

adw tenget.a


Name: Michelle
Date: August 23, 2003 at 10:43:27 Pacific
OS: microsoft windows 98 4.10
CPU/Ram: pentium II/128 megs
Comment:

Hi,

I ran HouseCall virus scan and it found 2 infected files, both are ADW TENGET.A, non cleanable. I have no idea how to rid my computer of these files. Can someone help me with this?
Thank you,
Michelle




Response Number 1
Name: WARLOCK
Date: August 23, 2003 at 11:22:09 Pacific
Reply:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_TENGET.A

Overview

----------------------

Virus type: Trojan

Destructive: No

Pattern file needed: 594

Scan engine needed: 5.400

Overall risk rating: Very Low

----------------------

Reported infections: Low

Damage Potential: Low

Distribution Potential: Low

----------------------

Description:

This spyware modifies Internet Explorer settings so that the browser is occasionally rerouted to a commercial Web site on the IP address:

216.177.73.139

The rerouting occurs when the following strings are entered into the address bar:

auto.search.msn.com
search.netscape.com
ieautosearch
This spyware is actually a browser helper program that is available as a download from the following Web site:

www.igetnet.com

This browser helper basically allows users to open a URL by simply entering registered keywords on the Address bar. The keywords can be downloaded from the same Web site.

This spyware contains code that can do any of the following based on user-browser interaction:

Open files for reading
Load files
Open files for writing
Open Internet connection
Open URL
Download and execute files from the Internet
Create, edit, and delete registry values
Delete and copy files
Retrieve system information
It arrives as an installer that does not display an End-User Agreement or prompt for user confirmation.

This spyware runs on Windows 95, 98, NT, ME, 2000, and XP.

TrendLabs has received reports that initial infections of this malware arrived via email as a link to the Web site that contains it.

Solution:

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
WINSTART001.EXE = "%System%\WINSTART001.exe -b"
or
WINSTART.EXE = "%System%\WINSTART.exe -b"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)
Removing Other Registry Entries

This procedure removes the other registry entries created by the malware in the system.

Still in Registry Editor, in the left panel, double-click the following:
HKEY_CLASSES_ROOT>CLSID
Still in the left, delete the following sets of keys:
{676058E4-89BD-11D6-8A8C-0050BA8452C0}
{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
or
{676058E4-89BD-11D6-8A8C-0050BA8452C0}
{730F2451-A3FE-4A72-938C-FC8A74F15978}
Again, in the left panel, double-click the following:
HKEY_CLASSES_ROOT>TypeLib
Still in the left, delete the following sets of keys:
{676058E4-89BD-11D6-8A8C-0050BA8452C0}
{ACBA087F-1547-41DE-8E9E-3F0963CE4BEF}
or
{974CC25E-D62C-4278-84E6-A806726E37BC}
{676058DB-89BD-11D6-8A8C-0050BA8452C0}
Again, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>explorer>Browser Helper Objects
Still in the left, delete the following key:
{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
or
{730F2451-A3FE-4A72-938C-FC8A74F15978}
Close Registry Editor.
Restoring HOSTS File

Right-click Start then click Search… or Find… depending on your version of Windows.
In the Named input box, type:
HOSTS
In the Look In drop-down list, select the drive that contains Windows, then press Enter.
When found, right click the HOSTS file and click Open With.
Select Notepad from the list and click OK.
Delete the lines:
216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch
Close Notepad and click Yes when prompted to save.
Restart the system
Deleting Dropped Files

Right-click Start then click Search… or Find… depending on your version of Windows.
In the Named input box, type:
BHO001.DLL;Install_All.DLL;RSP001.DLL;rules.dat;Update_com.DLL;BHO.DLL;RSP.DLL;WINSTART.EXE;WINSTART001.EXE
In the Look In drop-down list, select the drive which contains Windows, then press Enter.
Delete the malware files found.
Note: If one of the dropped files cannot be deleted, restart the system and repeat this procedure.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as ADW_TENGET.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

For additional information about this threat, see Technical Details.


Technical Details

In the wild: Yes

----------------------

Payload 1: Reroutes Internet Explorer to commercial site

----------------------

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Size of virus: Installer: 113,648 Bytes
Browser Helper: 90,112 Bytes

Pattern file needed: 594

Scan engine needed: 5.400

Discovered: Jul. 21, 2003

Detection available: Jul. 21, 2003

----------------------

Details:

This is Trend Micro’s detection for both the dropper and the actual adware that modifies Internet Explorer settings so that the browser is occasionally rerouted to a commercial Web site.

Installation

When executed, this malware's dropper component drops the main malware executable in the Windows system folder as any of the following:

WINSTART001.EXE
WINSTART.EXE
The dropped executable, upon execution, installs itself by creating either of the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WINSTART001.EXE = "%System%\WINSTART001.exe -b"

or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WINSTART.EXE = "%System%\WINSTART.exe -b"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

The entry allows it to execute every time Windows starts.

The main malware component also drops either of the following sets of non-malicious files:

BHO001.DLL
Install_All.DLL
RSP001.DLL
rules.dat
Update_com.DLL
or
BHO.DLL
RSP.DLL
Additionally, it adds either of the following sets of registry keys to register its dropped components on the system:

HKEY_CLASSES_ROOT\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}

HKEY_CLASSES_ROOT\CLSID\{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}

HKEY_CLASSES_ROOT\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}

HKEY_CLASSES_ROOT\TypeLib\{ACBA087F-1547-41DE-8E9E-3F0963CE4BEF}

or
HKEY_CLASSES_ROOT\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}

HKEY_CLASSES_ROOT\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}

HKEY_CLASSES_ROOT\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}

HKEY_CLASSES_ROOT\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}

It adds either of the following registry entries to set up the installed spyware application as the default Browser Helper Object or BHO:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
(Default) = "Natural Language Navigation"

or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{730F2451-A3FE-4A72-938C-FC8A74F15978}

When set up as a BHO, the dropped files contain code that can do any of the following based on user-browser interaction:

Open files for reading
Load files
Open files for writing
Open Internet connection
Open URL
Download and execute files from the Internet
Create, edit, and delete registry values
Delete and copy files
Retrieve system information
The dropped DLL files also contain functions that would modify certain registry keys for processing keywords entered in the Internet Explorer address bar.

Internet Explorer Rerouting

The main malware file modifies the HOSTS file, which is commonly found in the Windows system folder, to contain the following lines:

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch

As a result, when the strings to the right of the list are entered in the Internet Explorer address bar, the browser is automatically redirected to a Web site on the IP address.


Description created: Jul. 22, 2003
Description updated: Jul. 25, 2003



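The write-up quoted in the reply above gives three indicator sets for this adware: the HOSTS lines pointing the search hostnames at 216.177.73.139, the WINSTART*.EXE autostart value under the Run key, and the two BHO CLSIDs. The script below is an added example (my own code, not part of the post and not a Trend Micro tool) that checks all three offline, against a HOSTS file and a REGEDIT4-format export of the two keys copied off the suspect machine, and returns a cleaned HOSTS file. It generalises slightly beyond the page: any non-loopback address mapped to one of the hijacked names is reported, not just the one IP, and every BHO is listed with a flag for the known-bad CLSIDs. The HOSTS and registry samples are constructed, and the second BHO CLSID {AAAAAAAA-0000-0000-0000-000000000000} is a hypothetical placeholder for an unrelated helper.

```python
"""Offline triage for the ADW_TENGET.A indicators quoted in the reply above.

Inputs are files copied off the suspect machine: the HOSTS file and a text
export of the Run and Browser Helper Objects keys in REGEDIT4 format, e.g.
  regedit /e run.reg HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Added example, not code from the post or from Trend Micro.
"""
import re

# Indicators taken from the write-up above.
HIJACK_IP = "216.177.73.139"
HIJACKED_NAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}
BHO_CLSIDS = {"{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}",
              "{730F2451-A3FE-4A72-938C-FC8A74F15978}"}
RUN_NAMES = {"winstart.exe", "winstart001.exe"}
LOOPBACK = {"127.0.0.1", "::1"}


def audit_hosts(text):
    """Return (suspicious_lines, cleaned_text).

    A line is suspicious when it maps a hijacked search name to a non-loopback
    address, or maps anything to the write-up's IP. Loopback mappings are kept:
    "127.0.0.1 auto.search.msn.com" blocks the name instead of redirecting it.
    """
    suspicious, kept = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) >= 2:
            ip, names = fields[0], {n.lower() for n in fields[1:]}
            if ip not in LOOPBACK and (ip == HIJACK_IP or names & HIJACKED_NAMES):
                suspicious.append(line)
                continue
        kept.append(line)
    return suspicious, "\n".join(kept) + "\n"


_BHO_KEY = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})$")


def audit_reg_export(text):
    """Return {"run": [(value_name, data), ...], "bho": [(clsid, known_bad), ...]}.

    Every BHO subkey is listed, because any BHO is loaded into every Internet
    Explorer process; the flag says whether its CLSID is one from the write-up.
    Run values are flagged when the value name or command line names WINSTART*.EXE.
    """
    findings = {"run": [], "bho": []}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):       # key header
            key = line[1:-1]
            m = _BHO_KEY.search(key)
            if m:
                clsid = m.group(1).upper()
                findings["bho"].append((clsid, clsid in BHO_CLSIDS))
            continue
        if key and key.lower().endswith(r"\currentversion\run") and "=" in line:
            name, data = (s.strip().strip('"') for s in line.split("=", 1))
            if name.lower() in RUN_NAMES or any(n in data.lower() for n in RUN_NAMES):
                findings["run"].append((name, data))
    return findings


# Constructed sample inputs (not from a real machine). The second BHO CLSID is
# a hypothetical placeholder standing in for an unrelated, legitimate helper.
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch
192.168.1.10 fileserver  # legitimate LAN entry, must survive cleaning
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"WINSTART001.EXE"="C:\\WINDOWS\\SYSTEM\\WINSTART001.exe -b"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}]
@="Natural Language Navigation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000000}]
@="Unrelated helper (placeholder)"
"""

if __name__ == "__main__":
    bad, cleaned = audit_hosts(SAMPLE_HOSTS)
    print("HOSTS redirects:", *bad, sep="\n  ")
    print("cleaned HOSTS:\n" + cleaned)
    reg = audit_reg_export(SAMPLE_REG)
    print("Run entries:", reg["run"])
    print("BHOs:", reg["bho"])
```

The cleaned HOSTS text is what you would write back after taking a copy of the original; the script deliberately does not touch the live file or registry. The loopback rule matters in practice because hosts-file ad blockers legitimately map names like these to 127.0.0.1, and a cleaner that deleted every line mentioning auto.search.msn.com would undo that.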