Attention: The forums will be placed on read only mode this Saturday (Oct. 20, 2018)

During this outage (6:30 AM to 8 PM PDT) the forums will be placed on read only mode. We apologize for this inconvenience. Click here to read details

Spyware, Viruses, & Security forum

General discussion

Several problems to solve

by darkdestiny7 / July 7, 2007 2:30 PM PDT

The first problem is with one of the computers my family have been using. My brother happened to be using that computer a few seconds when suddenly, the screen has darkened a little and a message appeared in the middle. I didn't get what it exactly say; one half of it is in chinese (can't type chinese here Sad ), while the other in english. Switched off the computer immediately when I saw the message.

All I can remember is that the message asks the user to "Get a cup of coffee".

Anyway, switch to Safe Mode and left the computer scanning with Spybot.

Is this the work of a virus or spyware?

Second:

I've been using IE6 very seldom these days (used it only when I want to access my Hotmail and School E-learning website. However, every time after I used IE, I've been noticing a registry change on the security settings of IE. NOTE: Before I used IE I have its Advanced settings in the Options window Restored to Default.

This is what Spybot had found:

Microsoft.Windows.Security.InternetExplorer
Settings
HKEY_USERS\S-1-5-21-1487884451-4009603759-282749768-1005\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplorerexe!=W=1
Problem: Registry Change

The data of that particular registry is 0x00000001(1), but before the scan it was 0x00000000(0).

Do anyone knows how to fix the problems?

Discussion is locked
You are posting a reply to: Several problems to solve
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Several problems to solve
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
I May Be Mistaken but.... I Suspect That.....
by tobeach / July 7, 2007 5:28 PM PDT

Spybot has noticed that there has been the change you created by setting IE properties from Advanced (when configured properly= More secure) to
Default (normally LESS secure). Hence some lock-down controls were disabled (1 at end of string means active, 0 means disabled).

If you used S&D's Tea Timer, it would prevent this action until you ok'd it in TT's pop-up request for approval. This is because it's not sure whether YOU created this change or if the change was instituted by a trojan or malware. Basically it's saying:
Your IE security has been reduced, are you sure you want to allow this?

The following page at Wilder's will give several listed suggested
secure setting links for IE including one for a free, small utility that will make some changes for you.

http://www.wilderssecurity.com/showthread.php?t=134886&highlight=settings+IE+advanced

Hope this helps. Good Luck! Happy

Collapse -
Thanks a lot about my second problem
by darkdestiny7 / July 7, 2007 6:06 PM PDT

I've gone to 2 of the sites given in the forum link to provided below. Though both had different opinions and tricks, I decided to use the first one given in the site. Changing the settings according to that right now.

As for the first problem, a scan by Trend Micro Internet Security 2007 had shown the following things found:

Spyware: Cookie_SpecificClick (bad internet browser cookie)
Virus: VBS_ATTA.A (File Monitor) (Quarantined)

The thing is, the virus had been found in my one and only THUMB DRIVE! Despite it having a pre-installed antivirus (Avast! U3 Edition). Anyway, it's removed by TMIS2007.

Collapse -
Possible Misspelling? I Entered VBS_ATTA.A @ TM's....
by tobeach / July 8, 2007 5:29 PM PDT

search engine and came back as unknown/not found. Tried w/Caps & small case & some variants. If not Spelling then possible false positive?

I'm sure you've deleted cookie by now.

If thumb drive virus (vbs) is quarantined, you should be ok but you should be able to delete it from both HD & thumb.

The following link has link to Flash_Disinfector.exe for cleaning flash thumb drives:

http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=238250&messageID=2429856#2429856
Good Luck. Happy

Collapse -
Possibly...
by darkdestiny7 / July 8, 2007 9:39 PM PDT

I can't really confirm if I got the spelling wrong. All I can say is, when I check out the virus at the Knowledge Base, it's there.

Although I've literally deleted the file itself, I come across one problem:

I can't open my thumb drive through the My Computer window. I have to click on the menu in the desktop to open it.

NOTE: If you're wondering why I have this "menu" thing in my thumb drive, the portable thing has the latest U3 system, which means I can lock it up with a password safely. It also has several free programs (some though limited) like Avast! U3 Edition (free pre-installed license that ends in early September. Only function missing once expired is that I won't be able to update anymore). Perhaps next time I'll switch on that antivirus shield/scanner program to block viruses in the future.

I wonder: should I renew my subscription with Avast! U3 Edition ($23.95 for 2 years while $14.95 for 1 year) just to keep it up to date?

Collapse -
Your Choice. The Price Doesn't Seem Extortionate......
by tobeach / July 9, 2007 4:27 PM PDT
In reply to: Possibly...

I'm a freebie type myself. Don't know/ haven't used U3 to give a valid opinion. I know many like Avast in general. AV without update defs is useless BUT if license is only for tech fixes of bugs in product (U3)I would wonder how buggy can it be?

Possible that you can't run Thumb from >My Comp< because there would be no password entry point?? Happy

Collapse -
Just to correct the spelling...
by darkdestiny7 / July 10, 2007 11:01 PM PDT

The virus name is VBS_ATTAS.A. Below is the information from the TM knowledge base.

Overview

Malware Type: VBScript
Aliases: Virus.VBS.Attas.a, VBS/IE-Title, HEUR/Exploit.HTML, Troj/Achi-A
In the wild: No
Language: English

Overall risk rating: Low
Reported Infections: Low
Damage potential: Low
Distribution potential: Low

Description:
Scripts are generally written code that are interpreted and implemented by another application. In contrast, compiled programs can run on their own, but are often harder to produce as they have to be compiled.

