OneCare Cannot Clean "exploit"

  • Question

  • Live OneCare seems unable to remove an unwanted program called "Exploit:HTML/Repl.B". I have asked the program to clean it 4 times and Live OneCare states it was successful, yet 30 minutes later I get a message saying Live OneCare has detected an unwanted program called "Exploit:HTML/Repl.B" and asks me to clean it again.

    Suggestions?

    Thank you.

    Tuesday, December 18, 2007 8:23 PM

Answers

  • I suspect that the infection is within your System Restore points as it comes back in 30 minutes. You may want to try turning off System Restore and then turning it back on again - this will delete all Restore Points. Note that this also means you will be unable to use System Restore to go back to a time before this reset.

    You can also contact support for help since OneCare is not completely removing the threat and preventing its return.

    How to reach support - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

    If it fails to validate your subscription, select the option that you are using a trial or beta copy and you can proceed to email support without validation once you've signed in.

     

    -steve

     

    Wednesday, December 19, 2007 1:14 AM
    Moderator

All replies

  • One Care keeps telling me I have a problem with Exploit:HTML/Repl.B and that it has cleaned it, but it keeps coming back. What's up?
    Wednesday, December 19, 2007 6:08 PM
  • This is the best we can get?  What terrible support.  I've liked One Care, but if this is all we get for support I think I am going to change my mind.

    Wednesday, December 19, 2007 6:09 PM
  • I've been getting the same problem. In the past half hour, Windows Live OneCare has warned me perhaps a half dozen times to clean Exploit:HTML/Repl.B. It listed the threat as severe. Each time, I chose to clean, but it pops up again after a few minutes.

    I get the warning each time I try to access various ubuntu.com and related Web sites (home page, forums, etc.).

    (I don't know if there is a connection or not, but I'll run this by you for FYI: I run PC virtualization. My host is XP and my guest is Ubuntu 7.10. Until this afternoon, I have had no problems connecting to the internet from the guest OS. For as yet unexplained reasons, my guest OS cannot connect this afternoon through the virtualized ethernet adapters. The virtualized ethernet adapters (which run as XP adapters) indicate that they are connected OK, however. In trying to troubleshoot the problem, I visited ubuntu.com from the host (Windows XP). When connected to any ubuntu.com Web page, I got these Exploit:HTML/Repl.B warnings.)

    I don't get the warning when visiting other Web sites (knock on wood).

     

    Thursday, December 20, 2007 12:23 AM
  • Exploit:HTML/Repl.B has appeared repeatedly in my system also, with OneCare successful removal in about the same 30 minute time frames. What got my attention was your mention of Ubuntu 7.10. I have not run the program on my system, I don't have it yet, but I did visit the Linux site and all the links there, for which I bookmarked many & ordered 7.10. Perhaps there is a connection. Could Exploit be hiding in Bookmarked/Favorites, or is each attack a new infection from a server?

    Thursday, December 20, 2007 8:24 AM
  • I wasn't using bookmarks to access ubuntu Web sites. That is, I had typed them in the Address bar. I am using Internet Explorer 7.

    Since I posted my initial message (above), I set up a new, separate virtualized Linux session with an early "fresh" Ubuntu 7.10 clone, and it runs and accesses the Internet fine.

    The message starter of this thread did not mention anything about specific Web sites. I would be curious which Web site might be suspect.

    Still, it's a concern that Live One Care cannot permanently prevent and fully clean Exploit:HTML/Repl.B.

    Hmmm. I just noticed that this message thread has been marked as "Answered". Clearly it is not. How do we "unanswer" it? It is unresolved. We need to catch the attention of those who help us with these problems.

    Thursday, December 20, 2007 1:15 PM
  • I have had the same spyware found at start up three different times. The source file of the spyware is in my temporary internet files.

    The first time it was found, I asked OneCare to quarantine it. It took quite a while to finish the task, then came back and said it needed to do a full system scan, which hung up at about 28%.

    The next time on boot-up, Exploit was found again. I asked it to be removed this time around and everything seemed fine. Until this morning, when it was found on boot-up once again.

    I meandered my way to live chat through OneCare and the only solution they could give me was to provide a two hour window at which they could call me back in order to fix the problem. When I told him between 6 and 8pm tonight, he said technical support would call me back in the next 72 hours? Huh? What happened to 2 hours? I don't really want a person calling me to fix my PC at 3am, although I do need to get it fixed.

    I haven't had any other serious issues. On Friday, my external hard drive (just for storing photos) encountered a failure. So everything was pulled back onto the C drive. Now the external hard drive seems to be doing its job (access files, back up files, open files etc), although it still says it needs the warranty to be redeemed (will have to be replaced).

    Help please, has anyone actually gotten rid of Exploit:HTML/Repl.B and HOW?

    Thursday, December 20, 2007 3:58 PM
  •  Tahi_Kiwi wrote:

    Hmmm. I just noticed that this message thread has been marketed as "Answered". Clearly it is not. How do we "unanswer" it? It is unresolved. We need to catch the attention of those who help us with these problems.

    The reason that I marked this as answered is that my previous reply advised that the best way to resolve this issue is to contact support. This forum is for discussion of OneCare. While we can help each other with common problems and even find and report solutions for uncommon ones, it is still not technical support, nor is it a forum for virus and spyware removal information. If you are using Windows Live OneCare and it is not removing malware completely from your system (which will certainly happen as malware is constantly morphing and all of the a/v products are playing catch-up for removal), support is your path to report the problem and to get help with removal.

    There are several FAQ posts at the top of this forum topic folder for how to report an infection to Microsoft and also one for how to scan in Safe Mode, which may help remove this threat.

    -steve

    Thursday, December 20, 2007 5:14 PM
    Moderator
  •  webstel wrote:

    This is the best we can get?  What terrible support.  I've liked One Care, but if this is all we get for support I think I am going to change my mind.

    This is a forum for customer-to-customer discussions of OneCare - it is not technical support. My other reply in this thread explains a possible solution and provides the path to support -

    How to reach support (FAQ) - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

    If you have not already read the FAQ posts at the top of this topic folder for how to report an infection to Microsoft and how to scan in Safe Mode, you may want to check them out now.

    -steve

    Thursday, December 20, 2007 5:17 PM
    Moderator
  • kgaw, I've merged your post into the thread discussing this exploit. Since you are working with support, please continue to do so. If you provided a time frame for them to call, it is not likely that they will call you at 3:00 am your time.

    -steve

     

    Thursday, December 20, 2007 5:21 PM
    Moderator
  • Steve:

    Thank you for explaining this forum. I had jumped directly into the discussion through a Web search. I have contacted Tech Support through the One Care Help flow. The online form did not ask for a time for anyone to call me, but I left my phone number.

    Thursday, December 20, 2007 5:30 PM
  •  Tahi_Kiwi wrote:

    Steve:

     

    Thank you for explaining this forum. I had jumped directly into the discussion through a Web search. I have contacted Tech Support through the One Care Help flow. The online form did not ask for a time for anyone to call me, but I left my phone number.

    You're welcome. I suspect that the first step with support, via the email form, will be some information from support on what steps to try to remove the infection based on whatever they have on file. It should get to you within 24 hours. Be prepared for a little frustration if it continues via email for a bit, but you can ask for the problem to be escalated. Since the threat is being repeatedly blocked by OneCare, though it comes back, I believe that despite the annoyance of the regular infection warning, your system is not seriously compromised at this time.

    Have you tried a Safe Mode scan and/or looked into the OneCare support logging to see where the infection is being found?

    -steve

    Thursday, December 20, 2007 5:37 PM
    Moderator
  • My thanks also Steve for explaining the forum. I did not request OneCare help, rather I used a registry cleaner which also dumps the temporary files that OneCare had not been able to do in two separate tuneup runs. I discovered that when running the MS Safety Scanner when Exploit first started. I have been online now for 2+ hours with no Exploit showing, knock on wood please. I also backed up the registry with the standalone program & dumped the restore points as you had suggested. Thanks.

    cadoc

    Thursday, December 20, 2007 9:40 PM
  • Well, knockin' on wood didn't help, IT'S back. This time I was visiting Live365.com when it appeared & reappeared each time I clicked a page. Sooo, here I go to support. Thanks 4 the link Steve.

    Thursday, December 20, 2007 10:34 PM
  • Yep, this thing is definitely out there in the wild.  Cleaning only works for a short time, which begs the question has it actually been cleaned or not...

     

    I can't find any details on what the exploit causes to occur.... are there any details on what this does?  Thanks!

    Friday, December 21, 2007 4:49 PM
  •  chamberc wrote:

    Yep, this thing is definitely out there in the wild.  Cleaning only works for a short time, which begs the question has it actually been cleaned or not...

     

    I can't find any details on what the exploit causes to occur.... are there any details on what this does?  Thanks!

    The information here - http://www.microsoft.com/security/portal/Entry.aspx?ThreatId=-2147368560 - is less than helpful. It is rated as a low threat, though.

     

    -steve

    Saturday, December 22, 2007 2:42 AM
    Moderator
  •  Stephen Boots wrote:
     chamberc wrote:

    Yep, this thing is definitely out there in the wild.  Cleaning only works for a short time, which begs the question has it actually been cleaned or not...

     

    I can't find any details on what the exploit causes to occur.... are there any details on what this does?  Thanks!

    The information here - http://www.microsoft.com/security/portal/Entry.aspx?ThreatId=-2147368560 - is less than helpful. It is rated as a low threat, though.

     

    -steve



    Well, the One Care message box specifically indicated that the threat was "Severe". I think it mentioned something about a privacy threat--something that I don't take lightly.

    I don't know exactly how the PC got this.

    That One Care cannot clean it up makes this all the more important to resolve!

    By the way, it's been well over 24 hours since I posted this problem to the One Care Support, but no one has replied.
    Saturday, December 22, 2007 3:32 AM
  • Interesting that it is classed as Severe in OneCare and Low in the portal, which is owned by the team that maintains the OneCare signatures....

    As for support, depending on your location, they should be getting back in 24 hours in most cases, but it can often be a little longer. Be sure to check your junk mail or spam filters.

    Can you provide the case ID - SRXnnnnnn?

    -steve

     

    Saturday, December 22, 2007 3:45 AM
    Moderator
  • WOCL support doesn't seem to recognize me as being a subscriber, though I certainly am. I cannot get around this any way I try. I'm signed in, etc. The robotic "help" can't understand my problem with Exploit:HTML/Repl.B, so what do I do next? This is my 2nd post. Sorry. There is not enough time in my schedule to keep trying to reach support. Last time I had to reach support, I finally got through, and bookmarked the site, but it changed, along with the phone number. Can't seem to e-mail support either. Any advice?

     

    Saturday, December 22, 2007 5:25 AM
  • Just an update...

     

    Someone from OneCare support contacted me by e-mail. The support person instructed me to reboot the PC in Safe Mode, go to the Command prompt, and run a program to scan the PC from there.

     

    That process ran for quite a while, completed, and indicated that no viruses were found.

     

    I then rebooted PC into the normal mode of operation. Immediately upon accessing a Web site from IE7, I got the same warning about HTML/Repl.B.

     

    I ran another application to produce a new OneCareSupportData.file, and tried to e-mail that to the rep, but OneCare refused to scan that attached ZIP file because it contained too many embedded files!!! I was trying to send it from a Hotmail account to the support rep.

     

    I then had to send the ZIP from a non-Hotmail account. So now we wait. I'm very worried because I don't know what the virus is doing. It could be logging keystrokes, passwords, or something. Or it could be just a minor pest. Someone at some point at OneCare did mark this virus as a privacy threat and severe.

     

    SRX is 1053083922

    Saturday, December 22, 2007 12:08 PM
  • Hi,

    Just wanted to mention that I'm seeing this warning quite a lot too. Whenever it comes up, I am able to clean it away via OneCare, but the "infection" recurs with great frequency when I access any number of Web sites.

    Quigley

     

    Saturday, December 22, 2007 6:22 PM
  • Tahi_Kiwi thanks for the update. I ran the OneCare support log also and every instance of Exploit was (is?) couched in the same place - Local Settings\Temporary Internet Files\Content.IE5\75JG31Q2\urchin[1].js. This is all very curious to me because I run IE7. I know XP keeps folders of early versions of all sorts of programs available in the event of user wishing to roll back. As a precaution I ran the OneCare scanner (offline) then another application to delete all temp files. When I was certain the system was clean and still offline I ran fresh backups to a newly formatted external disk.

    As to what Exploit may be doing you're in good company with worry, for which I got an unhealthy dose of yesterday when the darn thing popped up while I was on my banking site. If I understand OneCare properly then as soon as tech can write a counter to Exploit we will all be updated automatically. I certainly hope that will be the case soon. In over two years of relying on OneCare for AV this is the first time it has had repeated infections from the same source.

    I don't know nearly enough about any of this stuff.

    Saturday, December 22, 2007 7:07 PM
  • I've been having this issue, too. It has only occurred on two specific web sites. The first time was last night on www.wfaa.com and then again a few minutes later on www.krld.com. Both are news/radio station sites in Dallas.

     

    I left my IE 7 browser sitting on www.krld.com last night and when I got up this morning, a OneCare dialog box was open showing that it had cleaned the exploit around 20 times (just a guess since I didn't count).  It's almost like some process on that page was running repeatedly at some interval.  I've been on several sites this morning and haven't had the issue again.  I've been hesitant to go back to krld, though.  Maybe the OneCare team could check that site out and see what they find.

    Saturday, December 22, 2007 7:12 PM
  • Thanks 4 the site names; are you running v1.6 or the new 2.0 release? I have 1.6 and even though on the advanced tab OneCare says it will take automatic action against software rated high or severe it always gives me a message window with a clean programs button to click before it starts cleaning/removing. I have the box checked to take auto action against moderate threats also. So I'm wondering if 1.6 has always required a manual intervention or if my copy is damaged.

    thanks

    cadoc

    Sunday, December 23, 2007 12:56 AM
  • Looking in the about box:

    Version: 2.0.2500.14

    Virus and Spyware definition: 1.24.4919.0

     

    I haven't done anything special to my settings that I'm aware of.  Where do I find the check box you talk about.

     

    Sunday, December 23, 2007 1:37 AM
  • Never mind, I found it. The check box is checked.

    Again, my versions are:

    Version: 2.0.2500.14

    Virus and Spyware definition: 1.24.4919.0

     

    in case you miss the prior post
    Sunday, December 23, 2007 1:39 AM
  • Also, while looking for that check box I saw the Logging tag and generated the log report.  Clicked the Virus and Spyware section.  In that I see the following.  Not sure what to make of it, though.  I tried to post all of it here, but there's a 50000 character limit to a post apparently.

     

    Basically between 7:19 pm and 10:38 pm on 12/21 I get the following message 35 times

     

    Windows Live OneCare found potentially harmful or unwanted software on your computer Threat Name: Exploit:HTML/Repl.B Detection Date and Time: 12/21/2007 7:19 PM File Name: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JRDN0G8O\urchin[2].js Threat Severity: Severe Threat Category: Exploit Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS_INFECTED) Threat Status: Detected

     

    During that interval I also have the following three additional events:

    At 10:03 pm 12/21

    Virus and spyware scan was completed Scanned Items: -
    Scan Type: Custom Scan Scan StartTime: 12/21/2007 10:00 PM Scan EndTime: 12/21/2007 10:03 PM Total Number of Files Scanned: 12019 Total Number of Files Not Scanned: 0 Total Number of Threats Found: 0 Total Number of Threats Cleaned: 0 Total Number of Threats Removed: 0 Total Number of Threats Quarantined: 0 Total Number of Threats Still Present But Suspended: 0

     

    At 9:10 pm 12/21

    Successfully updated signatures from: AV Delta (1.24.4898.0) AV Base (1.24.4710.0)  AS Delta (1.24.4898.0)  AS Base (1.24.4710.0)  AM Engine (1.1.3109.0) to: AV Delta (1.24.4919.0)  AV Base (1.24.4710.0)  AS Delta (1.24.4919.0)  AS Base (1.24.4710.0)  AM Engine (1.1.3109.0) 12/21/2007 9:10 PM

     

    At 8:10 pm 12/21

    Successfully updated signatures from: AV Delta (1.24.4865.0), AV Base (1.24.4710.0), AS Delta (1.24.4865.0), AS Base (1.24.4710.0), AM Engine (1.1.3109.0) to: AV Delta (1.24.4898.0), AV Base (1.24.4710.0), AS Delta (1.24.4898.0), AS Base (1.24.4710.0), AM Engine (1.1.3109.0) 12/21/2007 8:10 PM

     

    Then at 11:14 am this morning 12/22 I get the following message repeated 35 times:

    Windows Live OneCare was not able to clean a threat as the threat no longer exists. Threat Name: Exploit:HTML/Repl.B(8A12010A)

     

    Sunday, December 23, 2007 2:02 AM
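The log excerpt above shows the pattern that matters: every hit is a cached copy of urchin[n].js under Temporary Internet Files, with a run of "threat no longer exists" clean attempts afterwards. As an added example (not code from the thread or from OneCare), here is a small Python parser for that log format that groups detections by file and location and says whether they are confined to the browser cache; the sample entries are constructed to mirror the quoted format, with made-up cache folder names, user name and times.

```python
"""Parse Windows Live OneCare 'Virus and Spyware' log entries and say where a
recurring detection lives.  Added example, not OneCare's own code."""
import re
from collections import Counter
from datetime import datetime

# Constructed IE cache location (user name is made up).
CACHE_DIR = ("C:\\Documents and Settings\\User\\Local Settings"
             "\\Temporary Internet Files\\Content.IE5")


def make_entry(when, path):
    """Build one detection line in the format quoted in the thread (constructed)."""
    return ("Windows Live OneCare found potentially harmful or unwanted software on your "
            f"computer Threat Name: Exploit:HTML/Repl.B Detection Date and Time: {when} "
            f"File Name: {path} Threat Severity: Severe Threat Category: Exploit Virus and "
            "spyware monitoring found potentially unwanted software: "
            "(ANTIVIRUS_ONACCESS_INFECTED) Threat Status: Detected")


# Constructed sample: three on-access hits on cached copies of the same script
# (cache folder names and times are made up) and one 'no longer exists' event.
SAMPLE_LOG = "\n".join([
    make_entry("12/21/2007 7:19 PM", CACHE_DIR + "\\ABCD1234\\urchin[1].js"),
    make_entry("12/21/2007 7:24 PM", CACHE_DIR + "\\ABCD1234\\urchin[2].js"),
    make_entry("12/21/2007 10:38 PM", CACHE_DIR + "\\WXYZ5678\\urchin[1].js"),
    "Windows Live OneCare was not able to clean a threat as the threat no longer "
    "exists. Threat Name: Exploit:HTML/Repl.B(8A12010A)",
])

DETECTION_RE = re.compile(
    r"Threat Name: (?P<name>\S+) "
    r"Detection Date and Time: (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"File Name: (?P<path>.+?) "
    r"Threat Severity: (?P<severity>\w+) "
    r"Threat Category: (?P<category>\w+).*?"
    r"Threat Status: (?P<status>\w+)"
)
# The 'could not clean, threat no longer exists' line carries only the name,
# with a hex suffix in parentheses that we drop.
MISSING_RE = re.compile(
    r"not able to clean a threat as the threat no longer exists\. "
    r"Threat Name: (?P<name>[^\s(]+)"
)


def parse_onecare_log(text):
    """Return one dict per recognised event; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DETECTION_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = "detected"
            ev["when"] = datetime.strptime(ev["when"], "%m/%d/%Y %I:%M %p")
            events.append(ev)
            continue
        m = MISSING_RE.search(line)
        if m:
            events.append({"kind": "clean_skipped", "name": m.group("name")})
    return events


def is_browser_cache(path):
    """IE keeps downloaded page resources under Temporary Internet Files."""
    return "\\temporary internet files\\" in path.lower()


def base_script_name(path):
    """urchin[1].js and urchin[2].js are two cached copies of one resource."""
    return re.sub(r"\[\d+\]", "", path.rsplit("\\", 1)[-1])


def summarize(events):
    """Aggregate detections: how many, where, over what span, and what was skipped."""
    detected = [e for e in events if e["kind"] == "detected"]
    times = sorted(e["when"] for e in detected)
    return {
        "detections": len(detected),
        "clean_skipped": sum(e["kind"] == "clean_skipped" for e in events),
        "cache_only": bool(detected) and all(is_browser_cache(e["path"]) for e in detected),
        "files": dict(Counter(base_script_name(e["path"]) for e in detected)),
        "severities": dict(Counter(e["severity"] for e in detected)),
        "span_minutes": int((times[-1] - times[0]).total_seconds() // 60) if times else 0,
    }


def assessment(summary):
    """One-line reading of the summary for the person looking at the log."""
    if summary["cache_only"] and summary["detections"] > 1:
        return ("cache-only: the script is re-downloaded on each page view and blocked "
                "on access; clear the cache or block the serving host rather than "
                "repairing the disk")
    return "detections outside the browser cache: check for persistence on disk"


if __name__ == "__main__":
    s = summarize(parse_onecare_log(SAMPLE_LOG))
    print(s)
    print(assessment(s))
```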
  • I'm still getting the problem.

     

    Problem for me occurs when I visit ubuntu.com.

     

    Because of the problem, I haven't been visiting many Web sites from this Windows PC.

     

    Sunday, December 23, 2007 5:01 AM
  • Same stupid problem here. Someone please help. Also, is this a real exploit? Do I have to stop using my secure sites, etc. while this gets sorted out?

     

    Sunday, December 23, 2007 5:09 AM
  • @eslaydog

    That's a good point. We don't really know how safe it is to use secure sites. Some viruses are "harmless"; others are dangerous. Today it might look harmless, but a certain event might trigger something really bad.

    We're thinking of reformatting the drive and reinstalling everything from scratch, but I will likely wait... I expect some follow-up from OneCare support staff.

    Sunday, December 23, 2007 2:38 PM
  • drowl - Hello from California

    It appears Exploit targets the same place. I did notice that it is in your administrator account whereas in mine it was in the user account. MS says not to use the administrator account to surf online because it's a security risk in remote access/control attacks. That has always twisted my head a bit 'cause OneCare & the Windows update site won't download manually unless I'm signed in as the administrator, which I occasionally do when an automatic update fails.

    Interesting how OneCare said it was not able to clean a threat as the threat no longer exists. That's a wee bit ambiguous.

    I haven't seen Exploit yet this morning, but it's about time to get my internet radio going and it's been there every time. One can hope.

    Sunday, December 23, 2007 5:37 PM
  • As I mentioned in another thread a little while ago, I still have not found any information on this threat, which is apparently an exploit for Javascript that is being detected by the latest OneCare engine and signatures. Also, it does appear to be cleaned out, but it does return and is blocked and removed again if you visit a web site where the threat resides.

    My feeling is that you are being protected by OneCare, if indeed this is not a false positive by OneCare.

    -steve

     

    Sunday, December 23, 2007 6:03 PM
    Moderator
  • What's curious is that I have two other PCs hooked up to the same network through the common router to the Internet. When those two other PCs access the same Web sites, I do not get the notification to clean up Exploit:HTML/Repl.B. Two of the Web sites are ubuntu.com and techspot.com. All three PCs use the OneCare subscription.

    Does that suggest or not suggest that those Web sites are hosting the virus? Why would it be triggered in one PC and not the other two?

    BTW, I have reset and restarted IE 7, per instructions that support requested that I follow. It made no difference. Notification for HTML/Repl.B still manages to pop up.



     Stephen Boots wrote:

    As I mentioned in another thread a little while ago, I still have not found any information on this threat, which is apparently an exploit for Javascript that is being detected by the latest OneCare engine and signatures. Also, it does appear to be cleaned out, but it does return and is blocked and removed again if you visit a web site where the threat resides.

    My feeling is that you are being protected by OneCare, if indeed this is not a false positive by OneCare.

    -steve

     

    Monday, December 24, 2007 5:41 AM
  • I tried the procedures that the support rep provided me.

    The net result was that I got the following error: "Windows could not start...File is missing or corrupt <Windows root>\system32\ntoskrnl.exe."

    Now I need to know how to restore this file...

    I'm wondering if the fix for this problem is worse than the virus itself...or if the virus itself was able to destroy the kernel file.

    There's no fix for this yet that I'm aware of.


    Monday, December 24, 2007 5:36 PM
  •  Tahi_Kiwi wrote:
    I tried the procedures that the support rep provided me.

    The net result was that I got the following error: "Windows could not start...File is missing or corrupt <Windows root>\system32\ntoskrnl.exe."

    Now I need to know how to restore this file...

    I'm wondering if the fix for this problem is worse than the virus itself...or if the virus itself was able to destroy the kernel file.

    There's no fix for this yet that I'm aware of.


    What procedure did support provide you that potentially led to this?

    In order to resolve this, I believe you will need to do a repair install of Windows. Is this XP or Vista? In Vista, boot from the Vista CD and select the repair install option. In XP, the repair option may require manual efforts to recover your Windows installation - http://www.michaelstevenstech.com/XPrepairinstall.htm

    You should get back in touch with support to resolve this, in any event.

    -steve

    Monday, December 24, 2007 10:30 PM
    Moderator
  • Thank you, Stephen, for the link to repair XP.

    I did not provide details about the steps that the support rep offered me when I wrote my preceding message because I did not want anyone else trying them in case those procedures were faulty.

    I have been viewing some of the procedures for repairing or restoring the corrupt file, but I have found that the procedures do not apply because all I have are the system setup CDs that the manufacturer provided and not the stock Microsoft XP setup disks.

    I did reply to support about my results, and I await their response.

    I may need to reformat and reinstall everything from scratch.


    Monday, December 24, 2007 11:38 PM
  • Ouch. On the other hand, formatting and starting over with the OEM disks will allow you to start fresh with no infection. Is it possible that your OEM restore CD will allow you to perform a repair install anyway?

    -steve

     

    Tuesday, December 25, 2007 12:40 AM
    Moderator
  • Would it be reasonable to expect Live OneCare to prevent this type of infection?

    There must be something on my system that is allowing this because the problem does not show up on two other Windows PCs.

    For the record, the Exploit:HTML/Repl.B virus appeared when I accessed at least these three Web sites:

    • ubuntu.com
    • tvguide.com
    • techspot.com
    Tuesday, December 25, 2007 3:32 AM
  • I think that the issue is that OneCare is currently the only program detecting this exploit. It may even be a false positive based on everything I'm reading here. The code appears to be javascript that is coming from Google ads.

    -steve

     

    Tuesday, December 25, 2007 9:15 PM
    Moderator
  • Wow. JavaScript coming from Google ads? Oh my, what pain.

    But this does open one important difference between the one PC in my household that had been getting these Exploit warnings and the other PCs and OS's that are not getting them: On all except that one PC, I use Hosts files to block exploitive *** that marketers and other underworld scum have deployed to trespass:

    http://www.mvps.org/winhelp2002/hosts.htm

    On the other two Windows PCs, I do not get the Exploit warning, but I do deploy the Hosts files means to block most access to ads and other ***. All three Windows PCs use the same licensed (three unit) OneCare subscription.

    It is valid, important, and expected that any anti-virus application should detect and prevent any ad-sensing technologies! There are true parallels to the functional tactics that marketers deploy and what the underworld scum and thugs deploy: they both strive to violate and trespass upon one's privacy. Both intend to make money off of the privacy of others, although in different ways. I know. I used to work for a marketing software company.

    UPDATE: That's curious that a word like c r a p gets censored with asterisks. It's not a swear word and it duly applies to unethical marketing tactics...


    Wednesday, December 26, 2007 2:22 PM
  • I agree. I will be going back to Norton in March when my OneCare subscription expires. I understand that the New Norton 2008 is much improved.

     

    Sunday, December 30, 2007 5:01 AM
  • I don't trust Norton products. I had very bad experience with them.
    Sunday, December 30, 2007 5:53 AM
  • I have been locked out of this forum for more than a week so this is a test post following an email message to forumsupport last week. The lockout occurred on directed response to Tahi_Kiwi and to one other forum member. I violated no rules, but either Exploit was/is preventing my posting here or there are OneCare police filtering critical views. Both scenarios are unacceptable.

    cadoc

    Sunday, December 30, 2007 7:26 PM
  • Thank you for the host file link. It will take some time for me to digest. I'm glad to be able to post again. Q: has Exploit slowed its appearance with anyone else? Live365.com <internet radio> has eliminated it.

    cadoc

     

    Sunday, December 30, 2007 7:38 PM
  • I haven't made any progress in resolving the Exploit problem. In the course of trying to troubleshoot the problem, the NT kernel file got trashed. I am awaiting a CD that contains a replacement kernel file.

    In the meanwhile, I have read or heard a number of things about Exploit: that is, it may be a false positive, or it may be related to Google adsensing, or it might have been responsible for the kernel file getting messed up, and so on.
    Monday, December 31, 2007 2:51 AM
  •  cadoc wrote:

    I have been locked out of this forum for more than a week so this is a test post following an email message to forumsupport last week. The lockout occured on directed response to Tahi_Kiwi and to one other forum member. I violated no rules, but either Exploit was/is preventing my posting here or there are OneCare police filtering critical views. Both scenarios are unacceptable.

    cadoc

    I can assure you that you were not blocked for anything you may have posted. Last week I had all kinds of issues with logging into the forum that usually meant I needed to delete temporary Internet files and cookies in order for it to let me log in.

    -steve

    Monday, December 31, 2007 4:25 AM
    Moderator
  • Thanks Steve. I assure you I have been deleting temp files & cookies on a regular basis since finding Exploit in my temporary folder with the js extension. OneCare had been unable to clear the temp folder so I switched to Spotmau WinCares, which is a maintenance/recovery suite. (Incidentally, Spotmau does boot crashed systems, even from the dreaded fatal error blue screen.) Be that as it may, OneCare gave me two new problems today. In the very early AM of the 31st I retired to bed and left Tuneup running, as is my general practice. It's set up to go into standby after tuneup completes, but when I checked it this morning OneCare and the system were hung up. Long story short, I had to shut the power off to reboot then use restore from my administrator account as the user account would not respond. The only evident clue was the dimmed "Checking for Updates" on OneCare and that backup had failed. I went into the backup zip files and lo and behold the only thing OneCare backup has backed up in the last 2 months is Favorites and Desktop, neither of which are particularly important to me.

    This is the old v 1.6 as I recall, not the new release. Back in the summer I moved My Documents, the print spooler and the pagefile off the primary C disk to an external drive. There are actually two external drives, one of which has a partition dedicated to OneCare backups, with the two drives having 10 partitions total. OneCare had been set to back up each partition if any changed files presented.

    In an earlier post, or perhaps somewhere else, I've read that the new OneCare release was not an automatic update because of some issue or the other, so that's my guess at why I haven't received it. It's likely that my current OneCare installation is damaged in some way, so the evolved question is: do I try to reinstall 1.6 or a new install of the recent release? Any insight would be appreciated.

    cadoc

    Tuesday, January 1, 2008 7:57 AM
  • Tahi_Kiwi: Back in the summer I found a very interesting system recovery program called Spotmau. It has done all it promised. It is able to recover deleted files, as the only thing deleted on the disk is the address, not the information, as you probably know. In any event, it's downloadable as a zip file and immediately available for use. I ordered the CD also. I don't know enough about this stuff to know whether or not a kernel file is ever backed up as part of the system state/registry. I do know this program is used by law enforcement to reconstruct disk info seized from freakos and by the US military for encryption. It is a source of comfort in the current and, I suppose, never-ending battle against mad programmers of the underworld. I would really like to see OneCare expanded and refined to provide similar capabilities to Spotmau. All in good time I guess, or maybe not if the balance of power tips to open source. I've been to Ubuntu once since your post, got infected and withdrew. Happy New Year.

    cadoc

    Tuesday, January 1, 2008 8:42 AM
  • After over 1200 posts, I would think that OneCare would have a specific way to deal with that HTML/Repl.B exploit.

    Anyway, I have some more input. After having the alert pop up too many times to count, I found that after I "fixed" it numerous times, it would go away, only to come back after a reboot. Recently, I had occasion to remove Logitech Setpoint due to other problems, and found that the alerts went away (for now) and my computer runs faster! I just wonder how many people that are running Logitech mice/keyboards???

    Just a comment... probably not a solution.

    Tuesday, January 1, 2008 9:06 AM
  • Hi all

    One web forum reports Exploit:HTML/Repl.B to be an "urchin script". If you google *urchin script* you arrive at http://www.google.com/analytics/, a program used by web masters to analyse where web traffic is coming from and where on their web site it is going to.

    Reading the Analytics Blog:

    http://analytics.blogspot.com/

    It seems an update for Analytics was rolled out December 13, 2007 - just a few days before Exploit first started appearing.

    As Analytics is basically a tracking program, I would think it needs to download *something* to your computer to work.

    If it is connected to Analytics, it's (almost) certainly not a virus and not a threat.

    Or it may just be a coincidence that the update and Exploit appeared at similar times.

    Tuesday, January 1, 2008 9:14 PM
  • Rosie2 wrote:

    As Analytics is basically a tracking program, I would think it needs to download *something* to your computer to work.

    If it is connected to Analytics, it's (almost) certainly not a virus and not a threat.

    Or it may just be a coincidence that the update and Exploit appeared at similar times.

    Well, if it is a tracking program, then it most certainly is a threat. It would be a threat to our rights to privacy. Oftentimes, marketing and advertising are behind tracking, and it is nearly always without users' knowledge, permission, or consent. Some marketers use Web beacons; some use 1-pixel GIFs; and some employ a scam racket called eTrust. If you look at the marketeering companies behind those initiatives, you know they cannot be trusted.

    It's little different than viruses and spyware. Analytics cannot be trusted! Devious, underhanded means cannot be trusted!
    Tuesday, January 1, 2008 11:16 PM
  • cadoc wrote:

    In an earlier post, or perhaps somewhere else, I've read that the new OneCare release was not an automatic update because of some issue or the other, so that's my guess at why I haven't received it. It's likely that my current OneCare installation is damaged in some way, so the evolved question is: do I try to reinstall 1.6 or a new install of the recent release? Any insight would be appreciated.

    cadoc

    Any reinstall at this point will net you 2.0 as the installer always gets the latest bits from the server.

    -steve

    Wednesday, January 2, 2008 2:27 AM
    Moderator
  • I am running OneCare 2.0 on both Vista and XP systems and have been receiving these exploit messages since I upgraded in December.

    I have concluded that OneCare cleans them, but since they are part of a web page's content they reappear when another web page with some form of Google's Analytics JavaScript is included (which is in fact designed to track page usage, not who is using a page).

    I have further found that there is a lot of hacked code being offered that is supposed to eliminate performance problems in the collection of this information (i.e. as designed it can cause a page to load very slowly). These hacks are meant to take advantage of storing this urchin.js script in a local temp file (if you access the OneCare administrator info from the OneCare warning you will see the location it is being run from).

    I am wondering if it is this hacked code that is failing to be recognized by OneCare and is likely never to be certified in a manner that stops the warning.

    I have concluded that since it is apparently well under the radar for most pros who ferret out threats that are being swept under the rug by the "Big Guys", while annoying, one can live with it.

    I would conclude with this bit of wisdom, I am unsure of where I got it: "When two elephants are dancing in a room someone's going to be unhappy". Translated: Microsoft is not going to race to get this Google-generated issue cleared up if in fact that is where it is coming from.

    Wednesday, January 2, 2008 9:09 PM
  • I'm sorry that I don't quite understand what to do. This popup is very annoying. What is the consensus?

    Stop using OneCare? Remove and do not use google products? Stop using IE? Stop using Windows?

    It seems to affect only a minority of people.

    Thursday, January 3, 2008 1:39 AM
  • hfhlt004 wrote:

    I'm sorry that I don't quite understand what to do. This popup is very annoying. What is the consensus?

    Stop using OneCare? Remove and do not use google products? Stop using IE? Stop using Windows?

    It seems to affect only a minority of people.

    My suggestion is to contact support and/or submit the infected files per the instructions here:

    http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2

    -steve

    Thursday, January 3, 2008 2:14 AM
    Moderator
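    The posts above locate the flagged item in a cached urchin.js (or a page that loads it) under the browser's temporary files, and the moderator's advice is to submit the file to support. The following PowerShell script is an added example and not part of this thread or of OneCare; it inventories cached JavaScript files that mention the urchin tracker and records a SHA-256 hash, size, timestamp and path for each, which is the information a support case needs to match the detection to a specific file. It assumes the Windows XP layout of the Internet Explorer cache under the user profile, that PowerShell is installed (1.0/2.0-era cmdlets only, so no Get-FileHash), and uses the search string "urchin" as a constructed marker; the cache path, report path and marker are all assumptions to adjust for other systems.

```powershell
# Added example (not from the thread): inventory cached JavaScript files that
# reference the Google Analytics urchin tracker, so the exact file the scanner
# keeps flagging can be identified and submitted to support.
# Assumptions: Windows XP layout of the IE cache under the user profile;
# PowerShell 1.0/2.0-era cmdlets only (no Get-FileHash). Adjust $CachePath for
# other Windows versions or browsers. All three values below are assumptions.
$CachePath = Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files'
$Marker    = 'urchin'      # constructed marker: appears in urchin.js and in pages that load it
$Report    = Join-Path $env:USERPROFILE 'Desktop\cached-js-report.txt'

$sha = [System.Security.Cryptography.SHA256]::Create()

# Hex SHA-256 of a file; this is the value a vendor submission form asks for.
function Get-Sha256Hex([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

# Content.IE5 and its subfolders are hidden+system, so -Force is required.
$files = Get-ChildItem -Path $CachePath -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.js' }

$lines = @()
foreach ($f in $files) {
    $text = [System.IO.File]::ReadAllText($f.FullName)
    if ($text -match $Marker) {
        $lines += ('{0}  {1}  {2}  {3}' -f (Get-Sha256Hex $f.FullName), $f.Length,
                   $f.LastWriteTime.ToString('s'), $f.FullName)
    }
}

if ($lines.Count -eq 0) {
    Write-Host "No cached .js files containing '$Marker' under $CachePath"
} else {
    # Hash, size, timestamp and path are what a support case needs; the file
    # itself can be copied from the listed path into a zip for submission.
    $lines | Set-Content -Path $Report
    Write-Host ("Wrote {0} entries to {1}" -f $lines.Count, $Report)
    $lines
}
```

    Run it from the account whose browser raised the alert, since the cache is per user; comparing the recorded hashes against the path shown in the OneCare warning tells you whether the same cached file is being re-downloaded each time or a different copy is being flagged.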
  • As posted elsewhere, I followed OneCare support's suggestion and ran a scan in safe mode. The scan found no exploit, but as of Jan 8, I have noticed no further pop ups.

    Tuesday, January 8, 2008 6:50 AM
  • Thanks for the update, Bob. Perhaps the OneCare signature files have been updated...and this was a false positive all along.... I'm only speculating, of course.

    -steve

    Tuesday, January 8, 2008 4:30 PM
    Moderator
  • Here's an update of a different sort. I have just gotten up & running again after opting for a new drive, fresh XP and the 2.0 OneCare. The interface is improved in my opinion from v1.6.

    I found the earlier post on Google Analytics very interesting as I am cynical about coincidences. Exploit has presented a number of times but not from the same sites as previously. However, a while ago I got a Trojan, something I recall coming in only twice in the last 2+ years. OneCare removed it ... haven't been to the list yet for info but here it is: Trojan:JS/Agent.FA

    Until Exploit showed up I didn't get intrusion alerts more often than once or twice a month, and I'm online 4-6 hours daily. Not a day passes now without something, or so it seems.

    Question: When OneCare alerts that a threat is present, what does it do if I happen to be away from the system as it is requesting to remove the threat? Is the threat operative until I click remove all? Why doesn't it remove/stop/quarantine it and tell me about it later? Have I missed something in the setup?

    Question for the forum member who ran Speesbit: Do I disable OneCare Virus protection to run Speesbit? Thanks

    Doc

    Saturday, January 12, 2008 7:45 AM
  • Yes, some time back I remember OneCare alerting me to the fact they had cleaned a trojan. I was surprised, because I have used OneCare for two years (when it was in beta) and never got a trojan. I did not hear anything else about it until the exploit occurred. After cleaning the exploit, I kept getting it time after time. I inquired about it, but no one seemed to know what to do. Something happened eventually and I stopped getting the exploit alert about 2 weeks ago. I thought about getting rid of OneCare and getting the new Norton 360, but after a bit of reading, I figure OneCare is as good as any of the other suites.

    Sunday, January 13, 2008 2:43 AM
  • cadoc wrote:

    Question: When OneCare alerts that a threat is present, what does it do if I happen to be away from the system as it is requesting to remove the threat? Is the threat operative until I click remove all? Why doesn't it remove/stop/quarantine it and tell me about it later? Have I missed something in the setup?

    OneCare will block, remove, quarantine, clean without any intervention from you. However, some threats are rather persistent and will keep coming back as the signatures in OneCare at the time do not remove every part of the threat, hence the advice to contact support if OneCare alerts you regularly that it has taken care of the same threat.

    -steve

    Sunday, January 13, 2008 8:19 PM
    Moderator
  • Thanks Steve. Threats have been mercifully absent the last few days, which must be the current trend given the fewer postings herein. I have a question on my recently installed v2.0 OneCare: the old v1.6 provided a "System Check Point" in my XP Restore on a regular once-a-day schedule, something the 2.0 is not doing. Is this by design, or? I know I can set that up as a task for XP, but if it is still a default action of OneCare then ... Any insight would be appreciated.

    Thanks,

    Doc

    Friday, January 18, 2008 6:30 AM
  • Hi, Doc. I don't know that OneCare was doing that. I just checked an XP machine that is not running OneCare of any flavor and it creates that System Check Point daily. I don't have an XP machine here running OneCare to verify that it is also doing this. If you go to System Restore Settings, I trust that you have System Restore enabled and that there is enough space allocated for Restore Points?

    -steve

    Friday, January 18, 2008 2:00 PM
    Moderator
  • OK, thanks. I'll try setting it up in task manager, maybe after a visit to MS knowledge base. Trouble with that place is it's like a grocery store ... I go looking for one thing and come back with a bag full (smile). Restore is enabled with 1200 mb dedicated. Sure sounds like an XP thing, but my thinking the check point was a OneCare function kinda says how much I've relied on it. The problem I had in Task Manager just a little while ago is instructing it to create a restore point and to not do a restore. All it asks for is what program to run and what to name it, but the name is not an instruction. I must have missed somethin', I'll go through it again.

    Doc

    Saturday, January 19, 2008 4:30 AM
  • cadoc,

    When attempting to remove a piece of malware OneCare will first automatically create a restore point in case the removal goes badly. This has been a core part of the process with all of the MS antimalware products for as long as I can remember. You've probably gotten used to them due to the fact that OneCare was almost continually attempting to remove the piece of malware mentioned in this thread.

    Normally Windows will create its own system restore point roughly once a day if one hasn't already been created. The fact that OneCare was regularly creating them probably suppressed this normal auto-creation. This also happens when either an MSI-based application install or a Windows Update causes a restore point to occur. See the following MSDN article for more if you care to know.

    http://msdn2.microsoft.com/en-us/library/ms997627.aspx#windowsxpsystemrestore_auto

    OneCareBear

    Saturday, January 19, 2008 5:58 AM
    Moderator
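    Two things come together in the last few posts: cadoc wants a scheduled task that creates a restore point without performing a restore, and OneCareBear explains that Windows' own daily checkpoint is skipped when something else (an antimalware removal, an MSI install, Windows Update) has created one recently. The PowerShell script below is an added example, not code from this thread or from OneCare, that shows the Windows XP System Restore interface as exposed through WMI: it reads the automatic-checkpoint interval and disk budget, lists the existing restore points (so you can see who has been creating them), and then creates one on demand. Saved as a .ps1 and run from a scheduled task as "powershell.exe -File checkpoint.ps1", it gives the daily checkpoint the thread discusses. It assumes Windows XP with System Restore enabled, PowerShell installed, an administrator account, and the WMI classes SystemRestore and SystemRestoreConfig in the root\default namespace; the description string is a constructed default.

```powershell
# Added example (not from the thread): inspect System Restore settings, list the
# existing checkpoints, and create one on demand. Assumptions: Windows XP with
# System Restore enabled, PowerShell installed, an administrator account, and the
# WMI SystemRestore / SystemRestoreConfig classes in the root\default namespace.
param([string]$Description = 'Scheduled checkpoint')   # constructed default

$ns = 'root\default'

# RPGlobalInterval is the interval (seconds) between Windows' own automatic
# checkpoints; DiskPercent is the share of the volume reserved for them.
# A checkpoint created by anything else within that interval means Windows
# skips its own, which is the suppression effect described in the thread.
$cfg = Get-WmiObject -Namespace $ns -Class SystemRestoreConfig
Write-Host ("Auto-checkpoint interval: {0} s, disk budget: {1}%" -f $cfg.RPGlobalInterval, $cfg.DiskPercent)

# Existing checkpoints in creation order. RestorePointType 0 is "application
# install", which is also the type antimalware removals use; the MSDN article
# linked in the thread lists the other type codes.
Write-Host 'Existing restore points:'
Get-WmiObject -Namespace $ns -Class SystemRestore |
    Sort-Object SequenceNumber |
    ForEach-Object {
        Write-Host ("{0,4}  {1}  type={2}  {3}" -f $_.SequenceNumber, $_.CreationTime, $_.RestorePointType, $_.Description)
    }

# Create a new checkpoint. Arguments: description, restore point type (0 =
# application install), event type (100 = begin system change). A nonzero
# ReturnValue means the call failed, typically because System Restore is
# disabled on the system drive or the disk budget is exhausted.
$sr = [wmiclass] '\\.\root\default:SystemRestore'
$result = $sr.CreateRestorePoint($Description, 0, 100)
if ($result.ReturnValue -eq 0) {
    Write-Host "Created restore point '$Description'"
} else {
    Write-Host ("CreateRestorePoint failed with code {0}" -f $result.ReturnValue)
    exit 1
}
```

    The listing is the useful diagnostic here: if every recent entry carries the same antimalware description, the scanner's repeated cleanup attempts are what has been filling the restore-point budget, and a failed CreateRestorePoint call points at a disabled System Restore or an exhausted disk allocation rather than at the scheduled task itself.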