Strange occurrence while running Overnet


adidas_os
August 9th, 2004, 12:27 AM
Something strange is happening while I run Overnet. My PC-cillin pops up a window which states "virus detected JS_IESTART.PS". Then Windows Media Player pops up (without me doing anything which would cause this) with an error window saying it cannot open a file. The only program running at this point, besides Overnet of course, is PC-cillin. Nothing else is listed as starting up when the computer does. And I've scanned for spyware, adware, etc. with the latest Ad-aware file. Anyone else experienced this, or know why it happens? Thanks!

Adidas

simon_says_horrible
August 9th, 2004, 02:36 AM
Remove/reinstall some programs that might be infected, like WMP, then locate that virus to find out more... your anti-virus should have quarantined that. I had an issue with WMP before, but it's a little different. I was using KLR and my WMP wouldn't load; then I found out that the KLR v007 homepage loads a cab file (contains a malicious program) and some of my WMP system files had been replaced. I solved this problem using GoBack. After that, I used Overnet, but I replaced it with a new version of eDonkey.

adidas_os
August 10th, 2004, 01:04 AM
Yeah, PC-cillin quarantined JS_IESTART.PS when it found it, Simon. I'll try to uninstall/reinstall WMP. Well, I have more info. This happens at the same time Windows Media Player pops up. PC-cillin finds and quarantines object-c002.cgi, saying it is the following virus: JS_IESTART.PS. It also finds CHM_Psyme.Y, but does not pop up a window for it because it's detected as the preceding one (JS_IESTART.PS). And it finds them both here: C:\Documents and Settings\Your Name\Local Settings\Temporary Internet Files\Content.IE5\. But I don't even use Internet Explorer. And I'm not surfing when this happens. It quarantines them both, so it's no biggie. I'm just curious as to why it's happening. Is this stuff perhaps being downloaded because of Overnet's banner ad? Or is it something else? If it is, I can't figure out what. Undetected adware/malware perhaps? I opted out on all the junk when I installed Overnet. I just scanned with the new Ad-aware SE Personal Edition with the latest reference file and it found nothing but tracking cookies. I found the following info on Trend Micro's site:

JS_IESTART.PS

Virus type: JavaScript
Destructive: No

This malicious JavaScript is known to be downloaded and executed from the following URL:

http://209.50.251.182/vu083003/object-c002.cgi

On execution, it modifies the Internet Explorer start page and search bar and redirects them to certain Web sites.

CHM_Psyme.Y

Virus type: Others
Destructive: No

When opened, this Compiled HTML (CHM) malware executes the scripts found in its embedded HTML file called EXPLOIT.HTM. Trend Micro detects the extracted scripts as JS_PSYME.Y.

The script downloads a file named EXPLOIT.EXE from the same Web site that hosts the .CHM file and saves it on the affected machine.

The script also executes a CGI script which downloads yet another script detected as JS_IESTART.PS.

I also did a virus scan and got nothing. I can't wrap my head around why Media Player keeps opening either. Is it actually trying to play some media file? I think it must just accidentally be opening as a side effect of the goings-on. Any info on this would be helpful. I'll try uninstalling WMP and let you know if it fixes the problem. Thanks!

Adidas

adidas_os
August 10th, 2004, 01:35 AM
I forgot, I don't think you can uninstall WMP. But you can delete at least some, if not all, of the files in the WMP folder. They will, however, come back, lol. I was going to do just that (since anything that shouldn't be in there would hopefully not come back) and ran across these: npdrmv2.zip & npds.zip. Two compressed files that I do not believe belong there. When I unzipped them, these .class files were in them: npdrmv2.class, npDSEvtInterface.class, npDSEvtObsProxy.class, & npDSJavaPeer.class. Microsoft's site says this:

Handling Events

Netscape Navigator employs a different event-handling mechanism from that of Microsoft Internet Explorer. While Internet Explorer communicates with the Windows Media Player control directly to handle events dispatched to and from the control, Netscape Navigator requires a proxy applet to send events to and from the plug-in. Additional coding is therefore required to load the applet into an HTML page, using the APPLET tag. The required proxy applet for the Windows Media Player plug-in is packaged in the Npds.zip file that contains the npDSEvtObsProxy class...

So are these files part of my problem? I don't use Netscape Navigator. But I do use Mozilla (Firefox), which, if I'm correct, is what came out of Navigator after they went open source??? I'm really lost on what all this means. If you can help I would appreciate it. Thanks!

Adidas

zaphodiv
August 10th, 2004, 03:11 AM
Does this only occur when the computer boots?

>Nothing else is listed as starting up when the computer does.

How have you checked? There are lots of places that stuff can start from as well as the startup folder on the start menu. There may be a malicious media file set to play at startup that uses one of the security holes in Media Player to get control.

Run HijackThis and see if it reports any Windows Media files.

Also examine any html files in the overnet directory, I seem to recall they have a few for the adverts.
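The two checks the thread keeps circling back to are "what is set to run at startup" and "has the IE start page / search bar been changed" (which is what JS_IESTART.PS does). The script below, an added example that is not from anyone in this thread, runs both checks over a `reg export` dump: it flags Run-key entries that launch media, CHM or HTA files and start/search pages that are not on an allow-list. The registry text, the allow-list and the file extensions are constructed assumptions for the demo.

```python
import re

# Constructed sample of a `reg export` dump (not taken from the thread);
# the values are made up to show what the checks look for.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PC-cillin"="C:\\Program Files\\Trend Micro\\PC-cillin\\pccguide.exe"
"Intro"="\"C:\\Program Files\\Windows Media Player\\wmplayer.exe\" C:\\Temp\\intro.asx"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.net/"
"Search Bar"="http://search.example.org/sb.htm"
"""

# File types a startup entry should not normally launch: media files that
# Windows Media Player would open, plus CHM/HTA files that run embedded script.
SUSPECT_EXT = re.compile(r"\.(asx|asf|wmv|wma|wax|wm|mp3|avi|chm|hta)\b", re.I)

# Start/search pages considered known-good (assumed allow-list for the demo).
KNOWN_GOOD_PAGES = {"about:blank", "http://www.example.net/"}

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name, data = m.groups()
                # .reg files escape backslashes and quotes with a backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", data)
    return keys

def find_suspect_entries(keys):
    """Flag Run entries launching media/CHM/HTA files and IE pages not on the allow-list."""
    findings = []
    for path, values in keys.items():
        if path.endswith(r"\CurrentVersion\Run"):
            for name, cmd in values.items():
                if SUSPECT_EXT.search(cmd):
                    findings.append(("run-entry", name, cmd))
        elif path.endswith(r"\Internet Explorer\Main"):
            for name in ("Start Page", "Search Bar"):
                url = values.get(name)
                if url and url not in KNOWN_GOOD_PAGES:
                    findings.append(("ie-page", name, url))
    return findings

if __name__ == "__main__":
    for kind, name, data in find_suspect_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{kind}: {name} -> {data}")
```

On a real machine you would feed it the output of `reg export` for the HKCU and HKLM Run keys and the Internet Explorer\Main key; a hit only says the entry deserves a look, not that it is malicious.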

zaphodiv
August 10th, 2004, 03:21 AM
Have you clicked the check for updates button in adaware?
When you scan with adaware tell it to scan the whole of your drives instead of using smartscan.

simon_says_horrible
August 10th, 2004, 03:25 AM
Damn, your registry is messed up for sure. It's not from Overnet ads; probably you visited some of those malicious websites before, like cracks and some P2P scammers with malware in their scripts. If you know how to fix your registry, you can use HijackThis (http://www.download.com/HijackThis/3000-8022-10307556.html), then...

Clean temporary internet files/cookies/temp folder
Uninstall your IE and choose repair (instead of remove)
Download WMP9 software at microsoft.com then install it to rewrite those infected files and registry
Use RegCleaner (http://www.worldstart.com/weekly-download/archives/reg-cleaner4.3.htm) if you want to remove some software that you don't have. (It has a backup on it, so it's easy for you to restore some.)

adidas_os
August 10th, 2004, 11:00 AM
zaphodiv

"Run HijackThis and see if it reports any Windows Media files."

I already did. =) I was just reading about it somewhere in a forum or something and decided to try it out of the blue.

"Have you clicked the check for updates button in adaware?"

Yep, I'm using the latest update file, and the latest version of Ad-aware (SE).

"When you scan with adaware tell it to scan the whole of your drives instead of using smartscan."

Yep, it's checking all of the files on all three of my drives.

"Also examine any html files in the overnet directory, I seem to recall they have a few for the adverts."

I checked and you were correct, there were some .html files in there. Five of them to be exact. I took them out! =)

Simon

"Clean temporary internet files/cookies/temp folder"

I cleaned out my cookies, history, temp, and temporary internet folders. I usually clean them out manually (vs. using Disk Cleanup) regularly, but it's been a while.

"Uninstall your IE and choose repair (instead of remove)"

Not really sure how you do this. I can check/uncheck IE in Add/Remove Programs - Windows Components. But it doesn't really appear to actually install/uninstall it. I hate Windows...

"Download WMP9 software at microsoft.com then install it to rewrite those infected files and registry"

I did this and afterwards it looked like there were altogether too many files in there. So I just deleted every file out of the folder, then the WMP Classic & 9 Series files came back after I emptied the Recycle Bin. Both players work, so a lot of the files in there were junk. Those compressed files I told you about with the .class files didn't come back, which only confirms my belief that they are not part of WMP, and may have been part of my problem. Then I reset everything so WMP Classic and not 9 Series is playing all my movies by default. =)

"Use RegCleaner if you want to remove some software that you don't have. (It has a backup on it, so it's easy for you to restore some.)"

I've never used this program before. But it looks sweet. Have you ever restored a change and had it work out for you? Or know that it works for sure? I'm just scared to screw with my registry too much and mess it up. I removed some stuff that was already supposed to have been uninstalled, and a toolbar entry that was already supposed to have been removed by Ad-aware, or maybe I just manually deleted some of its files (can't remember). But that's it for now. There's a lot of stuff I am curious about in my registry. Possibly stuff that needs to be taken out. But I'll have to look into those further...

Thanks for all your help guys!
Hopefully now that I've eliminated some possible candidates for this occurrence it will stop happening!
=)

Adidas

simon_says_horrible
August 11th, 2004, 03:04 AM
RegCleaner has saved my PC since 2001 until now. I've tried to restore my registry before and it never screwed up.. and also when you restore some entries, your backups will remain, so it's up to you if you want to delete them, but you have to make sure that you don't need them anymore. This final version is kinda old but stable, unlike those new ones with fancy features.

Anyway, have you tried the new eDonkey 1.0 (http://edonkey2000.com)? It's awesome.. and faster than before.

adidas_os
August 11th, 2004, 09:52 PM
"RegCleaner has saved my PC since 2001 until now. I've tried to restore my registry before and it never screwed up.. and also when you restore some entries, your backups will remain, so it's up to you if you want to delete them, but you have to make sure that you don't need them anymore. This final version is kinda old but stable, unlike those new ones with fancy features."

Cool, Simon, I will add RegCleaner to my arsenal of appz. Thanks for suggesting it, and explaining a bit about it!

"Anyway, have you tried the new eDonkey 1.0? It's awesome.. and faster than before."

I was kind of debating it. I was reading about how the people in the eDonkey forum liked it, and some people seemed to not like it. They were saying that it doesn't get sources checked out nearly as fast, etc., and that they were going to switch back to Overnet 0.53. I think Jed, or whoever is in charge of it, set it back a bit to not use up the CPU so much. But others seemed to think it way better than the older versions of eDonkey/Overnet. I'll try it out myself and see. But generally it seemed like people either love it or hate it. Some of those who hate it couldn't figure out something or were doing something wrong, though, and that led to their reaction. It changed, so people are adjusting to the new.