Malware authors have taken advantage of relative ease of producing scripts and have produced significant numbers of script malware - many of which are written using Visual Basic Script, JavaScript, and HTML.

Many scripts can run on most systems without the installation of a special interpreter program. For example, certain Windows systems have Windows Scripting Host, which can interpret different script types. Also, HTML scripts are loaded by Web browsers, which are commonly installed on most computers.

Solution

For Trend customers:
Keep your pattern file and scan engine updated. Trend Micro antivirus software can clean or remove most types of security threats. Certain malicious programs, such as Trojans, scripts, overwriting viruses, and joke programs that are identified as "uncleanable", should simply be deleted.

For all Internet Users:
For a quick check-up of your PC, use HouseCall - Trend Micro's online virus scanner. This will check for security threats, which may already be on your PC.

OR

To keep your computer healthy by preventing possible security attacks against your PC or network, get the best antivirus solution available today. Trend Micro offers antivirus and content security solutions for home users, corporate users, and ISPs. To look through our entire product line, click here.

Anyway, no worries. It won't infect again.

Collapse -
I would like to ask though...
by darkdestiny7 / July 10, 2007 9:20 AM PDT

After changing the security settings of IE, I noticed that I'm not able to log into my Windows Live Hotmail. Any suggestions to what can be done?

Collapse -
"& Thar Be The Rub"...Hotmail Insists You .....
by tobeach / July 10, 2007 3:34 PM PDT

allow it to pollute your machine to their hearts desire with cookies from themselves & whatever 3rd party will pay them for access. I've, on several occasions, have had machine crash when leaving HM; I believe due to poorly written script in ads.
Lately they try to forcefully re-direct your browser to MSN site for an additional batch of unwanted cookies when you try to sign out to "Home Page"(if not MSN). This is EVEN when using Mozilla not IE.
You want the product, you lower security for that site "& takes yer chances"...Daughter suggests security medium & privacy at medium high (if your version allows that much variance). or else medium in IE Options.
Don't have Firefox so not sure what highest possible settings will let you in. Sad

Collapse -
Huh? Logout?
by darkdestiny7 / July 10, 2007 10:46 PM PDT

I don't usually log out from my accounts in Windows Live Hotmail. Usually I would close the Window after I've viewed all of my (new) messages.

Come to think of it, long before I even joined CNET Forums, I've got the problem of "Bad Internet Browser Cookies" (according to TMIS2007) that causes IE to pop up with the same Hotmail link for a long time. Usually the problem's solved with disinfection by TMIS2007 or Spybot, or I recover the entire system to square one. (I'm not asking for any discussions here, as this problem is already solved).

However, I've been constantly receiving the same indication of registry change even after changing the security settings. I still think it's the Advanced tab in the Internet Options, which I've already defaulted it (under AOL Security Monitor's suggestion)

Collapse -
Just a question
by darkdestiny7 / July 24, 2007 10:03 PM PDT

By now I have already edited the Security settings and set the Privacy settings to Medium-High. But what I wonder is: is there a need to change the Advanced settings, or has it already been configured during the first boot?

Anyway, I'm still constantly receiving the same notice from a scan from Spybot that the security settings for IE is disabled. I'm checking the forums for the answer.

Collapse -
How will you avoid the next threat?
by R. Proffitt Forum moderator / July 24, 2007 10:10 PM PDT
In reply to: Just a question

I see months have passed and you are not taking the good advice offered here. How do I know? If you had you would not been hit with said scripts.

What is it going to take for you to take the great advice from the forums and stop having to battle pests and just use your machine?

Bob

Collapse -
Not quite right here
by darkdestiny7 / July 24, 2007 10:25 PM PDT

I've followed some of the advices offered to me during the past few months. But some I can't really remember for unknown reasons. As for some of the more recent posts focused more on questions relating to fixing my cousin's laptop.

I didn't want this problem to constantly recur over and over again during my scans with Spybot, and thus the new post in this thread. Hopefully a similar request in the safernetworkings forum will be able to clear the problem for good.

Collapse -
If you posted the same question at
by roddy32 / July 24, 2007 11:29 PM PDT
In reply to: Not quite right here

the Spybopt forum you should wait for an answer there instead of posting the same question here. Posting in multiple forums is frowned upon EVERYWHERE. Also many of the people at one forum will also help out at the others. That is why is is called a security community. If you get the same reputation there that you have here you will find that you will get help NOWHERE. You never seem to follow the advice that you are given anyway.

Collapse -
The problem about Spybot is solved...
by darkdestiny7 / August 12, 2007 10:30 PM PDT

I've managed to catch the "culprit" that has been changing my registry (look at the 1st post) which was detected by Spybot. ASMonitor.exe (known as Active Security Monitor) has been changing the registry on startup. Thanks to the Spybot Team at their forums, I downloaded and used the Registry Monitor (RegMon) to run a boot log and found what had caused the problem.

But I don't quite get it. Active Security Monitor is a tool to detect what is affecting a computer's security, but why is it checking the IE Advanced option, "Allow active content to run in files on My Computer"? Perhaps it's checking if the IE settings are configured for excellent security?

Popular Forums

icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

FALL TV PREMIERES

Your favorite shows are back!

Don’t miss your dramas, sitcoms and reality shows. Find out when and where they’re airing!