SpyBot keeps detecting CoolWWWSearch.WCADW


This topic is locked.
11 replies to this topic

#1 Paul430 (New Member, 6 posts)

Posted 05 December 2005 - 03:41 PM

Hi,

SpyBot keeps detecting CoolWWWSearch.WCADW. I've run AdAware, SpyBot, and Trend Micro's CWShredder several times each, in various combinations. I've run McAfee VirusScan with current definitions. It found a bunch of trojans, but SpyBot keeps detecting CoolWWWSearch.WCADW. And I get a "Cannot find 'file:///c:/secure32.html'. Make sure the path or Internet address is correct." message upon launching Internet Explorer.

HijackThis log below. Thanks.

Paul

------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:25:13 PM, on 12/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Hummbird\inetd32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\paytime.exe
C:\WINNT\system32\paytime.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O15 - Trusted Zone: *.map25fh.gale.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131979815315
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINNT\system32\Hummbird\inetd32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)



#2 Paul430 (New Member, 6 posts)

Posted 08 December 2005 - 10:01 AM

Found this thread which seemed to describe a similar issue:

http://forums.tomcoy...showtopic=50964

Ran Panda ActiveScan. Log file:

Incident Status Location

Spyware:Spyware/Premeter Not disinfected C:\Documents and Settings\plewon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Measure.class-33cb472b-24fa0e3d.class
Spyware:Spyware/Premeter Not disinfected C:\Documents and Settings\plewon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Measure.class-3bf72601-28683aa1.class
Adware:Adware/AzeSearch Not disinfected C:\Documents and Settings\plewon\Local Settings\Temp\ICD1.tmp\azesearch.inf
Adware:Adware/AzeSearch Not disinfected C:\Documents and Settings\plewon\Local Settings\Temp\ICD1.tmp\azesearch4.ocx
Adware:Adware/AzeSearch Not disinfected C:\Documents and Settings\plewon\Local Settings\Temporary Internet Files\Content.IE5\S56VKXAZ\azesearch[1].cab
Adware:Adware/AzeSearch Not disinfected C:\Documents and Settings\plewon\Local Settings\Temporary Internet Files\Content.IE5\S56VKXAZ\azesearch[1].cab[azesearch4.ocx]
Adware:Adware/AzeSearch Not disinfected C:\Documents and Settings\plewon\Local Settings\Temporary Internet Files\Content.IE5\S56VKXAZ\azesearch[1].cab[azesearch.inf]
Adware:Adware/AzeSearch Not disinfected C:\WINNT\Downloaded Program Files\azesearch.inf
Adware:Adware/Startpage.ANM Not disinfected C:\WINNT\loadadv728.exe
Adware:adware/azesearch Not disinfected C:\WINNT\system32\azebar.xml
Adware:Adware/AzeSearch Not disinfected C:\WINNT\system32\azesearch4.ocx
Adware:Adware/AzeSearch Not disinfected C:\WINNT\system32\iasada.dll_tobedeleted
Virus:Bck/Galapoper.HP Not disinfected C:\WINNT\system32\ll.exe
Adware:adware/cws.searchmeup Not disinfected C:\WINNT\system32\paytime.exe
Virus:Bck/Galapoper.HP Not disinfected C:\WINNT\tool3.exe

Ran BitDefender. Log file:

C:\WINNT\desktop_1877.exe Infected with: Dropped:Trojan.Clicker.Spywad.B
C:\WINNT\desktop_1877.exe Disinfection failed
C:\WINNT\desktop_1877.exe Deleted
C:\WINNT\loadadv728.exe Suspected of: BehavesLike:Trojan.Downloader
C:\WINNT\loadadv728.exe Disinfection failed
C:\WINNT\loadadv728.exe Deleted
C:\WINNT\system32\ll.exe Infected with: Trojan.Proxy.Lager.F
C:\WINNT\system32\ll.exe Disinfection failed
C:\WINNT\system32\ll.exe Deleted
C:\WINNT\system32\paytime.exe Suspected of: BehavesLike:Trojan.StartPage
C:\WINNT\system32\paytime.exe Disinfection failed
C:\WINNT\system32\paytime.exe Delete failed
C:\WINNT\tool3.exe Infected with: GenPack:Trojan.Downloader.Small.BFZ
C:\WINNT\tool3.exe Disinfection failed
C:\WINNT\tool3.exe Deleted

Did Start|Search for tool*
Found tool4.exe and tool5.exe in C:\WINNT\system32. Did some websearching and decided they might be malware. Deleted them.

Ran Process Manager in HijackThis. Tried to kill two instances of paytime.exe. Got a message that it couldn't kill one of them. Did a refresh. One instance was still running. Tried killing it again. And it died.

Couldn't go directly to Scan from the Process Manager. The button wouldn't work. Had to relaunch HijackThis. Placed check marks next to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O4 - HKLM\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINNT\system32\paytime.exe

Closed all windows. Clicked Fix Checked.

Then I thought about the search toolbar I'd seen on my windows before running the virus scans. I'd done some web searching on AzEntretien after seeing it in the first HijackThis log, because it had a name a lot like that toolbar. Although one of the virus scans had killed the toolbar, I ran HijackThis again, and placed check marks next to:

O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab

Closed all windows. Clicked Fix Checked.

Went to the hard drive. Enabled view of system and hidden files. And deleted:

C:\WINNT\system32\paytime.exe

Rebooted. Searched the hard drive for aze*.* And well, this is maybe when I messed up. I had too many windows open. I selected these two files:

C:\Documents and Settings\plewon\Local Settings\Temp\ICD1.tmp\azesearch.inf
C:\Documents and Settings\plewon\Local Settings\Temp\ICD1.tmp\azesearch4.ocx

I thought I was selecting them from the Windows Explorer file list, to delete them. But I'd selected them from the file list in my text editor. I didn't even click the button to open them. It was just the act of selecting to highlight them in the file list. And they disappeared. Poop.

I went to Windows Explorer and deleted:

C:\Documents and Settings\plewon\Local Settings\Temporary Internet Files\Content.IE5\S56VKXAZ\
C:\WINNT\system32\azebar.xml
C:\WINNT\system32\azesearch4.ocx

And then I looked in my recycle bin, and all five files were there, same original locations as I've pasted here. Is that how the Temp folder behaves? Try and access files in it and they get deleted?

I emptied my Recycle Bin. And rebooted. Still somewhat worried the .inf file had been run.

No AZSEARCH toolbar upon reboot.
Ran SpyBot. "No Immediate Threats Found."
Ran Ad-Aware. It killed five tracking cookies.
Ran BitDefender. No Problems Found.
Ran Panda ActiveScan. And dayam if it didn't find 4 threats:

Incident Status Location

Spyware:Spyware/Premeter Not disinfected C:\Documents and Settings\plewon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Measure.class-33cb472b-24fa0e3d.class
Spyware:Spyware/Premeter Not disinfected C:\Documents and Settings\plewon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Measure.class-3bf72601-28683aa1.class
Adware:Adware/AzeSearch Not disinfected C:\hjt\backups\backup-20051207-100246-615.inf
Adware:Adware/AzeSearch Not disinfected C:\WINNT\system32\iasada.dll_tobedeleted

The online version doesn't allow for cleaning. So I downloaded the 30 day trial version. But it's not compatible with McAfee VirusScan. So I didn't install it. I just moved the four files to the recycle bin, figuring I can get them back later if I need them.

I ran the Trend Micro CWShredder and it found nothing. And then I ran Panda ActiveScan again, and it found these 4 threats:

Adware:Adware/AzeSearch Not disinfected C:\RECYCLER\S-1-5-21-1482476501-436374069-682003330-41262\Dc1.dll_tobedeleted
Adware:Adware/AzeSearch Not disinfected C:\RECYCLER\S-1-5-21-1482476501-436374069-682003330-41262\Dc2.inf
Spyware:Spyware/Premeter Not disinfected C:\RECYCLER\S-1-5-21-1482476501-436374069-682003330-41262\Dc3.class
Spyware:Spyware/Premeter Not disinfected C:\RECYCLER\S-1-5-21-1482476501-436374069-682003330-41262\Dc4.class

So I just need to empty that recycle bin? Otherwise I'm clean? Do you think I was overly aggressive on those Java classes? Here's my most recent HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:36:04 AM, on 12/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Hummbird\inetd32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\WINNT\System32\wisptis.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.thomson.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.map25fh.gale.com (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131979815315
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINNT\system32\Hummbird\inetd32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
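
The post above works through the log by hand: the R0/R1 entries pointing IE at c:\secure32.html, the [PayTime] autorun registered under both HKLM and HKCU, the AzEntretien BHO left with "(file missing)", and the unnamed O16 download from azebar. The script below is an added triage example (not code from this thread or from HijackThis) that applies exactly those checks to HijackThis log lines and cross-references O4 autorun targets against the paths a scanner reported "Not disinfected". The sample lines are copied from the logs posted in this thread; the rules, function names and reason strings are the example's own. Everything it emits is a review hint, not an automatic fix: a "Local Page" entry, for instance, can legitimately be a local file on some builds, so a person still decides what to tick in Fix Checked.

```python
"""Defender-side triage of HijackThis log lines (added example for this thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: str    # the log line (or autorun name) the finding refers to
    reason: str  # why a reviewer should look at it


# Sample HijackThis lines copied from the logs in this thread (constructed subset).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131979815315
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
"""

# Sample scanner lines copied from the Panda ActiveScan output in this thread.
SAMPLE_SCAN_LOG = r"""
Adware:adware/cws.searchmeup Not disinfected C:\WINNT\system32\paytime.exe
Virus:Bck/Galapoper.HP Not disinfected C:\WINNT\system32\ll.exe
"""

SCAN_PATH_RE = re.compile(r"Not disinfected\s+(\S.*)$")
# O4 lines: hive, [autorun name], and a drive-qualified target path (bare names such
# as "PRPCUI.exe" are skipped because their location cannot be resolved from the log).
O4_RE = re.compile(
    r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]\s+"?([A-Za-z]:\\[^"]+?\.(?:exe|sys|dll))',
    re.IGNORECASE,
)
# O16 lines normally carry "(Class Name)" between the CLSID and the source URL.
O16_NAMED_RE = re.compile(r"\}\s+\(.+?\)\s+-")


def scanner_paths(report: str) -> frozenset[str]:
    """Collect (lower-cased) file paths a scanner report left 'Not disinfected'."""
    paths = set()
    for line in report.splitlines():
        m = SCAN_PATH_RE.search(line)
        if m:
            paths.add(m.group(1).strip().lower())
    return frozenset(paths)


def triage(hjt_log: str, flagged_paths: frozenset[str] = frozenset()) -> list[Finding]:
    """Return review hints for the hijack indicators discussed in the thread."""
    findings: list[Finding] = []
    run_hives: dict[str, set[str]] = defaultdict(set)  # autorun name -> hives seen
    for raw in hjt_log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1"):
            # Start/Default/Local Page should be empty or an http(s) URL; a bare
            # local file path is the classic homepage hijack seen in this thread.
            value = line.partition(" = ")[2].strip()
            if value and not value.lower().startswith(("http://", "https://")):
                findings.append(Finding(line, "IE page setting points at a local file"))
        elif section in ("O2", "O23") and line.endswith("(file missing)"):
            findings.append(Finding(line, "orphaned entry: registered component no longer on disk"))
        elif section == "O4":
            m = O4_RE.match(line)
            if m:
                hive, name, path = m.groups()
                run_hives[name].add(hive)
                if path.lower() in flagged_paths:
                    findings.append(Finding(line, "autorun target was flagged by the scanner"))
        elif section == "O16" and not O16_NAMED_RE.search(line):
            findings.append(Finding(line, "downloaded ActiveX control with no registered name"))
    for name, hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(Finding(f"O4 [{name}]", "same autorun registered under both HKLM and HKCU"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG, scanner_paths(SAMPLE_SCAN_LOG)):
        print(f"{f.reason:55} | {f.line}")
```

Run against the sample, the cross-reference is what separates the two [PayTime] lines from the equally-formatted SynTPEnh autorun; without a scanner report the script still raises the hive-duplication hint, which is why the post's choice to tick both O4 lines was sound.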

#3 Dak (Silver Member, Authentic Member, 378 posts)

Posted 16 December 2005 - 06:42 PM

Hello Paul430, and welcome to TomCoyote forums. I'm dak, and I'll be helping you to fix your computer. I'm sorry for the delay in replying to your log. If you still require assistance, could you also please do this: run HijackThis and click on "Open the misc tools section". Next, click on "Open uninstall manager", then click "Save list". This should create a log called "uninstall_list.txt". Please post the contents of "uninstall_list.txt", along with a new HijackThis log, as a reply to this thread.

#4 Paul430 (New Member, 6 posts)

Posted 19 December 2005 - 08:00 AM

Hi Dak,

uninstall_list.txt:
------------------

3Com 56K V.90 Mini PCI Modem
64x Drivers
AccessDirect
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard
Adobe Reader 6.0.1
AFPL Ghostscript 7.04
AFPL Ghostscript Fonts
ATI Control Panel
ATI Display Driver Utilities
Dell Dock Quick Install for Windows
Dell ResourceCD
Epic 4.2.3
Exceed for Windows NT
Google Desktop
Google Toolbar for Internet Explorer
GSview 4.2
HijackThis 1.99.1
Intel SpeedStep technology Applet
Intel® PRO Ethernet Adapter and Software
J2SESDK
Macromedia Flash Player 8
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Baseline Security Analyzer
Microsoft Office 2000 SR-1 Premium
Microsoft Project Standard 2002
Microsoft VGX Q833989
Microsoft Visio Professional 2002 SR-1 [English]
Microsoft Windows Journal Viewer
Microsoft XML 4.0 SP 2
Mozilla Firefox (1.5)
Panda ActiveScan
PatchLink Update Agent
PrintKey2000
Remote Administrator v2.1
SDValidator78
Security Update for Windows 2000 (KB904706)
Spybot - Search & Destroy 1.3
Synaptics Pointing Device Driver
TeemTalk
UltraEdit-32
Update Rollup 1 for Windows 2000 SP4
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix (SP5) Q818043
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows Media Player system update (9 Series)
WinZip
HijackThis log:
--------------

Logfile of HijackThis v1.99.1
Scan saved at 8:53:44 AM, on 12/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Hummbird\inetd32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.thomson.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.map25fh.gale.com (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131979815315
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F92F4542-FA70-4E82-9E20-B378197FC228}: NameServer = 216.234.97.2 216.234.97.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tl.thomcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tl.thomcorp.net,erf.thomson.com,gale.com,thomcorp.net
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINNT\system32\Hummbird\inetd32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)

Thanks,

Paul
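As an added example (not part of this thread, and not HijackThis's own code): a small Python parser for lines in the HijackThis v1.99.1 format posted above, flagging the entry types a log reviewer looks at first. The sample lines are constructed from entries in Paul's log, and the review heuristics are my own assumptions, not a malware verdict.

```python
import re

# Constructed sample, modelled on the HijackThis v1.99.1 entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O15 - Trusted Zone: *.map25fh.gale.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{F92F4542-FA70-4E82-9E20-B378197FC228}: NameServer = 216.234.97.2 216.234.97.3
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # 'Onn - body' entry line
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')       # target starts with a drive letter


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Onn - ...' line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_entry(section, body):
    """Reason to look closer at this entry, or None. The heuristics are the example
    author's own assumptions, not HijackThis logic, and are not a malware verdict."""
    if "(file missing)" in body:
        return "points at a file that is not on disk (stale entry or removed component)"
    if section == "O4":
        parts = body.split("] ", 1)          # '[Name] target' form of a Run-key entry
        if len(parts) == 2 and not FULL_PATH_RE.match(parts[1]):
            return "autorun target has no full path; which file runs depends on the search path"
    if section == "O15":
        return "Trusted Zone entry relaxes Internet Explorer security for this site"
    if section == "O17" and "NameServer" in body:
        return "DNS server override; confirm the addresses with your network administrator"
    if section == "O20":
        return "AppInit_DLLs is loaded into every process that loads user32.dll"
    if section == "O23" and "Unknown owner" in body:
        return "service binary carries no publisher information"
    return None


def review_log(log_text):
    """Return [(section, body, reason)] for every entry that review_entry flags."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = review_entry(section, body)
        if reason:
            findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, body, reason in review_log(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

A flagged entry only means "read this one carefully"; the McShield service and the fully-pathed SHSTAT.EXE entry pass through unflagged.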

#5 Dak

Dak

    Silver Member

  • Authentic Member
  • PipPipPip
  • 378 posts

Posted 19 December 2005 - 08:01 PM

Hi Paul430; good job cleaning your computer :) I don't see anything bad in your latest HijackThis log... are you still experiencing any problems with your computer?
Any donations to help keep this web-site online would be greatly appreciated. | Join the TomCoyote classroom

#6 Paul430

Paul430

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 19 December 2005 - 10:54 PM

Hi Dak,

Hi Paul430; good job cleaning your computer :)


Thanks. I was pretty motivated. My wife's mom had an identity theft last year, and it remains an ongoing legal and financial issue for her. So my paranoia here was a keylogger infection.

I'm not noticing any problems. The porn toolbars are gone. No spontaneous browser windows.

Can you tell me anything about those Java classes I deleted?

Paul

#7 Dak

Dak

    Silver Member

  • Authentic Member
  • PipPipPip
  • 378 posts

Posted 20 December 2005 - 04:34 PM

Can you tell me anything about those Java classes I deleted?


You mean these?

Spyware:Spyware/Premeter Not disinfected C:\Documents and Settings\plewon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Measure.class-33cb472b-24fa0e3d.class
Spyware:Spyware/Premeter Not disinfected C:\Documents and Settings\plewon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Measure.class-3bf72601-28683aa1.class


Looks like Premeter; it apparently spies like this:


It collects information on Internet usage and the applications installed in the computer and sends it to Internet advertising companies.


So, I wouldn't think that you're at any risk of identity theft from it.

----------

Now, just a few steps to finish cleaning, some tidying up and some tips to prevent getting reinfected.


1) Flushing system restore

This is to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

a. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

b. Reboot.

c. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

-----------

2) Cleaning temp files

...in case some malicious files are hiding there.

Download and install CCleaner.

Double click the CCleaner icon, and make sure only the following are checked under the "windows" tab:

temporary internet files

empty recycle bin

temporary files

old prefetch data


Then click the 'applications' tab, and make sure only the following are checked:

Sun java


Now, click on "analyse" and then "run cleaner".

-----------

3) rehide hidden files

We need to make sure all hidden files are rehidden, to protect them from accidental harm.

Please:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select "Do not show hidden files and folders".
* Check the "Hide protected operating system files (recommended)" option.
* Click Yes to confirm.
* Click OK.


-----------

4) Update windows

Please visit the Microsoft Update site, click "express (recommended)", and follow the onscreen instructions to get all of the security updates for Windows.

-----------

5) Remove junk

These HijackThis entries are not malware, but they may not be necessary, and can slow down your computer; it is up to you whether you wish to keep or remove them. For any which you wish to remove, simply scan with HijackThis, put a check next to the entry(s) that you do not wish to retain, and (with all other windows shut) click "fix selected".

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon http://support.micro...kb;en-us;256139

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog, and some users claim there's no difference with or without it but it usually isn't required - Note: if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show.




Finally,

How to remain clean

If you have any questions about the steps below, please feel free to ask.

All of these programs are FREE. The writing in green is a brief explanation of why each step is necessary. It is not necessary for you to read the green writing to understand what to do, but it is included for if you wish to know what each program does.

Programs to download and install

Use a Firewall: If you're not already using a firewall, download and install either ZoneAlarm or Kerio.

These firewalls will ask for your permission before allowing a program to access the internet. Use common sense -- if you have just told a program to do something which involves accessing the internet (like updating, for example), then click 'allow'. Once you trust a program, click 'always allow'. Block programs which you are unsure of from accessing the internet.


Firewalls are important as they limit unauthorised remote access to your computer over the internet and prevent, for example, a virus simply being sent straight to your PC. Two-way firewalls (like ZoneAlarm and Kerio) also limit the ability of programs on your computer to access the internet without your permission. You should not run more than one firewall at once as they can interfere with each other, possibly preventing either of them from working.

Use a secure web-browser: There are two main ways to do this:

You can download and install Firefox

Or you can correctly configure internet explorer

Although of course there are many other browsers that you can choose from (Avant, Opera, K-Meleon, Slimbrowser, etc); I chose Firefox as the alternative browser to recommend simply because I find it very user friendly, very customisable and highly documented on the web (so that you can find help with any problems that you may have with it).

Secure web-browsers are important for two reasons: one, firewalls allow web-browsers to send and receive information over the internet, so they represent a possible way for malware to get past your firewall, and two, the majority of things that you do on the internet will be done with a web-browser, and for this reason malware often targets them, attempting to redirect your web-browser to advertisement sites, or to steal your bank details if you enter them. For these reasons, it is important to have a secure web-browser.


Use anti-spyware programs: Uninstall Spybot Search and Destroy v1.3, and download and install the latest version (v1.4) Spybot S&D (make sure to select the option to turn TeaTimer on).

Also, download and install Spywareblaster and Spyware Guard.

Make sure that you update these programs regularly.

A part of the Spybot S&D program (called TeaTimer) will ask your permission before allowing changes to the registry. Use common sense -- if you have just changed some settings or installed a program, it is probably safe to click 'allow'; if the change comes out of the blue, or if you don't recognise the program making the entry, then click 'block'.


These four programs between them perform pretty much the same function as an anti-virus program, but with one key difference -- whereas anti-virus programs are targeted at viruses, these programs are targeted at adware, spyware, diallers, browser-hijackers etc. Ad-Aware SE and Spybot S&D are both scanning programs. Spybot S&D also offers active protection of your computer's registry. Spyware Guard scans programs just before they run, and prevents any programs which it recognises as spyware from running. And finally, Spywareblaster prevents your web-browser from accessing certain sites which are known sites that spyware redirects your web browser to, and prevents the downloading of spyware ActiveX components. Updating is important so that the anti-spyware programs have the latest lists of how to recognise spyware.


Things you should do regularly

At least once a month (and preferably more frequently), do the following:

Manually update your anti-virus and anti-spyware programs (Spybot S&D, Ad-Aware SE, Spyware Guard, Spywareblaster and your McAfee) by using the update button on the programs' main display. Once you have, use Spybot S&D's 'immunise' button, and Spywareblaster's 'enable all protection' button.

This is so that they have the latest list of how to recognise malware. Clicking Spybot S&D's 'immunise' button and Spywareblaster's 'enable all protection' button will ensure that those programs are protecting you from the newer additions to their spyware lists.

Scan for malware: use your anti-virus software, Ad-aware SE and Spybot S&D to completely scan your computer for malware.

This is because, despite the protections which are in place on your computer, it is still possible to get infected by malware. Scanning every now-and-then should find any malware which has managed to 'slip through the net'.

Update Windows: By visiting this site, or by clicking 'Windows Update' in your start menu.

Security holes regularly get found in all different versions of Windows. The update site releases 'patches', which fix the security holes, preventing malware from exploiting them.


Extra things you can do, to prevent your computer slowing down to a crawl:

These aren't malware-related, but it is still advisable to do them regularly in order to keep your computer running smoothly.

Defragment your hard-drive: by clicking on the start menu, then going Programs --> Accessories --> System Tools --> Disk Defragmenter. Select 'analyse' and, if it suggests that you defragment your drive, click the 'defragment' button.

If a file on your computer needs to increase in size, but there is no free space near to it, then the file becomes split in two, being stored on two different locations on your hard-drive. This means that, when reading that file, the computer has to jump between two different locations on your hard-drive, slowing the computer down. 'Defragmenting' simply means moving files about so that the separate parts of a 'split' or 'fragmented' file are next to each other, forming one continuous file again.

Clean the junk off of your PC: By running CCleaner

Your PC accumulates a surprising amount of junk -- temporary files which are no longer needed, registry keys left behind by a poorly uninstalled program, information about a term you entered into a search box a year ago, etc etc etc. These bits of 'junk' can get in your way and possibly slow your computer down. CCleaner gets rid of them.

If the infection(s) which you originally had come back, please post again in this thread.

If, at any point in the future, you have reason to believe that you have become infected again, you can get rid of the infection by:

Updating Spybot S&D, Ad-Aware SE, and your anti-virus program.

Scanning with the above three programs.

Telling the above programs to fix anything that they find.


If you still have reason to believe that you are infected, or if you get infected in the future, then please do not hesitate to use this forum again :)

And, feel free to ask any questions that you have.

Thank you.

#8 Paul430

Paul430

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 02 January 2006 - 01:43 PM

Hey Dak, I'm on Windows 2000 on this machine, so no System Restore, right? Thanks, Paul

#9 Dak

Dak

    Silver Member

  • Authentic Member
  • PipPipPip
  • 378 posts

Posted 02 January 2006 - 10:18 PM

Whoops, my bad -- you're right, there is no System Restore on Windows 2000. Is everything ok with your computer now?

#10 Paul430

Paul430

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 03 January 2006 - 12:08 PM

Hey Dak, I'm sorry, I'm sure you want to close this thread. I was on holiday, so I've just now gone through your tidying up instructions. I downloaded CCleaner. It's v1.26.218. I didn't see an available "old prefetch data" checkbox, but I ran it against:

temporary internet files
empty recycle bin
temporary files
sun java

And I followed the rest of your instructions, including the two HijackThis fixes, and everything seems good. So as long as the "old prefetch data" isn't an issue, I think we're good. Thanks again. Paul

#11 Dak

Dak

    Silver Member

  • Authentic Member
  • PipPipPip
  • 378 posts

Posted 04 January 2006 - 08:28 AM

Hi Paul430. I seem to have been under the impression that you had Windows XP. 'old prefetch data' is only applicable to XP machines; it's no problem that that option wasn't there.

#12 Dak

Dak

    Silver Member

  • Authentic Member
  • PipPipPip
  • 378 posts

Posted 20 January 2006 - 12:32 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php