usa-bestshop - almost cert malware

Okay here’s a live email that I was sent. Almost cert malware.

I saved email in plain text but you can see website - I’ve already done the hxxp changeover. Let me know anything you want me to do.


Subject: Good day!!!
Sender: Margot van Breda
Date: Sat 20:36

Good day!!!
i saw a electronics website last week . they have the electronics such as iphone many kind of laptop also TV …i thought you guys will like it so i sent you guy the email .
Just have a look at this web page : hxxp://www.usa-bestshop.com/ Can send items to all over the world
I am sure you will could save a lot of money!
Best regards!

Twee keer zo leuk. Deel foto’s terwijl je chat met de nieuwe Messenger [Dutch: “Twice the fun. Share photos while you chat with the new Messenger”]


Also a link at “Deel…Messenger” most likely to malware

I’m turning this computer off and running scan.

Shifting internet connect to a different computer.
My defence has identified link to usa-bestshop as almost 100% malware.

Don’t know if it’s much. Maybe just small fry. I wait and see.

This site is hacked with an iframe exploit.

DANGEROUS: LinkScanner Online has found
(Exploitive iframe collection)

hey thanks Jtaylor83

I just sit it out. Let me know if you want or there is way to do something with email package. I think its ok where it is until I delete or whatever I do with it. Defence picked up malware straight away.

Let me know if I simply delete email.

mkis

Don’t open any email that you don’t trust! Remember that, friend.

Hi there Mr. Agent. I generally open email like this. But open to any further advice.

I get email all the time from sources that are unknown to me, just a part of daily life. Sometimes with transmission of personal details, and also transaction exchanges - sometimes data - sometimes buy / now - such as with local exchange market trademe. (Sorry bout promo plug but good example - lots of traffic - multiple transaction options). Email and trademe are regular fodder for much of New Zealand. Some of my clients use little else.

If I do open the email, as I have done, can the action by itself trigger malware or do I need to click something on the page? For example, on this page, the link to usa.bestshop. If so, then there would appear to be few other options outside open or don’t open. Don’t seem to be able to move the email to quarantine, or plug in a diagnostic. I don’t know what my local ISP or mail service (ihug.co.nz) provides in the way of the tools outside of setting security of main gateway. But I’m looking up these things. I know emails are hot target for malware, but this is first time I’ve had a live one – and I am sure that it’s malware at play. Correct me if I’m wrong.

Also, I deleted the email. And then did full clean of OS. I presume this is what you do? I’m checking up other avenues now.
I was already halfway through revamp of security and offline / online software configuration anyway.
So good timing for me, bad timing for malware perp.

Still don’t know much about instance / live, because I just pushed on with cleaning system.
Here is my HJT log from the time (after deletion and clean) just in case.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:02 AM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
F:\PhoneConnectorVMC.exe
F:\vmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKCU..\Run: [ISUSPM] “C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe” -scheduler
O4 - HKCU..\Run: [Advanced SystemCare 3] “C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe” /startup
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229077383846
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} -
O17 - HKLM\System\CCS\Services\Tcpip..{6AFF6A08-9E6B-43BA-AF39-2E995F694B83}: NameServer = 202.73.206.16 202.73.198.16
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


End of file - 5594 bytes


An analysis of your HJT log shows the following :

We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

There are also questionable and BAD entries :

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
Bad entry that must be fixed with HJT.
http://www.spyandseek.com/Search.php?search=Search&search_for=srchastt

O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
Bad entry that must be fixed with HJT.
http://www.spyandseek.com/Search.php?search_for=00A6FAF1-072E-44cf-8957-5838F569A31D&search=SAS-Search

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
Bad entry that must be fixed with HJT.
http://www.spyandseek.com/Search.php?search_for=07B18EA1-A523-4961-B6BB-170DE4475CCA&search=SAS-Search

O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
Bad entry that must be fixed with HJT.
http://www.spyandseek.com/Search.php?search_for=07B18EA9-A523-4961-B6BB-170DE4475CCA&search=SAS-Search

O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
Questionable ActiveX-Object entry that could be a possible problem.
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22669

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
Questionable ActiveX-Object entry that should be OK.
http://www.spyandseek.com/Search.php?search_for=8FFBE65D-2C9C-4669-84BD-5829DC0B603C&search=SAS-Search

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} -
Questionable ActiveX-Object entry that should be OK.
http://www.spyandseek.com/Search.php?search_for=FFB3A759-98B1-446F-BDA9-909C6EB18CC7&search=SAS-Search

O17 - HKLM\System\CCS\Services\Tcpip..{6AFF6A08-9E6B-43BA-AF39-2E995F694B83}: NameServer = 202.73.206.16 202.73.198.16
Questionable entry that could be your ISP provider. Do you know the IP or Domain ‘202.73.206.16 202.73.198.16’? If not, fix this entry.



Information about … usa.bestshop … is not good. See the image below. Click image to enlarge.


Hey CharleyO, thanking you, keeping me on a good bearing ;D. I use Defender with WinPatrol and avast. I took WinPatrol off (registry and all) when I loaded HJT just in case they didn’t mix. I used HJT because I’ve seen it posted regularly on the forum. The WinPatrol scan actually turned up a lot more ActiveX entries, but I don’t want to go into that now because I can post a WinPatrol log after I have re-installed it. In fact, there’s a lot of stuff I can post now about what I’ve done recently to revamp the computer, but I will put in a following post because I’ve kinda moved on. And better thanks to your post.

Bad entries I deleted direct from the registry as I’m used to doing that when removing unwanted programs. I removed - O3 Toolbar: My Web Search - {07B1…} from registry and this other one popped up on the next scan with same key. I have located the key in the reg and will delete, but thought I would post it back here first just in case someone interested.
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

I used fix checked feature on the Active X questionable entries. As you can see HJT deleted the entries.
I removed the Adobe suite just prior to the HJT scan but Flash apps are necessary to view some of the entries in the local paper. I’ll re-install Adobe suite when I’m happy all is well.

I just want to vet this HJT log now and put it to one side.
O3 - Toolbar will be deleted. Otherwise I should be okay for now?

I had a real feeling about that email, that I was due for it. But as yet I still don’t get detail of how it worked. Anyway, here’s today’s log. Should be better.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:51 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKCU..\Run: [ISUSPM] “C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe” -scheduler
O4 - HKCU..\Run: [Advanced SystemCare 3] “C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe” /startup
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229077383846
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


End of file - 5060 bytes


Yes, a much better HJT log. :)

The only entry worth mentioning is the O3 toolbar that you say you will fix. After that, your computer should be OK. Be more careful with those unknown emails.
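The before/after comparison made across the two HijackThis logs in this thread, as an added example (not written by any poster and not part of HijackThis or avast). The function names and the two rules are this example's assumptions, modelled on the analysis above: R3/O2/O3 entries ending in "(no file)" count as bad and an O17 NameServer entry as questionable. Entries are keyed on section and GUID so the O3 toolbar is still matched after its name changed to "(no name)".

```python
import re

GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")

# Subset of lines copied from the first and second logs posted in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.nz/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip..{6AFF6A08-9E6B-43BA-AF39-2E995F694B83}: NameServer = 202.73.206.16 202.73.198.16
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.nz/
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
"""

def parse(log):
    """Map (section, GUID) -> entry text; entries without a GUID are keyed on their text."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blanks
        section, text = m.groups()
        g = GUID.search(text)
        entries[(section, g.group(0).upper() if g else text)] = text
    return entries

def verdict(section, text):
    """Assumed rules mirroring the analysis in the thread; returns None for unflagged entries."""
    if section in ("R3", "O2", "O3") and text.rstrip().endswith("(no file)"):
        return "bad"            # registry entry whose target file is gone
    if section == "O17" and "NameServer" in text:
        return "questionable"   # DNS servers: confirm they belong to the ISP
    return None

def triage(log):
    """Return only the flagged entries as {(section, GUID): verdict}."""
    flagged = {}
    for key, text in parse(log).items():
        v = verdict(key[0], text)
        if v:
            flagged[key] = v
    return flagged

def compare(before, after):
    """Show which flagged entries were cleared, which remain, and which are new."""
    b, a = triage(before), triage(after)
    return {
        "cleared": sorted(set(b) - set(a)),
        "remaining": sorted(set(b) & set(a)),
        "new": sorted(set(a) - set(b)),
    }

if __name__ == "__main__":
    for state, keys in compare(BEFORE, AFTER).items():
        print(state, keys)
```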


I’ve made myself more familiar with HJT and tidied up my log quite considerably. Enough to be happy with the PC for now. There were already historic issues with the OS prior to recent problems. I loaded it in 2006 and upgraded last year sometime so lots of stuff spread through the system over the years. Add to that the flotsam from program and update uninstalls. I had to search through knowledge base articles for MS installer to reset the .NET framework. All of which may have been exacerbated by a try to compress old files - a 57,927kb which I finally had reduced to 266kb.

Defender updates had faltered a couple of times despite Genuine Advantage succeeding, the Adobe reader then failed to open so I dropped all else and started rolling back the system. All in all, my info and data work files barely made up 3gb and were not affecting performance. Much deadweight was in old unused files with $ntuninstall… prominent amongst compressed files in Windows, as well as a complete uninstall of Office 2000. I can’t remember all. And the infected email turned up of course. But now all seems fine. WinPatrol seems to work okay with HJT.

I find that save target as… works in all my different email services, so I can scan emails from unknown sources as html files. I don’t know how certain is detection by this means. I’ve had a few unknown emails, one from the US, but have turned out to be legit. I won’t post the HJT log. It looks very much improved. The PC has become noticeably quicker, very snappy, over the last day or so.


I am glad to know your computer is now running better. :)


I think good enough for now. Still not quite right. My two regular computers are better running. I keep thinking back to midway 2008 and possibly a few problems back then - maybe the new Conficker gestation phase. So maybe some delay effect then return when I start to reconfigure my software. So I keep working and see what happens. So far so good.

I wanted to keep this OS running because with recent hardware upgrading Microsoft made me re-activate and ran license checks - I think on basis that XP has been around long enough. The OS is the only license I have with Office 2003 and same activation procedure there with product key checks. I doubt if good licenses for either XP or Office 2003 are easily found at the moment. And both of these are pro licenses. So it made sense to put in the extra work and set the computer up for another life. :)

Sorry I’ve been a bit busy and overlooked a few things.

Here is an ID for malware email. I copied the following from my avast event viewer.

Sign of "HTML:Iframe-inf" has been found in "hxxp://tejary.net/h.js" file.

Quote format does not help the reading. Here is malware ID.

        hxxp://tejary.net/h.js

Should I have looked for this first instead of sending out post on usa.bestshop since that site may have been bona fide until infected by malware? And then you can’t give virus a second chance either.

Also from event viewer - 2008 reports. I don’t have time to take this to a new thread.

23-6-08
AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS (C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS) returning error, 00000005

17-6-2008
AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS (C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS) returning error, 00000005.

The computer was on courtesy service at the time and the OS was on P3 mainboard, now upgraded. I think I may have removed a virus but I cannot remember. Most likely. I recall a lot of malware occurring at that time. People who were not on the web were getting infected - so flash drives! I just wonder if maybe the start of the Conficker spread. But long time before Microsoft reports:

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

I can start a new thread if I should. I don’t want to continue this post title.

much thanks avast forum