus:AdWare.Win32.SurfSide.av
06/25/2006 6:56:31 AM   Security threats have been detected. You are advised to neutralize them immediately.
06/25/2006 6:56:31 AM   File c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe: is not disinfected, postponed
06/25/2006 6:56:31 AM   File c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe: detected adware not-a-virus:AdWare.Win32.SurfSide.av
06/25/2006 6:56:32 AM   File c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe: is not disinfected, postponed
06/25/2006 4:59:00 PM   File c:\Program Files\html2.htm: detected Trojan program Trojan-Clicker.Win32.Small.jf
06/25/2006 4:59:00 PM   Security threats have been detected. You are advised to neutralize them immediately.
06/25/2006 4:59:01 PM   File c:\Program Files\html2.htm: is not disinfected, postponed
06/25/2006 4:59:11 PM   File c:\Program Files\html2.htm: detected Trojan program Trojan-Clicker.Win32.Small.jf
06/25/2006 4:59:11 PM   File c:\Program Files\html2.htm: is not disinfected, postponed

Reports
-------
Task              Status     Start                   Finish                  Size
----              ------     -----                   ------                  ----
Scan My Computer  completed  06/24/2006 10:32:38 PM  06/25/2006 9:13:50 PM   200 MB
Scan              completed  06/24/2006 10:34:54 PM  06/25/2006 9:13:28 PM   198.3 MB

Quarantine
----------
Status  Object  Size  Added
------  ------  ----  -----

Backup
------
Status  Object  Size
------  ------  ----

---------------------------------------------------------------------------------------

 

 

HJT Log:

 

 

Logfile of HijackThis v1.99.1
Scan saved at 11:31:08 AM, on 06/26/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [kav] "C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [AVP] "C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE -r"
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\SCIEPLUGIN.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

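As an added example (not part of the thread and not HijackThis's own code), here is a small Python triage helper for the two HijackThis logs posted above: it parses the O-prefixed entries, lists what changed between the 06/24 and 06/26 scans, and flags entries HijackThis itself marked as pointing at a missing file, plus the O6 policy line. The sample log text is a constructed, trimmed copy of the logs in this thread.

```python
"""Triage helper for HijackThis v1.99 logs: parse the O-prefixed entries,
diff two scans of the same machine and flag entries worth a second look.
The sample logs below are trimmed copies of the two logs in this thread."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Every HijackThis finding starts with a section tag such as "O4 - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Markers HijackThis itself appends when the referenced file is absent.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "


def parse_hjt(text: str) -> List[Entry]:
    """Return the O-entries of a log in order; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_scans(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries added and removed between two scans, in log order."""
    b, a = parse_hjt(before), parse_hjt(after)
    b_set, a_set = set(b), set(a)
    return [e for e in a if e not in b_set], [e for e in b if e not in a_set]


def flag_entries(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Pair each suspicious entry with the reason: orphaned buttons/startup
    items, and the O6 line that means an IE Control Panel policy is set."""
    flagged = []
    for e in entries:
        if any(marker in e.body for marker in ORPHAN_MARKERS):
            flagged.append((e, "points at a file that no longer exists"))
        elif e.section == "O6":
            flagged.append((e, "IE Control Panel policy restriction present"))
    return flagged


# Constructed sample: trimmed from the 06/24/2006 log posted in this thread.
LOG_0624 = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:47:24 PM, on 06/24/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
"""

# Constructed sample: the 06/26/2006 log, after Kaspersky 6.0 was installed.
LOG_0626 = LOG_0624.replace("06/24/2006", "06/26/2006") + r"""O4 - HKLM\..\Run: [kav] "C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE"
O4 - HKLM\..\RunServices: [AVP] "C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE -r"
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\SCIEPLUGIN.DLL
"""


def report(before: str, after: str) -> str:
    """Human-readable summary: + added, - removed, ! flagged in the newer scan."""
    added, removed = diff_scans(before, after)
    lines = [f"+ {e.section} - {e.body}" for e in added]
    lines += [f"- {e.section} - {e.body}" for e in removed]
    lines += [f"! {e.section} - {e.body}  <- {why}"
              for e, why in flag_entries(parse_hjt(after))]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_0624, LOG_0626))
```

Run against the two full logs, the only additions between scans are the three Kaspersky entries, which matches the helper's reading that nothing new was installed besides KAV.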

These two Kaspersky detected...those are real - you can let KAV disinfect/delete them.

 

MWAV had 2 FPs that I told you about. That one for precision pop is definitely an FP, and I would have to see the other one to tell what it is. But I trust KAV with current detections IS finding the two bad ones left and not the others by MWAV, which is now out of date. You should probably delete that and, if you want to scan with MWAV, get a fresh new copy. The FPs may have been fixed in their detection database.


MWAV is in the process of scanning (latest update 06-20-06) and it found them again:

 

- Precisionpop Spyware/Adware found in File System

- Smitfraud Browser Hijacker found in File System


In the mean time, I wanted to ask you a couple of questions, if I may, regarding future security:

 

- You had mentioned that Norton Antivirus 2003 was obsolete for today’s malware. I just bought a copy of Norton Internet Security 2005 (Antivirus & Personal Firewall). The 2006 version doesn't work on Win98. Is this version good enough for today's viruses, malware, etc.?

 

- What do you recommend having installed at all times from the usual list (Adaware, Spybot, AVG, Kaspersky, etc.)? It seems that AVG was the only one that removed Qoologic. What are your feelings about the software?

 

- Are there any known conflicts between the above AV software and Norton?

 

- What about Norton Personal Firewall? Any feelings on the software?

 

- Do you have any recommendation on security Equipment (Routers, etc.)?

In the mean time, I wanted to ask you a couple of questions, if I may, regarding future security:

 

- You had mentioned that Norton Antivirus 2003 was obsolete for today’s malware. I just bought a copy of Norton Internet Security 2005 (Antivirus & Personal Firewall). The 2006 version doesn't work on Win98. Is this version good enough for today's viruses, malware, etc.?

Yes, it should be much better than the 2003 version.

 

- What do you recommend having installed at all times from the usual list (Adaware, Spybot, AVG, Kaspersky, etc.)? It seems that AVG was the only one that removed Qoologic. What are your feelings about the software?
In my opinion (and I handle a lot of malware), Kaspersky is absolutely the best in detection and usually the first to detect new variants of viruses, trojans and spyware. For cleaning, Adaware and Spybot are dedicated privacy software scanners for adware/spyware pests and do a very good job of registry cleaning that the AVs don't (AVs will usually stop the active infection but don't scan deep for system changes, etc. like the Antispyware cleaners do). I recommend keeping those. They are both on my list of the top Antispyware scanners.

 

- Are there any known conflicts between the above AV software and Norton?
You should only have one AV running realtime protection. Otherwise you may have conflicts. Having a 2nd as a backup scanner is ok, as long as it isn't running realtime while Norton is.

 

- What about Norton Personal Firewall? Any feelings on the software?
All of the software firewalls do about the same, and all perform well. Be sure you turn off the alerts though. Incoming alerts will make you paranoid. They are a normal part of the internet, and every day the firewall blocks those incoming events as it is supposed to do. Turn the incoming alerts off. It is the outgoing alerts you should check out. If something you don't recognize is trying to get out, that's when you need to know about it.

 

- Do you have any recommendation on security Equipment (Routers, etc.)?
You need a router if you have a network. If this is a standalone PC, I think a software firewall should be adequate.

The latest MWAV Log is 24,994 KB. The link will accept up to 20,048 KB. Are there any other links where it can be uploaded?

 

Can you divide it into two files? Upload each one separately.


The log file is so large it freezes each time I try to open it. Not sure what to do. Also, once you view it, what happens to the file? Do you delete, does a copy remain somewhere, etc.?

Can't believe I didn't think of zipping it.
:) Can't believe I didn't either! ;)

 

Also, what happens to the file? Do you delete, does a copy remain somewhere, etc.?

When I receive the file I put it into a folder named: Deletable stuff (because I clean that out regularly and don't need to keep old logs once a problem is resolved).

 

The file on your system remains unless you delete it.


Only approved Malware Fighters can see any of the attachments in that forum. In accordance with your request I removed both MWAV logs.

 

These were the two items found and my comments follow on each:

 

Mon Jun 26 13:09:38 2006 => Offending file found: C:\WINDOWS\starter.exe
Mon Jun 26 13:09:38 2006 => System found infected with precisionpop Spyware/Adware (starter.exe)! Action taken: No Action Taken.

I had you upload this file, C:\WINDOWS\starter.exe, for analysis.

This file is clean and is NOT PrecisionPop.

It belongs to Creative Technologies and is legitimate on your system.

Description:

starter.exe is installed alongside Creative Labs Ensoniq Mixer and provides added functionality to the default Windows volume facility. This is a False Finding by MWAV.

.....................................

Mon Jun 26 13:09:50 2006 => Offending file found: C:\WINDOWS\Favorites\exporting\pharmacies\uae\directories\pharmacy.url
Mon Jun 26 13:09:50 2006 => System found infected with smitfraud Browser Hijacker (pharmacy.url)! Action taken: No Action Taken.

 

This is a URL added to your Favorites. It cannot harm your system (unless you click on it, and then it might be a harmful site). You can delete this file from your favorites:

C:\WINDOWS\Favorites\exporting\pharmacies\uae\directories\pharmacy.url

 

In fact, if you don't have a folder for pharmacies in your favorites you can just delete the "Pharmacies" folder in your Favorites.


I really don't know how to thank you. I am very, very lucky to have run into you. Your non-stop help and compassion is very much appreciated. You were right when you said it might take days to fix it. But, nevertheless, we did it thanks to you. It has been a definite learning experience.

 

So, to sum it up:

 

1. Regarding Anti-Virus software, you recommend only installing one program; and you prefer Kaspersky over Norton Anti-Virus or AVG. I assume the paid version of Kaspersky. Does it use a lot of memory while running in the background?

 

2. Regarding spyware/adware, it is OK to have multiple programs installed (Ad-Aware, Spybot, Webroot Spy Sweeper, etc.).

 

3. Regarding firewall, I am assuming that any of them will do (Norton, Webroot, Zone Alarm, etc.)

 

4. Regarding system back-ups, I forgot to ask you this before, how do you feel about the program BackupMyPC? Any programs that you might be aware of that you recommend? Also, will the Anti-Virus and Spyware programs detect problems with already backed-up data?


Yes, your summary is correct. I wouldn't have more than one Antispyware program running realtime protection though. People tend to go overboard on having too many Antispyware products. For backups, Acronis True Image is the most often recommended I have seen.

http://www.acronis.com/homecomputing/products/trueimage/

 

I have all my backups on an additional external hard drive.

 

You'll need to empty out all the quarantined items in the various programs used to clean your system, and you can delete any of the special tools we used or programs you don't intend to keep. Ewido is a nice anti-trojan scanner that you can keep after the trial is over as a free on-demand scanner. It will need to be updated manually but the cleaning function still works if needed.

 

I ran Zone Alarm 2.6 on my Win98 and I have it on my XP as well - that particular old version is still a good one and a lot less resource hungry than the newer versions of ZA, which is usually just packed with extra "features" that don't really enhance the security/firewall function. You can get v. 2.6 ZA here:

http://www.oldversion.com/program.php?n=zalarm

 

These are my recommendations for extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

 

In that article, IESPYAD is really worth looking into (yes, it's free). It will put over 20,000 known bad websites into your restricted zone, so even if you hit one by accident, it can't harm your PC. SpywareGuard and SpywareBlaster (also free) are two other "must haves" IMHO. Those 3 programs only need to be updated about once a month.

You'll need to empty out all the quarantined items in the various programs used to clean your system, and you can delete any of the special tools we used or programs you don't intend to keep. Ewido is a nice anti-trojan scanner that you can keep after the trial is over as a free on-demand scanner. It will need to be updated manually but the cleaning function still works if needed.

 

Where are the quarantined files usually located?

Where are the quarantined files usually located?

It's usually obvious within each program.

 

Norton has a "quarantine"

AVG calls it the "Virus Vault"

Adaware has a quarantine

Spybot has "Recovery"

Not sure about KAV but probably something similar.

 

Adaware's quarantine can be viewed from the main screen: click on the link that says "Open Quarantine List".

 

After a period of time (say, a couple of weeks) there is no need to keep those items in quarantine once you are sure all your programs and your computer are running properly. The whole idea is that if a problem is discovered and you needed to recover something previously "deleted and held in quarantine", you could do that.

 

Nothing can run from there, but keeping those old infected files around is ineffective and other security programs will most likely alert on them, so it's a good idea to clean them out so you are not continually tripping over them :huh:
