HTML/Crypted.Gen Virus: [Windows XP]

Prev: System Restore question.
Next: Format with Recovery console

From: Navyguy on 15 Apr 2010 02:43

On Apr 14, 7:38 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
wrote:
> From: "Navyguy" <maginee...(a)yahoo.com>
>
> | I have a Dell Dimension 8200 with Windows Firewall, Avira antivirus,
> | Spybot and Hive Cleanup and all the programs work well together and
> | are up to date. However, my computer recently became infected with a
> | HTML/Crypted.Gen virus.
>
> |http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_...
>
> | I ran Avira and Spybot and thought that it had corrected to problem
> | but today when I logged on I had the same virus alert. I would
> | appreciate any thoughts/suggestions on how to remove this virus from
> | my computer.
>
> It is not a virus and you can't get infected by it. However if the script it represents
> its successfully executed it may lead to the installation of some other malware.
>
> What this is is a generic detection for a cryptic HTML script.
>
> If you got alerted on it then Avira AntiVir did its job and blocked the malicious code in
> the HTML script.
>
> Perform a full scan of your system using AntoVir to make sure the script is not in a
> cache somewhere.
>
> --
> Davehttp://www.claymania.com/removal-trojan-adware.html
> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp

I've already run Avria and Spybot and thought it had corrected the
problem but I guess it didn't since I got the same message agai today
with the same virus.

This is the infected file: Documents and Settings\user name\Local
Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
101.jsw

I tried looking for this file in the system but I can't seem to find
it under Documents and Settings.

Thanks,
Robert

From: David H. Lipman on 15 Apr 2010 06:11

From: "Navyguy" <magineer02(a)yahoo.com>

| I've already run Avria and Spybot and thought it had corrected the
| problem but I guess it didn't since I got the same message agai today
| with the same virus.

| This is the infected file: Documents and Settings\user name\Local
| Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
| 101.jsw

| I tried looking for this file in the system but I can't seem to find
| it under Documents and Settings.

Again -- It is NOT a virus !

That is your IE Teemp Internet Files cache or TIF.

Go to IE --> Tools --> Internet Options
Delete all files in the cache and set the cache to be no larger than 50MB.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: Navyguy on 16 Apr 2010 00:31

On Apr 15, 3:11 am, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
wrote:
> From: "Navyguy" <maginee...(a)yahoo.com>
>
> | I've already run Avria and Spybot and thought it had corrected the
> | problem but I guess it didn't since I got the same message agai today
> | with the same virus.
>
> | This is the infected file: Documents and Settings\user name\Local
> | Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
> | 101.jsw
>
> | I tried looking for this file in the system but I can't seem to find
> | it under Documents and Settings.
>
> Again -- It is NOT a virus !
>
> That is your IE Teemp Internet Files cache or TIF.
>
> Go to IE --> Tools --> Internet Options
> Delete all files in the cache and set the cache to be no larger than 50MB..
>
> --
> Davehttp://www.claymania.com/removal-trojan-adware.html
> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp

Hello Dave,
Although the file in question isn't a virus it managed to 'infect' my
administrator's account's Internet temporary files as well as my User
account. I was under the impression that when using a User
account(which is what I use to surf the Internet) that the
Administrator account (Internet temporary files) are separate?

In any case I deleted all the files in both accounts in the Internet
temporary files folder. However with regards to the User account there
were (8) files it wouldn't let me delete ending with:

Cookie: Username @ c.msn
Cookie: Username @ bing
Cookie: Username @ Windows Marketing Plan
Cookie: Username @ c.Live
Cookie: Username @ atdmt
Cookie: Username @ MSN
Cookie: Username @ aplshuffle

Yet after I deleted all the files I went back to check and each time I
look there's more files to delete. Maybe I didn't get them all but
when I was doing this there were no other files that I saw to delete?

Lastly, the good news is that so far the annoying and apprehensive
alert for the last two days hasn't popped up. Hopefully this has
corrected the problem.

Thanks,

Robert

From: Navyguy on 16 Apr 2010 03:47

From: David H. Lipman on 16 Apr 2010 06:21

From: "Navyguy" <magineer02(a)yahoo.com>

| Hi Dave,

| Ok the User account seems to be alright but my Administartot account
| is infected with this non-virus. I have deleted all the Temporary
| Internet files and changed the disk spaced used to 50 yet every time I
| restart the computer and login as the Administrator the same infected
| file pops up. I only use the Administrator account to update my
| computer so I'm baffled how my Administartor account became corrupted?

| I'd appreciate any help or advice to remove this.

| Thanks,
| Robert

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

First | Prev | Next | Last
Pages: 1 2 3 4
Prev: System Restore question.
Next: Format with Recovery console