
Some advice sought before posting a HJT log


Post by six-h » September 19th, 2007, 6:54 pm

Just that it is something else to slow down start up!
Does it overwrite each backup, or do you end up with loads of files??

OK, in the meantime, re booting!
six-h
six-h
Banned Member
Posts: 152
Joined: June 7th, 2007, 8:02 pm
Location: England

Post by Katana » September 19th, 2007, 7:19 pm

Post a fresh HJT log and I will look if there is anything you don't need at startup.
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by six-h » September 19th, 2007, 7:48 pm

katana,

OK back up and running. :D

The Reg Edit that you asked me to do, does this take care of all the items in the Totalscan report, 'cos when I tried to D/L ERUNT, IE threw its toys out of the pram, and closed! So I lost the report!! :o

I've looked at the "how did I get infected" link, and comment as follows: -
1)
a) Updates are all current...I think, Microsoft site reckons so anyway!
b)Already running SP2.

2) Downloads: -
Don't use P2P
Can I scan downloaded freeware before opening it to avoid surprises?
3) X tube is as far as I go now!
4) Have AVG Antivirus, will use it after the 6 Month Kaspersky trial finishes.
5) will try Firefox
6) Currently Windows, Have Kerio and will change to that soonest.
7) Have
8.) Will D/L MVPS Hosts and IE Spyad
9) Have Both.
10) Will try Ewido.
11) Will D/L Defender.
12) need to digest this, 'cos I don't understand it yet!

If you follow this advice then (with a bit of luck) you will never have to hear from me again


I agree with your sentiments, but would say that it has been interesting to talk with you, and in that respect, I would welcome further chat, if you ever had the time!!
particularly re - training :)

Something else that I've been advised, is to create a limited user account for general use and web surfing in particular.
Using such an account, can I still download, or would I have to step up to the Admin account to do this?
If so, I can't see the point 'cos it's mostly when downloading that you are at risk.
Or am I missing the point!! :shock:

sorry if I'm keeping you up!! :oops:
six-h

Post by six-h » September 19th, 2007, 7:59 pm

OK katana, here's the HJT Log: -

Logfile of HijackThis v1.99.1
Scan saved at 00:52:46, on 20/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\Geoff Vost\My Documents\Security Progs\AVG AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Geoff Vost\My Documents\highjackthis\Geoff Vost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?auth=DQAAA ... mZ21VbeE9w
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7243283515
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Geoff Vost\My Documents\Security Progs\AVG AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

I cannot imagine where you start to decipher these logs!
It impresses the **** out of me! 8)

six-h

Post by six-h » September 19th, 2007, 8:51 pm

Katana,
I think you’ve done the sensible thing, and gone to bed!
Quite right too! :D
I don’t know how you do this and a day job!
You must be knackered in the morning.
Don’t you have a wife or “significant other”

Post by Katana » September 20th, 2007, 7:23 am

Hi six-h,
six-h wrote:The Reg Edit that you asked me to do, does this take care of all the items in the Totalscan report, 'cos when I tried to D/L ERUNT, IE threw its toys out of the pram, and closed!

Yes it does, so no problem there.
six-h wrote:Can I scan downloaded freeware before opening it to avoid surprises?

Most AVs allow you to do this: right-click the file and select "Scan With -AV Name-".
six-h wrote:I agree with your sentiments, but would say that it has been interesting to talk with you, and in that respect, I would welcome further chat, if you ever had the time!!
particularly re - training

Just start a topic in the General Discussion room, you will get comments from all the members :)
six-h wrote:Something else that I've been advised, is to create a limited user account for general use and web surfing in particular.
Using such an account, can I still download, or would I have to step up to the Admin account to do this?
If so, I can't see the point 'cos it's mostly when downloading that you are at risk.

You can download just the same; mainly, a user account won't allow you to install programs or change important settings.
This helps stop the nasties doing things without you knowing.
six-h wrote:Depending on your verdict, I guess that my next job should be to create another image.
Which begs the question, if there are other separate earlier images on my external disk, is cross infection possible?
Logic says no, (God! shades of Little Britain!!) since each image is a separate and isolated volume, would you agree?

If the machine was infected when you did the image, then the image will have the infection.

I have looked at your startups, and this list shows the items that are either not needed or users choice (this means that some people use it but most don't)
I have included a link, so you can see what each does.
There are two ways to stop them (there are more ways, but I feel these are the best :) )

1) Run HJT and put a check mark next to each Item, then click "Fix Selected"
This will remove them, however it is not the easiest way of getting them back if you make a mistake.

2) Winpatrol ---- Winpatrol.com
This is a startup manager program. It has a free version which is very good and will suit your needs.
Simply install it, and when it runs select the "Startup Programs" tab.
Highlight each item you want to stop from startup and click "Disable".
If you find at some point you need the program then all you have to do is click "Enable"
It will also tell you if anything is trying to add itself to startup, so it is a useful line of defense.

O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START <<<< See HERE for more details
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe" <<<< See HERE for more details
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe <<<< See HERE for more details
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe <<<< See HERE for more details
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe <<<< See HERE for more details
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe <<<< Provides functions for special keys on your keyboard
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd <<<< See HERE for more details
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe <<<< See HERE for more details
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe <<<< See HERE for more details
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <<<< See HERE for more details
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" <<<< See HERE for more details
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime <<<< See HERE for more details
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe <<<< See HERE for more details
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 <<<< See HERE for more details
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe <<<< See HERE for more details
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe <<<< See HERE for more details
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe <<<< See HERE for more details
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <<<< See HERE for more details
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe <<<< See HERE for more details
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

These two are not needed, but if you remove them then they will put themselves back.
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe <<<< See HERE for more details
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" <<<< See HERE for more details
(Winpatrol will help with these two as well)
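The log six-h posted above and Katana's list of startup items are both in the same HijackThis format: every entry is a section code (R0, O2, O4, O9, O23 and so on), a dash, and the entry body, with the O4 lines naming the autostart location, the value or shortcut name, and the command that runs. The Python below is an added example, not part of this thread and not HijackThis's own code; it parses a log in that format, breaks the O4 entries out into location, name and command (the view Katana works from when deciding what is needed at startup), and flags the lines a reviewer usually checks first: entries pointing at a file that no longer exists, Run values with no full path (so which executable actually runs depends on the search order at logon), and services whose owner the tool could not identify. The sample input is a constructed excerpt of the log posted above; the flag names and the "qualified path" rule are this example's own assumptions.

```python
"""Parse a HijackThis (HJT) log and pull out the entries a reviewer looks at first.

Added example, not part of the MalwareRemoval.com thread or of HijackThis.
Assumed format (as visible in the thread): each entry is "<code> - <body>".
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 00:52:46, on 20/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 registry form:  HKLM\..\Run: [Value name] command line
O4_RUN_RE = re.compile(r"^(?P<where>HK(?:LM|CU)\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 folder form:    Startup: shortcut.lnk = target
O4_FOLDER_RE = re.compile(r"^(?P<where>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Assumed rule: a command is "qualified" when it starts with a drive letter or an %ENV% root.
QUALIFIED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)')


@dataclass
class Entry:
    code: str   # HJT section code, e.g. "O4"
    body: str   # everything after "O4 - "
    flags: list[str] = field(default_factory=list)


def split_autostart(body: str) -> dict[str, str] | None:
    """Break an O4 body into where/name/cmd; None if the form is not recognised."""
    m = O4_RUN_RE.match(body) or O4_FOLDER_RE.match(body)
    return m.groupdict() if m else None


def parse_hjt(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, the running-process list and blanks
        e = Entry(m["code"], m["body"])
        if "(file missing)" in e.body or "(no file)" in e.body:
            e.flags.append("dangling")  # hook whose target file is gone
        if e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("unknown-owner")  # service binary without a recognised vendor
        if e.code == "O4":
            a = split_autostart(e.body)
            if a and not QUALIFIED_RE.match(a["cmd"]):
                e.flags.append("unqualified-path")  # resolved via the search path at logon
        entries.append(e)
    return entries


def autostart_entries(entries: list[Entry]) -> list[dict[str, str]]:
    """The O4 lines in structured form, in log order (unrecognised forms kept raw)."""
    out = []
    for e in entries:
        if e.code == "O4":
            out.append(split_autostart(e.body) or {"where": "?", "name": "?", "cmd": e.body})
    return out


def flagged(entries: list[Entry]) -> list[Entry]:
    return [e for e in entries if e.flags]


def section_counts(entries: list[Entry]) -> dict[str, int]:
    return dict(Counter(e.code for e in entries))


def report(text: str) -> str:
    entries = parse_hjt(text)
    lines = [f"{code}: {n}" for code, n in sorted(section_counts(entries).items())]
    lines.append("-- autostart (O4) --")
    for a in autostart_entries(entries):
        lines.append(f"{a['where']:<15} {a['name']:<28} {a['cmd']}")
    lines.append("-- review first --")
    for e in flagged(entries):
        lines.append(f"[{', '.join(e.flags)}] {e.code} - {e.body}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a full log saved to a file (replace SAMPLE_LOG with the file's contents) and the "review first" section gives the short list to look up before touching anything; the "autostart" table is the same set of items Katana annotates above, so it is a convenient place to note which ones are vendor updaters or hotkey helpers and which ones you cannot account for.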

Post by six-h » September 20th, 2007, 8:06 am

Hi katana,
Good to hear that the Totalscan items are taken care of. :)

I've just tried the disinfect function, and it won't work unless you pay for the Pro version so you can close that page.
We will have to do it the old fashioned way

So what's the point in using the free version, other than to worry you into buying the licence? :?

Pleased that I can scan D/L files before opening them, and that I can still D/L using a "User Account", I'll set one up. :)


If the machine was infected when you did the image, then the image will have the infection.

I think you misunderstood me.
OK an image of an infected system will be infected on the drive that it is copied to, but will a further image of a clean system, copied to the same external drive that still holds the previous image, become contaminated?

Fact is, on my ext Disk, I have three images.
1) Image of the system just prior to installing SP2 (PC not up to then connected to the internet)
2) Image of system immediately after installing SP2 (still not yet connected to the internet)
3) Image of the system immediately after my previous visit to the malware forum, and Benyac cleaned the system.(At this point the PC was internet connected, and it seems that there was some undetected residual MBS crap still there)
It is this residual stuff I'm worried about.

Thanks for the tip re Winpatrol, I'll use that!
I'll also study the links that you kindly provided against the startup items. :D

I was up last night till 3:45, trying (and failing) to get my home page to "stick", I'm certain that the problem lies with whatever triggers the "secure/non-secure items" warning. I never used to get that.
Do you or your colleagues have any ideas what I can do? It's driving me mad!! :evil:

six-h

Post by Katana » September 20th, 2007, 8:43 am

six-h wrote:So what's the point in using the free version, other than to worry you into buying the licence? :?

The free version tells you where any nasties are lurking, so you can remove them yourself.
It has a very good detection rate and picks up a lot of things that other scanners miss.
six-h wrote:OK an image of an infected system will be infected on the drive that it is copied to, but will a further image of a clean system, copied to the same external drive that still holds the previous image, become contaminated?

I see what you mean. It's very unlikely that an image will infect another image. Any malware in the image would not be "live" until you reinstalled the image.
six-h wrote:I was up last night till 3:45, trying (and failing) to get my home page to "stick", I'm certain that the problem lies with whatever triggers the "secure/non-secure items" warning. I never used to get that.
Do you or your colleagues have any ideas what I can do? It's driving me mad!! :evil:

I can ask for you, or you could ask yourself in the general discussion room.
It is not a malware issue and you will probably get a quicker response, so that is the best place for it.
Open a topic with the title "IE not saving cookies" or something similar.
You will also get to meet the other folks that lurk round here :)

K'

Post by six-h » September 20th, 2007, 9:56 am

katana,
sorry for the delay in responding to you, I didn't realise that I had closed Outlook Express when I was messing about with this gmail problem.
getting there slowly, but I will take your advice and post in the general discussion room.

Point taken re totalscan, as long as you are competent to remove the nasties yourself!

Good news re the images, I was not bothered if I have to delete the last one, but was worried in case the Pre and Post SP2 images could have become contaminated, though since everything is working OK 6 months after installing SP2, I don't think that these images have any value anymore!

Can I take it that I'm now clean?
If so, can I clear my desktop of ERUNT, ERUNT.exe, and the various report text files that I've saved there? :)

six-h

Post by Katana » September 20th, 2007, 10:01 am

Hi six-h,
Yes you are good to go now :)
You can delete any logs, and the Erunt install file.
I would recommend that you keep the Erunt program, a regular backup of the registry is always a wise idea.

Post by six-h » September 20th, 2007, 11:22 am

katana,
I wasn't aware that you had just posted!
I was going to ask another question.
whilst rooting around in Internet Options, General, clicking on "settings" under browsing history, then on "View Objects", I found "C:\WINDOWS\Downloaded Program Files" that contains several garishly coloured Java files,(You know the ones I mean).
There are 3 Files with a yellow shield Icon with a ! on it, all labeled "Java Runtime Environment 1.6.0" Right clicking and selecting "Properties" shows each created same time and date, but with slightly different ID strings, but all of them contain 0 bytes! "status installed".

There are a further two "empty" icons there, but they look like a piece of paper with several multicoloured cubes on them.
One is labeled JRE 1.6.0 as the others, and one is labeled "Microsoft data collection control".
Both refer to "Active X control", and have different ID strings, but the Microsoft one shows "Status Damaged"

Can I delete these?? :?


Re your current posting: -

Good to be sure that I'm clean.
Thank you! :D

Regarding ERUNT, I'll move it from my desk top to "programme Files"
is that OK? :)

six-h

Post by Katana » September 20th, 2007, 12:35 pm

six-h wrote:There are a further two "empty" icons there, but they look like a piece of paper with several multicoloured cubes on them.
One is labeled JRE 1.6.0 as the others, and one is labeled "Microsoft data collection control".
Both refer to "Active X control", and have different ID strings, but the Microsoft one shows "Status Damaged"

Can I delete these?? :?

You can delete them, if and when you need them you will be prompted to reinstall them.
six-h wrote:Regarding ERUNT, I'll move it from my desk top to "programme Files"
is that OK? :)

Yes, no problem there

Post by six-h » September 20th, 2007, 1:23 pm

OK katana,

I won't pester you any more!
Thank you for all your help and advice,
and for the peace of mind! :D

You have got me thinking about enrolling! if they'd have me! :roll:

six-h

Post by Katana » September 20th, 2007, 3:46 pm

six-h wrote:You have got me thinking about enrolling! if they'd have me! :roll:

You would be more than welcome. There are people from all walks of life doing this job, from teenagers at school to retired people.
How much you already know about computers is irrelevant, you will pick up the knowledge as you progress.

There is a topic at Safer Networking forums (the home of Spybot S&D) about becoming a helper.
Here are the comments I made
http://forums.spybot.info/showthread.php?t=10777&page=2
Hi folks, just a quick note for anyone interested in learning.

As a member of one of the schools mentioned, I know for a fact what the training is like --- HARD WORK
I am not saying this to discourage anyone but to let you know what you are letting yourselves in for.
The whole process is time consuming.
I started learning in November '06 and was let loose on the public June '07
There is a lot to learn and, because the bad guys are always changing their tactics, I guess I will never stop learning.
Having said all that though, when you do start helping in the forums, that first "Thank you" makes it all worth while,
and we do tend to have a laugh and enjoy ourselves while training.
It doesn't matter what your computer knowledge is; all you need is an interest in learning and a wish to help people.
So if you are still interested, sign up to one of the schools and join the gang.

Post by NonSuch » September 20th, 2007, 4:10 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
