Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help Infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help Infection

Unread postby cyberfreak » January 15th, 2006, 3:02 am

Okay I know I've got several problems on my computer. Maybe you guys can help.

Internet explorers home page has been Hijacked, Firefox has some sort of back door activity going on with it( so far Opera seems fine so thats what I'm using), and Mozilla Thunderbird seems to be having some backdoor problems as well. I was first infected two nights ago when I clicked a link and something downloaded. I proceeded to try and fix the problem on my own with no success, I got tired went to bed but left the computer up. I woke up the next morning and several applications had been opened on there own like paint, calc, and the MS DOS box. In the MS. DOS box was "Ping http://www.sexkings.nu" . It appears somehow someone was pinging http://www.sexkings.nu with my computer! Now I know a little about computers but am only just begining to learn. Why and how was someone or something remotely using my DOS box to ping the address sexkings.nu?
So I proceeded to try to fix the problem some more, I'm stuborn and want to learn about computers so this was a perfect opportunity. Then all of a sudden calc opens up on its own again! Now that is freakky.
Please help and share what ever cool computer info you can. ( I don't just want to fix my computer I want to learn)


Here is the log :

Logfile of HijackThis v1.99.1
Scan saved at 1:43:26 AM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\nj\My Documents\hijackthis (1)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://home.microsoft.com/search/search.asp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BBEC1B2A-AC72-57D9-D55D-F4CC11608C95} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [32.tmp] C:\DOCUME~1\nj\LOCALS~1\Temp\32.tmp.exe
O4 - HKLM\..\Run: [33.tmp] C:\DOCUME~1\nj\LOCALS~1\Temp\33.tmp.exe
O4 - HKLM\..\Run: [32.tmp.exe] C:\DOCUME~1\nj\LOCALS~1\Temp\32.tmp.exe
O4 - HKLM\..\Run: [33.tmp.exe] C:\DOCUME~1\nj\LOCALS~1\Temp\33.tmp.exe
O4 - HKLM\..\Run: [javaqa32.exe] C:\WINDOWS\system32\javaqa32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\nj\My Documents\hijackthis (1)\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.0.368.36062\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6444716998
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)


If you need more info let me know I have done an online check with semantic and kept record of them. I also have numerous programs like adaware and spybot and so many more. Just let me know what you need and what I should do. Thanks
cyberfreak
Regular Member
 
Posts: 32
Joined: January 14th, 2006, 10:51 pm
Advertisement
Register to Remove

Unread postby amateur » January 15th, 2006, 9:27 am

Hi Cyberfreak, :D

Welcome to MRU.

I am sorry to inform you that you have multiple infections: :( Bube.d, a.k.a Win32.Beavis, and about:blank. About blank respawns and the bad files are changed everytime the computer is rebooted. It's best if it's cleaned at one go. So, I would suggest that we get the Bube.d out of the way first and then deal with the about:blank. In the mean time, don't use Internet Explorer, continue using Opera for downloading any program needed for the fixes and for communicating with us, etc.
Bube.d needs a special 'process' to remove. It is described here in a post by CalamityJane. Please follow that - and then post back here with a new hijackthis log please.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

still infected

Unread postby cyberfreak » January 16th, 2006, 3:12 am

Logfile of HijackThis v1.99.1
Scan saved at 1:17:34 AM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Google\Google Updater\1.0.368.36062\GoogleUpdater.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\nj\My Documents\hijackthis (1)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://home.microsoft.com/search/search.asp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BBEC1B2A-AC72-57D9-D55D-F4CC11608C95} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [d3hn32.exe] C:\WINDOWS\system32\d3hn32.exe
O4 - HKLM\..\Run: [32.tmp] C:\DOCUME~1\nj\LOCALS~1\Temp\32.tmp.exe
O4 - HKLM\..\Run: [33.tmp] C:\DOCUME~1\nj\LOCALS~1\Temp\33.tmp.exe
O4 - HKLM\..\Run: [32.tmp.exe] C:\DOCUME~1\nj\LOCALS~1\Temp\32.tmp.exe
O4 - HKLM\..\Run: [33.tmp.exe] C:\DOCUME~1\nj\LOCALS~1\Temp\33.tmp.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [javaqa32.exe] C:\WINDOWS\system32\javaqa32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\nj\My Documents\hijackthis (1)\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.0.368.36062\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6444716998
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)
cyberfreak
Regular Member
 
Posts: 32
Joined: January 14th, 2006, 10:51 pm

Unread postby amateur » January 16th, 2006, 1:17 pm

Hi Cyberfreak :),

Thanks for the logs.

