Re: I'm probably safe but can someone explain what I've just seen?

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 08/29/05


Date: Sun, 28 Aug 2005 19:06:45 -0400

From: "B. Chernick" <BChernick@discussions.microsoft.com>

| First I'm sorry I can't provide greater detail, but what happened was that I
| got careless and accidentally visited a website supposedly crawling with
| spyware (emp3world.com). Basically I got suspicious about what I saw,
| googled the site and found some hits associating it with something called
| 'Dial 300263 executable'.
| I immediately physically disconnected from the phone line and did complete
| scans with eTrust EzAntiVirus and AdAware 6, both of which found nothing.
|
| 1st, can I stop hyperventilating?
|
| 2nd, I thought I had clicked on emp3world but when I looked at the dropdown
| list of the Back button, I found that another website had somehow been
| inserted in between the current site and my Google search:
| www.cashventure.com/sgo.ph?id=4.
|
| Can someone explain what happened here? I am a programmer but not a hacker
| or a web expert.

Ad-aware6 is no longer supported or updated. It has been superseded by Ad-aware SE v1.06.

I recommend removing the old version and installing the new version.
http://www.lavasoft.de/
http://www.lavasoftusa.com/

Accessing the emp3world web site tried to install an ActiveX OCX malware file, as indicated by
McAfee VirusScan v7.1E.
The following is the log file from McAfee...
8/28/2005 6:56:06 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\WCZFECUD\mp3[1].ocx Adware-UCMore

Every time I access that web site, I get a different response. An additional access to the
site tried to install ISTbar malware...
8/28/2005 7:01:18 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\FZ4HCZOS\0006_mp3[1].cab\0006_MP3[1].CAB Adware-ISTbar

Therefore, if eTrust missed this OCX file, there is the possibility you did get a non-viral
malware infection. I strongly suggest replacing Ad-aware6 with Ad-aware SE and updating
it with the latest signatures, then performing a scan with the new version.

I also suggest using the following Multi AV scanning tool. It has scanners for Sophos,
McAfee and Trend Micro.

Since McAfee found the OCX associated with "Adware-UCMore" and the CAB file associated with
"Adware-ISTbar" trying to be installed into IE, I suggest using the McAfee module in the
Multi AV scanning tool. You can use the Sophos and Trend modules but I suggest starting
with the McAfee module.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
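The two McAfee VirusScan log lines Dave quotes are the kind of evidence worth triaging before reaching for a second scanner: they say what was detected, where it landed and, most importantly, whether the scanner actually removed it ("Delete failed (Clean failed)" means the object is still on disk). The following is an added example, not part of the post and not McAfee's or the Multi AV tool's own code. It parses that log layout and lists the detections that still need follow-up. The field order (timestamp, action, MACHINE\user, full path, detection name) is assumed from the two quoted lines; the sample log reproduces those two lines re-joined onto single lines (the mail client wrapped them) plus one constructed line showing a successful deletion for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the McAfee VirusScan log layout quoted in the post.
# Lines 1-2 are the post's own entries re-joined onto one line each; line 3 is
# constructed (placeholder cache folder and file name) to show a successful delete.
SAMPLE_LOG = r"""
8/28/2005 6:56:06 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\mp3[1].ocx Adware-UCMore
8/28/2005 7:01:18 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\0006_mp3[1].cab\0006_MP3[1].CAB Adware-ISTbar
8/28/2005 7:05:02 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\EXAMPLE1\setup[1].exe Adware-ISTbar
"""

# Assumed layout: <timestamp> <action> <MACHINE\user> <path with spaces> <detection>.
# The action text is variable, so it is matched lazily up to the MACHINE\user token;
# the path is matched lazily up to the final whitespace-free detection name.
LINE_RE = re.compile(r"""
    ^(?P<when>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+
    (?P<action>.+?)\s+                  # e.g. "Delete failed (Clean failed)" or "Deleted"
    (?P<user>[^\s\\]+\\[^\s\\]+)\s+     # MACHINE\user
    (?P<path>[A-Za-z]:\\.+?)\s+         # full path, may contain spaces
    (?P<detection>\S+)$                 # detection name is the last token
""", re.X)


@dataclass
class ScanEvent:
    when: str
    action: str
    user: str
    path: str
    detection: str

    @property
    def unresolved(self) -> bool:
        # The scanner could neither clean nor delete the object, so it is still on disk.
        return "failed" in self.action.lower()

    @property
    def from_browser_cache(self) -> bool:
        # Landed in the IE cache, i.e. fetched by the browser while rendering a page,
        # not deliberately saved by the user (the drive-by pattern the post describes).
        return "temporary internet files" in self.path.lower()


def parse_line(line: str) -> Optional[ScanEvent]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return ScanEvent(**m.groupdict()) if m else None


def parse_log(text: str) -> List[ScanEvent]:
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def needs_followup(events: List[ScanEvent]) -> List[ScanEvent]:
    """Objects the scanner failed to remove: what a second-opinion scan should confirm is gone."""
    return [e for e in events if e.unresolved]


def detections_by_family(events: List[ScanEvent]) -> Dict[str, int]:
    """Count events per detection name so repeated families stand out."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.detection] = counts.get(e.detection, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("detections:", detections_by_family(events))
    for e in needs_followup(events):
        origin = "browser cache" if e.from_browser_cache else "other location"
        print(f"{e.when}  {e.detection:<14} still present ({origin}): {e.path}")
```

Run against a real VirusScan log, the "still present" list is what to carry into the Safe Mode scan Dave recommends: each of those paths should come back clean or deleted afterwards, and a detection that keeps reappearing in the browser cache points at the site still being visited rather than at a persistent infection.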
