Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: nicla on August 11, 2008, 06:00:44 PM

Title: Unauthorised SCAN activated.
Post by: nicla on August 11, 2008, 06:00:44 PM
I am hoping someone can help me with this one.

Today checking over my Visa statement I noticed a charge made at the end of July to a company that I don't recognise.  The company name is THG Enterprises INC.  I googled the company name and the following came up:--

Thg enterprises inc
Software may wholly compile permitted in an thg enterprises inc language, ... One thg enterprises inc for which annual inventors suffer is the msx. ..
bellipolitica.altervista.org/free/db/_images/thermal-snap-switch/thg-enterprises-inc.html

I clicked on it and instantly something was activated with the following URL address:--
http : //scan.av2008check.com/11006/3/   (NB I have inserted spaces either side of the colon so that there is no hyperlink)

The window that this scan opened up is now awaiting instructions as clicking the cancel button and the close button causes nothing to happen.  I don't wish to proceed as I don't know how or why this was activated without my conscious consent ie there was no option to refuse or cancel the scan action.

As a result of this unsolicited action a report was formed advising me that "harmful and malicious software detected" and the following high alert file names listed:--

ipexewin.exe
audiopitusr.exe
exeiptransfer.exe

Finally there is another window saying that "serious security and privacy threats found on computer.  It may damage files or steal personal and financial information.  Click OK to start downloading CRITICAL security software update."  NB the "cancel" button doesn't accept any clicking NOR does the window close.

I still don't know what the company is and I don't recall subscribing to additional security services.  The only way that I can see to close the window is boot the machine.

I suppose that this is not associated with avast! but I am hoping that forum members well versed in matters of security, malware, spyware etc can tell me what is going on and why.  And more importantly what is and where is the real security threat.


Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 11, 2008, 06:10:45 PM
UPDATE

I am now 99.9% convinced that whatever I am talking about in the previous post IS BAD.

I repeated my actions (through google etc) and this time pressed several cancels/ignore before the scan action finished.  When I clicked ignore it actually activated something which sent avast! into major warning mode.  I clicked the correct button generated by avast and the window closed. 

So now what do I do?  How did this happen?  Who are THG?  And how can I stop them?  What do I need to stop a repeat.

Please help.



Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 11, 2008, 07:28:13 PM
Antivirus 2008 is a rogue program, scum/scamware that is associated with fake alerts to trick people into purchasing the product.

However, I can't see how they could make a charge against your Visa unless you visited the site and entered your details. You should however contact Visa and the police if you didn't do this.

It isn't a virus as such but rogueware but these programs should hopefully be able to deal with it.

Start with the programs in order:
Try this tool first, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php

If you haven't already got this software (freeware), download, install, update

MalwareBytes Anti-Malware freeware version http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml.

SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.

Report the findings, they should produce a log file, etc.
Title: Re: Unauthorised SCAN activated.
Post by: Rick F on August 11, 2008, 07:58:39 PM
nicla,

Look in this thread for the images attached to see if they look like what you were seeing.  If so, it is a rogue AV like David said.

Can Avast stop this virus or adware?
http://forum.avast.com/index.php?topic=37714.0

The link that I used for Antivirus 2009 (might be the exact same utility that David linked you to) was this one:

http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

Hope this helps.
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 11, 2008, 08:13:51 PM
I think we may be dealing with anti-virus 2008 "scan.av2008check.com" and hopefully not the 2009 variant which is more of a pig to remove.
Title: Re: Unauthorised SCAN activated.
Post by: Rick F on August 11, 2008, 08:26:33 PM
Yeah, you're right.  From what I've read in the past 4 or 5 days the 2009 version is a newer or later version of the 2008 crapware.  From his mentioning of 'pop-ups', I was just wanting to share that other thread to see if he was seeing the same thing.

BTW David,

I'm no longer getting email alerts when a post I'm subscribed to in the forum gets a followup post.  I've checked my personal preferences and all seems in order.  Is there a problem with that feature?  Thanks.
Title: Re: Unauthorised SCAN activated.
Post by: sanctuaryforever on August 11, 2008, 08:51:17 PM
sorry to pop a question in here but is Avast going to cover these rogue anti-malware programs via definitions or has Alwil team mentioned anything about them?

the reason being these can be just as dangerous as other malware if people stumble upon them
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 11, 2008, 08:55:36 PM
Thanks everyone for the information and instructions. 

There is no way that I purchased this product or filled in my details for something other than what I normally buy -- namely books and the odd DVD for my kids.  Because of my location (remote Panama) I have to rely on internet shopping to acquire items that keep my kids happy.

Things are a bit distracting now that school is finished for the day so I am better off looking at the "how to eliminate guides" later at a quieter time.


Many thanks


Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 11, 2008, 11:40:31 PM
Quote from: Rick F
<snip>
BTW David,

I'm no longer getting email alerts when a post I'm subscribed to in the forum gets a followup post.  I've checked my personal preferences and all seems in order.  Is there a problem with that feature?  Thanks.


I no longer use that function so I don't know if there is a problem with it, the only emails I get are notification of PMs.

I much prefer to use the 'Show new replies to your posts' function, from your profile. So when I use firefox I have two tabs that are started, The main index.php page showing all Forums and my Profile.

I use the Babylon theme as I like the layout of the header which is at the top of every page, giving easy access to the 'Show new replies to your posts,' which displays a list of all topics that I have either started or contributed to that have new posts since my last visit, very handy.
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 11, 2008, 11:42:14 PM
Quote from: sanctuaryforever
sorry to pop a question in here but is Avast going to cover these rogue anti-malware programs via definitions or has Alwil team mentioned anything about them?

the reason being these can be just as dangerous as other malware if people stumble upon them

It does detect some of the fake alerts stuff, but let's not lose sight of the fact that they aren't viruses but scum/scamware.
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 11, 2008, 11:55:30 PM
Quote from: nicla
There is no way that I purchased this product or filled in my details for something other than what I normally buy -- namely books and the odd DVD for my kids.  Because of my location (remote Panama) I have to rely on internet shopping to acquire items that keep my kids happy.

Things are a bit distracting now that school is finished for the day so I am better off looking at the "how to eliminate guides" later at a quieter time.

Then you need to beef up your security as somehow they have obtained your card details, most commonly it can be phishing tricking you into giving your details at what you think is a known site, bank, store, when in fact it is a fake site designed to collect your details. There could also be a possibility that a keylogger could capture this type of input. Rapidly use those other tools suggested so as to be sure there isn't a key logger at work.

Now change your passwords as if one is compromised more could be, ensure they are a little more difficult to guess at least 8 characters, mixed upper and lower case and numbers.

If you don't already use it, I would suggest firefox as it has an anti-phishing function and also blocking known attack sites. You could also use www.OpenDNS.com as your DNS server as this too will be able to alert you to the fact that the site you are visiting isn't the one you expected.

What is your firewall ?
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 12, 2008, 01:09:58 AM
I don't know if this is related but Firefox is not working.  It was working fine up until 3 hours ago but now every new link clicked produces nothing.  Actually I have just checked with my husband and Firefox on his computer is operating normally. 

I am currently on explorer (a facility for emergencies only)

Rick F - I have looked at the link you provided.  What I have looks like it comes from the same stable but it is not identical.  It is not the 2009 version. What I have also differs in that there is another window on top of the Warning window which says the following.................

________________________________________________________________________________
The page at http : //scan etc etc etc says:

Serious security and privacy threats found on your computer.  It may damage your files or steal
your personal and financial information.

Click "OK" to start downloading CRITICAL security software update.

                                           OK                          Cancel
________________________________________________________________________________

I am not clicking on the OK button and clicking on Cancel one produces no result. Repeatedly no results regardless of number of times it is consecutively clicked.

My question here is how can I close the window that is jammed open and if there is a way to close it before I do implement all the suggestions made in this thread do I jeopardise my vital information? 

Should I disconnect my computer now and pick this up on my husband's computer when he gets home?  Have I already risked everything by not disconnecting instantly? 

I am quite scared now. 


UPDATE :  The uncloseable window is gone.  I went to options in the Firefox tools drop down box to look at security options there but before I could do anything further Firefox went into not responding mode and I closed it and opened it anew.

Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 12, 2008, 01:37:38 AM
first do download the fake security software

what can you run?
some choices
A safe mode scan with avast
Malware Bytes Rogue Remover
F-Protect on line scan

can you kill the process with task manager ctl alt del

ps - there has been no scan- they're jerking your chain

could you run the Scans that DavidR mentioned in his first post?

Title: Re: Unauthorised SCAN activated.
Post by: Rick F on August 12, 2008, 01:40:14 AM
Quote from: nicla
<snip>

Rick F - I have looked at the link you provided.  What I have looks like it comes from the same stable but it is not identical.  It is not the 2009 version. What I have also differs in that there is another window on top of the Warning window.

Should I disconnect my computer now and pick this up on my husband's computer when he gets home?  Have I already risked everything by not disconnecting instantly? 

I am quite scared now. 

You can close any active window by holding down the 'Alt' key and then press 'F4'. The 2008 and 2009 version are similar, but both should be able to be handled by running "MalwareBytes" that David recommended.

Here's that link again:
http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

A link to get rid of AV2008:
http://www.bleepingcomputer.com/malware-removal/antivirus-2008

You can block your computer from trying to access any of those addresses by using avast's 'Webshield'.

Click avast blue ball near your clock, click 'webshield', then 'customize'.  When that window opens, click the 'URL Blocking Tab'.  Click 'enable URL blocking' and then click the 'add' button and type in the URL that application is trying to go to... For me it was

http: //*power-antivirus* (added a space to break hot link)
http: //scan.power* (added space to break hot link)

- see image below -
http://forum.avast.com/index.php?action=dlattach;topic=37714.0;attach=26201;image

Title: Re: Unauthorised SCAN activated.
Post by: Rick F on August 12, 2008, 01:41:51 AM
Quote from: wyrmrider
first do download the fake security software

WHAT!?  Don't download that!! Close the window if you can.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 12, 2008, 01:48:46 AM
UPDATE :  The uncloseable window is gone.  I went to options in the Firefox tools drop down box to look at security options there but before I could do anything further Firefox went into not responding mode and I closed it and opened it anew.



Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 12, 2008, 01:52:54 AM
UPDATE :  The uncloseable window is gone.  I went to options in the Firefox tools drop down box to look at security options there but before I could do anything further Firefox went into not responding mode and I closed it and opened it anew.


UPDATE NUMBER 2.  I have also just verified the charge on my credit card.  It is legitimate.

So now that the window is closed and "IT" is not active (really don't know what I am saying here) am I to understand that I can proceed with the remedies without problem (though of course I am sure that I will be resorting to the wonderful assistance found here again if I am not clear about something).

Title: Re: Unauthorised SCAN activated.
Post by: Rick F on August 12, 2008, 01:58:12 AM
I would suggest you download and run the "MalwareBytes" for sure.  There are a number of folks that report that it does in fact remove it all.  Depends on whether or not this 'scumware' has morphed (changed).

Follow the instructions in this link:

http://www.malwarebytes.org/forums/index.php?showtopic=5178

Or this one.

http://www.bleepingcomputer.com/malware-removal/antivirus-2008

Here's a link to a video on how Antivirus 2008 infects a user's PC.  This is by Enigma Software - so they're trying to sell their product SpyHunter.  But you can see some of the screens and how they lure people into purchasing that scumware.

http://www.youtube.com/watch?v=TAVGe55j6YY&eurl=http://www.spywareremove.com/removeAntivirus2008.html

SpyHunter may work, but I've read some folks here don't care for it.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 12, 2008, 05:14:20 AM
Apologies please for my clumsy posting style.  Participating in forums is still new to me. 

David, referring to part of your first post in this thread :
------------------------------------------------------------------------------------------------------------
Start with the programs in order:
Try this tool first, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php

If you haven't already got this software (freeware), download, install, update

MalwareBytes Anti-Malware freeware version http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml.

SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.

Report the findings, they should produce a log file, etc.
--------------------------------------------------------------------------------------------------------------------------------

It is great that you have all given me so much information.  However downloading is the easy part it is what to do next and how to manage these programmes and make them work for you.  I am not even remotely computer lit or savvy

David, You provided 2 different malware downloads.  I have only chosen one but let me know if I am wrong and need them both.  I chose RogueRemover which I downloaded --and got it to perform a scan - result ALL CLEAR.  Tell me is it normal for the bar at the bottom of the window to fill up with green and stay like that?
         
spyware pro version offers more than the home version and I am deciding between pro and home.  Am I right in assuming that the price is a one off cost and that there are no annual charges?
         
the Open DNS has stalled during the installation process. I get an "error opening file for writing message".  I then press abort.  I have activated my account. 

I should tackle this again in the cold hard light of day.
Title: Re: Unauthorised SCAN activated.
Post by: olddog on August 12, 2008, 11:02:36 AM
Quote from: nicla
..... I chose RogueRemover which I downloaded --and got it to perform a scan - result ALL CLEAR.  Tell me is it normal for the bar at the bottom of the window to fill up with green and stay like that?

Nicla,

The attached shot shows two screens from rogue remover. The first is what it looks like after it has opened and before you click on the scan.

The second appears at the end of the scan.

If you are talking about the green "progress bar" then it is normal for it to go to full width and then stay there until the scan is started

Hope that helps.

 
Title: Re: Unauthorised SCAN activated.
Post by: ruthie on August 12, 2008, 12:06:14 PM
Have never posted on anything anywhere before so please bear with me. I had the same problem as you yesterday, Nicla. I was just browsing when had the alert that
ipexewin.exe
audiopitusr.exe
exeiptransfer.exe
had infected my computer. I've never heard of anything like it before - red,green,blue and yellow security centre shield etc made it seem really authentic. So I downloaded something showing in download box as
setup_100562_3_(2)
setup_100562_3_
setup_100562_3_(3)
I was then suspicious and think I pressed remove instead of open, and then deleted them from recycle bin.
I ran spybot search and destroy - removed lots of things - I think they were all cookies.
Thanks for all postings - I used malwarebytes.org/rogueremover.php and got all clear like Nicla. 
Feel v stupid and worried.
I think we both have the same worry - is there anything lurking on our computers (also was it there before yesterday). When I googled ipexewin.exe found the same post on several sites telling you to run Spyhunter - which I'm not sure if we should trust. Any more help really really gratefully received.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 12, 2008, 02:21:28 PM
Excellent, Oddog,  many thanks.

Were your attached images sourced from your screen or cut and pasted from the rogueware website.  I am wondering is it possible to capture an image of what a computer screen looks like (like for instance what mine looked like yesterday with the scumware jamming it) and immerse it in a file or in a forum, for example?  If it is possible how does one do it?
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 12, 2008, 04:00:44 PM
@ nicla
It wasn't a choice of which to use
Quote from: DavidR
Start with the programs in order:

Rather, run the first one then in order of being listed one after the other, step by step. Run one and report the findings (and hopefully get feedback from us to help), run the next and report the findings, etc. This way it isn't trying to do everything at once which might feel daunting.

olddog has answered your question relating to RogueRemover, so now you need to proceed to the next step, the MalwareBytes AntiMalware (MBAM) and report your findings. Then the next step, a

You don't need the SuperAntiSpyware Pro version (if you did we would say), we are only interested in its on-demand scan, which is in the free version, don't spend any money during this investigation. Afterwards if you think the additional features of the Pro paid version are what you want then make a choice when you are not under pressure.

With OpenDNS there is no need to register (that is optional) and there shouldn't be any need to install anything.

From this URL, https://www.opendns.com/start, from the Get Started link on the first page, it gives a number of operating system options, click on your OS and it shows how to setup your computer to use the OpenDNS servers. This gives instructions and pictures of how to do it, you can also click the Print Ready Instructions that displays a more printer friendly page that you can print out and use off-line.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 12, 2008, 04:39:26 PM
Quote from: DavidR
Start with the programs in order:
Try this tool first, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php

I downloaded the above from Malwarebytes.org.  This worked successfully.


Quote
MalwareBytes Anti-Malware freeware version http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml.

apologies but I am not shouting.  I RAN THE ABOVE INSTANT SCAN AND THE FOLLOWING INFORMATION CAME UP?????..........

"QUOTE---
        This XML file does not appear to have any style information associated with it. The document tree is shown below.

<Error>
<Code>InternalError</Code>

   <Message>
We encountered an internal error. Please try again.
</Message>
<RequestId>167AC9DB1044A3AF</RequestId>

   <HostId>
ZI+vLqmhPiKJFQ/GKMH6OMpkuQuCoSplT2qbtd/ttnVRzZJkOYUi2st9E+H69RNK
</HostId>
</Error>


END OF QUOTE

I guess there is a next step, David, so I will standby.  Thank you
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 12, 2008, 06:28:02 PM
I'm somewhat confused by the 'Instant Scan' you mention as that link should just be to download the installation file, it should be saved to your computer from where you run the 'installation' file.

So are you saying you downloaded the installation file, installed, ran it and had the error (which I doubt) ?

Another link to try to get the program, http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Title: Re: Unauthorised SCAN activated.
Post by: olddog on August 13, 2008, 01:49:56 AM
Quote from: nicla
Excellent, Oddog,  many thanks.

...I am wondering is it possible to capture an image of what a computer screen looks like (like for instance what mine looked like yesterday with the scumware jamming it)

Nicla,
There has already been a couple of screen shots relating to the rogue antivirus 2009, see
http://forum.avast.com/index.php?topic=37714.0;topicseen
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 13, 2008, 03:39:10 PM
David, looking back over what I did yesterday I can see that I was beguiled by a banner ad from uniblue registry booster which led me to the following webpage  http://www.liutilities.com/products/campaigns/ppc/ppa/rb/lp/?gclid=CKnC-pv3ipUCFRSO1QodlWhorA

The result of that link was the error message and an option to download an application called "registryboostergogppa.exe" which I cancelled because it wasn't mentioned in your post. 

I have just tried the bleeping computer link (both clicking link you gave & copying and pasting the URL) but I am not guided to a web page as only a blank page comes up.  However an opening application box appeared for an application called " mbam-setup.exe " from download.bleepingcomputer.com!  I am not happy that this box appeared without the bleepingcomputer webpage to authenticate it.

David,  I am sorry as I realise that this should not be so difficult.

Going back to the softpedia link I clicked on Secure Downloads are files hosted and checked by Softpedia    Softpedia Secure Download (RO) {I hate that there were 4 choices confronting me} and mercy me the same "mbam-setup.exe" window came up.  So I will proceed and report back.
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 13, 2008, 04:01:08 PM
You have to right click the link and choose Save As or Save File As, which I mentioned.

Quote from: DavidR
Another link to try to get the program, http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

The reason nothing is displayed is you are effectively clicking on an executable file, which won't open in your browser. I gave you a direct link to the file because of your previous problems in getting the file. The mbam-setup.exe is the installation file, see image of it in my downloads folder.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 13, 2008, 04:45:10 PM
Apologies David for not reading thoroughly your instructions.  As I write the Malwarebytes' Anti-Malware is scanning.  So far there is one infected object.

Olddog,  I am sorry I got your name wrong before.  I did see your links thanks but what I was after was the facility/ability to copy bits of my screen for my own purposes.  Anyway I discovered the snipping tool quite by chance earlier this morning so I am sorted.  I hope to be sorted on the scum/scamware too before this day is out. ;D  Thanks David for your patience here.
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 13, 2008, 04:51:22 PM
You're welcome.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 13, 2008, 08:59:25 PM
OK, David.......the scan is finished.  I imagine I go ahead, close all my other applications and evict the invaders according to the instructions on the report.  I will await your confirmation on this as I am not sure whether viewing the results is  necessary to this clean up process.

Also reading back over your original post I can see that I have one step left to go - the SuperAntiSpyware. 
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 13, 2008, 09:28:49 PM
Before you do that copy and paste the report so we can have a look at what you have found.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 13, 2008, 10:17:31 PM
David,  I am sure that there is a better way to copy the results to here but I don't know what it is -- so I saved it to notepad then copied and pasted it here (in its entirety)

Malwarebytes' Anti-Malware 1.24
Database version: 1047
Windows 6.0.6000

13:40:07 13/08/2008
anti malware results  mbam-log-8-13-2008 (13-38-35)

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 197674
Time elapsed: 2 hour(s), 24 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{9869efa6-18e9-11d3-a837-00104b9e30b5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9869efb4-18e9-11d3-a837-00104b9e30b5} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll (Trojan.Agent) -> No action taken.
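
An added example, not part of any post in this thread and not Malwarebytes' own tooling: a short Python parser for the MBAM 1.24 text log layout shown in the post above. It checks that the summary counts agree with the itemised entries (a quick test for a truncated paste) and lists detections still marked "No action taken". The function names are assumptions made for this example, and the sample is abridged from the posted log.

```python
import re
from collections import Counter

# Sample input: abridged from the log posted in this thread (same layout and entries).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1047

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 197674

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{9869efa6-18e9-11d3-a837-00104b9e30b5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9869efb4-18e9-11d3-a837-00104b9e30b5} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll (Trojan.Agent) -> No action taken.
"""

# "Registry Keys Infected: 3"  -> summary count for a category
SUMMARY_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")
# "Registry Keys Infected:"    -> start of the itemised section for a category
SECTION_RE = re.compile(r"^(?P<cat>.+ Infected):$")
# "<object> (<detection name>) -> <action>."  (object may itself contain parentheses)
ENTRY_RE = re.compile(r"^(?P<obj>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary counts per category, list of itemised detections)."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["cat"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["cat"]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            detections.append({
                "category": section,
                "object": m["obj"],
                "name": m["name"],
                "action": m["action"],
            })
    return summary, detections


def triage(text):
    """Cross-check the log and report what still needs attention."""
    summary, detections = parse_mbam_log(text)
    itemised = Counter(d["category"] for d in detections)
    # Category -> (count claimed in summary, entries actually present in the paste)
    mismatches = {
        cat: (n, itemised.get(cat, 0))
        for cat, n in summary.items()
        if n != itemised.get(cat, 0)
    }
    pending = [d for d in detections if d["action"].lower() == "no action taken"]
    return {
        "total": len(detections),
        "by_name": dict(Counter(d["name"] for d in detections)),
        "pending": pending,
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("detections:", report["total"], report["by_name"])
    for d in report["pending"]:
        print("still present:", d["category"], "|", d["name"], "|", d["object"])
    print("summary/detail mismatches:", report["mismatches"] or "none")
```

A non-empty `mismatches` result means the pasted log is incomplete; a non-empty `pending` list means the scan only reported the items and nothing has been removed yet.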
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 13, 2008, 11:16:25 PM
Wow that took some time, very thorough.

You can run it again, just a Perform quick scan, should cover the areas where infection was found. In the report there are boxes which are checked and you can right click on the entry and select Quarantine, etc. so let MBAM deal with all three.

However, before you do that, add this file CmdLineExt02.dll to the User Files section of the Chest it can do no harm there. Then we/you can send it to avast for analysis, but let's not worry about sending it just yet, having got a copy into the chest proceed with the MBAM actions.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 13, 2008, 11:35:11 PM
David, whoa.  The first paragraph I reckon I can manage but the second needs a good second, third and mmmmmmore looking!!!!   

Firstly I accidentally closed the application after copying the stuff and I then ran a scan on the C drive only.  The results are exactly the same as those for the full scan.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 13, 2008, 11:48:52 PM
Before I posted the last post I had a look for the "chest" you were talking about but I drew a blank.   I am sorry I need clearer instructions on how to add  "CmdLineExt02.dll to the User Files section of the Chest."

Just for your amusement I should say why things are taking a bit of time  ::)  in a nutshell it is my kids.   I had to play a game with them just before  ;D and soon it will be bath time tea time and bed time which is going to ensure that this saga continues tomorrow!!!!


Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 13, 2008, 11:59:33 PM
I thought it would be closed or that you took no action, both would require you to run it again. Seeing the areas reported as infected I knew those would be found with the quick scan saving you a couple of hours. That is why I suggested it ;D

First Open the avast chest, right click the avast icon, select Start avast antivirus.
Once the memory scan is done the simple user interface is opened, right click in the middle of it.
Select Virus Chest.
Click the User Files section.
At the top of the window you will see File, click that.
From the drop down list select add.
From the Explorer like pop-up navigate to the location of the C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll file.
Highlight (select) the file and click Open (this doesn't actually run or open the file) but will copy the file to the chest.
Ignore the avast pop-up and Close (button) the window.

You should now see the file copied into the user files section of the chest.

MBAM
You should have your report screen in front of you (scanner tab of MBAM), I'm trying to do this in the dark as I have only ever had to do it once before. All of the detected, infected items will be listed (and the box to the left ticked).

When you right click on one of the entries you should get a list of options, Quarantine, etc. that is by far the best option, select that.

That should hopefully get rid of those items.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 14, 2008, 12:04:18 AM
OK,  just letting you know that I am at my best in the mornings and all that you posted just now will better serve me if I am fresh.  So please bear with me some more and I will be on line again tomorrow.

Good night!!!   :)
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 14, 2008, 09:37:05 PM
Hello David,  super clear instructions, thanks, but guess what I am snagged again.  I can't locate the Cmd file.  In fact I can't locate the AppData folder.  I even ran an advanced search with the exact name and the tag (which I presume is .dll) NOTHING.  I ran a search on AppData ..  still nothing.  Not that I think it matters but my computer OS is Vista and the harddrive is partitioned (c&e).


Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 14, 2008, 10:15:43 PM
You start off using Windows Explorer and step through the path (C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll) from the C:\ Drive/folder, then Users, then Nicola, then AppData, then Local, then Temp, then find the file CmdLineExt02.dll in the Temp folder.

Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 01:03:54 AM
Apologies for the delay but I got called away.  After I set the folder view it all was easy peasy until I looked for the blessed Cmd....dll file.  I couldn't find it  :o.  I even started another post with the bad news but I couldn't believe that it wasn't there so back I went and looked again and glory be there it was.

The file is now sitting in the avast! chest.

Just going to perform MBAM action now.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 01:11:30 AM
Back again -- right clicking gives the following options with "quarantine" not present

add to ignore list
jump to location
check all items
uncheck all items
check all items from this vendor
uncheck all items from this vendor
vendor information

There is a "remove Selected" button at bottom left and a quarantine tab which is not available whilst the scanner report is up. 
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 15, 2008, 03:40:40 AM
Yes as I said I was working in the dark as I couldn't recall it from the one time I had any results after a scan.

Well I hacked around and created something that would trigger MBAM and there is no Quarantine option, but the entries you wish to take any action on, must be checked (box to the left of entries) I think they are all checked by default.

There are two buttons they are Remove Selected (as you found) or Ignore, in your case we are only going to use the Remove Selected (so ensure they are all selected/checked).

By clicking that button it should I believe actually quarantine it then the Quarantine tab would become active, though I don't know for sure (if it deletes it no problem you have the copy in the chest).

That should be you done for now, we can look at sending the file to avast later today (it is 2:40 a.m. here) as I'm about to call it a night.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 04:18:40 AM
For general information the following box popped up once I pressed the "remove selected" button.
-----------------------
Certain items could not be removed! The first few are listed below.  All items that could not be removed have been added to the delete on reboot list.  Please restart your computer now.  A logfile was saved to the logs folder.

C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll

Your computer needs to be restarted to complete the removal process.  Would you like to continue?
-----------------------

Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 15, 2008, 04:39:23 AM
the
C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll
is the command to take action on reboot
so reboot
then post up the log
It's only 7:30 here in So Cal
I think that DavidR wanted to try Superantispy next
so either that or an on line anti virus scan (I tend to alternate between Anti spyware and anti-virus)
but if you are up to it you could get at it
good luck
With SAS - it's been awhile but I think update and then select/ configure the depth of scan
hint- go for it

Wyrmrider
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 05:54:02 PM
I did the reboot last night and called it quits with the computer for the day

wyrmrider, is the log the same as what I posted in reply #32 two days ago?

David, I went back to C:\Users\Nicola\AppData\Local\Temp and checked that the Cmd..etc..file had gone.  It has.... Is this correct? 
The quarantine tab now has those 5 items which were in the scan result tab.

Does this mean the computer is ready to go onto the SuperAntiSpy stage? 
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 05:59:30 PM
I had SAS downloaded from the other day but not installed.  It is now installed and the updates performed and I have gone through the wizard steps.  Do I go ahead and activate the "scan your computer" button now?
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 06:06:48 PM
Oops that was rude of me David.  Hello to you and I hope that it is a good day where you are.  Until last year I lived 8 years in East Anglia and summer of 2002 is burned forever in my memory of as the perfect UK summer with 2003 not far behind.
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 15, 2008, 06:19:11 PM
Quote from: nicla
I did the reboot last night and called it quits with the computer for the day

wyrmrider, is the log the same as what I posted in reply #32 two days ago?

David, I went back to C:\Users\Nicola\AppData\Local\Temp and checked that the Cmd..etc..file had gone.  It has.... Is this correct? 
The quarantine tab now has those 5 items which were in the scan result tab.

Does this mean the computer is ready to go onto the SuperAntiSpy stage? 

1. Yes the reboot was required to clean-up.
2. The log would be the same as there were no new/different detections.
3. Yes, the file is moved on the reboot which it said was required, that is why I had you move a copy to the chest first.
4. That is what I thought would happen, though there is no help file or anything that confirms the 'Remove Selected' copies them to the Quarantine, leave them there.
5. Yes, run SAS now and report what it finds.

We can send the file to avast for analysis also, as an undetected malware, but this isn't urgent and can wait until we are relatively sure your system is clean.

Quote from: nicla
Oops that was rude of me David.  Hello to you and I hope that it is a good day where you are.  Until last year I lived 8 years in East Anglia and summer of 2002 is burned forever in my memory of as the perfect UK summer with 2003 not far behind.

Your very fortunate we don't get that many perfect summers here ;D So far this years summer has been a veritable washout. Some very good days, but not too many strung together and interspersed with lots of rain, typical British weather. It is nice today though after three days of moderate rain.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 07:26:33 PM
Fifty minutes down the track and the scan is done.

388 threats in total

Adware.Tracking Cookie [388 items]
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 09:28:21 PM
I clicked the next button and the application processed the threats which a window now says are quarantined and removed.  I am not sure if you wish to review the list (which when I clicked on description of items came up as cookies -- so I guess reviewal is not necessary). If I don't accept the reboot now button am I to understand that the next time the computer shuts down and restarts that those items will be gone?

Or should I just reboot now.  I guess what I am trying to find out is  -- is this stuff to be copied like those files found by MBAM.
Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 15, 2008, 09:46:02 PM
388 that's a bunch
go ahead and reboot
great news that nothing serious was found

There is a debate about running something like CCLeaner or ATF Cleaner Plus Clear Prog
on one hand it removes a lot of clutter - like tracking cookies
on the other it removes logs and other things which could prove useful
so best NOT till you're through and ready to reset restore points and do a defrag

what to do next?
DavidR should be along shortly
I'm thinking either an on line AV scan
or
VUNDOFIX - which will search for several hundred CLSID strings known to be bad and used by similar infections
Or Dave may have some other ideas

how does your system seem to be working?
388 tracking cookies
start thinking about how to keep this from happening again
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 15, 2008, 10:59:28 PM
wyrmrider... I would love to be thinking how to stop this from happening again but the thing is I am not really versed in that aspect of computer care.  Which makes me all the more grateful that chaps like David and you make yourselves available in times of stress and disaster and also for general help and guidance.

I will reboot now.

ps will running SAS on a regular basis keep the cookie tracking under control OR are you alluding to something different.
Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 15, 2008, 11:18:27 PM
I do not know where DavidR is
usually I would recommend a Kaspersky AV scan at this point however JeanInMontana at the Malwarebytes forum recommends a Panda active scan to help with the fakeAV2008 infection and has posted a detailed how to here
How To Do a Panda Active Scan and Save The Log, Complete With Illustration
http://www.malwarebytes.org/forums/index.php?showtopic=2306
in addition Panda will remove what it finds for free (after asking you to buy)
I am hoping that you will be comfortable with this

then we can talk about prevention

It seems as if most of the folks at Malwarebytes are refugees from the Ad-Aware user forums- many years of experience
(Ad-Aware had a forum disaster many years ago- we all left and/or they shut down the forums)
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 15, 2008, 11:47:42 PM
Quote from: nicla
Fifty minutes down the track and the scan is done.

388 threats in total

Adware.Tracking Cookie [388 items]

Many anti-spyware programs make a big deal of tracking cookies (virtually all cookies could be regarded as tracking cookies), they aren't a security threat, more of a minor privacy issue.

In fact I disable the tracking cookie part of the scan (Preferences, Scanning Control tab). However, what this does show is that you don't do any house keeping in regard of cookies and periodically clear them out.

Common sense is a huge part of staying clean, e.g. when you first got a notification of 'your system is at danger' or similar wording, ask yourself 'how do they know.' The simple answer is unless the alert/message comes from applications that you have installed, then they don't know and it is a scan. Having scared the person, given them a headache they offer them a headache tablet in the form of a scan, etc.

There are some real sneaky things out there that use social engineering (read scare the pants off people) to get them to do what they want, e.g. download software, visit a site, etc.

Second you need a good firewall that provides outbound protection to stop any malware that manages to get past your defences having free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc. see below ####) or open a backdoor to your computer, so outbound protection is essential.

Use Firefox or Opera as your default browser as they are effectively more secure than IE as they aren't integrated into your OS, they don't use BHOs nor do they use ActiveX (so an exploit of IE is effectively an exploit of the OS).

If you can run your system as a limited user and not an administrator account, this won't stop you possibly getting infected, but it will limit the potential for damage.

Running, Updating and scanning with SAS and MBAM once a week (fortnightly at the least) I would say is time well spent.

####
This is why I told you to change your passwords, essential now we are reasonably confident your system is clean.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 16, 2008, 12:55:04 AM

Quote from: DavidR
Second you need a good firewall that provides outbound protection to stop any malware that manages to get past your defences having free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc. see below ####) or open a backdoor to your computer, so outbound protection is essential.

I think I mentioned Windows Defender is my firewall but I think you are probably suggesting a firewall other than that.  If this is the case then I need suggestions.

Quote
If you can run your system as a limited user and not an administrator account, this won't stop you possibly getting infected, but it will limit the potential for damage.

OK, I am switched to standard user but I think for it to be effected the computer needs to restart.  I had to create a new account to assign it admin status.  I think this now means if I want to be admin again I have to go into Admin to make those changes.

Quote
This is why I told you to change your passwords, essential now we are reasonably confident your system is clean.

David, I have so many things with passwords - from bank accounts, ebay, online stores, skype, emails, paypal, phone company, ISP,  etc.  Is your suggestion applicable to them all? I reckon you are going to say yes  but I need to hear it.


Title: Re: Unauthorised SCAN activated.
Post by: Lisandro on August 16, 2008, 01:24:42 AM
Quote from: nicla
I think I mentioned Windows Defender is my firewall but I think you are probably suggesting a firewall other than that.  If this is the case then I need suggestions.
Windows Defender is not a firewall, it's a weak antispyware.
Probably you're using Windows Firewall itself.
Suggestions? PcTools and Comodo are good and free ones.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 16, 2008, 01:37:14 AM
Quote
how does your system seem to be working?

I don't know if this is related but OS (vista) does not support more than 1 windows explorer open at a time.  Beforehand I could
open any number if I wanted.  When I started up the computer this morning and tried to run two explorers the second would freeze then a box popped up saying that Windows is not operating correctly (or words to that effect) and then instantly every windows application I had open would close.

Now I can only open one explorer window.  I checked in the new admin account and the same happens there.

Any thoughts on this?


I got 2 explorer windows opened but the second froze ("windows has stopped working") and then both closed (no other windows applications open at that stage.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 16, 2008, 01:59:53 AM
Thanks Tech for the freebie information.  I have been looking at them but making a choice is not so easy.  I think Comodo might be the one I choose.
Title: Re: Unauthorised SCAN activated.
Post by: Lisandro on August 16, 2008, 02:53:40 AM
Quote from: nicla
Thanks Tech for the freebie information.  I have been looking at them but making a choice is not so easy.  I think Comodo might be the one I choose.
PCTools is easier to begin.

Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 16, 2008, 03:11:44 AM
Quote from: nicla
I think I mentioned Windows Defender is my firewall but I think you are probably suggesting a firewall other than that.  If this is the case then I need suggestions.
Tech has answered that and I agree, PC tools possibly being a little more user friendly for the newer complex firewall user.

Quote from: nicla
OK, I am switched to standard user but I think for it to be effected the computer needs to restart.  I had to create a new account to assign it admin status.  I think this now means if I want to be admin again I have to go into Admin to make those changes.

There are times when you need to have administrator privileges but for most you don't but it can be a pain. But is handy for Kids accounts, etc. so they have limited permissions.

You can run some things as the administrator when necessary, right clicking on the file you want to run in windows explorer and selecting Run As Administrator (that option is only there if you aren't running as an administrator). I don't use Vista but if something needs Admin privileges you can enter the admin password and you are in business. I believe all Vista accounts are Standard even those with admin privileges as the UAC would still challenge some functions and you would still be prompted for the admin password (something which you should also consider changing). Unfortunately I can't be a lot of help in regard of Vista as I absolutely have been avoiding it like the plague, so you probably have more experience than I in that regard ;D

Quote from: nicla
David, I have so many things with passwords - from bank accounts, ebay, online stores, skype, emails, paypal, phone company, ISP,  etc.  Is your suggestion applicable to them all? I reckon you are going to say yes  but I need to hear it.

Well you guessed right, my answer is yes, especially where it concerns money or the ability to pass themselves off as you, which I guess takes care of them all.

The reason I say this is because of the debit on your credit card, if you didn't get the details of you then somehow they got off your system and the most likely is a key logger. This can log all your keystrokes and sites you visit, etc. and can then pass that information to the crooks that place the key logger malware (why it's important to have a firewall to challenge unauthorised outbound internet connections).

Though from the detections made in all the scans you did there didn't appear to have been a key logger, but I'm erring on the side of safety based on the unknown/unauthorised debit on your credit card.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 16, 2008, 04:37:56 AM
Quote
UPDATE NUMBER 2.  I have also just verified the charge on my credit card.  It is legitimate.

Apologies David, I made what in hindsight is an unclear statement back in post #16.  I did, in fact, legitimately use my card for that amount with a trading company of another registered as THG Enterprises.  I went through my bookmarks sifting through some sites until I came to one I recognised (they never sent an email confirming purchase) and I called them.   Had I done that first rather than google the name then I would have coasted on not attending to my "housekeeping" until a real disaster happened.  The owner of the company said that they hadn't put their registered name on the internet and when asked if it could be possible that their security was compromised I got an emphatic NO.

So in the light of this it would be OK to assume that my passwords are uncompromised afterall (I have already changed some so no bad thing there).  Would you keep changing them, though?   

Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 16, 2008, 04:50:34 AM
GOOD that you got user accounts set up
Then the Firewall
there will be a learning curve but worth it
there are several other low impact steps we can take but let's walk before we try and run

We got a clean second opinion from SAS which is really good news
a second AV opinion can be done at any time

as to your credit cards and bank info
the 2008 virus is not known as a stealer
however it is hard to be sure nothing else was installed
you can either change all of your passwords
or monitor closely
some people overact and reformat their hard drive and reinstall their os
in your case, without getting a firewall in place, there would be no long term benefit in that

I'm going to list a few steps - for later
1   LOCK DOWN INTERNET EXPLORER- there are guides- after you do your firewall we can find one
2    install Javacool Spyware blaster
http://www.javacoolsoftware.com/spywareblaster.html
(Tony Kline maintains a list of CLSID- Active X baddies, several people use Tony's list plus their own to make blocklists.  The Atribune VUNDOFIX program I mentioned checks for the presence of several hundred as do many other programs
Spywareblaster sets a "Kill bit" in a list of ActiveX identifiers  If something tries to run them- well they Can't)
a reasonably foolproof tool

Enough already
I was not going to post the above till I saw your post about passwords
DavidR may have additional info
but I do not see where we are in panic mode here


wyrmrider
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 16, 2008, 03:56:37 PM
Quote
UPDATE NUMBER 2.  I have also just verified the charge on my credit card.  It is legitimate.

Apologies David, I made what in hindsight is an unclear statement back in post #16.  I did, in fact, legitimately use my card for that amount with a trading company of another registered as THG Enterprises. 
<snip>
So in the light of this it would be OK to assume that my passwords are uncompromised afterall (I have already changed some so no bad thing there).  Would you keep changing them, though?  

Well that is much better news as it doesn't appear your credit card security was compromised by something like a key logger or phishing site. It has been quite a long topic so it is possible that you made it clear at that time, but I simply didn't remember it.

With the additional scans that you have done is also no bad thing as you can be reasonably confident your system is clean, so it isn't time wasted as you have to have confidence in your system.

Whilst there is not so much of a risk, it is worthwhile to change your passwords now and again, but now the urgency isn't such a high priority.

It has been a journey, but one that hopefully you have learned a lot.

Ready to try sending that file in the chest to avast ?
Open the chest, User Files section, Right click on the file and select email to Alwil Software.

You should get a pop-up window (leave any default settings), type 'Undetected Malware' in the text window, give a brief description that it was found by MalwareBytes AntiMalware and give the malware name given by MBAM.
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 16, 2008, 04:17:12 PM
I downloaded PCTools Firewall Plus which came with ThreatFire.  I hope these are the correct selections.  Anyway both are now running

Learning curve statement is noted!!!??!! with the following query to which I couldn't find assistance in the quickstart help guide

A PCT Firewall Plus window has appeared with "bonjour service" is trying to act as a server and accept incoming connections.  I googled it (safely this time) and it appears it came with Photoshop CS3 and as I don't have version Cue I don't need it.  This link gives instructions to delete it http://www.ajuaonline.com/2007/10/02/how-to-remove-bonjour-service/     OR

if I OK the block offered by PCTFplus will that deal with it superficially so that it doesn't pop up again?

wyrmrider -- Even with a firewall in place I am really reluctant to reformat (knowing full well the benefits of the procedure) because I discovered recently that the Adobe CS2 programme I have is a forgery and Adobe have told me (kindly I might add) that if I ever need to do reformat it will be impossible to register the CS3 upgrade again.  I don't fully understand how their system allowed the upgrade registration in the first place but it works and of course now I don't want it not to work.

************************

David, I have just read your post and will perform the avast action and report back.  I agree it has been a journey and I really am grateful for the help I have received along it especially from you. 
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 16, 2008, 04:46:52 PM
wyrmrider, was not suggesting that you reformat, in fact the reverse.

Quote from: wyrmrider
some people overact and reformat their hard drive and reinstall their os
in your case, without getting a firewall in place, there would be no long term benefit in that

I have made bold the relevant parts of the statement.
Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 16, 2008, 04:52:14 PM
right
do not panic and reformat-
David and I are users like you- volunteers however he has been at avast much longer than I have
I have been doing Windows security for over 10 years but not avast.  It is really hard to keep up with all the latest threats when you are supposed to be retired

What I was trying to say was without a firewall you are so vulnerable that reformatting would be a big waste of time
The firewall will take some getting used to but it will settle down and be a background issue soon
grin and bear it
I like the way you google and ask questions
Like the Carpenter  measure twice -cut once
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 16, 2008, 05:15:43 PM

Quote from: wyrmrider
I'm going to list a few steps - for later
1   LOCK DOWN INTERNET EXPLORER- there are guides- after you do your firewall we can find one

wyrmrider

wyrmrider : I googled Lock Down IE and perused a few sites.  Am I correct in thinking that this procedure is specific to those who use IE as their browser?  My preferred browser is Firefox and until yesterday there was only one programme installed on my computer that defaulted to IE automatically - Picasa (to upload photos).  Now I notice that PCTFplus also defaults to IE when the upgrades tab is clicked.  What I would like to do is default these to Firefox if such a setup step is possible.


Quote from: wyrmrider
2    install Javacool Spyware blaster
http://www.javacoolsoftware.com/spywareblaster.html
(Tony Kline maintains a list of CLSID- Active X baddies, several people use Tony's list plus their own to make blocklists.  The Atribune VUNDOFIX program I mentioned checks for the presence of several hundred as do many other programs
Spywareblaster sets a "Kill bit" in a list of ActiveX identifiers  If something tries to run them- well they Can't) a reasonably foolproof tool

wyrmrider

I am a bit confused by further suggestions of anti spyware stuff.  On my system I currently have
avast!, SuperAntiSpyware, PCTools Firewall Plus (incl. ThreatFire), Malwarebytes and RogueRemover.  Some of which automatically run and others need regular activation to perform their tasks.  Are your suggestions for running in conjunction with the programmes insitu OR to replace the ones I have?

Can antispyware programmes like SuperAntiSpyware and SpywareBlaster run together, for example. 

As for CLSID - Active X baddies etc etc I confess that sounds way over my head even after a quick read on some google links.  I fear that that level of control/operation is way out of my league.

***************************************

my post here was in full composition while your posts came in....

Thank you for your compliment wyrmrider

I didn't mean to sound as though I was panicking (on the contrary I have felt in safe hands since this all began).  I just wanted to state my reasons upfront should it be suggested again now that the Firewall is in place.

--The email to Alwil went successfully.
Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 16, 2008, 05:47:57 PM
FREE super-antispyware, rogue remover, malwarebytes (and ad-aware et al) all are passive- they provide no prevention - they only scan when you run them

threat fire is active but I am not that familiar with it
Threat-fire- should complement your Avast AV
let someone else speak on this  If it works fine on your system it could help

I did not know you were using firefox
Now you can Really lock down IE
Why?
because some malware will start IE and then exploit it
Most do not uninstall IE but keep it around for windows update and those programs that require it
(although there are now work-arounds for firefox)
however spyware blaster is totally inert- works with everything else but we can discuss it later as IE is not your primary browser

Not right away, and I would like DavidR to comment on this
but I think the installation of a hosts file would be next after you have digested the Firewall experience
personally I would download Spybot Search and Destroy and use the built in Immunize feature
The Spybot Scanner is similar to the other passive ones
there are other hosts file -I use MVPS hosts but there is also HPHosts

Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 16, 2008, 08:43:11 PM
wyrmrider,

Quote from: wyrmrider
FREE super-antispyware, rogue remover, malwarebytes (and ad-aware et al) all are passive- they provide no prevention - they only scan when you run them


Well there is something else cleared up for me.  I thought SAS was on in the background.

Quote from: wyrmrider
..... download Spybot Search and Destroy and use the built in Immunize feature.
The Spybot Scanner is similar to the other passive ones
there are other hosts file -I use MVPS hosts but there is also HPHosts


Do SpywareBlaster and Spybot Search and Destroy do different things?  I have looked over them generally but I am not sure if they perform identical services or not.

I am at a complete loss with the rest of your information, wyrmrider (even after a brief read on Wikipedia I could see "hosts" is a concept that needs more understanding than I have available).  I would love to be able to discuss moderately knowledgeably the steps necessary to safeguard my computer.  However I confess that I am increasingly seeing things in a very fuzzy befuddled manner.   

Quote
....I think the installation of a hosts file would be next after you have digested the Firewall experience

I am unsure about the above statement...

.....am  I to familiarise myself with Firewall first (oh boy I love reading manuals) before other steps like locking down IE, installing Spybot and/or SpyBlaster and all those other things referred to your last few posts are carried out.  I don't think you would mean that but I am confused as to where to go next (start?). 

I can see that I was actually delusional because I thought things were close to being sorted out.    :D


Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 16, 2008, 09:03:18 PM
They are close to being sorted out

lots of time for anything else

Take a break

Spybot Immunize and Spywareblaster are Complementary

Only the PAID version of SAS runs in background

Host file concept can take some time to understand
but you do not have to REALLY understand it
It just plain WORKS- the program loads a list of bad places into your C:\Windows\HOSTS file
your browser looks at HOSTS first before going out to the internet and since it's in hosts it NEVER goes to the internet- returns an empty file to whoever asked- SIMPLE
just watch for blank spots that say "site not found"  that's a clue your Hosts has blocked something
just remember that if something you really want wants to load and does not it might be HOSTS but most likely something else

If a bad program like- you know what- gets into your computer it can't phone home and invite all of its friends to the party- send off your personal info, etc
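
The HOSTS lookup described in the post above, as an added example that is not part of the original thread: a Python audit that parses hosts-file text, lists the names it sinkholes to a loopback or unspecified address, and flags any entry that points a name at some other address, since the same override that blocks a site can also redirect one. The sample file content, host names and function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample of hosts-file content (not taken from the thread).
# On Windows the resolver's hosts file normally lives at
# %SystemRoot%\System32\drivers\etc\hosts; read that file's text and pass it
# to parse_hosts() to audit a real machine.
SAMPLE_HOSTS = """\
# Constructed sample: blocklist-style entries plus one line that needs review
127.0.0.1    localhost
::1          localhost
0.0.0.0      ads.example.net        # sinkholed ad server
127.0.0.1    tracker.example.org metrics.example.org
203.0.113.50 www.examplebank.test   # points a name at a remote address
not-an-ip    broken.example.com
0.0.0.0      Scan.Rogue-AV.TEST
"""

# Names that are expected to map to loopback and are not "blocks".
LOCAL_NAMES = {"localhost"}


class Entry(NamedTuple):
    lineno: int
    ip: str
    host: str


def parse_hosts(text):
    """Parse hosts-file text.

    Returns (entries, malformed) where entries is a list of Entry (one per
    host name, because a line may carry several names) and malformed is the
    list of line numbers that have no valid address or no host name.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:
            malformed.append(lineno)
            continue
        for name in fields[1:]:
            # Host names are case-insensitive; normalise before comparing.
            entries.append(Entry(lineno, str(ip), name.lower().rstrip(".")))
    return entries, malformed


def is_sink(ip):
    """True for addresses used to black-hole a name (127.0.0.1, ::1, 0.0.0.0, ::)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit(entries):
    """Split entries into blocked names and overrides that deserve a look.

    blocked   -> sorted host names mapped to a sink address
    overrides -> sorted (host, ip) pairs mapped to any other address; a
                 blocklist has no reason to contain these, so each one should
                 be explained or removed.
    """
    blocked = sorted({e.host for e in entries
                      if is_sink(e.ip) and e.host not in LOCAL_NAMES})
    overrides = sorted({(e.host, e.ip) for e in entries if not is_sink(e.ip)})
    return blocked, overrides


def is_blocked(hostname, entries):
    """Exact-name match only: the hosts file has no wildcards, so blocking
    ads.example.net does not block cdn.ads.example.net or example.net."""
    name = hostname.lower().rstrip(".")
    return any(e.host == name and is_sink(e.ip) for e in entries)


if __name__ == "__main__":
    parsed, bad_lines = parse_hosts(SAMPLE_HOSTS)
    blocked_names, review = audit(parsed)
    print("blocked:", blocked_names)
    print("review these overrides:", review)
    print("malformed lines:", bad_lines)
```

Because matching is by exact name, a blocklist only covers the hosts it lists, which is why maintained lists such as the ones mentioned in this thread need regular updates.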
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 17, 2008, 12:30:19 AM
Thanks for that wyrmrider.

So to recap

1.  Download Spybot and Spywareblaster now so that I have the proper antispyware operating whilst I am surfing.

Then at leisure and in good time

2.  Lock down IE

3.  Set up Host File

4.  Do this? 
Quote
(Tony Kline maintains a list of CLSID- Active X baddies, several people use Tony's list plus their own to make blocklists.  The Atribune VUNDOFIX program I mentioned checks for the presence of several hundred as do many other programs Spywareblaster sets a "Kill bit" in a list of ActiveX identifiers  If something tries to run them- well they Can't)
a reasonably foolproof tool

And what about another weapon mentioned in post #10 by DavidR --

5.  OpenDNS

I think that covers all the (unused) suggestions made by contributors to this thread.

Is this a plan?    8)

Title: Re: Unauthorised SCAN activated.
Post by: Rick F on August 17, 2008, 01:29:44 AM
Nicla,

Congratulations on getting your PC cleaned.  It can be a lot of work.  I've been following this thread since I posted just once on the first page about the pop-ups you were seeing.  DavidR and wyrmrider have been really helpful.  (I just love this forum in how the user helps other users.)

Whenever you get around to it and want to add a 'HOSTS' file, you can learn how they work by visiting this site:

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

I've been using the "MVPS Hosts file" for about 4 years now.  They update it about every two weeks and it's free. If you subscribe (also free), they'll send you an email telling you it's been updated and provide you with a few links.  One of which is a link for direct download with batch file so you can install it easily.  You can read how it works on that site which explains it pretty well.

Good luck, and happy and safe computing!
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 17, 2008, 03:32:03 AM
Thanks Rick F for your comments and good wishes.  It is comforting to know that my problems/progress have been under the watchful eye of other concerned and caring forum members albeit from the sideline.

Your link has been bookmarked for future use.
Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 17, 2008, 05:27:41 PM
www.OpenDNS.com   from first page of this thread

not familiar with this site but the idea is sound
there are several add ons which will alert if going to a bad site or in this case if a site is redirected

#1  great places to start- not perfect but easy to use
Spybot is not real time unless T-timer is turned on
when installing allow SD-Helper  T-timer is optional  try it and see if it is compatible with your system
how much memory did you say you have?

#4 Tony Klein is a comment on the Spywareblaster Technique of blocking Active X sites (since you are using Firefox as primary browser Spywareblaster is not as high a priority as Hosts)

Another thing we have not mentioned is to check program updates
try the Secunia software inspector
http://secunia.com/software_inspector/

unpatched Java or having old versions of Java (even if disabled) is a major path for the bad guys
same with Word, Adobe, lots of programs

do these things one at a time then wait a couple of days that way if something hangs (unlikely but it does happen) you know what to uninstall
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 17, 2008, 08:48:48 PM
wyrmrider

I am suffering from information overload at present.  The firewall keeps asking me questions about programmes and I am clueless as to whether to allow them or not.  At present I uncheck the 'remember this setting' box then I click on "block" assuming that at the next start up the same question will be asked and that by then I will have discovered something new and can make an informed choice.

I would like to give it a rest, as you have suggested too, for a period and try to come up to speed.  This will probably include checking out the PCTFW forum for tips etc.  In this case to ensure safe surfing would my immediate priority be to download and install Spybot S&D (selecting the options you suggest)?  And then when I come back attend to the Hosts issue?

memory on C-drive  =  14.5 GB  (not an awful lot I know)  NB - hard drive is partitioned with 65.8GB free on E-drive


#1 .......... T-timer is optional  try it and see if it is compatible with your system
how much memory did you say you have


Leading on from the quote above what I am prompted to wonder is how the operating speed of the computer might be affected with the installation of the current safeguards combined with those suggested in previous posts? What I mean is should some slowing down be expected or should its normal operation continue. (I am very happy with its operation speed).  I ask this as some titles of forum threads (not necessarily at avast!)  have made me curious about this.  So far there has been no noticeable difference.
Title: Re: Unauthorised SCAN activated.
Post by: wyrmrider on August 17, 2008, 11:33:49 PM
Every time you try and use a new program or download your firewall is going to ask if it's ok
If you know what you are doing it's ok
if not click no and google whatever it is
there are people around who know that firewall better than I or try the firewall vendor forum

as to slowing your system down
you have
Avast
Firewall
so far nothing you are doing should matter

If you do the other suggestions one at a time you can see if they lead to unacceptable performance
(which must be balanced against having to clean your system again)

Right now getting your firewall into shape is enough
one thing at a time
Title: Re: Unauthorised SCAN activated.
Post by: nicla on August 18, 2008, 04:31:19 AM
Thanks wyrmrider and DavidR -- and see you soon........ish    :-*

Nicola
Title: Re: Unauthorised SCAN activated.
Post by: DavidR on August 18, 2008, 03:24:14 PM
You're welcome, hopefully not too soon ;D e.g. you don't have any problems.