Hi,
I had the same problem and I destroyed it.
First, find prjMensag and DESTROY IT; it's a dirty trick.
After that, destroy all the file names I found on the site
http://www.trendmicr...AME=ADW_MOTOR.A (SEE BELOW). Good luck. Mary
ADW_MOTOR.A
Discovery Date: Feb 4, 2005
Description:
Threat Type: Adware
Systems Affected: Windows 98, ME, NT, 2000, and XP.
This adware may be downloaded from the internet. It may also be packaged with other software applications. Upon execution, it connects to the following URL where it downloads components:
http://bins.media-motor.net/
http://bins2.media-motor.net/
http://mmm.media-motor.net/
http://www.maxmind.com:8010/
The downloaded files are saved in the Windows folder using the following file names:
a64sddd.exe
affbun.txt
imgurla.exe
mm63.ocx
tempf.txt
unstall.exe
usta32.ini
This adware creates advertisements and generates popup windows related to Media Motor.
It creates the following registry entry to run at Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run popuppers64="%Windows%\a64sddd.exe"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It creates the following registry keys:
HKEY_CLASSES_ROOT\IObjSafety.DemoCtl
HKEY_CLASSES_ROOT\CLSID\{E0CE16CB-741C-4B24-8D04-A817856E07F4}
HKEY_CLASSES_ROOT\Interface\{3E4BCF50-865B-4EF4-A0BC-BF57229EA525}
HKEY_CLASSES_ROOT\Interface\{64A5BD22-8D8A-4193-9CF8-7DB5212ABB17}
HKEY_CLASSES_ROOT\Interface\{674A6BD5-317A-49CF-9647-1E085E660CE0}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor
Solution:
TREND MICRO SOLUTION
Minimum scan engine version needed: 7.100
TMAPTN version needed: 220.02
DCE version needed: 3.8
TMADCE version needed: <not yet available as of this writing>
MANUAL REMOVAL INSTRUCTIONS
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the grayware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
popuppers64="%Windows%\a64sddd.exe"
In the left panel, locate and delete the following:
HKEY_CLASSES_ROOT>IObjSafety.DemoCtl
HKEY_CLASSES_ROOT>CLSID>{E0CE16CB-741C-4B24-8D04-A817856E07F4}
HKEY_CLASSES_ROOT>Interface>{3E4BCF50-865B-4EF4-A0BC-BF57229EA525}
HKEY_CLASSES_ROOT>Interface>{64A5BD22-8D8A-4193-9CF8-7DB5212ABB17}
HKEY_CLASSES_ROOT>Interface>{674A6BD5-317A-49CF-9647-1E085E660CE0}
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings>ZoneMap>Domains>media-motor.net
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings>ZoneMap>Domains>popuppers.com
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall>media-motor
Close Registry Editor.
--------------------------------------------------------------------------------
NOTE: If you were not able to terminate the grayware process as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure set(s).
Running Trend Micro Antivirus
Download and unzip the latest grayware pattern file and scan your system. Then, delete all files detected as ADW_MOTOR.A.
Description Created: Feb 14, 2005
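A read-only check for the artifacts listed above, as an added example that is not part of the original post or of the Trend Micro advisory. It deletes nothing, and it looks for the popuppers64 value under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER because the description and the removal steps name different hives; the variable names are this example's own.

```powershell
# Read-only audit for the ADW_MOTOR.A artifacts named in the advisory.
# Nothing is removed; the script only reports what it finds.
$windir = $env:windir   # the advisory's %Windows% folder

# File names the advisory says are saved in the Windows folder
$files = 'a64sddd.exe', 'affbun.txt', 'imgurla.exe', 'mm63.ocx',
         'tempf.txt', 'unstall.exe', 'usta32.ini'

# Registry keys the advisory lists as created
$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$keys = @(
    "$hkcr\IObjSafety.DemoCtl",
    "$hkcr\CLSID\{E0CE16CB-741C-4B24-8D04-A817856E07F4}",
    "$hkcr\Interface\{3E4BCF50-865B-4EF4-A0BC-BF57229EA525}",
    "$hkcr\Interface\{64A5BD22-8D8A-4193-9CF8-7DB5212ABB17}",
    "$hkcr\Interface\{674A6BD5-317A-49CF-9647-1E085E660CE0}",
    "$zone\media-motor.net",
    "$zone\popuppers.com",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor'
)

# The autostart value appears under HKLM in the description and under
# HKCU in the removal steps, so both Run keys are checked.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()
foreach ($f in $files) {
    $path = Join-Path $windir $f
    if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "File:      $path" }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Key:       $k" }
}
foreach ($r in $runKeys) {
    $v = Get-ItemProperty -LiteralPath $r -Name 'popuppers64' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value: $r popuppers64=$($v.popuppers64)" }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output $_ }
} else {
    Write-Output 'None of the ADW_MOTOR.A artifacts listed in the advisory were found.'
}
```

Running it again after the manual removal steps and the scan confirms whether any listed file or key is still present.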