[Resolved] Help Please

This topic is locked
8 replies to this topic

#1 techgalchrys (New Member, 4 posts)

Posted 17 July 2007 - 06:43 PM

Hello,

I am a novice when it comes to virus issues. This machine had less than an hour on it and started acting weird. It would error with an update error that constantly would reboot the machine. Then came the unexpected problem alerts. I could not get it to stay online long enough to complete online scans from any of the ones offered and could not get it to do full scans with avg or adaware 2007. Finally discovered it might have the Sasser virus and got the fix. It reported it did not have it and then started reporting a different virus during each failed scan. I could find no info on the viruses that it was listing. I've never had a problem like this and hope you can help. I read and followed the instructions as best I could but it was hard with the machine freezing all the time.

I am grateful for anything you can do. I'll do my best to follow any suggestion, but please keep in mind that I am a novice.


Logfile of HijackThis v1.99.1
Scan saved at 5:35:00 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1184702312234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183960467375
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



#2 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking)

Posted 17 July 2007 - 08:13 PM

Hello techgalchrys and welcome to the TomCoyote Forums

My name is Trevuren and I will be helping you with your problem.

Your log does not show any evidence of malware activity. Just the same, let us try a few things:

A. First I need you to try the following online virus scan a couple of times. I know that you mentioned that you have been unable to complete online scans but I need you to try this one a couple of times. This one actually removes malware but will not provide you with a report to post back.

Please use the Eset NOD32 Online Anti-Virus scanner and Removal Tool

Note: This tool requires the use of Internet Explorer and is Vista compatible

Please click HERE to start the process
  • Place a checkmark in the box beside "Terms of Service", then click "Start".
  • On the next screen, "Click" where prompted to install the required ActiveX Control.
  • Acknowledge the Security Warning in the next window by Clicking the "Install" button.
  • Press the "START" button on the Welcome Screen.
  • A download progress bar will then inform you on the status of your download.
  • Once the initialization is complete, place a checkmark beside "Remove found threats", then click "Scan".
  • When the tool has finished, under the Details Tab, you will find a list of items found and deleted.
  • No log will be made available for posting in your reply.

B. After that, whether successful or not with the above scan, please do the following:

Please download this file - combofix.exe by sUBs
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#3 techgalchrys (New Member, 4 posts)

Posted 18 July 2007 - 12:17 PM

Hello,

First off I want to say thank you for such clear instructions. I'm sure you know how intimidating these things can be. You made it easy and I appreciate that. The first instruction found no infections. The log for combo is listed below the hijack log. Any suggestions would be great.

Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 11:16:01 AM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1184702312234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183960467375
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

---------------------------------------------------------




"IMAGINETHAT" - 2007-07-18 11:04:53 - ComboFix 07-07-19.2 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\IMAGIN~1\Desktop\internet.lnk


((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


2007-07-18 11:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-18 08:45 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-07-17 15:42 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-17 13:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-17 13:03 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2007-07-17 13:03 <DIR> d-------- C:\Program Files\Belarc
2007-07-17 13:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-17 13:02 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-17 08:46 <DIR> d-------- C:\DOCUME~1\IMAGIN~1\.housecall6.6
2007-07-17 08:43 <DIR> d-------- C:\Program Files\CCleaner
2007-07-16 13:15 8,576 --a------ C:\WINDOWS\system32\drivers\btsouauqiumi.sys
2007-07-11 19:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-11 19:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-11 19:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-10 17:08 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-10 17:08 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-10 17:08 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-10 13:21 <DIR> d-------- C:\Program Files\iTunes
2007-07-10 13:21 <DIR> d-------- C:\Program Files\iPod
2007-07-10 13:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-10 13:20 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-10 12:45 8,576 --a------ C:\WINDOWS\system32\drivers\fclucjogwmlc.sys
2007-07-10 12:03 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-10 11:58 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2007-07-10 11:58 9,216 --------- C:\WINDOWS\system32\proxycfg.exe
2007-07-10 11:58 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2007-07-10 11:58 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2007-07-10 11:58 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2007-07-10 11:58 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2007-07-10 11:58 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2007-07-10 11:58 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-07-10 11:58 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2007-07-10 11:58 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2007-07-10 11:58 755,200 --------- C:\WINDOWS\system32\ir50_32.dll
2007-07-10 11:58 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2007-07-10 11:58 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2007-07-10 11:58 73,796 --------- C:\WINDOWS\system32\slserv.exe
2007-07-10 11:58 73,216 --------- C:\WINDOWS\system32\drivers\atintuxx.sys
2007-07-10 11:58 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2007-07-10 11:58 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2007-07-10 11:58 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2007-07-10 11:58 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2007-07-10 11:58 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2007-07-10 11:58 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2007-07-10 11:58 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-07-10 11:58 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-07-10 11:58 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
2007-07-10 11:58 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2007-07-10 11:58 63,488 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys
2007-07-10 11:58 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
2007-07-10 11:58 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll
2007-07-10 11:58 6,656 --------- C:\WINDOWS\system32\kbdinben.dll
2007-07-10 11:58 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll
2007-07-10 11:58 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll
2007-07-10 11:58 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll
2007-07-10 11:58 6,016 --------- C:\WINDOWS\system32\drivers\smbali.sys
2007-07-10 11:58 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
2007-07-10 11:58 59,392 --------- C:\WINDOWS\system32\logman.exe
2007-07-10 11:58 57,856 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys
2007-07-10 11:58 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
2007-07-10 11:58 526,848 --------- C:\WINDOWS\system32\p2psvc.dll
2007-07-10 11:58 52,224 --------- C:\WINDOWS\system32\drivers\atinraxx.sys
2007-07-10 11:58 516,768 --------- C:\WINDOWS\system32\ativvaxx.dll
2007-07-10 11:58 50,688 --------- C:\WINDOWS\system32\btpanui.dll
2007-07-10 11:58 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll
2007-07-10 11:58 5,632 --------- C:\WINDOWS\system32\kbdmaori.dll
2007-07-10 11:58 49,152 --------- C:\WINDOWS\system32\powercfg.exe
2007-07-10 11:58 48,640 --------- C:\WINDOWS\system32\pnrpnsp.dll
2007-07-10 11:58 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-07-10 11:58 452,736 --------- C:\WINDOWS\system32\drivers\mtxparhm.sys
2007-07-10 11:58 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
2007-07-10 11:58 44,672 --------- C:\WINDOWS\system32\drivers\uagp35.sys
2007-07-10 11:58 44,032 --------- C:\WINDOWS\system32\twext.dll
2007-07-10 11:58 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2007-07-10 11:58 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
2007-07-10 11:58 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
2007-07-10 11:58 42,368 --------- C:\WINDOWS\system32\drivers\agp440.sys
2007-07-10 11:58 42,240 --------- C:\WINDOWS\system32\drivers\viaagp.sys
2007-07-10 11:58 41,088 --------- C:\WINDOWS\system32\drivers\sisagp.sys
2007-07-10 11:58 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2007-07-10 11:58 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2007-07-10 11:58 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2007-07-10 11:58 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2007-07-10 11:58 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2007-07-10 11:58 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2007-07-10 11:58 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys
2007-07-10 11:58 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2007-07-10 11:58 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys
2007-07-10 11:58 338,432 --------- C:\WINDOWS\system32\ir41_qcx.dll
2007-07-10 11:58 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-07-10 11:58 32,866 --------- C:\WINDOWS\system32\slrundll.exe
2007-07-10 11:58 32,866 --------- C:\WINDOWS\slrundll.exe
2007-07-10 11:58 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll
2007-07-10 11:58 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2007-07-10 11:58 312,320 --------- C:\WINDOWS\system32\p2pgraph.dll
2007-07-10 11:58 31,744 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys
2007-07-10 11:58 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys
2007-07-10 11:58 30,208 --------- C:\WINDOWS\system32\bthserv.dll
2007-07-10 11:58 30,080 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-07-10 11:58 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 20:54:31 -------- d-----w C:\Program Files\Messenger
2007-07-17 17:45:10 10,693 ----a-w C:\WINDOWS\mozver.dat
2007-07-10 18:58:21 -------- d-----w C:\Program Files\Movie Maker
2007-07-10 18:56:25 -------- d-----w C:\Program Files\Windows NT
2007-07-10 03:04:28 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-07-10 00:58:17 -------- d-----w C:\Program Files\Yahoo!
2007-06-18 16:11:51 1,901 ----a-w C:\WINDOWS\panose.bin
2007-06-13 18:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-08 18:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security"=C:\WINDOWS\System32\NSecurity.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security]
C:\WINDOWS\System32\NSecurity.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"


**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 11:07:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000057e

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 11:07:52
C:\ComboFix-quarantined-files.txt ... 2007-07-18 11:07

--- E O F ---

#4 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking)

Posted 18 July 2007 - 01:02 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer (Windows Key + E), locate the following files, and DELETE them (if still present):

    C:\WINDOWS\system32\drivers\btsouauqiumi.sys
    C:\WINDOWS\system32\drivers\fclucjogwmlc.sys

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

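A small triage script for the two log formats in this thread, added here as an example and not something posted by anyone in the thread: it parses HijackThis entry lines and flags the ones marked "(file missing)" (the O9 xpnetdiag lines fixed above), and parses the ComboFix "Files Created" section and flags new .sys files whose base name is one long run of lowercase letters, the pattern of the two drivers deleted above. The sample input is an excerpt of the logs posted earlier; the "long random name" rule is a heuristic of mine, not a HijackThis or ComboFix feature.

```python
"""Triage helpers for the two log formats in this thread (constructed example)."""
import re
from dataclasses import dataclass
from typing import List

# --- HijackThis entries: "<tag> - <description> - {<clsid>} - <target>" ---
HJT_LINE = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class HjtEntry:
    tag: str            # R0/R1/O2/O4/O9/O16/O23 ...
    description: str    # first " - "-separated field after the tag
    target: str         # last field: a file path, URL or registry value
    file_missing: bool  # HijackThis appends "(file missing)" when the target is gone


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse entry lines; the header and 'Running processes' lines do not match."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        fields = [f.strip() for f in body.split(" - ")]
        target = fields[-1].replace(" (file missing)", "")
        entries.append(HjtEntry(m.group("tag"), fields[0], target,
                                body.endswith("(file missing)")))
    return entries


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Hooks whose target file is gone: dead entries like the O9 xpnetdiag lines."""
    return [e for e in entries if e.file_missing]


# --- ComboFix "Files Created" lines: "<date> <time> <size|<DIR>> <attrs> <path>" ---
CF_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attr>\S{9})\s+(?P<path>.+)$"
)
# Heuristic of mine, not a ComboFix rule: a driver base name that is one long run of
# lowercase letters. Every other new driver in the posted log is 8.3-style or
# vendor-prefixed (slnthal.sys, rfcomm.sys, PxHelp20.sys, BANTExt.sys).
RANDOM_NAME = re.compile(r"^[a-z]{10,}$")


@dataclass
class CfFile:
    created: str
    size: int           # -1 for <DIR> entries
    attrs: str          # ComboFix attribute string, e.g. "--a------"
    path: str


def parse_combofix_created(text: str) -> List[CfFile]:
    """Parse 'Files Created' lines. Find3M lines have seconds in the timestamp and
    therefore do not match, so they are skipped."""
    files = []
    for line in text.splitlines():
        m = CF_LINE.match(line.strip())
        if not m:
            continue
        raw = m.group("size")
        size = -1 if raw == "<DIR>" else int(raw.replace(",", ""))
        files.append(CfFile(m.group("ts"), size, m.group("attr"), m.group("path")))
    return files


def suspicious_drivers(files: List[CfFile]) -> List[CfFile]:
    """New .sys files under \\drivers\\ with a gibberish-looking name. A triage hint
    only: confirm each hit (vendor, signature, size twins) before deleting anything."""
    hits = []
    for f in files:
        if f.size < 0 or "\\drivers\\" not in f.path.lower():
            continue
        name = f.path.rsplit("\\", 1)[-1]
        if name.lower().endswith(".sys") and RANDOM_NAME.match(name[:-4]):
            hits.append(f)
    return hits


# Constructed sample input: excerpts of the logs posted earlier in this thread.
HJT_SAMPLE = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""
CF_SAMPLE = r"""
2007-07-18 08:45 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-07-17 13:03 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2007-07-16 13:15 8,576 --a------ C:\WINDOWS\system32\drivers\btsouauqiumi.sys
2007-07-10 12:45 8,576 --a------ C:\WINDOWS\system32\drivers\fclucjogwmlc.sys
2007-07-10 11:58 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2007-07-10 11:58 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
2007-07-17 20:54:31 -------- d-----w C:\Program Files\Messenger
"""
```

Run `orphaned_entries(parse_hjt(log))` and `suspicious_drivers(parse_combofix_created(log))` on the full logs to get the candidate list a helper would then verify by hand.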

#5 techgalchrys (New Member, 4 posts)

Posted 18 July 2007 - 03:06 PM

Hello again,

I was able to follow all the instructions. I found both files and deleted them. A couple of weird (?) things happened during the process. The computer started skipping the screen to choose my name when starting up. Not a big deal but different. My dial up internet icon disappeared when I did the first HijackThis fix and internet explorer put its icon back on the desktop even though I don't keep it there. The machine is running much better. I did notice the two files you had me delete belonged to Panda. I thought it was a safe company to use.

Again, your help is much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:59:24 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1184702312234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183960467375
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
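The helper's read of the log above is the usual one: look at where each running process lives, which autostart entries exist, which services have no vendor name, and which hosts ActiveX controls were fetched from. As an added example (my code, not anything shipped with HijackThis or posted in this thread), here is a small parser that pulls those four things out of a log and lists what a helper would check first. The sample log is constructed from a few lines of the log posted above plus one made-up process under a Temp folder so that the location check has something to report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above, plus one
# made-up "Running processes" entry under a Temp folder (the last one) so the
# location check below has something to flag.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:59:24 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Documents and Settings\Owner\Local Settings\Temp\example.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# One regex per HijackThis line shape that the triage below looks at.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories where a process on a stock XP box is expected to live
# (8.3 short form included because HijackThis prints some paths that way).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Split a HijackThis log into the process list and the Rx/Ox entries, keyed by kind."""
    report = {"processes": [], "entries": defaultdict(list)}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            report["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            report["entries"][m["kind"]].append(m["body"])
    return report


def triage(report):
    """Return (kind, detail) pairs that a helper reading the log would look at first."""
    findings = []
    for path in report["processes"]:
        if not path.lower().startswith(EXPECTED_ROOTS):
            findings.append(("process outside standard locations", path))
    for body in report["entries"].get("O4", []):
        m = RUN_RE.match(body)
        if m:
            findings.append(("autostart", f"{m['name']}: {m['cmd']}"))
    for body in report["entries"].get("O16", []):
        m = DPF_RE.match(body)
        if m:
            findings.append(("ActiveX download host", urlparse(m["url"]).hostname))
    for body in report["entries"].get("O23", []):
        m = SERVICE_RE.match(body)
        if m and m["owner"] == "Unknown owner":
            # "Unknown owner" only means the binary carries no company name;
            # the Ati entry is benign, but each such service is worth a look.
            findings.append(("service with unknown owner", f"{m['name']}: {m['path']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:35} {detail}")
```

The location check is deliberately coarse: a process under a user profile or Temp folder is not proof of anything, it is simply the first thing to verify, which is also why the helper's advice in this thread is to search for unfamiliar file names.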

#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 18 July 2007 - 05:42 PM

internet explorer put its icon back on the desktop even though I don't keep it there.

That occurs during the running of ComboFix and is normal.

I did notice the two files you had me delete belonged to Panda.

If you Google those 2 files, you will not get any hits, not one, which is usually indicative of malware. I do not know where you got the references to "Panda" which, and I agree with you, is a good product. I don't see Panda on your system.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

If you have no more malware related problems, please give me the OK and we will proceed with the final cleanup procedures.


Regards,

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#7 techgalchrys

techgalchrys

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 18 July 2007 - 09:11 PM

Dear Trevuren, The Java update went fine and the machine is doing well. When I went to delete the files you recommended, the description came back that they belonged to Panda. I had tried to do an online scan with Panda. Is there any explanation as to why the steps we did took out my dial-up icon and settings? I have no problems getting them back in but am curious. I am thrilled at the success and your help. I am a teacher and it is very clear to me that you are a talented one as well. Wishing you the best. P.S. After looking at my log, are there any other programs you would recommend to keep my machine safer? I thought AVG and Adaware were enough but that proved to be wrong. Any suggestions would be appreciated. Thanks again.

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 18 July 2007 - 09:39 PM

I have absolutely no idea why the icon disappeared just as I have no idea why I lose my printer icon when I run the tool. I just reboot and it comes back. In addition to the blurb that will follow, I would seriously consider getting AVG AS (Antispyware). There is a 30-day trial after which it can be used for free. The free version does not come with AVG Guard and requires that manual updates be done as the automatic update feature is disabled.

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
And also see TonyKlein's good advice: So how did I get infected in the first place?
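The MVPS Hosts file item above works because Windows consults the HOSTS file before asking DNS, so a name pinned to the loopback address never reaches the ad server. As an added example (my code, not from this post or from the MVPS project), the block below parses a constructed hosts file, answers whether a given name would be sinkholed, and, going one step beyond the post, lists any entry that sends a name somewhere other than loopback, since an override like that takes precedence over DNS and deserves a look. Both 127.0.0.1 (the value the post names) and 0.0.0.0 (the other value blocklists commonly use) are treated as sinkhole addresses; every hostname in the sample is made up.

```python
import ipaddress

# Constructed sample hosts file: the standard localhost line, three entries in
# the style a blocklist such as MVPS uses (ad hosts pinned to a sinkhole
# address) and one made-up entry that points a name at a real-looking address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

# constructed entries in the blocklist style
127.0.0.1  ads.example.net
127.0.0.1  tracker.example.org  # trailing comment is ignored
0.0.0.0    banner.example.com
# constructed entry that is NOT a block: it redirects a name elsewhere
203.0.113.5  update.example-vendor.test
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, lower-cased, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]  # one line may list several names
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_sinkhole(ip):
    """127.0.0.0/8 and 0.0.0.0 both make a name unreachable from this machine."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_blocked(entries, hostname):
    """True if the hosts file sends this name to a sinkhole address."""
    wanted = hostname.lower()
    return any(name == wanted and is_sinkhole(ip) for ip, name in entries)


def suspicious_overrides(entries):
    """Entries that send a name (other than localhost) to a routable address.

    A blocklist never does this; such a line silently redirects traffic for
    that name and should be checked against what the owner expects.
    """
    return [(ip, name) for ip, name in entries
            if name != "localhost" and not is_sinkhole(ip)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    blocked = [name for ip, name in hosts if is_sinkhole(ip) and name != "localhost"]
    print("sinkholed names:", blocked)
    print("ads.example.net blocked?", is_blocked(hosts, "ADS.example.net"))
    print("overrides to review:", suspicious_overrides(hosts))
```

On a real machine the file lives at C:\WINDOWS\system32\drivers\etc\hosts, and reading it with `parse_hosts(open(path).read())` is enough to run the same checks over the MVPS list after installing it.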

Regards,

Trevuren


#9 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 24 July 2007 - 09:20 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
