Re: I'm probably safe but can someone explain what I've just seen?

From: B. Chernick (BChernick_at_discussions.microsoft.com)
Date: 08/29/05

    Date: Sun, 28 Aug 2005 18:11:05 -0700


    You say: "Therefore if eTrust missed this OCX file there is the
    possibility you did get a non-viral malware infection. I strongly suggest
    replacing Ad-aware6 with Ad-aware SE and updating it with the latest
    signatures, then performing a scan with the new version."

    Are you saying that you tested eTrust and it failed, or that you just don't
    have confidence in eTrust? I should point out that I keep my antivirus
    subscription up to date.

    "David H. Lipman" wrote:

    > From: "B. Chernick" <BChernick@discussions.microsoft.com>
    >
    > | First I'm sorry I can't provide greater detail, but what happened was that I
    > | got careless and accidentally visited a website supposedly crawling with
    > | spyware (emp3world.com). Basically I got suspicious about what I saw,
    > | googled the site and found some hits associating it with something called
    > | 'Dial 300263 executable'.
    > | I immediately physically disconnected from the phone line and did complete
    > | scans with eTrust EzAntiVirus and AdAware 6, both of which found nothing.
    > |
    > | 1st, can I stop hyperventilating?
    > |
    > | 2nd, I thought I had clicked on emp3world but when I looked at the dropdown
    > | list of the Back button, I found that another website had somehow been
    > | inserted in between the current site and my Google search:
    > | www.cashventure.com/sgo.ph?id=4.
    > |
    > | Can someone explain what happened here? I am a programmer but not a hacker
    > | or a web expert.
    >
    > Ad-aware6 is no longer supported nor updated. It has been superseded by Ad-aware SE v1.06
    >
    > I recommend removing the old version and installing the new version.
    > http://www.lavasoft.de/
    > http://www.lavasoftusa.com/
    >
    > Accessing the emp3world web site tried to install an ActiveX OCX malware file as indicated by
    > McAfee VirusScan v7.1E.
    > The following is the log file from McAfee...
    > 8/28/2005 6:56:06 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
    > Internet Files\Content.IE5\WCZFECUD\mp3[1].ocx Adware-UCMore
    >
    > Every time I access that web site, I get a different response. An additional access to the
    > site tried to install ISTbar malware...
    > 8/28/2005 7:01:18 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
    > Internet Files\Content.IE5\FZ4HCZOS\0006_mp3[1].cab\0006_MP3[1].CAB Adware-ISTbar
    >
    >
    > Therefore if eTrust missed this OCX file there is the possibility you did get a non-viral
    > malware infection. I strongly suggest replacing Ad-aware6 with Ad-aware SE and updating
    > it with the latest signatures, then performing a scan with the new version.
    >
    > I also suggest using the following Multi AV scanning tool. It has scanners for Sophos,
    > McAfee and Trend Micro.
    >
    > Since McAfee found the OCX associated with "Adware-UCMore" and the CAB file associated with
    > "Adware-ISTbar" trying to be installed into IE, I suggest using the McAfee module in the
    > Multi AV scanning tool. You can use the Sophos and Trend modules but I suggest starting
    > with the McAfee module.
    >
    >
    > Download MULTI_AV.EXE from the URL --
    > http://www.ik-cs.com/programs/virtools/Multi_AV.exe
    >
    > It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    > http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
    > (.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
    > simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
    > remove viruses, Trojans and various other malware.
    >
    > C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    > This will bring up the initial menu of choices and should be executed in Normal Mode. This
    > way all the components can be downloaded from each AV vendor’s web site.
    > The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
    >
    > You can choose to go to each menu item and just download the needed files or you can
    > download the files and perform a scan in Normal Mode. Once you have downloaded the files
    > needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    > during boot] and re-run the menu again and choose which scanner you want to run in Safe
    > Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
    >
    > When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    > file.
    >
    > To use this utility, perform the following...
    > Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    > Choose; Unzip
    > Choose; Close
    >
    > Execute; C:\AV-CLS\StartMenu.BAT
    > { or Double-click on 'Start Menu' in C:\AV-CLS }
    >
    > NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    > FireWall to allow it to download the needed AV vendor related files.
    >
    > * * * Please report back your results * * *
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm

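A small log-triage script, added here as an example and not part of either poster's message, that parses McAfee VirusScan entries in the format David quoted and flags drops into the IE cache whose cleanup failed (exactly the case David says warrants a rescan). The first two sample lines are David's own log entries rejoined onto one line each; the third is a constructed line added for contrast.

```python
import re
from dataclasses import dataclass

# Sample input. Lines 1-2 are the entries David quoted (rejoined from the
# e-mail wrapping); line 3 is a constructed entry for contrast, not from the post.
SAMPLE_LOG = r"""8/28/2005 6:56:06 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\mp3[1].ocx Adware-UCMore
8/28/2005 7:01:18 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\0006_mp3[1].cab\0006_MP3[1].CAB Adware-ISTbar
8/28/2005 7:05:00 PM Deleted DLIPMAN-1\lipman C:\Downloads\setup.exe Adware-Example
"""

# timestamp, free-text action, MACHINE\user, drive-letter path (may contain
# spaces), detection name. The action is matched lazily so it stops at the
# first MACHINE\user token; the path is matched greedily up to the last space.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>.+?) (?P<user>\S+\\\S+) (?P<path>[A-Z]:\\.+) (?P<detection>\S+)$"
)

# Container formats that an ActiveX install drops into the browser cache.
ACTIVEX_EXTS = (".ocx", ".cab")


@dataclass
class Finding:
    timestamp: str
    action: str
    path: str
    detection: str
    in_ie_cache: bool       # landed under "Temporary Internet Files"
    is_activex_drop: bool   # .ocx / .cab, i.e. a browser-initiated install
    cleanup_failed: bool    # scanner could neither clean nor delete it


def parse_log(text: str) -> list[Finding]:
    """Parse every well-formed VirusScan line; skip lines that do not match."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        findings.append(Finding(
            timestamp=m["ts"], action=m["action"], path=path,
            detection=m["detection"],
            in_ie_cache="\\temporary internet files\\" in path.lower(),
            is_activex_drop=path.lower().endswith(ACTIVEX_EXTS),
            cleanup_failed="failed" in m["action"].lower(),
        ))
    return findings


def unresolved_browser_drops(text: str) -> list[str]:
    """Detection names for cache-resident drops the scanner failed to remove."""
    return [f.detection for f in parse_log(text)
            if f.in_ie_cache and f.cleanup_failed]
```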