IE6 infected

Discussion in 'Computer Security' started by Eric, Oct 22, 2004.

  1. Eric

    Eric Guest

    I use free versions of ZoneAlarm for firewall & AVG 6.0.779 for anti-virus
    checking. ZoneAlarm is set to automatically check for updates. Updating AVG
    is usually the first thing I do every time I go online. I also automatically
    check for & immediately install updates to IE6, Win 98 & other Microsoft
    products.

    My PC seems to have some sort of infection. Web pages I view with IE6 appear
    to have JavaScript inserted. This script is not actually in those web
    pages & when I use a non-Microsoft browser I can see them as they should be.
    This problem does not manifest itself when I create a web page myself and
    examine it on my hard drive. However, once that page is placed in my webspace
    the JavaScript problem manifests itself (see example below: first original
    file, then file with inserted JavaScript).

    I have tried doing a free PestScan offered by ZoneLabs, but it just opens a
    blank IE window. It doesn't seem to do anything.

    Someone suggested using "HijackThis" but the blurb for this says it's
    "Intended for advanced users". I don't think I know enough to use it. Can
    anyone suggest a course of action which doesn't involve spending money on
    new software or reformatting my disc & re-installing the operating system?

    ----------------------------------------------------------------------------
    <?xml version="1.0" encoding="utf-8"?>
    <?xml-stylesheet type="text/css" href="standard.css" ?>

    <!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>

    <title>Testing NTL webspace</title>
    </head>
    <body>
    <div class="footer">
    <p>
    <a href="http://validator.w3.org/check?uri=referer"><img
    src="vxhtml-basic10.png"
    alt="Valid XHTML Basic 1.0!"
    height="31"
    width="88" /></a>
    Testing!!!!!!!
    </p>
    </div>

    </body>
    </html>

    ----------------------------------------------------------------------------
    <?xml version="1.0" encoding="utf-8"?>
    <?xml-stylesheet type="text/css" href="standard.css" ?>

    <!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>

    <title>Testing NTL webspace</title>


    <script language='javascript'
    src='http://127.0.0.1:1025/js.cgi?pcaw&r=21726'></script>

    </head>
    <body>
    <div class="footer">
    <p>
    <a href="http://validator.w3.org/check?uri=referer">
    </a>
    Testing!!!!!!!
    </p>
    </div>

    </body>
    </html>

    <script language='javascript'>postamble();</script>











    IE6 Infected
     
    Eric, Oct 22, 2004
    #1

  2. Eric

    Jan Il Guest

    Hi Eric :)

    There are several types of warez that can also infect your system other than
    a virus. Actually, the most common types are hijackers, malware and
    parasites, all of which can cause a variety of problems. If you have more
    than one of these types, you may have a series of problems. Most anti-virus
    programs can not detect these types of warez as they don't have those types
    of definitions.

    The warning for the HiJackThis as being meant to be used by advanced users,
    does not mean that you have to be an expert to *use* it, but, as it can deal
    with removing files in the Registry, and if you really are not sure what
    files are what, then it is best to have it analyzed by an expert at one of
    the forums that will do this for you and can make recommendations for the
    proper corrections needed, if any, and the proper procedures to do so
    without compromising your system. Running the program to create the log for
    the experts to analyze is not at all difficult, so there is no need to tarry
    to use it.

    I have provided the link of a few forums that have experts to analyze the
    HJT logs for you and provide instructions to make any necessary corrections.
    They will see you through the process and make sure your system is fully
    clean. You should also download the other programs, such as AdAware SE,
    SpyBot S&D and CWShredder, to make sure your system is free of any malware,
    spyware, adware and parasites as well. Below is information to obtain the
    proper programs and instructions for scanning your system for the various
    warez.

    Although you may have already run one or more of the programs, please do so
    again according to the instructions below. Some variants of malware can
    replicate themselves over and over if not removed properly. Please follow
    all instructions carefully to be sure your system is thoroughly cleaned:

    Dealing with Unwanted Spyware and Parasites:
    http://mvps.org/winhelp2002/unwanted.htm
    Be sure to run CWShredder, Ad-aware and Spybot.
    Also be sure to use the HijackThis. Please do not post your log to this
    newsgroup, but to the SpywareInfo or the Aumha HiJackThis forums
    http://forum.aumha.org/viewforum.php?f=30, to allow the experts there to
    evaluate your log and advise you of the necessary steps to clean your
    system.

    AdAware SE: Free
    http://www.lavasoft.de/software/adaware/

    New CWShredder version: Free
    http://www.intermute.com/spysubtract/cwshredder_download.html

    CAUTION!!!!! Before you try to remove spyware using any of the programs
    below, download a copy of LSPFIX from any of the following sites:
    http://www.cexx.org/lspfix.htm
    http://www.spychecker.com/program/winsockxpfix.html
    (if your OS is Win2k or XP) The process of removing certain malware may kill
    your internet connection. If this should occur, this program, LSPFIX, will
    enable you to regain your connection.

    Also, get a copy of WINSOCKXPFIX available at:
    http://www.spychecker.com/program/winsockxpfix.html
    and
    WinsockXP Fix- WinXP
    http://www.spychecker.com/program/winsockxpfix.html
    Also, with instructions, at
    http://www.iup.edu/house/resnet/winfix.shtm
    also
    From LavaSoft- all versions of Windows-
    http://digital-solutions.co.uk/lavasoft/whndnfix.zip
    also ....
    (NOTE: It is reported that in XP SP2, the command netsh winsock reset
    will fix this problem without the need for these programs.)

    or ........

    Winsock Fix Utility
    http://www.dfwonline.net/files/WinsockFix.zip

    Also.........

    Courtesy of Jim Byrd -

    Download Sysclean.com, from Trend Micro, here:
    http://www.trendmicro.com/download/dcs.asp along with the latest pattern
    file, here:
    http://www.trendmicro.com/download/pattern.asp
    Be sure to read the "How-to" info here:
    http://www.trendmicro.com/ftp/products/tsc/readme.txt
    You might also want to get Art's updater, SYS-UP.Zip, here for future
    updating of these: http://home.epix.net/~artnpeg/.
    (If you download and use the updater from the beginning, it will
    automatically handle downloading the other files. Place them in a dedicated
    folder after appropriate unzipping, and then run. This scan may take a long
    time, as Sysclean is VERY extensive and thorough.)

    and......

    NOTE: If you can not download these programs from the Internet, if your PC
    has CD read capabilities, go to another computer with CD-ROM burning
    capabilities. Create a folder on the hard drive of the other computer called
    HOLD, download the programs to that folder, then burn that folder to a CD.
    Copy the HOLD folder to your HD and then install the programs from there
    and run them. After you have IE access again, update all programs where
    possible to get the latest definitions and run them again in Safe Mode to be
    sure there are no lingering items on the system.

    If these steps do not resolve your problem, please post back to this thread
    with the details and any error messages.

    Hope this helps

    Jan :)
    Smiles are meant to be shared,
    that's why they're so contagious.

    Please reply to the newsgroup so others may benefit.
    Replies are posted only to the newsgroup for the benefit of other readers.

    How to make a good newsgroup post:
    http://www.dts-l.org/goodpost.htm
     
    Jan Il, Oct 22, 2004
    #2

  3. 1) Download the following three items...

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend signature files.
    http://www.trendmicro.com/download/pattern.asp

    Adaware SE (personal free version)
    http://www.lavasoftusa.com/

    Create a directory.
    On drive "C:\"
    (e.g., "c:\New Folder")
    or the desktop
    (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

    Download sysclean.com and place it in that directory.
    Download the signature files (pattern files) by obtaining the ZIP file.
    For example; lpt210.zip

    Extract the contents of the ZIP file and place the contents in the same directory as
    sysclean.com.

    2) Update Adaware with the latest definitions.
    3) If you are using WinME or WinXP, disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    4) Reboot your PC into Safe Mode
    5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
    platform and clean/delete any infectors/parasites found.
    (a few cycles may be needed)
    6) Restart your PC and perform a "final" Full Scan of your platform using both the
    Trend Sysclean utility and Adaware
    7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
    System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).
    8) Reboot your PC.
    9) If you are using WinME or WinXP, create a new Restore point

    You can also try some of the below online scanners.

    Trend:
    http://housecall.antivirus.com
    http://housecall.trendmicro.com

    F-Secure:
    http://support.f-secure.com/enu/home/ols.shtml

    McAfee:
    http://www.mcafee.com/myapps/mfs/default.asp

    Panda:
    http://www.pandasoftware.com/activescan/

    Kaspersky:
    http://www.kaspersky.com/de/scanforvirus

    Symantec:
    http://security.symantec.com/

    BitDefender
    http://www.bitdefender.com/scan/license.php

    Freedom Online scanner
    http://www.freedom.net/viruscenter/index.html

    * * * Please report your results ! * * *

    Dave
     
    David H. Lipman, Oct 22, 2004
    #3
  4. Eric

    Robin T Cox Guest

    Robin T Cox, Oct 23, 2004
    #4
  5. Eric

    ... et al. Guest

    Eric wrote:

    > I use free versions of ZoneAlarm for firewall & AVG 6.0.779 for anti-virus
    > checking. ZoneAlarm is set to automatically check for updates. Updating AVG




    >
    > My PC seems to have some sort of infection. Web pages I view with IE6 appear
    > to have JavaScript inserted. This script is not actually in those web
    > pages & when I use a non-Microsoft browser I can see them as they should be,
    > This problem does not manifest itself when I create a web page myself and
    > examine it on my hard drive. However once that page is placed in my webspace
    > the Javascript problem manifests itself (see example below: first original
    > file, then file with inserted Javascript).
    >


    Added code in the <head> section...

    > <script language='javascript'
    > src='http://127.0.0.1:1025/js.cgi?pcaw&r=21726'></script>


    and after the </html>

    > <script language='javascript'>postamble();</script>


    Incidentally I just came across this when sorting out some
    duplicates of various webpages I have saved to my hard disk drive.

    It was in pages saved during a few days in January. At that time
    I had reloaded Windows and was, from memory, possibly using the
    combination of Internet Explorer, ZoneAlarm Pro-Trial with
    Popup-blocker activated.

    But, I had also comment-code added before the two insertions:
    <!-- ZoneLabs Privacy Insertion -->
    and
    <!-- ZoneLabs Popup Blocking Insertion -->

    see also <http://forums.devshed.com/archive/t-77135> for another
    example of the same.

    Now I use ZoneAlarm free (containing no inherent popup blocker) and
    Mozilla Firefox (containing a popup blocker) and the insertions
    are not there anymore.

    The strange thing is you saying that you are using ZoneAlarm free,
    and still have the code insertions ...

    --
    Please followup in newsgroup.
    E-mail address is invalid due to spam-control.
     
    ... et al., Oct 24, 2004
    #5
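
Added example, not part of any post in this thread: a check that compares a page as authored with the copy the browser received and lists the script elements and comments that exist only in the received copy, flagging scripts loaded from a loopback address like the `127.0.0.1:1025` one quoted above. The function names are hypothetical; the sample pages are shortened from the first post, and the marked variant is constructed from the two comment strings quoted in post #5.

```python
# Added example (not from the thread): list <script> elements that exist only in
# the copy of a page the browser received, and flag those loaded from loopback.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Records every <script> (src, inline body) and every HTML comment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = []
        self.comments = []
        self._current = None  # [src, inline text] while inside a <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = [dict(attrs).get("src"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append((self._current[0], self._current[1].strip()))
            self._current = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def collect(html_text):
    """Parse one page and return the collector holding its scripts and comments."""
    parser = ScriptCollector()
    parser.feed(html_text)
    parser.close()
    return parser


def is_loopback(url):
    """True when the URL's host is localhost or a loopback IP such as 127.0.0.1."""
    host = urlsplit(url).hostname
    if not host:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name other than localhost


def injected(original_html, received_html):
    """Return (scripts, comments) present in received_html but not in original_html."""
    orig, recv = collect(original_html), collect(received_html)
    known = list(orig.scripts)
    scripts = []
    for src, body in recv.scripts:
        if (src, body) in known:
            known.remove((src, body))  # the page's own script, matched once
            continue
        scripts.append({"src": src, "inline": body,
                        "loopback": bool(src) and is_loopback(src)})
    comments = [c for c in recv.comments if c not in orig.comments]
    return scripts, comments


# Sample input: the two pages from the first post, shortened to the relevant markup.
ORIGINAL = """<html><head>
<title>Testing NTL webspace</title>
</head><body><p>Testing!!!!!!!</p></body></html>
"""
RECEIVED = """<html><head>
<title>Testing NTL webspace</title>
<script language='javascript'
src='http://127.0.0.1:1025/js.cgi?pcaw&r=21726'></script>
</head><body><p>Testing!!!!!!!</p></body></html>
<script language='javascript'>postamble();</script>
"""
# Constructed variant: the same page with the marker comments quoted in post #5.
RECEIVED_MARKED = RECEIVED.replace(
    "<script language='javascript'\n",
    "<!-- ZoneLabs Privacy Insertion -->\n<script language='javascript'\n",
).replace(
    "<script language='javascript'>postamble",
    "<!-- ZoneLabs Popup Blocking Insertion -->\n<script language='javascript'>postamble",
)

if __name__ == "__main__":
    for label, page in (("as posted", RECEIVED), ("with markers", RECEIVED_MARKED)):
        found, notes = injected(ORIGINAL, page)
        print(label, found, notes)
```

A script source on a loopback address means the markup was added by software on the viewing PC, not by the web server, which matches the page looking normal in a second browser.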
  6. Eric

    ... et al. Guest

    .... et al. wrote:
    > The strange thing is you saying that you are using ZoneAlarm free, and
    > still have the code insertions ...
    >


    Explanation.
    You are using some popup-blocking program that uses the same
    technique as ZoneAlarm, but does not identify itself in the
    inserted code.
    Right?

    --
    Please followup in newsgroup.
    E-mail address is invalid due to spam-control.
     
    ... et al., Oct 24, 2004
    #6
  7. Eric

    Eric Guest

    "... et al." <> wrote in message
    news:i%Sed.107252$...
    > Explanation.
    > You are using some popup-blocking program that uses the same
    > technique as ZoneAlarm, but does not identify itself in the
    > inserted code.
    > Right?
    >


    No, but I did recently have a free trial of the ZoneAlarm Pro version. This is
    supposed to have uninstalled itself but maybe that is the origin of my
    problem.
     
    Eric, Oct 25, 2004
    #7
  8. Eric

    Eric Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:%231hCJ$...
    > 1) Download the following three items...
    >
    > Trend Sysclean Package
    > http://www.trendmicro.com/download/dcs.asp
    >


    Trend give a MD5 checksum for this download. They don't tell you how to use
    it, but I found some instructions at
    http://www.openoffice.org/dev_docs/using_md5sums.html. Unfortunately, these
    tell you how to verify the checksum for a zip file. What is downloaded is
    not a zip file, so how can I verify the checksum?
     
    Eric, Nov 7, 2004
    #8
  9. That's right !

    This is a self-extracting EXE file that was renamed to a COM file.
    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    This is a ZIP file and it is now at revision 2.238.

    Latest Trend signature files.
    http://www.trendmicro.com/download/pattern.asp

    Dave
     
    David H. Lipman, Nov 7, 2004
    #9
  10. Eric

    nemo outis Guest

    In article <8Itjd.181$>, "Eric" <> wrote:
    >"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    >news:%231hCJ$...
    >> 1) Download the following three items...
    >>
    >> Trend Sysclean Package
    >> http://www.trendmicro.com/download/dcs.asp
    >>

    >
    >Trend give a MD5 checksum for this download. They don't tell you how to use
    >it, but I found some instructions at
    >http://www.openoffice.org/dev_docs/using_md5sums.html. Unfortunately, these
    >tell you how to verify the checksum for a zip file. What is downloaded is
    >not a zip file, so how can I verify the checksum?



    There are a zillion hash-checking programs out there (md5, sha
    family, ripemd, etc.) - many of them free. I prefer the ones
    that will recurse through subdirectories as this lets you
    validate whole chunks of your system against tampering, is the
    very best way to compare/synch directories, etc.

    Some names:

    fsum
    iside
    md5sum
    md5deep
    filecheckmd5
    winmd5

    If you google you'll find these and many more.

    Regards,
     
    nemo outis, Nov 7, 2004
    #10
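
Added example, not part of any post in this thread: a digest is computed over a file's raw bytes, so the same check works for a `.COM`, `.EXE` or `.ZIP` download, and the recursive variant mentioned in post #10 is a manifest of digests over a directory tree. The function names are hypothetical and the file written in the demo is a constructed stand-in, not a real download.

```python
# Added example (not from the thread): hash any downloaded file and compare it
# with the vendor's published value, then hash a whole directory tree.
import hashlib
import hmac
import os


def file_digest(path, algorithm="md5", chunk_size=1 << 16):
    """Hex digest of a file's raw bytes; the file type or extension is irrelevant."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(path, published_hex, algorithm="md5"):
    """Compare against a published digest, ignoring case and surrounding spaces."""
    expected = published_hex.strip().lower()
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def tree_manifest(root, algorithm="sha256"):
    """Map each file's path (relative to root) to its digest, recursing into subdirectories."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full, algorithm)
    return manifest


def compare_manifests(baseline, current):
    """Report files added, removed or changed since the baseline manifest."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as folder:
        # Constructed stand-in for a download: three bytes whose MD5 is well known.
        sample = os.path.join(folder, "download.com")
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        print(file_digest(sample))
        print(matches_published(sample, "900150983CD24FB0D6963F7D28E17F72"))
        print(tree_manifest(folder))
```

A match only shows that the file equals the one the published value was computed from, so the value has to come from the vendor's own page and not from the place the file was downloaded.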
  11. Eric

    Eric Guest

    Does that mean I should use the given checksum to check the pattern file
    rather than the .COM file?
     
    Eric, Nov 8, 2004
    #11
  12. I'm not going to say one or the other. Just download the .COM and ZIP files, and follow the
    directions I provided.

    Dave
     
    David H. Lipman, Nov 8, 2004
    #12
  13. Eric

    nemo outis Guest

    In article <GWMjd.133$%>, "Eric" <> wrote:
    >Does that mean I should use the given checksum to check the pattern file
    >rather than the .COM file?


    Checksums are easily forgeable (they're linear in the
    coefficients). MD5, SHA-* or RIPEMD are better choices.

    Regards,
     
    nemo outis, Nov 9, 2004
    #13
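
Added example, not part of any post in this thread: the linearity mentioned in post #13, shown for a byte-sum checksum and for CRC-32, next to MD5 where the same relation does not hold. The function names and the three equal-length sample strings are constructed for the demonstration.

```python
# Added example (not from the thread): linear check values versus a cryptographic hash.
import hashlib
import zlib


def xor_bytes(*blocks):
    """Byte-wise XOR of equal-length byte strings."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("blocks must have equal length")
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, value in enumerate(block):
            out[i] ^= value
    return bytes(out)


def additive_checksum(data):
    """16-bit sum of bytes: reordering the bytes never changes it."""
    return sum(data) & 0xFFFF


def crc32_xor_relation_holds(a, b, c):
    """CRC-32 is affine over GF(2): crc(a^b^c) == crc(a) ^ crc(b) ^ crc(c)."""
    return zlib.crc32(xor_bytes(a, b, c)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def md5_xor_relation_holds(a, b, c):
    """The same relation tested on MD5 digests; a hash is built so it fails."""
    combined = hashlib.md5(xor_bytes(a, b, c)).digest()
    predicted = xor_bytes(*(hashlib.md5(x).digest() for x in (a, b, c)))
    return combined == predicted


# Constructed sample inputs, all 16 bytes long.
SAMPLE_A = b"pattern file v1 "
SAMPLE_B = b"pattern file v2 "
SAMPLE_C = b"unrelated bytes!"

if __name__ == "__main__":
    print(additive_checksum(b"clean file") == additive_checksum(b"file clean"))
    print(crc32_xor_relation_holds(SAMPLE_A, SAMPLE_B, SAMPLE_C))
    print(md5_xor_relation_holds(SAMPLE_A, SAMPLE_B, SAMPLE_C))
```

Because the CRC of a combined input follows algebraically from the CRCs of its parts, a CRC catches accidental corruption but gives no assurance against deliberate modification.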
  14. Eric

    Eric Guest

    I've run Sysclean & Adaware SE. Neither seems to have found the source of my
    problem. Running Sysclean in Safe mode seems to cause problems.

    Details below.


    WinPatrol says I have a browser object called Related.htm. I can't find any
    info on this in the list of known browser objects at
    http://www.sysinfo.org/bholist.php. It has also twice reported that the
    file associations for .CAB have changed, but doesn't specify what's changed
    it.

    Downloaded Adaware & Sysclean.com. Ran MD5 checksum verification on
    Sysclean.com - checksums matched. Unzipped sysclean, downloaded latest
    pattern file, unzipped it & copied lpt$vpn.246 to the same folder as
    Sysclean.exe. Rebooted while holding down F8. During boot up sequence got
    the message:

    CMOS/GPNV Checksum bad!

    Continued & started up in Safe Mode. Ran Sysclean by double-clicking on
    Sysclean.exe in Windows explorer. Twice (before & after starting Sysclean)
    got a message saying "If you run a text-based program in safe mode, you
    risk corruption of the video display or experiencing other anomalies...".
    Closed all other applications before starting scan with automatic
    clean/delete of infected files. Sysclean ran
    for about 25 minutes before a message came up saying vscantn (might be wrong
    spelling, I forgot to write it down) had performed an illegal operation &
    would be shut down. This happened while it was scanning the root directory
    (C:*.*). Had to use button on the PC casing to perform a hardware shut down.
    While rebooting held down F8 again & again got the message:

    CMOS/GPNV Checksum bad!

    Also, mouse was not detected.

    Again continued & started in Safe mode. Mouse not working.

    Scandisk log said "Log file generated at 06:10PM on Friday, January 04,
    1980....There was one lost cluster."

    Sysclean.log was empty.
    TSCDebug.log said "Debug Information Level=0"

    Ran Sysclean as before. After about 30 minutes got windows message saying
    Pstores had performed an illegal operation & would be shut down. When I
    closed that, got the same message for vscantm. Sysclean finished & produced
    a log, but when I exited I saw a Windows message saying Sysclean had
    performed an illegal operation.

    TSCDebug.log said "Debug Information Level=0"

    SYSCLEAN.log was as follows:

    /--------------------------------------------------------------\
    | Trend Micro Sysclean Package |
    | Copyright 2002, Trend Micro, Inc. |
    | http://www.trendmicro.com |
    \--------------------------------------------------------------/


    1980-01-04, 18:37:24, Auto-clean mode specified.
    1980-01-04, 18:37:24, Running scanner "C:\MY
    DOCUMENTS\SECURITY\TSC.BIN"...
    1980-01-04, 18:42:09, Scanner "C:\MY DOCUMENTS\SECURITY\TSC.BIN" has
    finished running.
    1980-01-04, 18:42:09, TSC Log:

    Damage Cleanup Engine (DCE) 3.6(Build 1120)
    Windows 98

    Start time : Fri Jan 04 1980 18:41:37

    Load Damage Cleanup Template (DCT) "C:\MY DOCUMENTS\SECURITY\tsc.ptn"
    (version 449) [success]

    Complete time : Fri Jan 04 1980 18:42:09
    Execute pattern count(1391), Virus found count(0), Virus clean count(0),
    Clean failed count(0)

    1980-01-04, 18:46:08, An error occurred while scanning file
    "C:\WINDOWS\WIN386.SWP": Access is denied.
    1980-01-04, 19:12:29, Running scanner "C:\MY
    DOCUMENTS\SECURITY\VSCANTM.BIN"...
    1980-01-04, 19:13:07, Files Detected:
    1980-01-04, 19:13:07, Files Clean:
    1980-01-04, 19:13:07, Clean Fail:
    1980-01-04, 19:13:07, Scanner "C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN" has
    finished running.
    --------------------------- end of SYSCLEAN.log ------------------------

    Booted up in normal mode. No checksum problem reported during boot-up
    sequence. Stopped anti-virus, firewall & other windows applications. Ran
    Sysclean. No illegal operation errors reported. Log file seems to have
    appended new report to old one. My system time needs to be reset, but
    Sysclean only detected one virus, in an email attachment I already
    suspected. However, it was unable to scan my swop file & reported an error.
    New report as follows:
    /--------------------------------------------------------------\
    | Trend Micro Sysclean Package |
    | Copyright 2002, Trend Micro, Inc. |
    | http://www.trendmicro.com |
    \--------------------------------------------------------------/


    1980-01-04, 13:49:02, Auto-clean mode specified.
    1980-01-04, 13:49:02, Running scanner "C:\MY
    DOCUMENTS\SECURITY\TSC.BIN"...
    1980-01-04, 13:49:54, Scanner "C:\MY DOCUMENTS\SECURITY\TSC.BIN" has
    finished running.
    1980-01-04, 13:49:54, TSC Log:

    Damage Cleanup Engine (DCE) 3.6(Build 1120)
    Windows 98

    Start time : Fri Jan 04 1980 13:49:02

    Load Damage Cleanup Template (DCT) "C:\MY DOCUMENTS\SECURITY\tsc.ptn"
    (version 449) [success]

    Complete time : Fri Jan 04 1980 13:49:54
    Execute pattern count(1391), Virus found count(0), Virus clean count(0),
    Clean failed count(0)

    1980-01-04, 13:49:56, An error occurred while scanning file
    "C:\WIN386.SWP": Access is denied.
    1980-01-04, 14:12:13, Running scanner "C:\MY
    DOCUMENTS\SECURITY\VSCANTM.BIN"...
    1980-01-04, 14:44:59, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/4/1980 14:12:15
    VSAPI Engine Version : 7.000-1004
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 246 (75549 Patterns) (2004/11/11) (224600)
    Command Line: C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN /NBPM /S /CLEANALL
    /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\MY
    DOCUMENTS\SECURITY

    23338 files have been read.
    23338 files have been checked.
    15902 files have been scanned.
    54484 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 2 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/4/1980 14:44:58
    ---------*---------*---------*---------*---------*---------*---------*------
    ---*
    1980-01-04, 14:44:59, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/4/1980 14:12:15
    VSAPI Engine Version : 7.000-1004
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 246 (75549 Patterns) (2004/11/11) (224600)
    Command Line: C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN /NBPM /S /CLEANALL
    /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\MY
    DOCUMENTS\SECURITY

    Success Clean [ WORM_NETSKY.P]( 1) from C:\My Documents\Hacker
    details\possible email with virus 1.txt,(message.scr)
    23338 files have been read.
    23338 files have been checked.
    15902 files have been scanned.
    54484 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 2 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/4/1980 14:44:58 32 minutes 39 seconds (1959.14 seconds) has
    elapsed.

    ---------*---------*---------*---------*---------*---------*---------*------
    ---*
    1980-01-04, 14:44:59, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/4/1980 14:12:15
    VSAPI Engine Version : 7.000-1004
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 246 (75549 Patterns) (2004/11/11) (224600)
    Command Line: C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN /NBPM /S /CLEANALL
    /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\MY
    DOCUMENTS\SECURITY

    23338 files have been read.
    23338 files have been checked.
    15902 files have been scanned.
    54484 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 2 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/4/1980 14:44:58 32 minutes 39 seconds (1959.14 seconds) has
    elapsed.

    ---------*---------*---------*---------*---------*---------*---------*------
    ---*
    1980-01-04, 14:44:59, Scanner "C:\MY DOCUMENTS\SECURITY\VSCANTM.BIN" has
    finished running.

    --------------------------- end of SYSCLEAN.log ------------------------

    Ran a complete scan of system using up to date AVG. No viruses found.

    Ran Adaware SE. It found 9 critical objects, all tagged "Alexa", which it
    says are low threat.
     
    Eric, Nov 19, 2004
    #14