It's best if we can get this off at one go. So, please follow the instructions very carefully, without missing any. First of all I need you to download some programs for use later. Once the programs downloaded, you'll have to disconnect from the internet and unplug your modem. So, read through the instructions very carefully, print them out, and if you have any questions, post them here before you start. Let's go:

Download HSfix.zip and unzip it to your desktop. Do not use it yet.

Download About:Buster by RubberDucky. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet

Download CWShredder by TrendMicro, install it, check for updates but again, don't use it yet.

Download and install Ewido Anti-Malware
During the installation, uncheck the following under Additional Options:
Install background guard
Install scan via context menu

Check for updates but do not run it yet.

================================================

We'll need to disable realtime scanners so that they will not interfere with our fixes.

Disable TeaTimer:
Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable TeaTimer:
" Run Spybot-S&D
" Go to the Mode menu , and make sure "Advanced Mode " is selected
" On the left hand side, choose Tools -> Resident
" Uncheck "Resident TeaTimer " and OK any prompts
" Restart your computer.

Disable Microsoft AntiSpyware
1. Open Microsoft AntiSpyware.
2. Click on Options> Settings.
3. In the left pane, click on Real-time Protection.
4. Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
5. Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
6. After you unchecked these, click on the Save button and close Microsoft AntiSpyware.
7. Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware

It's important that you re-enable them later once the fix is completed.
================================================
Ensure hidden files and folders are set to show;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

=======================

Please disconnect from the Internet and unplug your modem for the duration of this fix. Please make sure that you have printed the rest of these instructions.

=======================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

======================

While in Safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

======================

Then Open CWshredder that you downloaded in the first step. Close all browser windows and click on the fix>next button.

======================

Bring up task manager Ctrl-Alt-Del and end this processes if it is present :

C:\WINDOWS\ALCXMNTR.EXE

======================

Now run hijackthis and click the scan button, when it has finished scanning put a check against the following.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jfbbs.dll/sp.html#87649%resultposition.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {BBEC1B2A-AC72-57D9-D55D-F4CC11608C95} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [d3hn32.exe] C:\WINDOWS\system32\d3hn32.exe
O4 - HKLM\..\Run: [32.tmp] C:\DOCUME~1\nj\LOCALS~1\Temp\32.tmp.exe
O4 - HKLM\..\Run: [33.tmp] C:\DOCUME~1\nj\LOCALS~1\Temp\33.tmp.exe
O4 - HKLM\..\Run: [32.tmp.exe] C:\DOCUME~1\nj\LOCALS~1\Temp\32.tmp.exe
O4 - HKLM\..\Run: [33.tmp.exe] C:\DOCUME~1\nj\LOCALS~1\Temp\33.tmp.exe


Make sure that all other windows other than HijackThis are closed and click 'fix checked'
Exit HJThis but stay on Safe Mode.

====================

Clean temp files:

The following step is important as you may have several malware files in your temp directories.

Using Windows Explorer, navigate to the following folder and open the folder. Go to Edit>copy all>delete all to empty the folder.

C:\DOCUME and SETTINGS\Owner\LOCAL SETTINGS\Temp (do this for every user)

Still in Safe Mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

====================

Run about buster:

Now press Windows key and E key at the same time to bring up Windows Explorer and navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

==========================================================

Run Ewido.

Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

===============================================

Still in Safe Mode, Using Windows Explorer, find and delete the following files and folders in bold, if found: Be careful not to delete anything else.

C:\WINDOWS\msxd.exe
C:\WINDOWS\syscr32.exe
C:\WINDOWS\sdkfb.exe
C:\WINDOWS\msxd.exe
C:\WINDOWS\udttb.dll
C:\WINDOWS\system32\addsn.dll
C:\WINDOWS\system32\jfbbs.dll
C:\WINDOWS\system32\d3hn32.exe

===============================================

Clean temporary files and the Prefetch folder:

1. Go > start > run and type cleanmgr and click OK
2. Scan your system for files to remove.
3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
4. Click OK to remove those files.
5. Click Yes to confirm deletion.

Prefetch Folder


Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder

===============================================

Now reboot in Normal Mode.

===============================================

We need to see if we need to restore some deleted files:
Please check for the following files using the Windows Search Engine:

control.exe
rundll32.exe
wmplayer.exe
msconfig.exe
notepad.exe
shell.dll
SDHelper.dll


If any are missing or not working properly then you can download new copies from Merijn's Files and follow the instructions at that site to install them where they belong for your OS.

============================================================
Reconnect to the internet. Please download

" Hoster
" Unzip Hoster.zip
" Open Hoster.exe
" Then click on "Restore Original Hosts"
" Close program when complete.
" Empty Recycle Bin
" Reboot and "copy/paste" a new log file into this thread, after completing any other instructions given

Warning: if you use a customized hosts file to block certain sites then this will overwrite all those entries as well and you will need to re enter them

=============================================================

Finally, run Panda's ActiveScan and perform a full system scan.
" Once you are on the Panda site click the Scan your PC button.
" A new window will open...click the big Check Now button.
" Enter your Country.
" Enter your State/Province.
" Enter your e-mail address.
" Select either Home User or Company.
" Click the big Scan Now button.
" Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
" Click on Local Disks to start the scan.
Upon scan completion, if anything malicious is detected, click See Report, then click Save Report and save it to your Desktop.

================================================================

Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6 .

To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed:
http://www.java.com/en/download/windows_automatic.jsp

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software

Or you can get the manual download here:
http://www.java.com/en/download/manual.jsp

Once you have installed the latest update, please go to Add/Remove Programs and remove all older instances of Java listed there.

==================================================================

Now reboot and run hijackthis again and post a fresh log along with the about buster log, the Ewido log and the Panda report :)
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

I'm back :)

Unread postby cyberfreak » January 23rd, 2006, 5:16 pm

Okay I just wanted to let you know I'm still working on this problem and will have a log for you guys before the day is up. I just had a lot of school work and got distracted.

The computer is running really slow unless it is in safe mode. SO i've got to get this fixed.

Be ready I'll post again tonight
cyberfreak
Regular Member
 
Posts: 32
Joined: January 14th, 2006, 10:51 pm

Unread postby amateur » January 23rd, 2006, 5:33 pm

Hi Cyberfreak,

Welcome back. :) It's been about a week since I heard from you the last time. With this infection, the files change everytime you restart your computer thus making it more difficult to fix. So, I am not sure if the fix I wrote up would still work. When you have time and are ready, please post a new HijackThis log and don't reboot your computer until the infection is cleaned.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Log

Unread postby cyberfreak » January 24th, 2006, 6:09 pm

(I accidentally posted this somewhere else as well)
Okay, I rebooted in normal mode and wasn't able to do anything from normal mode. It takes five minutes for anything to happen in normal mode. So I'm communicating with you from safe mode with networking.
I have a hijact this log, and an exido log, about buster says it successfully removed stuff but it didn't offer me a log and at the end it says it had an error : Run-time error '339' Component 'comctl32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid. It says it found a CWS infection.

