Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Shaun83 » July 17th, 2006, 9:29 pm

Kim,

Thanks again for all the help. One thing that may or may not be important : after I ran the IceSword, when I went to reboot, a windows "program needs to close" box came up. The box was labeled ccApp. After it closed the computer did not restart, it just went back to as it was. I clicked restart a 2nd time and all was fine from there. Gmer log below.

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-17 21:19:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 83946DE0 ZwAlertResumeThread
SSDT 837BD438 ZwAlertThread
SSDT 837422D0 ZwAllocateVirtualMemory
SSDT 83F1A2C8 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 83743258 ZwCreateMutant
SSDT 837BBF68 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT 83988CD0 ZwFreeVirtualMemory
SSDT 83883568 ZwImpersonateAnonymousToken
SSDT 839C2830 ZwImpersonateThread
SSDT 8383C008 ZwMapViewOfSection
SSDT 83887F88 ZwOpenEvent
SSDT 83999CF8 ZwOpenProcessToken
SSDT 8383D0C0 ZwOpenThreadToken
SSDT 8385BD78 ZwQueryValueKey
SSDT 837FDDE0 ZwResumeThread
SSDT 83804F88 ZwSetContextThread
SSDT 837CC2A8 ZwSetInformationProcess
SSDT 83F414C0 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 837B63A0 ZwSuspendProcess
SSDT 839BA768 ZwSuspendThread
SSDT 837CD718 ZwTerminateProcess
SSDT 83809F88 ZwTerminateThread
SSDT 83896E60 ZwUnmapViewOfSection
SSDT 837CBD08 ZwWriteVirtualMemory

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----
Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm
Advertisement
Register to Remove

Unread postby Kimberly » July 18th, 2006, 12:11 am

Hello

First of all the good news ... we did get pe386 successfully, Gmer shows clean. :) You did an awsome job.

One thing that may or may not be important : after I ran the IceSword, when I went to reboot, a windows "program needs to close" box came up. The box was labeled ccApp. After it closed the computer did not restart, it just went back to as it was. I clicked restart a 2nd time and all was fine from there. Gmer log below.

ccApp is Norton -> Symantec Common Client - Nothing to worry about. I get that from time to time also on my box without any reason. Next reboot everything is normal again. Removing a rootkit may freeze a computer and in that case processes are not unloaded correctly.

Ok, now we need to take care of Haxdoor.

Disconnect from internet and close running programs.

If you don't want Norton to interfer like last time, open up taskmanager by pressing CTRL+ALT+DEL - locate ccApp.exe in the list of running processes and click Terminate Process. Close TaskManager. It is possible of course that Norton will not interfer like in the previous step, but I'm unable to predict that. If the closing message and the reboot didn't cause you any trouble, then you may leave it running. Worst thing that will happen is again a "program needs to close" box that pops up.

Start Gmer
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say NO.
Click the Services tab this time.
Locate the following process in the list : twpkbd TCP: system32\twpkbd.sys
Select the service, right-click and select Delete

Reboot the PC.

Now we are going to look for orphan registry entries which we will clean up in the next step along with the rest.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

twpkbd
On the next line enter twpkad
Next line pe386
Next line lzx32

then hit Ok

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Please Regsearch log and a new HijackThis log.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Shaun83 » July 18th, 2006, 12:50 am

Hi Kim,

After I ran Gmer and clicked delete, I got a message box telling me that the file could not be deleted. But it was gone from the list. I rebooted and checked Gmer again and it was not in the list. Logs below:

RegSearch

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 7/18/2006 12:37:53 AM for strings:
; 'twpkbd'
; 'twpkad'
; 'pe386'
; 'lzx32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\twpkad]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\twpkbd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\twpkbd]
; Contents of value:
; system32\twpkbd.sys
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,74,77,70,6b,62,64,2e,73,79,73,00
"DisplayName"="twpkbd TCP"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\twpkbd\Security]

; End Of The Log...


HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:41:08 AM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
d:\Program Files\Iomega\ToolsNT\ZipToA.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\AOL\1106439883\ee\AOLSoftware.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
D:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\Program Files\America Online 9.0a\waol.exe
c:\program files\common files\aol\1106439883\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1106439883\ee\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00021.exe"
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1106439883\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Quick TV Agent] C:\Program Files\Terminator\Quick TV\Scheduled.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] d:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] d:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Iomega Startup.lnk = D:\Program Files\Iomega\ToolsNT\STARTNT.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Refresh.lnk = D:\Program Files\Iomega\ToolsNT\refresh.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/ ... bAgent.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2980446140
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O20 - Winlogon Notify: twpkad - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZipToA - Unknown owner - d:\Program Files\Iomega\ToolsNT\ZipToA.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm

Also

Unread postby Shaun83 » July 18th, 2006, 12:54 am

Sorry, I also forgot that when I rebooted after Gmer, I got an additional error message box:

AOL Error
The Main.idx database file is damaged.
Error: 65-FONL

To Fix problem.....steps to reinstall AOL.



If needed, I will be able to reinstall myself later on, just want to make sure I give you all the details.
Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm

Unread postby Shaun83 » July 18th, 2006, 12:55 am

and that message was at restart, not shutdown.
Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm

Unread postby Kimberly » July 18th, 2006, 1:41 am

Hello Shaun83,

Yes, gmer did remove the service indeed as seen in the regsearch results.

AOL Error
The Main.idx database file is damaged.
Error: 65-FONL

To Fix problem.....steps to reinstall AOL.

I'm very sorry for the inconvenience caused, we didn't touch that file at all. :(
I hope you will be able to fix that without trouble. Doesn't AOL keeps a backup of the file somewhere? Unless the file was hacked by one of the rootkits ... then it's better not to install a backup at all. I really have no idea on this error as I never did encounter it before. I'll do a check on that as I don't know why AOL uses / creates the file.

If ok with you, let's fix the remaining trouble ... nothing should break anymore now.

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\twpkad]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\twpkbd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtection"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"


Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.

Reboot the PC.
______________________________

Copy/paste the following text into a new Notepad document.

@Echo Off
echo Remaining files ... > fixme.txt
If exist %WinDir%\system32\twpkbd.sys del /q %WinDir%\system32\twpkbd.sys
If exist %WinDir%\system32\twpkad.dll del /q %WinDir%\system32\twpkad.dll
If exist %WinDir%\system32\zq.dll del /q %WinDir%\system32\zq.dll
If exist %WinDir%\system32\zq.sys del /q %WinDir%\system32\zq.sys
If exist %WinDir%\system32\ps.a3d del /q %WinDir%\system32\ps.a3d
If exist %WinDir%\system32\seDS.a3d del /q %WinDir%\system32\seDS.a3d
If exist %WinDir%\system32\tndb.bin del /q %WinDir%\system32\tndb.bin
If exist %WinDir%\system32\idsxres.dll del /q %WinDir%\system32\idsxres.dll
If exist %WinDir%\system32\kgcpt.dat del /q %WinDir%\system32\kgcpt.dat
If exist %WinDir%\system32\twpkbd.sys echo twpkbd.sys FOUND>>fixme.txt
If exist %WinDir%\system32\twpkad.dll echo twpkad.dll FOUND>>fixme.txt
If exist %WinDir%\system32\zq.dll echo zq.dll FOUND>>fixme.txt
If exist %WinDir%\system32\zq.sys echo zq.sys FOUND>>fixme.txt
If exist %WinDir%\system32\ps.a3d echo ps.a3d FOUND>>fixme.txt
If exist %WinDir%\system32\seDS.a3d echo seDS.a3d FOUND>>fixme.txt
If exist %WinDir%\system32\tndb.bin echo tndb.bin FOUND>>fixme.txt
If exist %WinDir%\system32\idsxres.dll echo idsxres.dll FOUND>>fixme.txt
If exist %WinDir%\system32\kgcpt.dat echo kgcpt.dat FOUND>>fixme.txt
start fixme.txt


Save it to your desktop as cleanme.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name: cleanme.bat

Double click cleanme.bat. A DOS box should open and close quickly, this is normal. Notepad will open with fixme.txt. Please post content.
______________________________

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
Using Windows Explorer, Search and Delete these Files if listed:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\tmp.tmp
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm<n°>.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm<n°>.exe

n° means any random numbers such as the ibm00021.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
______________________________


While we are at it, I would like to check a couple of security settings.

Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

cd %systemdrive%\
If not exist lsafiles MkDir lsafiles
regedit /a /e lsafiles\1.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
regedit /a /e lsafiles\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e lsafiles\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e lsafiles\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e lsafiles\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /e /a lsafiles\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit /a /e lsafiles\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e lsafiles\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
Regedit /a /e lsafiles\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e lsafiles\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e lsafiles\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e lsafiles\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit /a /e lsafiles\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
regedit /a /e lsafiles\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess
regedit /a /e lsafiles\15.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Copy lsafiles\*.txt = %systemdrive%\lsa.txt
rmdir /s /q lsafiles
Notepad %systemdrive%\lsa.txt
del /q %systemdrive%\lsa.txt


Save it to your Desktop as inspect.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name: inspect.bat

Locate inspect.bat on your Desktop and double-click it. When finished it will open a file in Notepad. That file will be named lsa.txt. Copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the new folder will be deleted.
______________________________

Please post
  1. fixme.reg
  2. HijackThis log
  3. Kaspersky Scan
  4. lsa.txt
You might need several replies to post the logs, lsa.txt will be huge.

Please let me know how the computer runs and if you still have the blue screen.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Kimberly » July 18th, 2006, 1:53 am

AOL information on the error. Maybe you dont need to reinstall, quick restore might work.

http://help.channels.aol.com/kjump.adp?articleId=219957

See also:
http://forums.theideaweb.com/printthrea ... eadid=6043

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Shaun83 » July 18th, 2006, 2:13 am

fixme.reg

Remaining files ...


Search and Delete Files

None of the files were in the folder.

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 2:06:40 AM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
d:\Program Files\Iomega\ToolsNT\ZipToA.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\AOL\1106439883\ee\AOLSoftware.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
D:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
c:\program files\common files\aol\1106439883\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
c:\program files\common files\aol\1106439883\ee\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1106439883\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Quick TV Agent] C:\Program Files\Terminator\Quick TV\Scheduled.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] d:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] d:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Iomega Startup.lnk = D:\Program Files\Iomega\ToolsNT\STARTNT.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Refresh.lnk = D:\Program Files\Iomega\ToolsNT\refresh.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/ ... bAgent.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2980446140
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZipToA - Unknown owner - d:\Program Files\Iomega\ToolsNT\ZipToA.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm

Unread postby Shaun83 » July 18th, 2006, 3:02 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 18, 2006 2:59:44 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/07/2006
Kaspersky Anti-Virus database records: 208055
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 55757
Number of viruses found: 1
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:34:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\idb\APP10575.LST Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\idb\SHAUN5142\mydb.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\idb\SHAUN5142\style.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\idb\SHAUN5142\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\organize\CACHE\shaun5101 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\organize\shaun5142 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\organize\shaun5142.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\organize\shaun5142.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\ShopAssist\DataStore\global\clientcache.adb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\ShopAssist\DataStore\users\SHAUN5142.adb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-07152006-022418.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-07-18_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\AOL\C_America Online 9.0a\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\AOL\C_America Online 9.0a\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\AOL\C_America Online 9.0a\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\AOL\C_America Online 9.0a\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\AOL\C_America Online 9.0a\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\cert8.db Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\history.dat Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\key3.db Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Mozilla\Profiles\default\8k3npe60.slt\parent.lock Object is locked skipped
C:\Documents and Settings\Shaun Egan\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\Shaun Egan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shaun Egan\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Shaun Egan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shaun Egan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shaun Egan\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1D7ABDFF-FB67-46F9-8704-EC477119D226} Object is locked skipped
C:\Documents and Settings\Shaun Egan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shaun Egan\Local Settings\History\History.IE5\MSHist012006071820060719\index.dat Object is locked skipped
C:\Documents and Settings\Shaun Egan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shaun Egan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shaun Egan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shaun Egan\UserData\index.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0052NAV~.TMP Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0620NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2A6C1EB5-9B18-465A-A238-F88287C6DC88}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe NSIS: infected - 2 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm

Unread postby Shaun83 » July 18th, 2006, 3:49 am

Hi Kim,

I don't think Inspect.bat is doing what you wanted it to do. When I double click it, I get a very brief DOS box and then nothing. I deleted the Inspect.bat and did everything again with the same result.

On my initial reboot (after fixme.reg) everything appears to me to have started up fine. The 00021 error was not there and the AOL error did not come back (I did nothing to try and fix that yet) I ran the Kaspersky Scan with AOL and it worked fine.

I was able to successfully install the latest version of internet explorer that I had downloaded. This was one thing that was giving me a blue screen. I have not tried to install the security update from windows (was also causing blue screen) because I didn't know if it might change the scan reports.

I did reboot after the failed attempt at Inspect.bat and got one strange thing. When I have been rebooting, my wireless connection has usually not connected. I did not know if this was because of the virus or because I made it a secure connection after I got the virus. It has been an easy fix to just right click the icon on the toolbar and click "repair." But this time, Norton came up and said that a new wireless signal was found and how did I want to treat it (home, office, away). I just selected home. I then checked the wireless signals and my secure connection was the only one available.

Also, I wanted to mention that in the body of your last post you didn't mention where to run the Hijackthis log. I ran it right before the Kaspersky Scan. Hope that was OK.

Thanks,
Shaun
Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm

Unread postby Kimberly » July 18th, 2006, 12:19 pm

Hello Shaun83,

I don't think Inspect.bat is doing what you wanted it to do. When I double click it, I get a very brief DOS box and then nothing. I deleted the Inspect.bat and did everything again with the same result.

Strange, it only uses regedit to retrieve values in the registry. Did you set somewhere to deny the use of regedit ? Windows Defender or Norton ...
According to Hijackthis startuplist, regedit.exe is present. Does it open when you do Start > Run > type in regedit.exe and hit enter. If regedit opens, close it again.

Try with this one :

cd C:\
If not exist lsafiles MkDir lsafiles
regedit.exe /a /e lsafiles\1.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
regedit.exe /a /e lsafiles\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit.exe /a /e lsafiles\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit.exe /a /e lsafiles\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit.exe /a /e lsafiles\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit.exe /e /a lsafiles\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit.exe /a /e lsafiles\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit.exe /a /e lsafiles\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
Regedit.exe /a /e lsafiles\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit.exe /a /e lsafiles\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit.exe /a /e lsafiles\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit.exe /a /e lsafiles\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit.exe /a /e lsafiles\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
regedit.exe /a /e lsafiles\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess
regedit.exe /a /e lsafiles\15.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Copy lsafiles\*.txt = C:\lsa.txt
rmdir /s /q lsafiles
pause
Start C:\lsa.txt
I did insert a pause before opening lsa.txt and left all the messages visible on the screen so you should be able to read the text in the dos box. Once you get the message 'press any key ...', notepad should open with lsa.txt
If notepad does not open, go to C:\lsa.txt and post it's content. Hope that will work better or at least give an idea what isn't working since the original batch does run fine on my PC.

On my initial reboot (after fixme.reg) everything appears to me to have started up fine. The 00021 error was not there and the AOL error did not come back (I did nothing to try and fix that yet) I ran the Kaspersky Scan with AOL and it worked fine.

I did fix the 00021 with the fixme.reg instead of hijackthis. :) Good to hear that the AOL error didn't show up anymore. It does not seem malware related as Google returns quite a few posts about this apparently random issue.

I was able to successfully install the latest version of internet explorer that I had downloaded. This was one thing that was giving me a blue screen. I have not tried to install the security update from windows (was also causing blue screen) because I didn't know if it might change the scan reports.

You mean the latest cumulative security update of Internet Explorer by latest IE version I suppose. Security updates won't affect the scan reports. The bluescreens were probably due to the presence of the rootkits. They often hook into winlogon, explorer and/or internet explorer. It becomes really difficult sometimes to install security updates or service packs while rootkitted. That's quite a normal behavior.

I did reboot after the failed attempt at Inspect.bat and got one strange thing. When I have been rebooting, my wireless connection has usually not connected. I did not know if this was because of the virus or because I made it a secure connection after I got the virus. It has been an easy fix to just right click the icon on the toolbar and click "repair." But this time, Norton came up and said that a new wireless signal was found and how did I want to treat it (home, office, away). I just selected home. I then checked the wireless signals and my secure connection was the only one available.

It's probably due to the secured connection unless one of the security updates did affect the behavior of the connection. I'm behind a router too but it's not a wireless connection. I usually leave it disconnected until the boot has completed. Clicking repair triggers XP to detect hardware and repair it, some parameters in the registry or so might change that's why Norton did popup with the new connection signal. A normal behavior of Norton. Norton told you it was a new one but as a matter of fact it was still the old one that was simply repaired by XP. Rootkits may affect NDIS drivers too, depends on how the rootkit is set up. Basically they can hide, modify, monitor, intertcept about anything.

Also, I wanted to mention that in the body of your last post you didn't mention where to run the Hijackthis log. I ran it right before the Kaspersky Scan. Hope that was OK.

No problem. :)

Kaspersky scan is clean, all the files listed are ok. The new version of the scan shows all locked system objects, nothing to worry about.

Try if inspect.bat works this time and post the results please. I don't think it is related to your environment variables because otherwise cleanme.bat or smitfraudfix would not have ran either. If you get any error messages, please write them down. Also let me know if regedit.exe opens.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Shaun83 » July 18th, 2006, 1:41 pm

Hi Kim,

Regedit did open.

I made a mistake the 1st time I tried the new Inspect.bat program you gave me and I was probably making it with the old one (sorry). When I copied it, I think I stopped at the end of the text. I make sure I copied everything, including space at the end of the text box, on a 2nd try and it worked fine.

The IE version I was talking about was the web browser. I had tried to download it because I one of the scans I was trying to run before you started to help me said it required version 5 or higher. I had 5, but I dedided to try and upgrade it to the latest (7 with beta 3). I think that scan had been something called Panda. If I remember right, Kaspersky would not work with my old IE either. I know Netscape would not work, which is why I had used AOL.

Results of Isa.txt below:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"LegacyAuthenticationLevel"=dword:00000001
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000370
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000000
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:43,6f,4a,5c,f6,f9,73,51,62,68,bd,87,69,f1,d9,76,32,35,31,65,30,\
65,62,62,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,a5,6a,8e,d6

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:5e,c0,4f,5b,52,85,58,76,c5

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:01,b3,6c,82,c7,de

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:42,f0,61,c3,f0,f7,84,eb,5a,da,c8,b6,d2,cd,ee,ca

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:84,65,c6,0f,80,0d,c5,01

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center]
"FirstRun"=dword:00000001

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=dword:00000000


Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm

Unread postby Kimberly » July 18th, 2006, 5:36 pm

Hello Shaun83,

I made a mistake the 1st time I tried the new Inspect.bat program you gave me and I was probably making it with the old one (sorry). When I copied it, I think I stopped at the end of the text. I make sure I copied everything, including space at the end of the text box, on a 2nd try and it worked fine.

Hmm, not sure that you made a mistake unless you are 100% sure you did cut off the text in the quoted box ... I get the feeling that notepad is not associated to txt files or that notepad is missing. The only real difference between 2 inspect.bat, is notepad lsa.txt and start lsa.txt... start lsa.txt launches the associated text editor, while notepad lsa.txt calls notepad to open the text file. Is notepad.exe present in windows folder and windows\system32 folder ? When you right click a text file ... like lsa.txt does the default open action on the popup menu opens notepad with the file ? Shows the notepad icon ?

The IE version I was talking about was the web browser. I had tried to download it because I one of the scans I was trying to run before you started to help me said it required version 5 or higher. I had 5, but I dedided to try and upgrade it to the latest (7 with beta 3). I think that scan had been something called Panda. If I remember right, Kaspersky would not work with my old IE either. I know Netscape would not work, which is why I had used AOL.

You have XP Service pack 2, so IE version is 6.00 not 5 ... as shown here:
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180). Even the original XP comes with Internet Explorer 6 - not 5. The error shown by Panda or eventually Kaspersky could be caused by the rootkit or by some settings. Many scans are unable to run when a rootkit is present, a rootkit can make believe any program (even the OS) that this or that is missing, not the correct version, ...
Not easy to explain, but a rootkit can make your PC "lie" about anything.
Online scan will only run with Internet Explorer indeed, Firefox, Netscape are not supported right now.

On a lighter note, lsa.txt is ok - no changes made to essential security settings.

PC running ok now ?

******

Tools cleanup

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

Haxfix

If you want to remove the Kaspersky Online Scan select Kaspersky On-line Scan too (a reboot might be needed after it's removal)

During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.

Next ...

Click start> run> type cmd.exe and hit enter.
Type sc delete gmer and hit enter.
Should get success message.

Reboot the PC.

Find and delete:

C:\Windows\system32\drivers\gmer.sys
C:\Windows\gmer.exe
C:\Windows\gmer.dll
C:\Windows\gmer.ini

On your desktop you may delete the following files :

WinPFind.zip
SmitfraudFix.zip
haxfix.exe
gmer.zip
regsearch.zip
IceSword1.18en.rar
Fixme.reg
inspect.bat

Folders on your desktop :

SmitfraudFix
IceSword1.18en

Folders on your HDD :

C:\RegSearch
C:\WinPFind
c:\program Files\haxfix

Files on your HDD :

C:\lsa.txt


References in case you have trouble with AOL and sending mail.

My worst problem has been that I was notified by my high speed carrier that my computer was used to send out spam. As I was trying to fix my problems the next day, Norton messaged began popping up telling me that email messages had been rejected by my internet service.

If you ever have probs with your ISP, refer them to this topic and let them know that you have been, among others things, victim of a variant of this rootkit:
http://www.f-secure.com/v-descs/mailbot_az.shtml

More precise description:
http://www.symantec.com/security_respon ... 99&tabid=2

Let me know about Notepad and tell me if you still have other PC trouble.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Shaun83 » July 18th, 2006, 9:45 pm

Hi Kim,

Notepad is present in both the windows folder and the windows\system32 folder. If you open a text file from desktop with a right click Notepad is the default program. If you highlight the programs in the text box as if you were going to copy them you can highlight a space after the last period. Adding that space to what I copied is the only thing I did differently.

I deleted the listed programs, files, & folders.

PC seems to be running great to me.
Shaun83
Regular Member
 
Posts: 37
Joined: July 16th, 2006, 8:41 pm

Unread postby Kimberly » July 19th, 2006, 12:23 am

Hello Shaun83,

Text association looks ok to me, Notepad is present and a text file opens correctly .. so no worries to have then. I wanted to be sure. Maybe indeed a small glitch occured during copy.

I'm very pleased to hear that the computer is running great. It should indeed behave much better without the nasties.

Hide your system files again.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading uncheck Show hidden files and folders.
  6. Check the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Click OK.
______________________________

Reboot a couple of times, run some programs, make sure that everything runs smoothly and then reset your System Restore.

Please reset System Restore to remove eventual backups of the spyware and trojans.

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to the turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.
______________________________

******PLEASE READ******

It is very rewarding to see that your computer is clean. May I urge you to stand up and be counted! Document your experience, and by doing so, launch a complaint against the makers of malware. You can make a difference. Click on the Malware Complaints - Stand up and be Counted! link in my signature and support our cause. Thank you.
______________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/offic ... fault.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/securi ... fault.mspx

Recently Published
http://www.microsoft.com/technet/securi ... fault.mspx

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Take the time to check out the following links

Resources for using Internet Explorer 6
http://support.microsoft.com/?kbid=867470

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2
http://www.microsoft.com/technet/securi ... secxp.mspx

Microsoft Malicious Software Removal Tool
http://www.microsoft.com/security/malwa ... ilies.mspx

Keep your Sun Java up to date

The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 7

To check if you have the latest version installed and get the needed updates, please go to the link below:
http://www.java.com/en/download/windows_automatic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to check your Java Software.

Or you can get the manual download here:
http://www.java.com/en/download/manual.jsp

Check in your Control Panel, under Add/Remove programs and uninstall ALL older versions of Sun Java. And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

Check out these topics for more information:
http://spywarewarrior.com/viewtopic.php?t=17910
http://spywarewarrior.com/viewtopic.php?t=17598

Free programs that may help you in keeping the PC clean
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue apllications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's HostsManager here
Free Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventitive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

Ewido

Realtime protection against these threats:
  • Hijackers and Spyware
    Secure surfing in the Internet without fear of annoying changes of the start page of your browser, tracking cookies and advertising bars.
  • Worms
    Nobody should receive e-mails in your name with malicious files in the appendix anymore.
  • Dialers
    Security against all kinds of dialers. No fear when receiving the next phone bill.
  • Trojans and Keyloggers
    No chance for thieves to steal your bank data and personal sensitive information by tapped Internet connections, remote controlled webcams or secret keyboard recordings.
Most of you will have already the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program. When the trial period ends the following features will stop working:
  • Scheduled scans.
  • Real-time monitoring of the entire system.
  • Memory Scan detects active threats.
  • Self-protection at kernel layer guarantees gapless monitoring.
  • Automatic online-update.
The manual memory scan will work in the free version and you can manually update the definitions by clicking on the "Start Update" button under Manual update in the update module.

You can download Ewido here
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

WinPatrol

WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.
  • Detect & Neutralize Spyware.
  • Detect & Neutralize ADware.
  • Detect & Neutralize Viral infections.
  • Detect & Neutralize Unwanted IE Add-Ons.
  • Detect & Restore File Type Changes.
  • Automatically Filter Unwanted Cookies.
  • Avoid Start Page Hijacking.
  • Detect changes to HOSTS & critical system files.
  • Kill Multiple Tasks that replicate each other, in a single step!
  • Stop programs that repeatedly add themselves to your Startup List!
Starting with WinPatrol 9.5 PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
You can download WinPatrol here
WinPatrol FAQ

SiteHound by Firetrust

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
  • Fraudulent claims or scams
  • Offensive material
  • Security vulnerabilities
  • Spyware or Adware
  • Spam related material
  • or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

• Adult • Spyware • Spam Advertising • Phishing • Possible scam or fraud • Misleading or False Advertising
• Pharming • Rogue or Suspect Product • Adware • Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Product Info & Download: SiteHound Toolbar

For advanced users : ProcessGuard

ProcessGuard blocks rootkits, prevents spyware, guards your computer from DLL trojans...
For more information take a moment to read the Introduction and the Known Attacks information pages.
You can download Process Guard here

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingcomputer.com/tutorials/

Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests ?
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-toolbox.com/BrowserSecurity/

Happy surf Shaun83. :)

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
Advertisement
Register to Remove

PreviousNext

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware