Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

To the Attention of "Askey 127" please

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

To the Attention of "Askey 127" please

Unread postby fpalsson » July 31st, 2005, 12:41 pm

HI, I'm back from vacation :)
Do you remember helping me before?
I just ran a new Hijack This and here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:41 AM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\pqoppa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Felicia Palsson\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.independent.co.uk/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I am still experiencing the following problems:
1. pop-up's while IE is running (believe it or not, never happened before this malware infection that we were working on)
2. Outlook Express is missing. My efforts to restore it based on the Microsoft support page instructions have failed.
3. the file we were working on trying to delete? "pqoppa" ? it's still in the log.

If you have time to continue helping me I would much appreciate it!!!!!!!
You're the best!!
Thanks,
Felicia
fpalsson@slis.sjsu.edu
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am
Advertisement
Register to Remove

Unread postby askey127 » July 31st, 2005, 8:14 pm

fpalsson,

I'll be glad to help.
Because this was a new thread, I didn't get an e-mail about your post. Anyway it's fine.
Looking into the best way to get rid of pqoppa. We should be able to do it.
Be back shortly.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby askey127 » July 31st, 2005, 8:27 pm

fpalsson,
------------------------------------------------------------
Remove Process, Reg Entry and File
Download Process Explorer from http://www.sysinternals.com/Utilities/ProcessExplorer.html

Run Process Explorer and find the Process "pqoppa.exe" in the list of Processes. Select the process and click Process > Suspend.

Then in HijackThis, click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file C:\WINDOWS\system32\pqoppa.exe
When prompted if you want to reboot click YES

Leave Process Explorer running with the process suspended.
Do not terminate Process Explorer before reboot.

After the reboot check the following item in HijackThis.
Close ALL windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run

Reboot one more time and let's have a look at the log.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Confusion, major.

Unread postby fpalsson » August 1st, 2005, 1:12 am

OK, I followed the instructions. Here's the log. It's still there.
Some interesting things happened while I was carrying out the instructions...
First of all, when I ran Process Explorer, there was a message that Windows did not have the correct symbol download or something. Then, pqoppa was not to be found in the Windows\System32 folder. Instead it was in something called Windows\Prefetch. I had to search for it.
Also, upon each reboot my computer announced that Norton Anti-virus was turned off and that I should click a balloon to turn it back on. (??)

What is going on? I am so confused. Can you explain what is happening.
Log follows below. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 10:09:12 PM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rutr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Felicia Palsson\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.independent.co.uk/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am

Unread postby askey127 » August 1st, 2005, 6:20 am

fpalsson

There are some files keeping this alive.
We need to locate and delete them.
Now we are looking at the possibilityof a Qoologic infection. Ewido will frequently kill it, or at least identify and get most of it.
-----------------------------------------------------------
Please download, install, and update the free version of Ewido trojan scanner:
http://www.ewido.net/en/download/
* Install ewido security suite
* When installing, under "Additional Options", UNCHECK "Install background guard" and UNCHECK "Install scan via context menu."
* Launch ewido, there should be a big "E" icon on your desktop, double-click it.
* The program will prompt you to update; click the "OK" button

* The program will now go to the main screen

Update ewido:
You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click update
* Click on Start
* The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up.
-----------------------------------------------------------
Important!! Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
The scan may take a while. Make sure it finishes.

Now Run Ewido

* Click on scanner
* Click on Settings
o Under "How to scan" all boxes should be selected
o Under "Possibly unwanted software" all boxes should be selected
o Under "What to scan" select scan every file
o Click OK
* Click on Complete system scan
* Let the program scan the machine
* If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. I will let you know if ewido needs to be run again.

Save and Post Your Report:
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

* Click Save report
* Save the report to your desktop

* Exit ewido
Reboot, post the Ewido report and a new HJT log in your reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

2 more reports

Unread postby fpalsson » August 1st, 2005, 10:51 pm

okay, here are my 2 new reports.
i think it's ironic that ewido said there's no reason to panic.
i have been panicking for a couple weeks now. with each new failed attempt my panic grows.
my continued thanks...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:33:40 PM, 8/1/2005
+ Report-Checksum: 5BD47E8C

