Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Post "Spy Falcon" Removal


  • This topic is locked This topic is locked
6 replies to this topic

#1 the SASS Man

the SASS Man

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 15 March 2006 - 10:51 PM

<_< Per instructions found here, I have removed Spy Falcon. Of couse, I have "successfully" removed the d*%# thing three other times! So....what I need is to have one of you scan my HackThis! log and see if there are any other threats.

:( Also, is there any way to IMMUNIZE against this particular threat, and, more importantly, is there a SECURITY PATCH to remove this vulnerability from my system? I am running Windows XP SR1 behind a firewall. (I have not installed SP2 because of the reports of serious curruption reported by people I know who've installed it...is there any "SAFE" way to install SP2, and/or is it worth installing SP2 to in order to benefit from security patches and bug fixes?)


:huh: Lastly, here is my HackThis data:
===================================================================
Logfile of HijackThis v1.98.0
Scan saved at 2:41:10 PM, on 3/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\ApacheGroup\Apache2\bin\Apache.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Macallan\Macallan Mail Solution\MCPop3.exe
D:\Program Files\Macallan\Macallan Mail Solution\MCSmtp.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
D:\WINDOWS\System32\snmp.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\ApacheGroup\Apache2\bin\Apache.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\ApacheGroup\Apache2\bin\ApacheMonitor.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Henry Sasser\Desktop\Virus Repair\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "D:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\ApacheGroup\Apache2\bin\ApacheMonitor.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

===================================================================

-- the SASS Man

    Advertisements

Register to Remove


#2 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 21 March 2006 - 05:47 PM

Hi the SASS Man:

Windows SP2 needs to be installed on a clean system. This is likely the reason for your friends problems.
However, I also advise to request the SP2 CD from Microsoft. This seems to have a better success rate.

When we have your PC clean, I will offer some additional protection to download for your PC. This will help keep you clean on the Internet, even with SP1.

You are using an expired version of Hijack This. First, please delete the version you are using, then download the new version from here:

http://radiosplace.com

Or from here:

http://www.spywarein.../hijackthis.zip

View Post


Then, run Hijack This. Scan and copy the log, to post into this topic.

To post, please use the Add Reply feature, so I will be notified.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

#3 the SASS Man

the SASS Man

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 21 March 2006 - 10:55 PM

Since my original post, I have had no problems--until just toady. About fifteen minuets ago, I opened up a web browser to a page I knew was safe (because I wrote it!) and this dayam "You're infected" device appeared in my box and advertizing pages started to appear. Here is the current log using the updated HackThis! program you directed me to....

Logfile of HijackThis v1.99.1
Scan saved at 8:31:27 PM, on 3/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\ApacheGroup\Apache2\bin\Apache.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Macallan\Macallan Mail Solution\MCPop3.exe
D:\Program Files\Macallan\Macallan Mail Solution\MCSmtp.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
D:\WINDOWS\System32\snmp.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\ApacheGroup\Apache2\bin\Apache.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\ApacheGroup\Apache2\bin\ApacheMonitor.exe
D:\Program Files\eMule\emule.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\system32\rdpclip.exe
D:\WINDOWS\system32\logon.scr
D:\Program Files\EditPlus 2\editplus.exe
D:\PROGRA~1\COMMON~1\SEMBLY~1\regedit.exe
D:\WINDOWS\system32\W?nSxS\w?auboot.exe
D:\WINDOWS\System32\nvctrl.exe
D:\WINDOWS\System32\mssearchnet.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\wipinfnt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Henry Sasser\Desktop\Virus Repair\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - D:\WINDOWS\System32\hp744A.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "D:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\ApacheGroup\Apache2\bin\ApacheMonitor.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: winxzq32 - D:\WINDOWS\SYSTEM32\winxzq32.dll
O23 - Service: Apache2 - Unknown owner - D:\ApacheGroup\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MCPop3 Service (MCPop3) - Macallan Applications - D:\Program Files\Macallan\Macallan Mail Solution\MCPop3.exe
O23 - Service: MCSmtp Service (MCSmtp) - Macallan Applications - D:\Program Files\Macallan\Macallan Mail Solution\MCSmtp.exe
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


--- the SASS Man

#4 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 22 March 2006 - 12:42 PM

Hi the SASS Man:

Yes, looks like it regenerated and some others were added, for good measure.

Please print, or copy and paste this text into a Notepad file and place it on your desktop, to review as you work.
Also, please read this text first, then continue with this fix in the order given, or it may fail.


Please download Look2Me-Destroyer.exe to your desktop.

Please use this link:
http://www.atribune....ontent/view/28/

* Close all windows and browsers, before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
* When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX


Next:

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Please do not run it yet.

Please download, install, and update the free version of Ewido Security Suite:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main Ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful"
  • Exit Ewido. DO NOT run a scan yet.
If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also, be sure to check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.

Next:
Please set your system to show all files; please see here if you're unsure how to do this.


Disable TeaTimer:
Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean.To disable TeaTimer:
  • Run Spybot-S&D
  • Go to the Mode menu , and make sure "Advanced Mode " is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer " and OK any prompts
  • Restart your computer.
After all of the fixes are complete it is very important that you enable TeaTimer again.


Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - D:\WINDOWS\System32\hp744A.tmp
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O20 - Winlogon Notify: winxzq32 - D:\WINDOWS\SYSTEM32\winxzq32.dll


Click on Fix Checked when finished and exit HijackThis.

While remaining in SAFE MODE:

Using Windows Explorer, locate the following files/folders shown DARK and delete them:

D:\WINDOWS\System32\hp744A.tmp
D:\WINDOWS\SYSTEM32\winxzq32.dll

Exit Explorer, but DO NOT REBOOT and remain in SAFE MODE.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoft.../activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan,the contents of C:\Look2Me-Destroyer.txt and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.

To post, please use the Add Reply feature, so I will be notified.

Edited by Piatan, 22 March 2006 - 12:45 PM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

#5 the SASS Man

the SASS Man

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 24 March 2006 - 12:37 AM

:oops: Okay...well, alot of things happening since ytour post, my friend. I was able, using the HackThis data, to basically kill the active infections shortly after I posted last....but, I went ahead and tried to follow your directions. Here are (some) of the results....

First, I copied your post, and edited the text as I progressed. Here is that text. Following tha are, in order, the HackThis log, and the smitRem.txt, which were the only files I was able to obtain. The edited message has more.

-- the SASS Man


=====================================================================

Using this file to verrify your instructions...
I should note that before I received your mail, I evaluated my existing HackThis! log, and from the information I found there, I rebooted into "Safe Mode With Command Prompt." I then took the following steps:
1. I renamed "mssearchnet.exe" to "mssearchnet.deadexe".
2. I renamed "nvctrl.exe" to "nvctrl.deadexe".
3. I created a text file to replace each of the above .EXE files containing three characters:
"ZZZ" (then Ctrl-Z to close)
4. I located a folder named "windows\windows32\W?nSxS" (but I was unable to modify it).
5. I located a file in that folder named "w?auboot.exe" (but was unable to modify it from DOS).
6. I returned to Windows and was able to rename the file (now called "wυauboot.exe") to
"wυauboot.deadexe".
However, I was still unable to manipulate "system32\W?nSxS" (now called WinSxS").
7. Finally, I started the computer with SpyBot S&D running at atartup, and this found and
destroyed the following items:
"SpyFalcon", "Smith-C" (or something like that), and about four others.
8. This removed each problem from my memory! By the time I received your post,
everything APPEARED to be clean.

Later, as I started this procedure, and entered Safe Mode, I was finally able to rename and move that directory. I moved all of the .deadexe files into it, and renamed it "!Quarrentine". It sits in my Virus folder, and I can archive and send it to you, if you'd like. Also, the file indicated below has been renamed to ".deaddll" and added to the "!Quarenteen" folder.


"-Hi the SASS Man:

Yes, looks like it regenerated and some others were added, for good measure."

Please download Look2Me-Destroyer.exe to your desktop. (done)

* Close all windows and browsers, before continuing.
* Double-click Look2Me-Destroyer.exe to run it. (done)
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
* When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
(When I ran this and checked the box, the program never reappeared...)
(Update! This thing ran the next day! --and apparntly found nothing.)

...

