Summary: the site adxtend.net, through kontera.com, and (possibly) fc.webmasterpro.de / miislita.com / doubleclick.net / atdmt.com attempts to install the Ad PopUp Generator "Outerinfo" without your knowledge or approval.
WEBSITES TO BLOCK (use security settings or hosts file):
*? = suspicious -- not confirmed offenders, but block anyway, because one of these allowed the ad file from adxtend.net to load!
Summary: Offenders (find and delete if new to your system). Files created:
is67678.exe, xrun.exe, MBDownloader_876919.exe, MBDownloader*.exe, snapsnet.exe, wr-1-2000219.exe, chdvct.exe
C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\xrun[1].exe
C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\CAWQ4V3H.exe
C:\Documents and Settings\LUSER\Local Settings\Temp\xrun.exe
C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe
:: This virus requires Windows Scripting Host and the interpreter file "MSHTA.EXE" in order to execute. ::
C:\WINDOWS\system32\mshta.exe
:: This virus utilizes C:\WINDOWS\system32\MSINET.OCX :: ("Microsoft Internet Transfer Control" for Visual Basic 5 or 6.)
| Name | URL | Type | Size | Last modified | Retrieved |
|---|---|---|---|---|---|
| MBDownloader_876919.exe | http://adxtend.net/MBDownloader_876919.exe | Application | 100 KB | 2007-06-07 06:31 AM | 2007-06-25 06:25 PM |
| wr-1-2000219.exe | http://adxtend.net/wr-1-2000219.exe | Application | 31 KB | 2007-06-21 02:45 AM | 2007-06-25 06:25 PM |
| is67678.exe | http://adxtend.net/is67678.exe | Application | 38 KB | 2007-06-18 02:44 PM | 2007-06-25 06:25 PM |
| const.php | http://adxtend.net/code/const.php | HTML Document | 1 KB | None | 2007-06-25 06:25 PM |
| Outerinfo-1281.exe | http://adxtend.net/Outerinfo-1281.exe | Application | 942 KB | 2007-06-12 01:12 AM | 2007-06-25 06:25 PM |
| snapsnet.exe | http://adxtend.net/snapsnet.exe | Application | 108 KB | 2007-06-12 03:20 AM | 2007-06-25 06:25 PM |
Possibly associated with / identified as 'Trojan-Downloader.Win32.VB.axa' (unconfirmed).
- [2007-06-25 18:19:39.125] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'Warning - The process C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE is attempting to modify a potentially dangerous file, C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\xrun[1].exe. Do you wish to allow this?' The user was queried and a 'No' response was received.
- [2007-06-25 18:19:39.281] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access 'C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\xrun[1].exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:19:44.640] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access 'C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\CAWQ4V3H.exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:19:48.625] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access 'C:\Documents and Settings\LUSER\Local Settings\Temp\xrun.exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:19:54.984] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access 'C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\xpre[1].exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:19:58.843] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access 'C:\Documents and Settings\LUSER\Local Settings\Temporary Internet Files\Content.IE5\AR4RK983\CA27GHO5.exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:20:02.859] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access 'C:\Documents and Settings\LUSER\Local Settings\Temp\xpre.exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:20:06.890] [PID=4044] [Csamanager]: Event: The current application 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to execute the new application 'C:\WINDOWS\system32\mshta.exe'. The operation was denied.
- [2007-06-25 18:20:06.890] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'The process C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE is attempting to invoke C:\WINDOWS\system32\mshta.exe. Do you wish to allow this?' The user was queried and a 'No' response was received.
- [2007-06-25 18:20:12.015] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\xpre.exe' (as user DOMAIN\luser) attempted to call the function QueryDebugFilterState from a buffer (the return address was 0x4010f6). The code at this address is '4000ff25 20104000 ff250010 4000ff25 50104000 00006898 4e4000e8 eeffffff 00000000 00003000 00004000 00003800 00003947 57aeed37 e24899fd 587460c3' This either happens when a process uses self-modifying code or when a process has been subverted by a buffer overflow attack. The operation was denied and process terminated.
- [2007-06-25 18:20:12.015] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\xpre.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'The process C:\Documents and Settings\LUSER\Local Settings\Temp\xpre.exe is attempting to invoke a system function from a buffer. Do you wish to allow this?' The user was queried and a 'Terminate' response was received.
- [2007-06-25 18:20:12.500] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\xpre.exe' (process id 316) has been dumped into 'C:\Program Files\Cisco Systems\CSAgent\log\xpre.dmp' on the agent system. This dump file may be useful to technical support to determine whether a previous event was a true positive or a false positive.
- [2007-06-25 18:25:28.890] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\snapsnet.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\MSINET.OCX'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:28.921] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:28.921] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\snapsnet.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:28.937] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\snapsnet.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'The process C:\Documents and Settings\LUSER\Local Settings\Temp\snapsnet.exe is attempting to modify the system file C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe. Do you wish to allow this?' The user was queried and a 'No' response was received. The response was the default taken because the maximum number of concurrent queries has been exceeded.
- [2007-06-25 18:25:29.578] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.578] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\tuvwxvt.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.609] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.609] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\tuvssqp.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.640] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.640] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\xxyvspp.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.640] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.671] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\awtturo.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.671] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.671] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.671] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\ddcdcbb.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.687] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\nnnnopq.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.687] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.687] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\fccawus.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.718] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.718] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\gebbyvs.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.718] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.718] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\xxyayab.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.750] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.750] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\efccdbx.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.781] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.781] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' has triggered too many log records in the last few minutes. Further messages will be logged at a decreased rate for 10 minutes.
- [2007-06-25 18:25:29.781] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\efcccdd.dll'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:29.781] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.843] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.859] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.906] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.906] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:29.937] [PID=4044] [Csamanager]: Event: The current application 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (as user DOMAIN\luser) attempted to execute the new application 'C:\WINDOWS\system32\cmd.exe'. The operation was denied.
- [2007-06-25 18:25:30.031] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:30.046] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\MBDownloader_876919.exe' (as user DOMAIN\luser) attempted to access the registry key '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', value 'NBInstall'. The attempted access was a write (operation = WRITE/VALUE). The operation was denied.
- [2007-06-25 18:25:30.046] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\MBDownloader_876919.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'The process C:\Documents and Settings\LUSER\Local Settings\Temp\MBDownloader_876919.exe is attempting to modify the registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBInstall. Do you wish to allow this?' The user was queried and a 'No' response was received. The response was the default taken because the maximum number of concurrent queries has been exceeded.
- [2007-06-25 18:25:30.093] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:30.093] [PID=4044] [Csamanager]: Event: The current application 'C:\Documents and Settings\LUSER\Local Settings\Temp\Outerinfo-1281.exe' (as user DOMAIN\luser) attempted to execute the new application 'C:\Program Files\Outerinfo\OinFP.exe'. The operation was denied.
- [2007-06-25 18:25:30.093] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\Outerinfo-1281.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'A process is attempting to invoke C:\Program Files\Outerinfo\OinFP.exe, which has not previously been seen on this system. Do you wish to allow this?' The user was queried and a 'No' response was received. The response was the default taken because the maximum number of concurrent queries has been exceeded.
- [2007-06-25 18:25:30.156] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:30.156] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\Outerinfo-1281.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'A process is attempting to invoke C:\Documents and Settings\LUSER\Local Settings\Temp\OinADInst.exe which has been recently downloaded and may be dangerous. Do you wish to allow this?' The user was queried and a 'No' response was received. The response was the default taken because the maximum number of concurrent queries has been exceeded.
- [2007-06-25 18:25:30.156] [PID=4044] [Csamanager]: Event: The current application 'C:\Documents and Settings\LUSER\Local Settings\Temp\Outerinfo-1281.exe' (as user DOMAIN\luser) attempted to execute the new application 'C:\Documents and Settings\LUSER\Local Settings\Temp\OinADInst.exe'. The operation was denied.
- [2007-06-25 18:25:30.468] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:30.468] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:30.468] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\Outerinfo-1281.exe' (as user DOMAIN\luser) attempted to access the registry key '\REGISTRY\USER\S-1-5-21-1708537768-1303643608-725345543-209453\Software\Microsoft\Windows\CurrentVersion\Run', value ''. The attempted access was a write (operation = CREATE/KEY). The operation was denied.
- [2007-06-25 18:25:30.500] [PID=4044] [Csamanager]: Event: The current application 'C:\Documents and Settings\LUSER\Local Settings\Temp\Outerinfo-1281.exe' (as user DOMAIN\luser) attempted to execute the new application 'C:\Program Files\Outerinfo\OuterinfoUpdate.exe'. The operation was denied.
- [2007-06-25 18:25:30.718] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:30.718] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\wr-1-2000219.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\retadpu2000219.exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:25:32.250] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:32.250] [PID=4044] [Csamanager]: Event: The current application 'C:\Documents and Settings\LUSER\Local Settings\Temp\MBDownloader_876919.exe' (as user DOMAIN\luser) attempted to execute the new application 'C:\Documents and Settings\LUSER\Local Settings\Temp\NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe'. The operation was denied.
- [2007-06-25 18:25:38.656] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\is67678.exe' (process id 2720) has been dumped into 'C:\Program Files\Cisco Systems\CSAgent\log\is67678.dmp' on the agent system. This dump file may be useful to technical support to determine whether a previous event was a true positive or a false positive.
- [2007-06-25 18:25:51.234] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\snapsnet.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'The process C:\Documents and Settings\LUSER\Local Settings\Temp\snapsnet.exe is attempting to modify the system file C:\WINDOWS\system32\MSINET.OCX. Do you wish to allow this?' The user was queried and a 'Terminate' response was received.
- [2007-06-25 18:25:51.234] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\snapsnet.exe' (as user DOMAIN\luser) attempted to access 'C:\WINDOWS\system32\MSINET.OCX'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied and process terminated.
- [2007-06-25 18:25:52.437] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\snapsnet.exe' (process id 3604) has been dumped into 'C:\Program Files\Cisco Systems\CSAgent\log\snapsnet.dmp' on the agent system. This dump file may be useful to technical support to determine whether a previous event was a true positive or a false positive.
- [2007-06-25 18:26:33.312] [PID=4044] [Csamanager]: Event: The current application 'C:\Documents and Settings\LUSER\Local Settings\Temp\adkseimop43855.exe' (as user DOMAIN\luser) attempted to execute the new application 'C:\WINDOWS\system32\wscript.exe'. The operation was denied and process terminated.
- [2007-06-25 18:26:33.312] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\adkseimop43855.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'A process is attempting to invoke C:\WINDOWS\system32\wscript.exe, which has not previously been seen on this system. Do you wish to allow this?' The user was queried and a 'Terminate' response was received.
- [2007-06-25 18:26:33.546] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\adkseimop43855.exe' (process id 284) has been dumped into 'C:\Program Files\Cisco Systems\CSAgent\log\adkseimop43855.dmp' on the agent system. This dump file may be useful to technical support to determine whether a previous event was a true positive or a false positive.
- [2007-06-25 18:26:52.328] [PID=4044] [Csamanager]: Event: The current application 'C:\WINDOWS\system32\mshta.exe' (as user DOMAIN\luser) attempted to execute the new application 'C:\Documents and Settings\LUSER\Local Settings\Temp\chdvct.exe'. The operation was denied and process terminated.
- [2007-06-25 18:26:52.328] [PID=4044] [Csamanager]: Event: The process 'C:\WINDOWS\system32\mshta.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'A process is attempting to invoke C:\Documents and Settings\LUSER\Local Settings\Temp\chdvct.exe which has been recently downloaded and may be dangerous. Do you wish to allow this?' The user was queried and a 'Terminate' response was received.
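A triage helper for the Csamanager log above, added here as an example (not code from the original page or from Cisco): it parses each event line into structured fields, flags registry writes under CurrentVersion\Run as autostart persistence attempts, and counts how many prompts the agent answered with its default because its queue of pending questions (max=4) was full. The sample lines are constructed, shortened copies of line formats taken from the log above.

```python
"""Triage helper for Cisco Security Agent (Csamanager) logs like the one above:
parse each line into a structured event, flag writes to autostart (Run) keys,
and count prompts the agent auto-answered because its queue of pending
questions (max=4) was already full."""
import re

# Constructed sample: shortened copies of line formats that occur in the log above.
SAMPLE_LOG = r"""
- [2007-06-25 18:19:39.281] [PID=4044] [Csamanager]: Event: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to access 'C:\Documents and Settings\LUSER\Local Settings\Temp\xrun.exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
- [2007-06-25 18:20:06.890] [PID=4044] [Csamanager]: Event: The current application 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user DOMAIN\luser) attempted to execute the new application 'C:\WINDOWS\system32\mshta.exe'. The operation was denied.
- [2007-06-25 18:20:12.015] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\xpre.exe' (as user DOMAIN\luser) attempted to call the function QueryDebugFilterState from a buffer (the return address was 0x4010f6). The operation was denied and process terminated.
- [2007-06-25 18:25:28.921] [PID=4044] [Csamanager]: Num of pending queries reached max=4. Will respond with default action.
- [2007-06-25 18:25:30.046] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\MBDownloader_876919.exe' (as user DOMAIN\luser) attempted to access the registry key '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', value 'NBInstall'. The attempted access was a write (operation = WRITE/VALUE). The operation was denied.
- [2007-06-25 18:25:30.046] [PID=4044] [Csamanager]: Event: The process 'C:\Documents and Settings\LUSER\Local Settings\Temp\MBDownloader_876919.exe' (as user DOMAIN\luser) attempted to access a resource which resulted in the user being asked the following question. 'The process is attempting to modify the registry key. Do you wish to allow this?' The user was queried and a 'No' response was received. The response was the default taken because the maximum number of concurrent queries has been exceeded.
"""

LINE_RE = re.compile(r"^- \[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\] "
                     r"\[PID=\d+\] \[Csamanager\]: (?P<body>.*)$")
ACTOR_RE = re.compile(r"^Event: The (?:process|current application) '(?P<proc>[^']+)' "
                      r"\(as user (?P<user>[^)]+)\) attempted to (?P<rest>.*)$")
EXEC_RE = re.compile(r"^execute the new application '(?P<target>[^']+)'")
REG_RE = re.compile(r"^access the registry key '(?P<key>[^']+)', value '(?P<val>[^']*)'"
                    r"\. The attempted access was a (?P<op>\w+)")
FILE_RE = re.compile(r"^access '(?P<target>[^']+)'\. The attempted access was a (?P<op>\w+)")
BUF_RE = re.compile(r"^call the function (?P<fn>\w+) from a buffer")
PROMPT_RE = re.compile(r"^access a resource which resulted in the user being asked.*"
                       r"a '(?P<resp>\w+)' response was received(?P<tail>.*)$")
# HKLM/HKCU ...\CurrentVersion\Run (the key itself or a value under it) = autostart persistence.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:\\|$)", re.IGNORECASE)

def parse_line(line):
    """Return an event dict for one Csamanager log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "proc": None, "user": None, "kind": "other",
          "target": None, "outcome": None, "defaulted": False}
    body = m["body"]
    if body.startswith("Num of pending queries reached max"):
        ev["kind"] = "query-overflow"      # the agent will answer the next prompt itself
        return ev
    a = ACTOR_RE.match(body)
    if not a:
        return ev                          # e.g. "has been dumped into ..." notices
    ev["proc"], ev["user"], rest = a["proc"], a["user"], a["rest"]
    ev["outcome"] = ("denied+terminated" if "process terminated" in rest
                     else "denied" if "was denied" in rest else "unknown")
    if (x := EXEC_RE.match(rest)):
        ev["kind"], ev["target"] = "execute", x["target"]
    elif (x := REG_RE.match(rest)):
        ev["kind"] = "registry-" + x["op"]
        ev["target"] = x["key"] + ("\\" + x["val"] if x["val"] else "")
    elif (x := FILE_RE.match(rest)):
        ev["kind"], ev["target"] = "file-" + x["op"], x["target"]
    elif (x := BUF_RE.match(rest)):
        ev["kind"], ev["target"] = "call-from-buffer", x["fn"]
    elif (x := PROMPT_RE.match(rest)):
        ev["kind"], ev["outcome"] = "prompt", x["resp"]
        ev["defaulted"] = "default" in x["tail"]   # answered by the agent, not the user
    return ev

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def is_persistence_attempt(ev):
    return ev["kind"].startswith("registry-") and bool(RUN_KEY_RE.search(ev["target"]))

def prompt_stats(events):
    """Prompts shown vs. prompts the agent answered with its default because max=4 was hit."""
    prompts = [ev for ev in events if ev["kind"] == "prompt"]
    return {"prompts": len(prompts),
            "defaulted": sum(ev["defaulted"] for ev in prompts),
            "overflow_notices": sum(ev["kind"] == "query-overflow" for ev in events)}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        if ev["target"]:
            tag = "  <-- autostart persistence" if is_persistence_attempt(ev) else ""
            print(ev["ts"], ev["kind"], ev["outcome"], ev["target"] + tag)
    print(prompt_stats(evs))
```

Run it against a full Csamanager log file by passing the file's text to parse_log; a high "defaulted" count means the user never actually saw most of the prompts, so the block decisions came from the agent's default policy.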

[update July 7 2007, regarding WebmasterPro.de]
[someone from webmaster pro contacted us to protest their inclusion on this page. The explanation given is that some other site (probably adxtend.net) is using a counter provided by webmasterpro.de. It might be that, or it might be the embedded advertising... In any case, I'm moving them from 'block absolutely' to 'unconfirmed but block anyway']
Temp folder file info, and McAfee / Network Associates detection / nomenclature
Method of Infection - Installs automatically and silently when visiting certain websites using Microsoft Internet Explorer.
| Attributes | Name | Description | Size | Type | Date Modified | Date Created | File Version | Product Name | Company | Product Version |
|---|---|---|---|---|---|---|---|---|---|---|
| A | ~DFD617.tmp | | 16 KB | TMP File | 2007-06-25 06:20 PM | 2007-06-25 06:20 PM | | | | |
| A | snapsnet.exe | | 108 KB | Application | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM | | | | |
| A | Outerinfo-1281.exe | Outerinfo.com AdWare Installer | 942 KB | Application | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM | | | | |
| A | ~DFC0C6.tmp | | 16 KB | TMP File | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM | | | | |
| A | MBDownloader_876919.exe | Mirar 1.0.0.5 Affiliate Downloader AD Setup | 100 KB | Application | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM | 1.0.0.5 | Affiliate Downloader AD Setup | M i r a r | 1, 0, 0, 5 |
| HSA | removalfile.bat | (contents listed below the table) | 1 KB | MS-DOS Batch File | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM | | | | |
| A | mitDB.tmp | Adware.Mirar (Spyware Bar Plugin). Includes: BAR_VCSETUP_876919_LOG_IES_NODMY_AFF.EXE\00075110.EXE (Mirar Toolbar) | 257 KB | archive (compressed folders); * Adware-Mirar (Adware) | 2007-06-25 06:25 PM | 2007-06-25 06:25 PM | | | | |
| A | adkseimop43855.exe | | 113 KB | Application | 2007-06-25 06:26 PM | 2007-06-25 06:26 PM | | | | |
| A | chdvct.exe | | 216 KB | Application | 2007-06-25 06:26 PM | 2007-06-25 06:26 PM | | | | |
| | is67678.exe | Vundo (Trojan) | | * Vundo (Trojan) | | | | | | |
| | C:\Program Files\Outerinfo\OUTERINFOUPDATE.EXE | Adware-ClickSpring (VARIANT: Outerinfo.com) | | Downloader-BCF (Trojan) | | | | | | |
| | wr-1-2000219.exe\wr-1-2000219.exe | | | | | | | | | |

Contents of removalfile.bat (loops until the file passed as %1 is gone):

    @echo off
    :df
    del %1
    if exist %1 goto df
= PER MCAFEE VIRUS SCAN ENTERPRISE: =
2007-06-25 11:32 PM Deleted
c:\Documents and Settings\luser\Local Settings\Temp\is67678.exe Vundo(Trojan)
2007-06-25 11:44 PM Deleted
c:\Documents and Settings\luser\Local Settings\Temp\mitDB.tmp.cab \NNBAR_VCSETUP_876919_LOG_IES_NODMY_AFF.EXE\00075110.EXE Adware-Mirar (VARIANT = outerinfo)
2007-06-25 11:46 PM Deleted
c:\Documents and Settings\luser\Local Settings\Temp\mitDB.tmp.cab \NNBAR_VCSETUP_876919_LOG_IES_NODMY_AFF.EXE\00019110.EXE Adware-Mirar (VARIANT)
2007-06-25 11:46 PM Deleted
c:\Documents and Settings\luser\Local Settings\Temp\NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe\00075110.EXE Adware-Mirar (AdWare)
2007-06-25 11:46 PM Deleted
c:\Documents and Settings\luser\Local Settings\Temp\wr-1-2000219.exe\wr-1-2000219.exe Downloader-BCF (Trojan)
2007-06-26 12:08 AM Deleted
temp-internet-files_content.IE5-quarantined.rar\OUTERINFOUPDATE.EXE -- Adware-ClickSpring (AdWare); Adware-Outerinfo (AdWare)
2007-06-26 12:08 AM Deleted
temp-internet-files_content.IE5-quarantined.rar\IS67678[1].EXE -- Vundo (Trojan)
2007-06-26 12:08 AM Deleted
temp-internet-files_content.IE5-quarantined.rar\WR-1-2000219[1].EXE -- Vundo (Trojan)
Because Adware.Mirar functions as a Microsoft Internet Explorer plugin, it is necessary to close all open Internet Explorer windows to remove it.
More info: http://www.symantec.com/security_response/print_writeup.jsp?docid=2004-091714-4329-99
http://www.symantec.com/security_response/writeup.jsp?docid=2004-091714-4329-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2004-091714-4329-99&tabid=1
---
OinADInst.exe (found in the 'Temp' directory: C:\Documents and Settings\luser\Local Settings\Temp)
Info from http://www.fileresearchcenter.com/O/OINADINST.EXE-10950.html :
Summary: Adware.ClickSpring/Outer Info Network-Installer.Process
Description: Outer Info/ClickSpring adware-related process. May be deployed with/used by several applications distributed by or affiliated with ClickSpring. Adware applications, toolbars and browser extensions may serve advertisements even while you are not surfing the Internet. This application may serve various types of advertising, not limited to pop-up ads.
Company: Outerinfo.com (http://www.outerinfo.com)
Threat Level: 7
Category: ADWARE
Processes: OINADINST.EXE
Posted / date available: June 25 2007
Submitted to lyberty.com from "L.R. Miller"
Last Updated: July 8 2007
Related Links / Linkbacks:
http://msmvps.com/blogs/spywaresucks/archive/2007/12/08/1386804.aspx (link last checked 2008-06)
http://www.who-is-who-in-gpt.com/forum/index.php?showtopic=7179 (last checked 2008-06)