I think many will find this interesting, and helpful if this
ever happens to you.  This is what happened to me during a
visit to a website.  It's a bit long, but necessary for all the
details.

I had ALL of the following RUNNING IN THE BACKGROUND:
SpywareGuard, SpywareBlaster, SpySweeper, SpyBot (the newest
version of SpyBot v1.3 that has a new feature that can run in
the system tray for added protection), my hardware firewall,
and of course my software firewall and AV software.  All of a
sudden I got this onslaught of "attacks" where SpywareGuard,
Sygate (firewall), SpySweeper, PCcillin (Trend Micro AV),
SpywareBlaster, and that new version of SpyBot, ALL gave alerts
that my search settings were being changed and my home page
being changed, and about a worm by PCcillin.  The Sygate
warning was about some file trying to be accessed, but there
were so many dozens of alert windows popping up I didn't have
time to read it!  There must have been 50 or 60 alerts in a
matter of 2-3 minutes and I could not exit out of them!  I of
course kept denying all of them, and telling the anti-spyware
programs to deny the changes, and with every denial came
another popup warning.  No harm was done except for rendering
my address bars unusable*.

When I closed all browser windows and ran the anti-spyware
programs, SpyBot only found 2 or 3 things and they were
registry keys regarding browser hijackers.  AdAware found
THIRTEEN pieces of malware.  Most were the criminal parasite
@!#$! at "Cool WWW Search" and some cr-p from e-finder, but
some were p-0-rn links that were ADDED TO MY FAVORITES
FOLDER WITHOUT my knowledge!!  SpySweeper found
nothing (but it did find something several hours earlier that
both AdAware and SpyBot missed, fairly harmless).  Then I
let the programs (all were running at the same time) remove
the malware, but not before I copied all the registry keys and
made a backup of the entire registry, plus I always opt for the
programs to where applicable save backups of what was
removed/changed.

*I thought all was well, but when I typed a URL in my address
bar under the Quick Launch toolbar (I wanted to find out about
e-finder.cc), I got these errors I've never before seen!
http://orpheuscomputing.com/tests/1.gif
http://orpheuscomputing.com/tests/2.gif
http://orpheuscomputing.com/tests/3.gif
Every time I typed or pasted an address in the address bar and
hit [enter] this is what was happening!  Obviously from this I
surmised that some associations somewhere regarding outside
search functions were screwed up.  I realized that the address
bar WOULD work IF and only if the http:// was added first!  It
was then I realized it was a URL prefix issue that had gotten
corrupted.  I searched the registry for anything regarding
prefixes and found a couple of keys.  I then remembered two
tags that SpyBot "fixed", or so I thought.  I went to check
them again and what SpyBot did was REMOVE them completely,
instead of fixing them:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
(something missing here)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://";
"gopher"="gopher://";
"home"="http://";
"mosaic"="http://";
"www"= (something missing here)

Below the first key above (in the right pane of the registry I
should say) should be http:// and that "www" area in the
second key should have http:// after that equal sign, which
would show in the right pane.  I wanted to see if some piece of
software would fix this all on its own, and in some searches
regarding these 7 mysterious files that showed up**, I found
"HijackThis", another anti-spyware program.  It saw those
keys and it did indeed FIX them without me having to re-enter
the correct data again.  So, that's another great program to
use, it's free to download and I suggest you guys try it!  It
really works.
http://www.spychecker.com/program/hijackthis.html

What SpyBot tagged on those keys was "!www" and "http!"
or something like that.  Instead of removing the ! marks (if
that's what it was tagging), or maybe it just added the ! marks
for emphasis and in that case instead of removing the bogus
parts, it removed the whole area at the right pane in the
registry.  So, it's a good idea to always make notes and
backups of EXACTLY what malware SpyBot or any other
anti-spyware program is changing or removing.

**Now, regarding these new files mysteriously added to my
HD... remember that these SEVEN FILES were added to my
HD EVEN WITH ALL of these anti-spyware programs running,
and TWO firewalls!!!  When I realized I had the address bar
problem, I thought I'd better check for any newly added files
on my HD, so I opened the Windows folder and System32
folder and arranged icons by date, so the newest files would
be in one spot at the end of the folder.  In the Windows
folder, I found these files: dllhelp.exe, dlltemp.exe, e.exe,
m.exe, dpe.dll, and msxmidi.exe (of which some sites are
saying it's a vir/us).  All except the dll file were the
default blue and white icons for "applications" or executables.
Right clicking each of them and checking properties gave no
information as to what they were, nor what app used or opened
them.  But they ALL were "created on:" the same day within an
hour of each other, some created at the EXACT same minute and second
during these attacks I mentioned.  So during some searches on
each of these files, I found out all of them are indeed spyware
of some kind (except for e.exe, couldn't find anything on it),
and I also found that something called "IEengine.exe" may be in
my IE folder, and it WAS, and it was also created at the same
time as these other 6 files.  NONE of these files did ANY of
the anti-spyware programs find!  If I had not
investigated the matter further by checking for any new files
added to my HD, these 7 files would still be on my PC.  I had
no references anywhere to "mypoiskovik", not even in the
registry.  Even though some of these files are associated with
that bug, it does not appear to be the actual Mypoiskovik bug.

As for the file called msxmidi.exe, I don't understand why
people are saying "my Norton AV identified it as a vir/us".  I
ran the vir/us scan at Norton's website, and it didn't see it
and that's what people were using to identify it as a vir/us!
(What is strange is Norton DID find 3 "vir/uses" on my PC,
but I put them there.  They were "exploits" and not vir/uses.
What's great about this is they were only TEXT FILES and
NAV still identified them!  That's pretty good.  What these
files are is some code I keep in Notepad files that I execute
on every new Windows install to make sure they can't run.
They are harmless, but they COULD be very bad if designed
to run a bad code.  What I made will only execute the Windows
calculator when you click the .html file.  You put the code in
a Notepad file, then rename the extension to .htm or .html,
and click the file and see if the calculator is launched.  It's
a similar thing here on one of the following pages:
http://browsercheck.qualys.com/  I think XP by default
is protected against that).

Ok, so I then went to XP's Native search and searched for all
files created on this day, and was sure to go to "folder
options" first and check/uncheck boxes to show hidden files and
show "protected operating system files" as well.  I went
through the entire results list and didn't find any more files
created on this day of which I did not know the origin.  So,
apparently it was "only" these 7 files that were added.

It's OBVIOUS that having every anti-malware program you can
find and even having them running in the background is NOT
enough to protect you, and additionally, running the programs
to find malware is STILL not enough to protect you!  They can,
and DO make changes that (like SpyBot did) can mess up your PC
if you don't make notes of the changes, and in the case of all
of them miss these 7 executable files.

I could have run XP's restore function, or run the undo/restore
feature of SpyBot, or run my backup of XP's "Files and Settings
Transfer Wizard" ("settings only"), any of which would
have probably fixed the URL prefix issue, and I would have done
that if I had not been able to find out the cause.  But,
I wanted to find out the cause, and none of these would have
identified nor removed the 7 executables.

From this I think it's safe to say that when you get infected
with any kind of malware, it's a good idea to try what I did.
Search for any files that were recently created that you are
not familiar with (if they are not obvious, like your AV
software updates or the like); you have to use the
"advanced" search options of Windows to do this.  Then put
the file name(s) you may find in any search engine to find
out about them.  And always be sure you don't totally
delete anything that the anti-malware programs find; only
quarantine them and make notes of exactly what they are
doing.  Also, if anyone ever has this address bars issue that I
had, check those registry keys.
-Clint

God Bless
Clint Hamilton, Owner
http://OrpheusComputing.com
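The two checks described in the post above (the URL prefix registry keys and the search for newly created files under the Windows folder), as an added PowerShell example that is not part of Clint's message. It assumes the expected values are exactly the ones he lists (the unnamed default value of DefaultPrefix is http://, plus the five Prefixes entries), that the 24-hour file window is an arbitrary starting point, and that the shell is elevated when -Repair is used.

```powershell
param([switch]$Repair)

$Base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL'
# Expected contents, taken from the values the post lists
$Expected = @{
    'DefaultPrefix' = @{ '(default)' = 'http://' }
    'Prefixes'      = @{ 'ftp' = 'ftp://'; 'gopher' = 'gopher://'; 'home' = 'http://';
                         'mosaic' = 'http://'; 'www' = 'http://' }
}

function Test-UrlPrefixKeys {
    $findings = @()
    foreach ($sub in $Expected.Keys) {
        $path = Join-Path $Base $sub
        if (-not (Test-Path -LiteralPath $path)) { $findings += "MISSING KEY: $path"; continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $Expected[$sub].Keys) {
            $want = $Expected[$sub][$name]
            # RegistryKey.GetValue('') reads the unnamed (default) value
            $have = $key.GetValue($(if ($name -eq '(default)') { '' } else { $name }))
            if ($null -eq $have) {
                $findings += "MISSING VALUE: $path [$name] expected '$want'"
            } elseif ($have -ne $want) {
                # A hijacker rewrites these so that 'www.x' is resolved through its own site
                $findings += "ALTERED VALUE: $path [$name] = '$have' expected '$want'"
            }
            # Export the key (reg export ...) before letting this write to HKLM
            if ($Repair -and $have -ne $want) { Set-ItemProperty -LiteralPath $path -Name $name -Value $want }
        }
        # Value names outside the stock set; a hijacker may add its own
        $extras = $key.GetValueNames() | Where-Object { $_ -and -not $Expected[$sub].ContainsKey($_) }
        foreach ($extra in $extras) { $findings += "UNEXPECTED VALUE: $path [$extra] = '$($key.GetValue($extra))'" }
    }
    return $findings
}

# Files created recently under %windir% and System32, the check that turned up
# dllhelp.exe and the others; the 24-hour window is an assumed default
function Get-RecentSystemFiles([int]$HoursBack = 24) {
    $since = (Get-Date).AddHours(-$HoursBack)
    Get-ChildItem -LiteralPath $env:windir, "$env:windir\System32" -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since } |
        Sort-Object CreationTime |
        Select-Object FullName, CreationTime, Length
}

$result = @(Test-UrlPrefixKeys)
if ($result.Count -eq 0) { 'URL prefix keys look intact.' } else { $result }
Get-RecentSystemFiles | Format-Table -AutoSize
```

Any file the second list shows that you cannot account for is a candidate for the search-engine lookup the post recommends, not for deletion on sight.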
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