Next:

Download smitRem.exe and save the file to your desktop. (it's there)
Double click on the file to extract it to it's own folder on the desktop.
(It sits in a "Virus" folder along with all this other stuff)

Please do not run it yet.

Please download, install, and update the free version of Ewido Security Suite:
(unable to launch link from WordPad)
(Opened link from the site the next day)
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". (Done.)
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
(This warning did not appear!)
From the main Ewido screen, click on update in the left menu, then click the Start update button.
(When I did this, the program errored out with a hard memory error!)
After the update finishes, the status bar at the bottom will display "Update successful"
Exit Ewido. DO NOT run a scan yet.
If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also, be sure to check for updates:
Ad-Aware SE Setup
(unable to launch link from wordpad)
(Opened the link from the site the next day)
Again, do NOT run a scan yet.

(I did go ahead and run a "Fast Memory Scan" the next day, after performing all of the
instructions I could. I was in normal mode, although there were still no apparent active
infections. I removed several questionable items.
The program faulted when I went to save a log file, and the log info was lost!)


Next:
Please set your system to show all files; please see here if you're unsure how to do this.
(This is the only setting I use)

Disable TeaTimer:
Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean.To disable TeaTimer:
Run Spybot-S&D
Go to the Mode menu , and make sure "Advanced Mode " is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer " and OK any prompts
Restart your computer.
After all of the fixes are complete it is very important that you enable TeaTimer again.


Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
(done)

O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - D:\WINDOWS\System32\hp744A.tmp
(not found)

O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
(not found)

O20 - Winlogon Notify: winxzq32 - D:\WINDOWS\SYSTEM32\winxzq32.dll
(done)

Click on Fix Checked when finished and exit HijackThis.

While remaining in SAFE MODE:

Using Windows Explorer, locate the following files/folders shown DARK and delete them:

D:\WINDOWS\System32\hp744A.tmp
(not found)

D:\WINDOWS\SYSTEM32\winxzq32.dll
(done, and see above)

Exit Explorer, but DO NOT REBOOT and remain in SAFE MODE.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
(done)

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite
Click on Scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoft.../activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan,the contents of C:\Look2Me-Destroyer.txt and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.
HijavkThis.log: Present
Ewido Log: Lost due to program failure!
Look2Me-Destroyer.txt: Nonexistant
smitRem.txt: Present


To post, please use the Add Reply feature, so I will be notified.
I am (obviously) including this file so you can see what went right and/or wrong when I tried to perform these steps.
Murphy's law has the final say in alot of areas, no?

-- the SASS Man, Thursday, March 23, 2006, 10:14:52 PM



=====================================================================

Logfile of HijackThis v1.99.1
Scan saved at 10:21:29 PM, on 3/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\ApacheGroup\Apache2\bin\Apache.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\snmp.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
D:\ApacheGroup\Apache2\bin\Apache.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\ApacheGroup\Apache2\bin\ApacheMonitor.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Henry Sasser\Desktop\Virus Repair\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\K-Share\D-Drive Contents\Program Files\Spybot - Search & Destroy 1.1\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "D:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Monitor Apache Servers.lnk = D:\ApacheGroup\Apache2\bin\ApacheMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Apache2 - Unknown owner - D:\ApacheGroup\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

=====================================================================


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 03/22/2006
The current time is: 22:30:10.21

Running from
D:\Documents and Settings\Henry Sasser\Desktop\Virus Repair\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

ld****.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1672 'explorer.exe'
Killing PID 1672 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)

#6 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 24 March 2006 - 04:31 PM

Hi the SASS Man:

Well, wasn't that fun ? Murphys law is alive and well. :blink:

Ewido can be Uninstalled in Control Panel-->Add/Remove Programs. Then, if you wish, can be re-installed. Your option.

There doesn't seem to be much left to be done, since you have already done all the hard work.

Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\K-Share\D-Drive Contents\Program Files\Spybot - Search & Destroy 1.1\SDHelper.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.

If everything has now returned to normal, I suggest the following.


One of the best features of Windows XP is the System Restore option, however if Malware infects a computer with this operating system the Malware can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
    -reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it also.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
<http://castlecops.co...lite7736-.html>
So how did I get infected in the first place?

Safe surfing. :wavey:
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

#7 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 27 March 2006 - 08:24 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users