
Thread: Open Site

  1. #1
    BHJ Guest

    Open Site

    Let me try this one more time...Anyone know of "Open Site"? Every time I
    boot my machine I get a Security Warning asking if I want to download
    install "Open Site" from some outfit called Page Access. I click NO
    every time...and it keeps on coming and coming....I have used spybot, adaware
    and some registry cleaner to try to delete whatever is making this pop up
    incessantly to no avail. Any advice?

    --
    BHJensen
    =======================================================
    "Even the swap meets around here are getting pretty corrupt"
    -Brownsville Girl -Bob Dylan



  2. #2
    Roy Guest

    Re: Open Site

    In article <fk%pb.1780$j91.1639@twister.rdc-kc.rr.com>, NOSPAMbjensen5
    @wi.rr.com says...

    > Let me try this one more time...Anyone know of "Open Site"? Every time I


    A little impatient, aren't we? Read part of your headers.

    First Posting

    From: "BHJ" <NOSPAMbjensen5@wi.rr.com>
    Newsgroups: alt.privacy.spyware
    Subject: "Open Site"
    Lines: 13
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    Message-ID: <oc%pb.115252$%C5.83215@twister.rdc-kc.rr.com>
    Date: Tue, 4 Nov 2003 22:44:50 -0600
    NNTP-Posting-Host: 24.211.28.6
    X-Complaints-To: abuse@rr.com
    X-Trace: twister.rdc-kc.rr.com 1068007316 24.211.28.6 (Tue, 04 Nov 2003
    22:41:56 CST)
    NNTP-Posting-Date: Tue, 04 Nov 2003 22:41:56 CST


    Second Posting

    From: "BHJ" <NOSPAMbjensen5@wi.rr.com>
    Newsgroups: alt.privacy.spyware
    Subject: Open Site
    Lines: 14
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    Message-ID: <fk%pb.1780$j91.1639@twister.rdc-kc.rr.com>
    Date: Wed, 05 Nov 2003 04:50:19 GMT
    NNTP-Posting-Host: 24.211.28.6
    X-Complaints-To: abuse@rr.com
    X-Trace: twister.rdc-kc.rr.com 1068007819 24.211.28.6 (Tue, 04 Nov 2003
    22:50:19 CST)
    NNTP-Posting-Date: Tue, 04 Nov 2003 22:50:19 CST
    Organization: RoadRunner

    I don't know the answer, and I wouldn't now be much inclined to say if I
    did.



  3. #3
    BHJ Guest

    Re: Open Site

    I sent it the second time because as I hit enter on the first one the news
    reader closed completely and I presumed it was "not" posted...don't be so
    quick to judge the honest mistakes of a newbie...:-)

    "Roy" <z.5.RoyDent@spamgourmet.com> wrote in message
    news:MPG.1a12f2c0ff20d5af9896de@usenet.free-online.net...
    > In article <fk%pb.1780$j91.1639@twister.rdc-kc.rr.com>, NOSPAMbjensen5
    > @wi.rr.com says...
    >
    > > Let me try this one more time...Anyone know of "Open Site"? Every time I

    >
    > A little impatient, aren't we? Read part of your headers.
    >
    > First Posting
    >
    > From: "BHJ" <NOSPAMbjensen5@wi.rr.com>
    > Newsgroups: alt.privacy.spyware
    > Subject: "Open Site"
    > Lines: 13
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
    > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    > Message-ID: <oc%pb.115252$%C5.83215@twister.rdc-kc.rr.com>
    > Date: Tue, 4 Nov 2003 22:44:50 -0600
    > NNTP-Posting-Host: 24.211.28.6
    > X-Complaints-To: abuse@rr.com
    > X-Trace: twister.rdc-kc.rr.com 1068007316 24.211.28.6 (Tue, 04 Nov 2003
    > 22:41:56 CST)
    > NNTP-Posting-Date: Tue, 04 Nov 2003 22:41:56 CST
    >
    >
    > Second Posting
    >
    > From: "BHJ" <NOSPAMbjensen5@wi.rr.com>
    > Newsgroups: alt.privacy.spyware
    > Subject: Open Site
    > Lines: 14
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
    > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    > Message-ID: <fk%pb.1780$j91.1639@twister.rdc-kc.rr.com>
    > Date: Wed, 05 Nov 2003 04:50:19 GMT
    > NNTP-Posting-Host: 24.211.28.6
    > X-Complaints-To: abuse@rr.com
    > X-Trace: twister.rdc-kc.rr.com 1068007819 24.211.28.6 (Tue, 04 Nov 2003
    > 22:50:19 CST)
    > NNTP-Posting-Date: Tue, 04 Nov 2003 22:50:19 CST
    > Organization: RoadRunner
    >
    > I don't know the answer, and I wouldn't now be much inclined to say if I
    > did.
    >
    >




  4. #4
    NEMO ME IMPUNE Guest

    Re: Open Site

    Well said!!!



  5. #5
    Chuck Guest

    Re: Open Site

    On Wed, 05 Nov 2003 04:50:19 GMT, "BHJ" <NOSPAMbjensen5@wi.rr.com>
    wrote:

    >Let me try this one more time...Anyone know of "Open Site"? Every time I
    >boot my machine I get a Security Warning asking if I want to download
    >install "Open Site" from some outfit called Page Access. I click NO
    >every time...and it keeps on coming and coming....I have used spybot, adaware
    >and some registry cleaner to try to delete whatever is making this pop up
    >incessantly to no avail. Any advice?


    Try SWI Forums, and HijackThis. HijackThis searches for traces of
    malware, not just signatures as AA and SSD do. You'll need expert
    advice to interpret its output - don't just delete anything
    immediately. Start with this article:
    http://forums.spywareinfo.com/index.php?showtopic=5187


    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.

  6. #6
    Roy Guest

    Re: Open Site

    In article <bob25p$1coh9v$1@ID-205832.news.uni-berlin.de>,
    pimpampoum@club-internet.fr says...

    > Well said!!!
    >


    But a pity it wasn't said in the second posting.

  7. #7
    sponge Guest

    Re: Open Site

    On Wed, 05 Nov 2003 04:50:19 GMT, "BHJ" <NOSPAMbjensen5@wi.rr.com>
    wrote:

    >Let me try this one more time...Anyone know of "Open Site"? Every time I
    >boot my machine I get a Security Warning asking if I want to download
    >install "Open Site" from some outfit called Page Access. I click NO
    >every time...and it keeps on coming and coming....I have used spybot, adaware
    >and some registry cleaner to try to delete whatever is making this pop up
    >incessantly to no avail. Any advice?


    Who/what is it trying to contact? What is the full message? Also, run
    HiJackThis! and post the results here -- HiJackThis identifies most of
    what's running on your system, hidden as well as visible. I may be able
    to help. You can get it at http://tomcoyote.org/hjt

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com

  8. #8
    BHJ Guest

    Re: Open Site, certificate and HiJack log

    Thank you for your interest and offer. What pops up is a "Security Warning"
    that presents a Certificate (?) that says the following:

    "Do you want to install and run "Open Site (By clicking yes you agree to the
    terms and conditions of this program. Click here to view the terms and
    conditions) signed on 10/17/2003 9:45PM and distributed by
    Page Access
    Publisher authenticating verified by Verisign Class 3 Code Signing 2001 CA.
    Caution. Page Access asserts that this content is safe. You should only
    install/view this content if you trust Page Access to make that assertion
    Click Yes No More Info"

    When you click on the "click here to view terms and conditions" it takes you
    to www.zuvio.com/terms.html

    The high jack log from tonight appears below. What is interesting is that if
    I boot this laptop w/o an internet connection, this does not appear. If I
    make internet explorer "work offline" (when not connected) and then boot it,
    a screen pops up telling me the web page I am attempting to reach is not
    available offline and do I want to connect. If I say yes, the above
    certificate pops up. This is a laptop I use at home and work; this happens
    both places and my IT guys looked at it and said "hmmm, never seen that
    before.."

    I just can't bring myself to trust anything named zuvio....
    Thanks!
    ===========================
    Logfile of HijackThis v1.97.3
    Scan saved at 10:37:33 PM, on 11/5/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\ZipToA.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Funk Software\Proxy Host\PH32SVC.EXE
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\system32\tp4serv.exe
    C:\WINNT\system32\ltmsg.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE
    C:\Program Files\NoAds\NoAds.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\PKWARE\PKZIPO\PKTray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINNT\System32\cidaemon.exe
    C:\ZipDrive Files\Hijack\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/news/default.asp?0ct=-34o
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE" -s
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Msppkdp] C:\WINNT\system32\MSPPKDP.EXE
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPO\PKTray.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
    O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
    O12 - Plugin for .zip: C:\PROGRA~1\PKWARE\PKZIPP\nppkzip.dll



    "sponge" <yosponge@yahoo.com> wrote in message
    news:8d76ec03.0311051835.3e6e9bb@posting.google.com...
    > On Wed, 05 Nov 2003 04:50:19 GMT, "BHJ" <NOSPAMbjensen5@wi.rr.com>
    > wrote:
    >
    > >Let me try this one more time...Anyone know of "Open Site"? Every time I
    > >boot my machine I get a Security Warning asking if I want to download
    > >install "Open Site" from some outfit called Page Access. I click NO
    > >every time...and it keeps on coming and coming....I have used spybot, adaware
    > >and some registry cleaner to try to delete whatever is making this pop up
    > >incessantly to no avail. Any advice?
    >
    > Who/what is it trying to contact? What is the full message? Also, run
    > HiJackThis! and post the results here -- HiJackThis identifies most of
    > what's running on your system, hidden as well as visible. I may be able
    > to help. You can get it at http://tomcoyote.org/hjt
    >
    > Sponge
    > Sponge's Secure Solutions
    > www.geocities.com/yosponge
    > My new email: yosponge2 att yahoo dott com
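
Added example (not part of any post in this thread): one way to get a HijackThis log like the one in post #8 into a form that can be reviewed entry by entry, as Chuck advises, instead of deleting things straight away. The sample is a few entries copied from that log with the newsreader's wrapping left in; `parse_entries`, `autostarts` and the `full_path` hint are names made up for this sketch, and the hint marks items to look up, not items judged bad.

```python
import re

# Constructed sample: entries copied from the HijackThis log in post #8,
# with the newsreader's line wrapping left in place.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.msnbc.com/news/default.asp?0ct=-34o
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy
Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [Msppkdp] C:\WINNT\system32\MSPPKDP.EXE
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .zip: C:\PROGRA~1\PKWARE\PKZIPP\nppkzip.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - ..." section code + body
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run\w*: \[(.+?)\] ?(.*)$")  # registry Run-key autostart
STARTUP = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")  # Startup-folder shortcut
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')                   # command begins with a drive path

def parse_entries(text):
    """Return [(code, body)], rejoining lines the newsreader wrapped at a space."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:
            entries[-1][1] += " " + line   # continuation of the previous entry
    return [tuple(e) for e in entries]

def autostarts(entries):
    """Break each O4 (startup) entry into location, name and command for review."""
    items = []
    for code, body in entries:
        m = code == "O4" and (RUN.match(body) or STARTUP.match(body))
        if m:
            where, name, cmd = m.groups()
            # No drive path: Windows resolves the name itself, so confirm which file runs.
            items.append({"where": where, "name": name, "command": cmd,
                          "full_path": bool(ABS_PATH.match(cmd))})
    return items
```
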




  9. #9
    Whiskers Guest

    Re: Open Site, certificate and HiJack log

    In alt.privacy.spyware on Thursday 06 Nov 2003 4:54 am, BHJ
    <NOSPAMbjensen5@wi.rr.com> wrote:

    snip

    > The high jack log from tonight appears below. What is interesting is that
    > if I boot this laptop w/o an internet connection, this does not appear.
    > If I make internet explorer "work offline" (when not connected) and then
    > boot it, a screen pops up telling me the web page I am attempting to reach
    > is not available offline and do I want to connect. If I say yes, the above
    > certificate pops up. This is a laptop I use at home and work; this happens
    > both places and my IT guys looked at it and said "hmmm, never seen that
    > before.."


    snip

    Is Internet Explorer trying to complete a download? It's a long time since
    I used it, but there is presumably a 'download manager' that you can use to
    start, stop, queue, or resume, the download of any file. Have you looked
    there to see if it's trying to download 'Open Site'?

    It might be useful to Google "open site".

    --
    -- ^^^^^^^^^^ Interested in Citroens?
    -- Whiskers <http://www.aacit.net>
    -- ~~~~~~~~~~ <news:alt.autos.citroen>

  10. #10
    BHJ Guest

    Re: Open Site, certificate and HiJack log

    If it is internet explorer it is doing so without my initiation. I have no
    clue what open site is and certainly have not selected this "program" or
    whatever it is for downloading and installation. All I know is that if I do
    accept the certificate it installs this Open Site program, the uninstall
    feature does not work, and while AdAware and other programs ID it as
    "malware" and allow me to delete it and the registry keys ..... sure
    enough, next time I boot up while connected there it is
    again....frustrating...
    Apparently it is some sort of auction site...at least when I go to
    www.zuvio.com it sure looks like it...
    I am out of ideas...
    BHJ
    "Whiskers" <catwheezel@operamail.com> wrote in message
    news:k58r71-jl6.ln1@ID-107770.user.uni-berlin.de...
    > In alt.privacy.spyware on Thursday 06 Nov 2003 4:54 am, BHJ
    > <NOSPAMbjensen5@wi.rr.com> wrote:
    >
    > snip
    >
    > > The high jack log from tonight appears below. What is interesting is that
    > > if I boot this laptop w/o an internet connection, this does not appear.
    > > If I make internet explorer "work offline" (when not connected) and then
    > > boot it, a screen pops up telling me the web page I am attempting to reach
    > > is not available offline and do I want to connect. If I say yes, the above
    > > certificate pops up. This is a laptop I use at home and work; this happens
    > > both places and my IT guys looked at it and said "hmmm, never seen that
    > > before.."
    >
    > snip
    >
    > Is Internet Explorer trying to complete a download? It's a long time since
    > I used it, but there is presumably a 'download manager' that you can use to
    > start, stop, queue, or resume, the download of any file. Have you looked
    > there to see if it's trying to download 'Open Site'?
    >
    > It might be useful to Google "open site".
    >
    > --
    > -- ^^^^^^^^^^ Interested in Citroens?
    > -- Whiskers <http://www.aacit.net>
    > -- ~~~~~~~~~~ <news:alt.autos.citroen>



