TechSpot

my kaspersky has detected exploit.html

By ejames82
Oct 20, 2006
  1. two days ago i received an alert from my AV that malware was detected in C:\...\Content.IE5\QFUJ1AR\pus-practices[1].htm and could not be removed. exploit.html. the first option available to me was to quarantine, and that is what i chose. apparently this malware has not done any damage, but i don't like the idea of malware being quarantined on my system. can i delete the entire content.IE5 folder, or is it essential to me? thanks, Ed James
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    First, delete the file in quarantine. Then go to the IE5 folder and delete whatever you can. Don't try and delete the folder itself. Run a fresh scan and see if anything turns up.

    You might also want to read this thread HERE and post a HJT log as an attachment.

    Regards Howard :)

    This thread is for the use of ejames82 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i have already tried to find the file by going down this path: start>my computer>c drive>WINDOWS>temp>temporary internet files>content.IE5. after i click on content.IE5, none of the folders are entitled QFUJQ1AR. i have used the search feature to try to find QFUJQ1AR, to no avail. so i haven't deleted anything as of yet. neither spy sweeper nor kaspersky finds anything in the scans, and i run them in safe mode. i keep getting alerts from kaspersky saying that exploit.html has been quarantined.
    i know that i am capable of running a hijackthis, but the attachment will be the tricky part for me. it may be possible now, though, since i have changed firewalls. so i am getting right on this, and i will keep you informed. thanks again for the help, Ed James
     
  4. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i hope this works. the attachment is there, under additional options. thanks again, Ed James
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I can find nothing particularly nasty in your HJT log. However, you didn't rename HijackThis.exe as per the instructions, so it's possible you have something on your system that is hiding from HJT.

    Rename HJT and post a fresh log.

    Regards Howard :)

     
  6. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    will do. this should be easier than the last one. will keep you informed. thanks again, Ed James
     
  7. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i renamed everything i could hijackthis1991.exe before i ran the scan. i hope this is right. if not, at least i have the attachment problem solved. if this is not right, could you please let me know exactly what i should be doing? thanks again, Ed James
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ALCXMNTR.EXE

    Close task manager.


    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [EarthLink Installer] " /C

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    ALCXMNTR.EXE Search your system for this file and delete all instances of it.

    Reboot your computer.

    Other than the above, your HJT log is clean.

    Let me know if you're still having problems.

    Regards Howard :)

     
  9. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i have read hundreds of your posts and you instruct the people that you help to run hijackthis with no other programs open.
    when you say, no other programs open, i think you mean; you're not allowed to have an ebay webpage stashed in the taskbar.
    if you're also saying that i need to shut down my kaspersky, spy sweeper, and kerio firewall, please let me know. i don't want to shut them down if there's no need to, and i have never had this explained to me.
    on a side note, apparently i caught the alert from kaspersky AV at the right time and there's a very good indication that i used it to clean the exploit.html, but it's too soon to tell for sure. i will continue to follow through with your instructions as if that nasty is still in there. thanks again, Ed James
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    By run HJT with no other programmes open, I mean don't run it with any unnecessary programmes open. This does not include your antivirus programme or firewall etc.

    Sorry if I wasn't clear.

    I think your antivirus programme has caught and killed the infection. Unless you have any more alerts from your antivirus programme, I don't think you've anything to worry about.

    If you've actually read 100's of my posts, you must be very patient, or very bored lol.

    Regards Howard :)

     
  11. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    most people on this site have more than 8 months computer experience. i am definitely a newbie.
    i am fascinated with how you are able to take a person's computer that is badly infected, these infections that could trash their computer, and fix their computer to a state that they didn't have an infection in the first place. i felt awful when you had to tell the person that they had a rootkit. i had no idea how bad a rootkit was. sony DVD's infected computers with a rootkit and i doubt that they even came close to taking responsibility for it.
    it was this morning that i received the alert from kaspersky and i jumped right on it. it looks like i cleaned it. i would feel better if you checked my hijackthis. i will post it like you instructed me to. i didn't want to shut down my security, that's like throwing out the baby with the bath water. thanks again, Ed James
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    By all means, post a fresh HJT log if you want to.

    However, I seriously doubt whether it will show anything nasty. The reason I say this, is because your last HJT had nothing particularly nasty in it either.

    Of the two items I advised you to fix, only one is known as spyware and even that isn't particularly nasty. The ALCXMNTR.EXE file belongs to Realtek and phones home frequently with info about your computer usage. That's why it's classed as spyware. I know that fixing that entry has no impact on your sound and can be safely deleted.

    I had you fix the Earthlink entry because it looked suspicious and nothing more. Why did it look suspicious you may ask. Well, I haven't seen that particular entry before and it doesn't give any indication as to what's being run. HKLM\..\Run: [EarthLink Installer] " /C tells me absolutely nothing, so that's why I advised you to fix it with HJT.

    Regards Howard :)

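Added example (not part of the thread and not HijackThis's own code): a small Python check that applies the reasoning in the post above to O4 Run lines, reporting which program each entry would start and whether it names one at all. The first two sample lines are quoted in this thread; the other two, and all function names, are constructed for illustration.

```python
import re

# Layout of a HijackThis O4 registry autorun line:
#   O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] ?(.*)$')
# Unquoted command: shortest prefix that ends in an executable extension.
UNQUOTED = re.compile(r'^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)

def program_of(command):
    """Return the program a Run value would start, or '' if none is named."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        # An unbalanced or empty pair of quotes names nothing.
        return cmd[1:end].strip() if end > 0 else ''
    m = UNQUOTED.match(cmd)
    if m:
        return m.group(1)
    first = cmd.split()[0] if cmd else ''
    return '' if first.startswith(('/', '-')) else first  # only switches left

def review(line):
    """Parse one log line; return None for anything that is not an O4 Run entry."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    program = program_of(command)
    if not program:
        verdict = 'no program named'
    elif '\\' not in program:
        verdict = 'bare file name'   # found via the search path, not a fixed folder
    else:
        verdict = 'full path'
    return {'hive': hive, 'key': key, 'name': name,
            'program': program, 'verdict': verdict}

# First two lines are quoted in this thread; the last two are constructed samples.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
'''

def review_log(text):
    return [r for r in map(review, text.splitlines()) if r]

if __name__ == '__main__':
    for r in review_log(SAMPLE_LOG):
        print(f"{r['verdict']:17} [{r['name']}] -> {r['program'] or '(nothing)'}")
```

A "no program named" verdict only means the log line does not say what would run; it is a prompt to inspect the registry value itself, not a malware verdict.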
     
  13. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i received another alert from kaspersky. that was just before i deleted the file ALCXMNTR.EXE. i did a search afterwards to make sure it's gone. the earthlink had no reason for being there. glad to kick them out.
    i received an error message from hijackthis when i fix checked the two entries that you instructed. i should have written down what it said. i clicked on the wrong thing and it disappeared. here's my hijackthis. thanks again, Ed James
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean as a whistle.

    Let me know if you have any more alerts from your antivirus programme.

    Also, if you do, try and tell me when it happens and what the filepath is to the infection.

    Regards Howard :)

     
  15. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    the computer works as good as ever. if any more alerts appear, i will let you know all that i can. thanks again, Ed James
     
  16. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i still get alerts, about every two hours, i think it's a courtesy feature. they say the same as they did before. malware quarantined. exploit.html. C:\...\ContentIE5\QFUJQ1AR\pus-practices[1].htm. the exact quote on the status board is "all threats are treated". no complaints about the way the computer is working. thanks again, Ed James
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Something's not quite right here. Let's see if we can get to the bottom of this.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :)


     
  18. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i will be glad to. thanks again, Ed James
     
  19. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i clicked on your first link and downloaded the avg free file avg 75 free 428a818.exe version 7.5.428. that was the only anti-virus program available from what i could see. the test results were clean, but when i click on test results, i am unable to get you a log. obviously i am a little bothered by this. if other people can get you a log, i should be able to get you a log. did i download the right program? apparently, i have had to keep either the kaspersky or avg free version shut down at all times because they are both real-time/residential AV programmes. also i needed to disable my kerio firewall in order to download this program. was this the program that you intended for me to use?
    i am able to make screenshots, so if you need a particular screenshot, just let me know and i will.
    i will now move on to your second link. thanks again, Ed James
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Sounds like you've downloaded the AVG free Antivirus programme. Uninstall it.

    HERE's the link to the AVG Antispyware programme.

    Regards Howard :)

     
  21. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i ran a scan with ewido. the option to save a report was greyed out. apparently a report can't be saved unless you have malware of some kind. i will continue with removal of trojan pakes and other nasties. thanks again, Ed James

    howard,
    when the ewido anti-spyware downloads the signature database, does it automatically update? thanks again, Ed James
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You should manually check to make sure you have the latest updates for AVG Antispyware. Run the programme and click on the update button, followed by the startupdate button. If no update is available it will say "No update was available".

    Regards Howard :)

     
  23. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    there's a lot here. i tried to load it all in one post.
    1. avg anti-spyware
    a. update failed to connect to server update.ewido.net.
    b. scanned in safe mode. i don't see any way to get you a log. it was clean.
    2. ccleaner. you instruct to "click the run cleaner button with no browsers open" does that mean don't have firefox stashed in the taskbar? i don't understand. i do use a built-in utility cleaner that my computer has, every day.
    3. smitfraud. i received an error message during update. it was in french. i proceeded with it anyway.
    4. virtumundobegone. found nothing. i ran it in normal mode. does it need to be run in safe mode?
    5. vundofix. no infected files found.
    6. look2me. removed infected files. i don't think that it removed the exploit.html from quarantine, however.

    i have been scanning with kaspersky almost every night on high, and in safe mode. it takes 3 hours. it is always clean.
    the computer still works fine. except for high winds that interrupted the internet connection yesterday. i have been plugging away at what you've told me to do. anything else that you think i should do, please let me know and i will be right on it. thanks again, Ed James
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean as a whistle.

    I can find no info on C:\...\ContentIE5\QFUJQ1AR\pus-practices[1].htm.

    I'm starting to wonder if it's a false positive.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    Regards Howard :)

     
  25. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    howard,
    i am not sure that i did everything right, but i gave it a shot anyway. your consideration about kaspersky making a false positive about the exploit.html is not too far off base, if at all. i think i recall them actually alerting on ismon.exe in a post i read on a tech site. i think i remember several people saying kaspersky was guilty of that particular false positive. i actually think fsecure is best for not giving false positives. of course, just my newbie opinion. i will be keeping an eye out for your post. thanks again, Ed James
     
Topic Status:
Not open for further replies.
