Kaspersky Scan


8 replies to this topic

#1 the doomed
  • Members
  • 52 posts

Posted 14 March 2006 - 02:37 PM

Can anyone advise me of the best course of action to remove the problems highlighted by the scan below, please? AVG says I am virus free. (AVG was turned off to run the Kaspersky scan.)


Tuesday, March 14, 2006 7:34:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/03/2006
Kaspersky Anti-Virus database records: 182398


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 125641
Number of viruses found 1
Number of infected objects 0
Number of suspicious objects 4
Duration of the scan process 01:49:34

Infected Object Name Virus Name Last Action
C:\Documents and Settings\David\Local Settings\Application Data\Identities\{552EE286-6770-4FDA-9D24-5727D8D6BC96}\Microsoft\Outlook Express\Deleted Items.dbx/[From albert_nk@corte.inra.fr][Date Wed, 27 Oct 2004 10:29:11 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Documents and Settings\David\Local Settings\Application Data\Identities\{552EE286-6770-4FDA-9D24-5727D8D6BC96}\Microsoft\Outlook Express\Deleted Items.dbx/[From albert_nk@corte.inra.fr][Date Wed, 27 Oct 2004 10:29:11 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Documents and Settings\David\Local Settings\Application Data\Identities\{552EE286-6770-4FDA-9D24-5727D8D6BC96}\Microsoft\Outlook Express\Deleted Items.dbx/[From albert_nk@corte.inra.fr][Date Wed, 27 Oct 2004 10:29:11 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Documents and Settings\David\Local Settings\Application Data\Identities\{552EE286-6770-4FDA-9D24-5727D8D6BC96}\Microsoft\Outlook Express\Deleted Items.dbx

#2 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 March 2006 - 12:29 PM

Hi the doomed

The files that Kaspersky is flagging are infected emails that reside in your Outlook Express email client. My recommendation is that you first try to find the emails that correspond to the following:

Sent from the email address --> albert_nk@corte.inra.fr

Next, empty all deleted/spam folders. If you scan with Kaspersky and they are still there, I recommend that you save all the emails that you definitely need, then basically flush all other emails out of Outlook, as you cannot be sure where the email is hiding.

David

#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,126 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 March 2006 - 02:21 PM

'Exploit.HTML.Iframe.FileDownload' is a report about an HTML-formatted document which contains code that refers to the Internet Explorer IFrame vulnerability. This vulnerability allows a malicious HTML document, such as an email message, to execute automatically when the document is viewed using IE. It also affects email clients that use IE to view HTML-formatted email messages, such as Outlook and Outlook Express.

See MS Security Bulletin MS01-020:
http://www.microsoft.com/technet/security/...in/MS01-020.asp

The fix for the vulnerability is available at:
http://www.microsoft.com/windows/ie/downlo...9ie/default.asp

In addition to what David said, I would also recommend that you run scans with:
Ad-Aware SE 1.06
Spybot S&D 1.4

Then run another online scan at Panda ActiveScan. Panda ActiveScan does not remove adware/spyware but will autoclean viruses & worms.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
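As an added illustration (not part of quietman7's post, nor code from Kaspersky or any tool the thread mentions), the Python below shows the message shape that detection name describes and a defender-side check for it: it walks a MIME mail, resolves each <iframe> cid: reference to the attachment it loads, and flags targets with an executable extension. The sample mail, its filenames and the find_iframe_file_downloads helper are all constructed here.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail (not from the thread): the HTML body holds a hidden
# <iframe> whose target is an executable attachment, the message shape the
# 'Exploit.HTML.Iframe.FileDownload' name describes; the body is inert text.
SAMPLE_EML = b"""Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Hello<iframe src="cid:part1" width="0" height="0"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="readme.exe"
Content-ID: <part1>

placeholder
--b1--
"""

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")

class IframeCollector(HTMLParser):
    # Records the src attribute of every <iframe> in an HTML part.
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")

def find_iframe_file_downloads(raw_message):
    """Return one finding per <iframe> whose target ends in an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    cid_to_name, srcs = {}, []
    for part in msg.walk():
        cid = part.get("Content-ID")  # lets a cid: src resolve to a real filename
        if cid:
            cid_to_name[cid.strip("<>")] = part.get_filename() or ""
        if part.get_content_type() == "text/html":
            collector = IframeCollector()
            collector.feed(part.get_content())
            srcs.extend(collector.srcs)
    findings = []
    for src in srcs:
        target = cid_to_name.get(src[4:], src) if src.lower().startswith("cid:") else src
        if urlsplit(target).path.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"iframe src={src!r} -> executable {target!r}")
    return findings
```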

#4 the doomed
  • Topic Starter
  • Members
  • 52 posts

Posted 15 March 2006 - 04:49 PM

Thanks guys. Here is the report from Panda:

Incident Status Location

Adware:adware/cydoor Not disinfected C:\WINDOWS\SYSTEM32\AdCache
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\David\Cookies\david@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\David\Cookies\david@888[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David\Cookies\david@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\David\Cookies\david@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\David\Cookies\david@adultfriendfinder[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\David\Cookies\david@anm.co[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@ath.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@belnk[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\David\Cookies\david@burstnet[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\David\Cookies\david@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\David\Cookies\david@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\David\Cookies\david@com[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\David\Cookies\david@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@dist.belnk[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\David\Cookies\david@kinghost[2].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\David\Cookies\david@outster[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\David\Cookies\david@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\David\Cookies\david@searchportal.information[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\David\Cookies\david@statcounter[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\David\Cookies\david@tucows[2].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\David\Cookies\david@www.seeq[1].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\David\Cookies\david@www47.buydomains[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\David\Cookies\david@www48.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\David\Cookies\david@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\David\Cookies\david@xmts[2].txt
Hacktool:HackTool/EvID Not disinfected C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe
Potentially unwanted tool:Application/Processor Not disinfected Personal Folders\Sent Items\RE: SpyAxe\smitRem.zip[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected Personal Folders\Sent Items\FW: SpyAxe\smitRem.zip[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\david\installation exe\smitRem.exe[Process.exe]
Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Mail Delivery (failure newsgroup@kilmarnockfc.co.uk)\~0000003.~

#5 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,126 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 March 2006 - 05:44 PM

Panda got Exploit/iFrame.

The Potentially unwanted tool:Application/Processor is the smitRem.exe tool (legit), which you can delete if you no longer want to keep it.

C:\WINDOWS\SYSTEM32\AdCache <-- delete this file

Or, if you're using Win XP/2000, download and scan with Ewido Anti-Malware v3.5
Ewido Install and Scan Instructions

Ewido should take care of it and may find other things that Panda did not.

Read this about PowerStrip: http://www3.ca.com/securityadvisor/pest/pe...px?id=453074932

For all the crap in C:\Documents and Settings\David\, download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Edited by quietman7, 15 March 2006 - 05:52 PM.


#6 the doomed
  • Topic Starter
  • Members
  • 52 posts

Posted 15 March 2006 - 07:04 PM

Thank you very much.

#7 the doomed
  • Topic Starter
  • Members
  • 52 posts

Posted 16 March 2006 - 09:15 AM

Ran all the scans mentioned and am down to one error in the registry that is not being fixed:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 14:14:06, 16/03/2006
+ Report-Checksum: A69AB178

+ Scan result:

HKLM\SYSTEM\ControlSet002\Enum\BTHENUM\{00001103-0000-1000-8000-00805f9b34fb}_VID&00010001_PID&1856\7&f009a2&0&000EED59C7DE_C00000001\\ClassGUID -> Adware.WebSearch : Error during cleaning


::Report End

#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,126 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 March 2006 - 09:35 AM

Run the Symantec Adware.Websearch Removal Tool (scroll down the page for link)
http://www.symantec.com/avcenter/venc/data....websearch.html

Look at the manual removal instructions and uninstall any of the programs they have listed via Add/Remove if present on your system.

Instructions for backing up and editing the registry are provided in step 4.

#9 the doomed
  • Topic Starter
  • Members
  • 52 posts

Posted 16 March 2006 - 10:25 AM

Not been found, seemingly!

Ahh well. Cheers.