-----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:53:22 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Documents and Settings\nj\My Documents\hijackthis (1)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/search/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://home.microsoft.com/search/search.asp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\nj\My Documents\hijackthis (1)\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.0.368.36062\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6444716998
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)
-----------------------------------------
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:14:19 AM, 1/24/2006
+ Report-Checksum: 13DEB727

+ Scan result:

:mozilla.6:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.7:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.14:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.15:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.16:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.17:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.63:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.64:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.65:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.66:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.67:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.68:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.69:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.70:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.128:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.154:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.158:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.159:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.160:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.165:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.166:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.175:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.203:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.204:C:\Documents and Settings\nj\Application Data\Mozilla\Firefox\Profiles\10djl9tf.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F8CFA57-B4AB-4FA3-9D8E-9BE241\290B3F92-6637-4DE6-AA3D-8147C5 -> Spyware.SpywareNo : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F8CFA57-B4AB-4FA3-9D8E-9BE241\2F0CC494-A8B1-494B-A0C8-67F311 -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F8CFA57-B4AB-4FA3-9D8E-9BE241\47247B3D-987E-44B7-81A5-2D4E6F -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F8CFA57-B4AB-4FA3-9D8E-9BE241\CB6D866E-2E82-43DB-8251-DB9208 -> Adware.SpySheriff : Cleaned with backup


::Report End
----------------------------------------


Ok what next, why is windows running so slow, and am I going to have to take it out back and shoot it?
cyberfreak
Regular Member
 
Posts: 32
Joined: January 14th, 2006, 10:51 pm

Unread postby amateur » January 24th, 2006, 7:08 pm

Hi Cyberfreak,

I am unable to see the running processes because the HijackThis log is generated in Safe Mode. Neither Spybot nor HijackThis needs to run at the start up which seems to be the case. Both of them are trying to scan, while the other programs are trying to load, would slow the computer down. Open Spybot. Go to settings>Automation and unchcek "run check on program start". Make sure that under system start "no automation" is checked.

Next, run HijackThis, click on Config button, under the main tab, make sure that "run HijackThis at startup and show it when items are found" is unchecked.

Restart your computer. Scan with hijackthis and post a new log from Normal Mode, please.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

still trying

Unread postby cyberfreak » January 26th, 2006, 2:44 am

I'm still trying in normal mode but not achieving anything. I click on the start button and it takes litteraly anywhere from 5 to 30 minutes for it to bring anything up. I did manage to change the spybot settings, that took half a day. Then I click on hijact this and that never finishs loading. Any advice to speed things up? :cry: I'm dying here.
cyberfreak
Regular Member
 
Posts: 32
Joined: January 14th, 2006, 10:51 pm

Unread postby amateur » January 26th, 2006, 9:38 am

Hi Cyberfreak, :)

I see this C:\fixwareout\SUB\BFU.exe in your log, which tells me that you've had wareout infection at one time and tried to clean it. I am afraid it did not get cleaned. :( This is a very stubborn infection. The computer will have to be kept on until it's cleaned, otherwise the files change at every reboot to escape detection, just like the about blank infection you had. You can disconnect from the internet, but you musn't reboot unless told to do so. All that said, let's try the following in Safe Mode. You may need to copy/paste these instruction on a notepad on your desktop and also print them so that you'll have access to them at all times. Disconnect from the internet now.

Because the log is from Safe Mode, I cannot see the running processes, but it looks like you have several antiviruses running, one showing up at the startup. : Kaspersky, AntiVir and EZ Trust. It's not a good practive to have more than one antivirus running at the same time. They conflict with each other and leave the computer vulnerable, may even cause crashes. Please decide on ONE antivirus program and uninstall/remove the others from the Add/Remove Programs.

Go to Start>Control Panel>Add/Remove Programs and look for a program called Search Assistantant. If found, uninstall/remove the program.
While you are there, remove the antivirus programs that you've decided to remove.

Next, in Safe Mode run HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://home.microsoft.com/search/search.asp
O4 - HKLM\..\Run: [dmlyx.exe] C:\WINDOWS\system32\dmlyx.exe
GoogleUpdater.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
04 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.0.368.36062\GoogleUpdater.exe


Close all other windows and click on "fix checed"

Next open a new Notepad (not wordpad: this is important)
Please run Notepad and paste the following text in the Code box into a new file:

Code: Select all
attrib -r -h -s C:\Windows\System32\dmlyx.exe
del C:\Windows\System32\dmlyx.exe
attrib -r -h -s C:\Windows\System32\dm???.exe
del C:\Windows\System32\dm???.exe


Save the file to the desktop as remove.bat and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on remove.bat.

Clean the temp files in safe mode

Click Start>>>Run
Type into the box: cleanmgr.exe
Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

Also in Safe Mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Now, reconnect to the internet. Try rebooting in Normal Mode now. If successful, run an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Scan with HijackThis and save the report.

Post back the new HijackThis log and the Kaspersky scan result, and please do not reboot your computer until the next set of instructions.


Good Luck!
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Cool

Unread postby cyberfreak » January 29th, 2006, 6:51 am

Now windows is running at full speed again. Ok, here:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 29, 2006 02:44:41
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/01/2006
Kaspersky Anti-Virus database records: 173711
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 34474
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1153 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.
-------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:46:25 AM, on 1/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nj\My Documents\hijackthis (1)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6444716998
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)
cyberfreak
Regular Member
 
Posts: 32
Joined: January 14th, 2006, 10:51 pm

crap

Unread postby cyberfreak » January 29th, 2006, 7:26 am

In task manager I was looking at the running processes and found some troubling things.

Process File: system.exe
Process Name: Trojan.Mitglieder.B

Description: system.exe is a process which is registered as the Net Controller 1.08 Trojan, Trojan.Mitglieder.B, the Agent-EN Trojan and the Trojan.StartPage Trojans. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

------------------
Process File: csrss.exe
Process Name: Microsoft Client/Server Runtime Server Subsystem

Description: csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

Note: csrss.exe is also process which is registered as a number of mass mailing worms and trojans. These viruses are distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open it’s hostile attachment. The worm has it’s own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
-------------------------
Process File: smss.exe
Process Name: Session Manager Subsystem

Description: smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

Note: smss.exe is also a process which is registered as a number of trojans and mass mailing worms, and the PWSteal.Wowcraft.B Password stealer. These Trojans allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
-------------------------
Process File: inetinfo.exe
Process Name: IIS Admin Service Helper

Description: inetinfo.exe is used primarily for debugging Microsoft Windows Server Internet Information Services. This program is important for the stable and secure running of your computer and should not be terminated.

Note: inetinfo.exe is also a process which is registered as the Trojan.W32.RONTOKBRO. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open it’s hostile attachment. The worm has it’s own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
--------------------------------------

And that isn't everything but it is late. I'm going to run an antivirus program and then go to sleep.
I hope my computer is okay :cry:
cyberfreak
Regular Member
 
Posts: 32
Joined: January 14th, 2006, 10:51 pm

Unread postby amateur » January 29th, 2006, 9:12 am

Hi Cyberfreak,

The files you've reported to be running in the Task Manager are essential files, except system.exe, for the Windows to operate They are only harmful when they are running from a different directory than they are supposed to be. In your case, they are running from the correct directory. Your log is clean. Kaspersky report is clean.

I can not find system.exe anywhere in your log. Are you sure about that one? Are you sure that it's not only SYSTEM or System Idle Process?

Please let me know.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Okay

Unread postby cyberfreak » January 29th, 2006, 6:58 pm

It is just listed as System.

I have questions now. Is my system clean? Why does Registry Tool kit say that I have 115 or so errors? How do I fix these errors without having to pay for anything (like buying Registry Toolkit)?
When all this started why was my computer pinging someone, what does that mean, and why was my calc opening and closing of its own accord?


I'm currently going to college for Network and Security Management but I haven't gotten to all the good stuff yet so I don't know any of this fun virus and worm stuff yet. How does it all work, is there a good website that will explain it all?

Why is my floppy drive not working now? I went into Device Manager and it said : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)

>So I did uninstalled and reinstalled and it says the same thing.

You guys are great by the way. What do I have to do to join your University and learn to help others like you guys helped me?
cyberfreak
Regular Member
 
Posts: 32
Joined: January 14th, 2006, 10:51 pm

Unread postby amateur » January 29th, 2006, 7:54 pm

Hi Cyberfreak :D ,

It is just listed as System.
Good. That's harmless.
I have questions now. Is my system clean?
Yes, your system is clean. :thumbright:
Why does Registry Tool kit say that I have 115 or so errors? How do I fix these errors without having to pay for anything (like buying Registry Toolkit)?

I wouldn't know why the Registry Tool Kit says that you have errors. It's not a malware tool, it's a registry tool. One should not play around with the registry unless one knows exactly and very well what he/she is doing.
When all this started why was my computer pinging someone, what does that mean and why was my calc opening and closing of its own accord?
.
It may have been done/caused by the malware.
I'm currently going to college for Network and Security Management but I haven't gotten to all the good stuff yet so I don't know any of this fun virus and worm stuff yet. How does it all work, is there a good website that will explain it all?

This is a very good place to learn. You can join the Malware Removal University, where I was trained. Sign up and start learning.
Why is my floppy drive not working now? I went into Device Manager and it said : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39) So I did uninstalled and reinstalled and it says the same thing.

I would suggest that you visit a forum which deals with hardware and software issues like PCPitStop.
Please let them know you visited this board and tell them that we have given you the all clear as regards to malware. I hope you can get your problem fixed
You guys are great by the way. What do I have to do to join your University and learn to help others like you guys helped me?

Just sign in and start training.

Now that you are clean, or seem to be, please follow these simple steps in order to keep your computer clean and secure.

Reenable Tea Timer
§ Run Spybot-S&D
§ Go to the Mode menu , and make sure "Advanced Mode " is selected
§ On the left hand side, choose Tools -> Resident
§ check "Resident TeaTimer " and OK any prompts

Re-nable MicrosoftAntispyware
Open Microsoft Antispyware
Click on Options > Settings.
In the left pane, click on Real-time Protection
Under Startup Options check Enable the Microsoft Antispyware Security Agents on Startup (recommended)
Under Realtime spyware threat protection check Enable realtime spyware threat protection (recommended)
After you check these, click on the Save button and close Microsoft Antispyware.

Remember to hide your system files again.

Start>My Computer>Tools>Folder Options>View
Under the Hidden files and Folders heading uncheck Show hidden files and folders.
check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
check the Hide file extensions for known file types.
Click OK.

Disable and Enable System Restore If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point. Because Windows regularly sets restorepoints, it's very possible that the malware, you have removed, is still present in the System Restore. If you put Windows back to such a restorepoint, this malware will be put back, as well.

This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.

4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

Reboot normally.

You can also find instructions on how to disable and re enable system restore here:
Windows XP System Restore Guide

And that's all. But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got a antivirus, you can download and install one of the following free ones: Make sure that you have only ONE antivirus running on your computer as more than one would cause conflict and render the computer vulnerable.

AntiVir here
AVG Free here
Avast here

It is essential to keep the anti-virus program fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually I'd recommended doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet. The first time you use it, please set it to perform a full system scan.
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site <http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us> and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them allready):
AdAware here
Spybot here Remember to "immunize" after each update
Microsoft Antispyware here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall (Will be discontinued as from the end of 2005) here
Outposthere
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, f.e. Google Toolbar here: A popup-blocker prevents popup-windows from opening, when you come along a websites that uses them, during internet-surfing.

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust
here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
· Fraudulent claims or scams
· Offensive material
· Security vulnerabilities
· Spyware or Adware
· Spam related material
· or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

• Adult • Spyware • Spam Advertising • Phishing • Possible scam or fraud • Misleading or False Advertising
• Pharming • Rogue or Suspect Product • Adware • Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer thru Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You can not uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, There are some sites that are only accessable with Internet Explorer, fe. most of the Online Malware-scanners.

But above all, keep all your software UP-TO-DATE at all time!!

Also, I would recommend reading the excellent advice by Tony Klein: So how did I get infected in the first place

And, finally, here is a link if you want to do something about it.
Happy and safe surfing. ;)
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: pgmigg and 33 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware