Microsoft Internet Explorer

Warning! W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected comupter.
The warning was made to look like it came from an antivirus program, but it doesn't mention any specific infected file, nor which files are placed in %Windir%, nor which registry values are created under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Note, I did not misspell "machine" in HKEY_LOCAL_MNACHINE in the warning window. It actually appeared as "mnachine" in the warning window.
Behind that window was the Internet Explorer window. It had opened to http://aprotectservice.com/, with a window title of "Security Center". On the left side of that window, under "Official Parners", was a list of "security" products, as shown below. I would definitely recommend that none of the products listed below in the "Official Partners" section be used.
Official Partners

Product | Site | Notes
---|---|---
SpyCrush | spycrush.com | aggressive, deceptive advertising (1, 2); same app as SpyDawn, SpyHeal, SpywareQuake, VirusBurst, & VirusBursters [A: 3-7-07 / U: 3-7-07]
Brave Sentry | bravesentry.com | aggressive advertising, desktop hijacking (1, 2); false positives work as goad to purchase; inadequate scan reporting; same app as DIARemover, MalwareAlarm, Mr.AntiSpy, PestCapture, PestTrap, PestWiper, SpyDemolisher, SpyMarshal, SpySheriff, SpyTrooper, SpywareNo, & Spyware-Stop [A: 3-9-06 / U: 3-9-06]
AntiVirus Gold / AntiVirus Golden | antivirus-gold.com, antivirusgolden.com | aggressive advertising, desktop hijacks (1, 2, 3, 4, 5, 6, 7, 8); false positives work as goad to purchase; uses inadequate scan/detection scheme; same app as AdwareDelete, MalwareWiped, SpyAxe, SpyFalcon, SpyLocked, Spyware Sheriff, SpywareStrike, TitanShield AntiSpyware, & VirusBlast [A: 6-2-05 / U: 6-13-06]
MalwareWipe / MalwareWiper / MalwareWiped | malwarewipe.com, malwarewiped.com | aggressive, deceptive advertising; uses flawed, inadequate detection scheme; same app as AdwareDelete, AntiVirus Gold, SpyAxe, SpyFalcon, SpyLocked, Spyware Sheriff, SpywareStrike, TitanShield AntiSpyware, & VirusBlast [A: 12-28-05 / U: 12-26-06]
Problem | Kind |
---|---|
FunWeb | 15 entries |
FunWebProducts | 56 entries |
Microsoft.WindowsSecurityCenter.AntiVirusOverride | 1 entries |
MyWay.MyWebSearch | 66 entries |
MyWebSearch | 21 entries |
TagASaurus | 1 entries |
Zlob.VideoAccessActiveXObject | 1 entries |
Spybot listed a screensaver, f3PSSavr, as an executable for FunWebProducts. I found a FunWebProducts folder under C:\Program Files. The zipped contents of that folder are here.
When I switched to advanced mode in Spybot and looked at the BHOs, I saw details on the one for MyWebSearch Search Assistant BHO. I found a MyWebSearch folder under C:\Program Files. The zipped contents of that folder are here.
Though TagASaurus was listed as a trojan, the only entry Spybot listed for it was a cookie.
When I attempted to open an HTML file on the PC from a link in a document without realizing that the filename was misspelled, I also saw a warning appear in Internet Explorer that "The page you are looking for is probably blocked by adware/spyware on your PC. Remove it with System Doctor software. CLICK HERE."
I had Spybot fix all of the problems, except the
Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory).
This could be fixed after a restart.
May Spybot-S&D run on your next system startup?
I chose to restart the system. I then saw a message that 159 problems were fixed, but 1 problem could not be fixed. Spybot was apparently unable to delete C:\Program Files\MyWebSearch. When I looked in the folder, I found several DLL files still remaining in its subfolders.
When I checked which process had the MWSBAR.DLL file, located in C:\Program Files\MyWebSearch\bar\3.bin, loaded, I found it was explorer.exe.
```
C:\Documents and Settings\Administrator>tasklist /m /fi "modules eq mwsbar.dll"

Image Name                     PID Modules
========================= ======== ============================================
explorer.exe                  2696 ntdll.dll, kernel32.dll, msvcrt.dll,
                                   ADVAPI32.dll, RPCRT4.dll, GDI32.dll,
                                   USER32.dll, SHLWAPI.dll, SHELL32.dll,
                                   ole32.dll, OLEAUT32.dll, BROWSEUI.dll,
                                   SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,
                                   CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll,
                                   NETAPI32.dll, WININET.dll, WLDAP32.dll,
                                   VERSION.dll, UxTheme.dll, ShimEng.dll,
                                   AcGenral.DLL, WINMM.dll, MSACM32.dll,
                                   USERENV.dll, comctl32.dll, comctl32.dll,
                                   appHelp.dll, CLBCATQ.DLL, COMRes.dll,
                                   cscui.dll, CSCDLL.dll, themeui.dll,
                                   Secur32.dll, MSIMG32.dll, xpsp2res.dll,
                                   msutb.dll, MSCTF.dll, SAMLIB.dll,
                                   ntshrui.dll, ATL.DLL, SETUPAPI.dll, msi.dll,
                                   NETSHELL.dll, rtutils.dll, credui.dll,
                                   WS2_32.dll, WS2HELP.dll, iphlpapi.dll,
                                   LINKINFO.dll, urlmon.dll, WINSTA.dll,
                                   webcheck.dll, WSOCK32.dll, stobject.dll,
                                   BatMeter.dll, POWRPROF.dll, WTSAPI32.dll,
                                   wdmaud.drv, msacm32.drv, midimap.dll,
                                   mwsoestb.dll, rsaenh.dll, IadHide5.dll,
                                   MPR.dll, drprov.dll, ntlanman.dll,
                                   NETUI0.dll, NETUI1.dll, NETRAP.dll,
                                   davclnt.dll, SXS.DLL, EuShlExt.dll,
                                   browselc.dll, MWSSRCAS.DLL, RASAPI32.DLL,
                                   rasman.dll, TAPI32.dll, AcroIEHelper.ocx,
                                   MWSBAR.DLL, SDHelper.dll, olepro32.dll,
                                   IMM32.dll, DUSER.dll, msohev.dll, MLANG.dll,
                                   gdiplus.dll, fsshext.8.1.0178.00.dll,
                                   MSVCR80.dll, shdoclc.dll, vpshell2.dll,
                                   gvimext.dll, MSVCRT40.dll, syncui.dll,
                                   igfxpph.dll, hccutils.DLL, zipfldr.dll,
                                   actxprxy.dll, sti.dll, CFGMGR32.dll,
                                   igfxres.dll, igfxress.dll, sendmail.dll,
                                   mydocs.dll, Audiodev.dll, WMVCore.DLL,
                                   WMASF.DLL, wiashext.dll
```
The MWSSRCAS.DLL file from C:\Program Files\MyWebSearch\SrchAstt\3.bin was also loaded by explorer.exe.
After I rebooted, Spybot ran automatically and indicated it was able to fix the remaining problems. When I logged in afterwards, I saw the message below.
RUNDLL

Error loading C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL
The specified module could not be found.
I used regedit to search the registry for MWSBAR. I found a reference to it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There was a value name of My Web Search Bar of type REG_SZ. The value for it was rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S. I deleted the value name from the Run key. I also deleted another value name I found in that Run key. It was for a value name of MyWebSearch Email Plugin of type REG_SZ with the value C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe.
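The Run-key inspection described above can be done for every entry at once. The following PowerShell script is an added example, not part of the original post; it assumes PowerShell 2.0 or later is available on the machine and that rundll32 entries take the `rundll32 <dll>,<entry point>` form seen above. It lists the autostart values under both Run keys, picks out the target file of each, and reports whether that file still exists, which is exactly the condition behind the RUNDLL error shown earlier.

```powershell
# Added example (not from the original post): audit the HKLM and HKCU Run keys,
# flag entries that load a DLL through rundll32, and report whether each target
# file still exists. An entry whose DLL has been removed but whose Run value
# remains produces the "specified module could not be found" RUNDLL error.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties that Get-ItemProperty adds which are not registry values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntryTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # rundll32 <dll>,<entry point>: the DLL is the first argument, up to the comma
    if ($cmd -match '^"?[^"\s]*rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,') {
        return @{ Kind = 'rundll32'; Path = $Matches[1].Trim() }
    }
    # quoted executable, possibly followed by arguments
    if ($cmd -match '^"([^"]+)"') {
        return @{ Kind = 'exe'; Path = $Matches[1] }
    }
    # unquoted executable: first whitespace-delimited token
    return @{ Kind = 'exe'; Path = ($cmd -split '\s+')[0] }
}

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $target = Get-RunEntryTarget -Command ([string]$prop.Value)
            # 8.3 short names such as C:\PROGRA~1\MYWEBS~1 resolve here as well
            $exists = $false
            if ($target.Path) {
                $exists = Test-Path -LiteralPath $target.Path -ErrorAction SilentlyContinue
            }
            New-Object PSObject -Property @{
                Key = $key; Name = $prop.Name; Kind = $target.Kind
                Target = $target.Path; Exists = [bool]$exists; Command = $prop.Value
            }
        }
    }
}

# Entries loading a DLL through rundll32, and entries whose target is gone,
# are the ones to review first.
Get-RunEntryReport | Where-Object { $_.Kind -eq 'rundll32' -or -not $_.Exists } |
    Format-Table Key, Name, Kind, Target, Exists -AutoSize
```

Drop the `Where-Object` filter to see every autostart entry, including legitimate ones, before deciding what to remove.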
Still, after the above steps, whenever I opened Internet Explorer, it would immediately go to http://aprotectservice.com/. I set the home page to www.google.com, but it would still go to the aprotectservice site. I tried going to Tools, Internet Options, Programs, and clicking on Reset Web Settings, but it made no difference. Since it was about 11:00 P.M. at that point, as a temporary fix for the problem, I edited the hosts file in /windows/system32/drivers/etc. Since the file was read-only, I right-clicked on the filename and unchecked the read-only attribute. I then added the following line under the one for localhost.
64.233.161.103 aprotectservice.com

The 64.233.161.103 address is an address for one of the Google webservers, so whenever I opened Internet Explorer afterwards, it would show http://aprotectservice.com/ in the address bar, but would actually go to the Google website. I'll have to return to the site where the system is located later to get rid of the underlying problem, which I believe is related to the Zlob infection.
FunWebProducts has not brought fun to the user of the system and certainly hasn't made my life fun, either. Its free "funny icons or smileys" bring aggravation and removal may not be free. I removed this malware from the same system on September 3, 2006 (see FunWebProducts - September 3, 2006). I've also encountered it on another system previously where it had caused a great deal of aggravation for the user.