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\SYSTEM32\pqoppa.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\SYSTEM32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitelrr32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitegdy32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\redtrsha.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\SYSTEM32\richup.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\SYSTEM32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\wgvww.dat -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\SYSTEM32\kalkkfa.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\SYSTEM32\dxoddcx.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\SYSTEM32\erbee.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\SYSTEM32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsm10B.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\pop.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\exp -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\SYSTEM32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitelos32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\temperror32.dat -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitemdy32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitebvx32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\jzjzmrsr.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\sbsxzp.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0029.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
C:\!Submit\pqoppa.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\Eudora2\attach\FL07Aa01.htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rutr.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\Felicia Palsson\Cookies\felicia palsson@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP293\A0027583.dll -> Spyware.WebEx : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027603.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027607.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027616.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027620.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027621.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027632.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027633.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027634.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027635.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027636.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027638.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027639.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027641.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP294\A0027646.exe -> TrojanDownloader.Qoologic.v : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP296\A0027669.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP296\A0027670.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP297\A0027679.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP301\A0028764.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP305\A0031154.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP311\A0031609.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{9463D75D-4D7D-4F6B-83EC-17EEA0F75395}\RP311\A0031610.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
D:\WINDOWS\Temporary Internet Files\Content.IE5\3EWZZTWP\size=1x1&affiliate=efanguide&channel=filmtv&subchannel=alsoplaying&Network=affiliates&rating=pg13[1].htm -> Spyware.BookedSpace : Cleaned with backup
D:\WINDOWS\Cookies\felicia palsson@ehg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\WINDOWS\Cookies\felicia palsson@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
D:\WINDOWS\Cookies\felicia palsson@ehg.hitbox[3].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\WINDOWS\Cookies\felicia palsson@ehg-uniontrib.hitbox[5].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\Eudora_072005\attach\FL07Aa01.htm -> Spyware.BookedSpace : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 7:39:15 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Felicia Palsson\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.independent.co.uk/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am

Unread postby askey127 » August 2nd, 2005, 5:46 am

fpalsson,

Much better. No panic. Now we have a decent chance that HJT will remove the O4 line, and it will stay gone.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run

Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
Run CCleaner. Choose the Windows tab. Check everything EXCEPT cookies and the Advanced part of the menu. Choose Run Cleaner. This process could take a while. When cleaning is finished, click Exit.
-----------------------------------------------------------
Disable WinXP System Restore
Disable your System Restore to remove malware files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files. You will also lose all previous restore points which are likely to be infected.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
-----------------------------------------------------------
After the Reboot,
Enable WinXP System Restore
- Right-click My Computer, and then click Properties.
- On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
The disable/re-enable System Restore sequence is not to be done regularly, but only once after the removal of malware.
-----------------------------------------------------------
Post a New HJT Log
Start HijackThis. Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

latest HJT log

Unread postby fpalsson » August 2nd, 2005, 9:37 pm

okay, once again I followed all the instructions.
one thing was different, when I disabled System Restore, it did NOT prompt me to restart. So I restarted on my own. otherwise everything seemed okay.

Here's the newest log:
Logfile of HijackThis v1.99.1
Scan saved at 6:35:26 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Felicia Palsson\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.independent.co.uk/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


How are we doing now? (she asks hopefully.)
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am

Unread postby askey127 » August 2nd, 2005, 10:31 pm

fpalsson,

Looks Good. Just a couple more things to clean up. Better print this Instruction out, or make a notepad text file for your desktop, since Internet won't be available in Safe Mode. I am making this an extra long post, because I don't want any delay in getting the protective programs installed. You can handle this OK.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list.
-----------------------------------------------------------
File and Folder Deletion.
Be sure you can see all files. In Windows Explorer, navigate to these files, and Delete each/any one that is present:
These are the files found by Ewido. Don't know if they were actually REMOVED by Ewido. They may all be gone.
C:\WINDOWS\SYSTEM32\pqoppa.exe
C:\WINDOWS\SYSTEM32\PSof1.exe
C:\WINDOWS\SYSTEM32\elitelrr32.exe
C:\WINDOWS\SYSTEM32\elitegdy32.exe
C:\WINDOWS\SYSTEM32\redtrsha.dll
C:\WINDOWS\SYSTEM32\richup.exe
C:\WINDOWS\SYSTEM32\supdate.dll
C:\WINDOWS\SYSTEM32\wgvww.dat
C:\WINDOWS\SYSTEM32\kalkkfa.dll
C:\WINDOWS\SYSTEM32\dxoddcx.exe
C:\WINDOWS\SYSTEM32\erbee.dll
C:\WINDOWS\SYSTEM32\dist001.exe
C:\WINDOWS\SYSTEM32\nsm10B.dll
C:\WINDOWS\SYSTEM32\pop.exe
C:\WINDOWS\SYSTEM32\exp
<----- Could also be exp.bat or exp.com
C:\WINDOWS\SYSTEM32\SSK3_B5 Seedcorn 4.exe
C:\WINDOWS\SYSTEM32\elitelos32.exe
C:\WINDOWS\SYSTEM32\temperror32.dat
C:\WINDOWS\SYSTEM32\elitemdy32.exe
C:\WINDOWS\SYSTEM32\cxtpls_loader.exe
C:\WINDOWS\SYSTEM32\elitebvx32.exe
C:\WINDOWS\jzjzmrsr.exe
C:\WINDOWS\sbsxzp.exe
C:\WINDOWS\Downloaded Program Files\pcs_0029.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\cfgmgr52\EECH1.bsx
C:\WINDOWS\cfgmgr52\SPZ3.bsx
C:\WINDOWS\AuroraHandler.dll
C:\Program Files\CasStub\casstub.exe
C:\Eudora2\attach\FL07Aa01.htm
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rutr.exe

If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Note the name and location of any file you cannot delete.

Then Delete the following folder
C:\Program Files\CasStub

The folder C:\!Submit\ is a folder created to save backups of malicious files, for deletion or for analysis submission. After you are satisfied your machine is clean, you can delete this folder, then empty the recycle bin.
-----------------------------------------------------------
Run CCleaner. Choose the Windows tab. Check everything EXCEPT cookies and the Advanced part of the menu. Choose Run Cleaner. This process could take a while. When cleaning is finished, click Exit.
-----------------------------------------------------------
Empty The Recycle Bin.
-----------------------------------------------------------
Reboot the Machine into Normal Mode.

If things look OK, proceed with these following protections for a clean machine:
-----------------------------------------------------------
Download and Install a HOSTS File
Available from here : http://www.mvps.org/winhelp2002/hosts.htm
This will block access to thousands of malicious websites. If you use a proxy server or if you are on AOL, be sure to read the special instructions.
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After you install it, check for updates and Enable all Protections.
-----------------------------------------------------------
Install IE-SPYAD Find it here: https://netfiles.uiuc.edu/ehowes/www/resource.htm
IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Once you merge this list of sites and domains into the Registry, the web sites for these companies will not be able to use cookies, ActiveX controls, Java applets, or scripting to compromise your privacy or your PC while you surf the Net. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC.
-----------------------------------------------------------
Install WinPatrol - Download and Install WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.
-----------------------------------------------------------
Secure your Internet Explorer . Do this even if you mostly use Firefox.
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to - Prompt
- Change the Navigate sub-frames across different domains to - Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Press the Apply button and then the OK to exit the Internet Properties page.

Update all these programs and your Windows XP regularly - Without regular updates you will not be protected when new malicious programs are released.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

thanks a million!

Unread postby fpalsson » August 3rd, 2005, 9:46 pm

I wish I had a million dollars to give you. I don't, but I'll be sure to donate something to this site. My computer is healed!! I thank you so much.
I just have a few more questions, before I install the recommended software.

1. On the advice of a computer-geek-friend, I hooked up a router to my computer to mediate between me and my cable service. Will this effect the process of any of those downloads you recommended (hosts file, spywareblaster, IE-SPYAD, Winpatrol)??

2. Is there *any* way I can retrieve the email that was stored in Outlook Express before it was lost? Is there any way I can retrieve Outlook Express?
(I don't care as much about the program itself, simply the emails I lost that were stored in its mailboxes.)

3. Assuming 2 is "no" then do you recommend another email software program?

4. Last but not least, what is your opinion of AVG anti-virus? I've been using Norton but I really want to find something good that is free, if possible.

Thank you so so so much!
Felicia
fpalsson@slis.sjsu.edu
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am

sorry- one more question

Unread postby fpalsson » August 3rd, 2005, 9:58 pm

are there similar changes I should make to Firefox settings (now that I'm running it) like the ones for IE?
thanks again.
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am

Unread postby askey127 » August 3rd, 2005, 10:21 pm

fpalsson,
Answers, best I can, to your questions:
1) The router should not have any adverse effect on downloads.

2) I do not have the expertise to advise you on this subject. You might check with http://www.pcpitstop.com/. They have a lot of experience with this kind of system issue.

3)Have a look at Thunderbird here: http://www.mozilla.org/products/thunderbird/. There are others as well. I don't know whether Thunderbird tries to retrieve any OE files.

4)AVG Anti-Virus works well. There are also several other good, free AV's, including Avast and AntiVir. The main issue with some free AV's is that the update downloads are S-L-O-W, otherwise fine.

Best of Luck,
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Nick-YF19 » August 14th, 2005, 4:33 am

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 494 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware