
Fighting CWS all day, CWS gone, spy sweeper



#1 damselindistress


Posted 28 May 2005 - 01:23 PM

Hi. I give you guys an incredible amount of credit for dealing with this stuff all the time. I can't tell you how many tears have been shed already from this! I had CWS, which was caught by spy sweeper as some files were loaded to start at startup, links were added to favorites, home page was switched and home page hijack popped up constantly. I used the CWShredder and followed the home search assistant / CWS_NS3 removal / backdoor BDD guide on this site. The CWS seems to be gone, and after using the antivirus Kaspersky the Lavasoft adware and spysweeper show all clear.

Unfortunately the home page shield and hijack shield are still popping up warnings repeatedly, my wallpaper seems to turn to white, and a yellow warning icon is still blinking and popping up messages.

When I followed the guide, I had a few problems:

Step 2: didn't see any of the services, but did see Remote Procedure Call (RPC) Locator (assumed it wasn't the problem ...). Comparing my Laptop (the problem) with the home PC, a few services were "extra" in mine: IAP, internet connection firewall, DLT, deventagent, actionagent, win32sl

Step 3: didn't see any of the processes. The processes were: taskmgr, explorer, svchost, lsass, services, winlogon, csrss, system, system idle process system

Step 5 & 6: couldn't find any of the files

Looks like it was a complete failure, but again the CWS seemed to go away.

The problem is that after fixing with the hijackthis, the R1 and R0 came right back, so obviously I haven't deleted the process yet.

Here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 1:58:02 AM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\msole32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\clrprv.oo\server.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Waktu Solat\waktusolat.exe
C:\Documents and Settings\hassan-odierno\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFFC2.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [pcServer] C:\WINDOWS\System32\clrprv.oo\server.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Startup: Shortcut to waktusolat.lnk = C:\Waktu Solat\waktusolat.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://aboutpageproduction.mercer.com
O15 - Trusted Zone: http://home.mercer.com
O15 - Trusted Zone: http://intranet.mercer.com
O15 - Trusted Zone: http://intranetapp.mercer.com
O15 - Trusted Zone: http://mercerdesktop.mercer.com
O15 - Trusted Zone: http://ukc.mercerdesktop.mercer.com
O15 - Trusted Zone: http://ukl.mercerdesktop.mercer.com
O15 - Trusted Zone: *.mercer.com
O15 - Trusted Zone: http://*.wmel2aap01
O15 - Trusted Zone: *.mercer.com (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A79FFEA-ED3F-46A5-A264-8AEBC1DA83B8}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mercer.com
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

As you can see the R0, R1 and O2 pieces came right back.

So, any ideas? Thank you in advance for all your help. I hope you know how much help you've given to so many people and how appreciative we are! (If you don't see me giving a contribution, remind me - you deserve it!)



#2 g2i2r4


Posted 28 May 2005 - 08:31 PM

Welcome damselindistress to Bleeping Computer.

Please disable SpySweeper. It will get in the way of us cleaning up.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!


Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\System32\clrprv.oo\server.exe
C:\WINDOWS\System32\hpFFC2.tmp


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFFC2.tmp

O4 - HKLM\..\Run: [pcServer] C:\WINDOWS\System32\clrprv.oo\server.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.


Life is what happens while you're making other plans

#3 damselindistress


Posted 29 May 2005 - 02:16 AM

Thank You! Looks better now, though the results of the scan were a bit worrying.

Virus scan results:


Incident Status Location

Virus:Trj/Cloak.A Disinfected Operating system
Adware:Adware/CWS No disinfected C:\Documents and Settings\hassan-odierno\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\hassan-odierno\Favorites\Black Jack Online.url
Adware:Adware/Virmaid No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\hassan-odierno\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\hassan-odierno\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\hassan-odierno\Favorites\Network Security.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\hassan-odierno\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\hassan-odierno\Favorites\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\hassan-odierno\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM32\hhk.dll
Virus:Trj/Cloak.A Disinfected C:\WINDOWS\SYSTEM32\oleadm.dll
Adware:Adware/Virmaid No disinfected C:\WINDOWS\SYSTEM32\perfcii.ini
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM32\winnook.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\WNSPOO~1.EXE

Most of them looked like leftovers from before (hopefully I can delete them and that will be that), but the last few looked worrying!

Results of the hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 3:06:12 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Waktu Solat\waktusolat.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\hassan-odierno\Desktop\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Startup: Shortcut to waktusolat.lnk = C:\Waktu Solat\waktusolat.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A79FFEA-ED3F-46A5-A264-8AEBC1DA83B8}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mercer.com
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Looks much better now!

Are we out of the woods?

My normal procedure is to keep spy sweeper resident, and run spybot and lavasoft once a week, and we have McAfee. Do you think this is sufficient protection? (I know, don't go on adult sites - it seriously isn't worth the effort!)

Thank you very much!!!!!
:thumbsup:
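Added example, not part of the original posts: a small Python script that parses HijackThis entry lines, checks whether entries from a fix list are still present in a later log (the "R0/R1 came right back" symptom from post #1), and diffs two logs. The sample logs are short excerpts of the two logs posted above; the function names are assumptions made for this illustration.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O23)
# followed by " - ". Header lines and the "Running processes" list do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the set of (section, body) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries


def _sort_key(entry):
    # Sort by section letter, then numeric section id, then entry text.
    section, body = entry
    return (section[0], int(section[1:]), body.lower())


def diff_logs(before_text, after_text):
    """Entries that disappeared from, or appeared in, the later log."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": sorted(before - after, key=_sort_key),
        "added": sorted(after - before, key=_sort_key),
    }


def still_present(fix_list_text, later_log_text):
    """Entries from a fix list that show up again in a later log."""
    wanted = parse_entries(fix_list_text)
    return sorted(wanted & parse_entries(later_log_text), key=_sort_key)


# Excerpt of the first log in this thread (post #1), shortened for the example.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:58:02 AM, on 5/29/2005

Running processes:
C:\WINDOWS\System32\intmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFFC2.tmp
O4 - HKLM\..\Run: [pcServer] C:\WINDOWS\System32\clrprv.oo\server.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
"""

# Excerpt of the second log (post #3), shortened for the example.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:06:12 PM, on 5/29/2005

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
"""

# Subset of the entries post #2 asked to be fixed.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFFC2.tmp

O4 - HKLM\..\Run: [pcServer] C:\WINDOWS\System32\clrprv.oo\server.exe
"""

if __name__ == "__main__":
    for section, body in still_present(FIX_LIST, AFTER_LOG):
        print("STILL PRESENT:", section, "-", body)
    changes = diff_logs(BEFORE_LOG, AFTER_LOG)
    for section, body in changes["removed"]:
        print("removed:", section, "-", body)
    for section, body in changes["added"]:
        print("added:  ", section, "-", body)
```

The Java updater entry shows up as both removed and added because its path changed from jre1.5.0_01 to jre1.5.0_02 between the two logs, so an exact-match diff reports version bumps as well as cleaned entries.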

#4 g2i2r4


Posted 29 May 2005 - 06:42 AM

Let's get rid of the rest.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files.
Don't use it yet.

***

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\hassan-odierno\Favorites\Online Gambling\Online Gambling.url
C:\Documents and Settings\hassan-odierno\Favorites\Black Jack Online.url
C:\Documents and Settings\hassan-odierno\Favorites\Black Jack Online.url
C:\Documents and Settings\hassan-odierno\Favorites\Home Loan.url
C:\Documents and Settings\hassan-odierno\Favorites\Network Security.url
C:\Documents and Settings\hassan-odierno\Favorites\Online Gambling\Online Gambling.url
C:\Documents and Settings\hassan-odierno\Favorites\Online Gambling.url
C:\Documents and Settings\hassan-odierno\Favorites\Online Pharmacy.url
C:\WINDOWS\SYSTEM32\hhk.dll
C:\WINDOWS\SYSTEM32\oleadm.dll
C:\WINDOWS\SYSTEM32\perfcii.ini
C:\WINDOWS\SYSTEM32\winnook.exe
C:\WINDOWS\SYSTEM32\WNSPOO~1.EXE


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Reboot to Safe Mode again.

***

Run Ewido, and run a full scan. Save the logfile from the scan.

***

Post back here with the scanlog from Ewido.


Life is what happens while you're making other plans

#5 damselindistress


Posted 29 May 2005 - 08:32 AM

Thanks again. Done. Not impressed with the virus scan - still found stuff. It's funny that different programs find different things.


Here's the log:

--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:26:04 PM, 5/29/2005
+ Report-Checksum: D14FBA98

+ Date of database: 5/29/2005
+ Version of scan engine: v3.0

+ Duration: 77 min
+ Scanned Files: 129103
+ Speed: 27.62 Files/Second
+ Infected files: 39
+ Removed files: 39
+ Files put in quarantine: 39
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\hassan-odierno\Cookies\hassan-odierno@bravenet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\hassan-odierno\Cookies\hassan-odierno@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\hassan-odierno\Desktop\HijackThis\backups\backup-20050528-215625-137.dll -> Trojan.Puper.g -> Cleaned with backup
C:\Documents and Settings\hassan-odierno\Desktop\HijackThis\backups\backup-20050529-015428-371.dll -> Trojan.Puper.g -> Cleaned with backup
C:\Documents and Settings\hassan-odierno\Desktop\HijackThis\backups\backup-20050529-121721-556.dll -> Trojan.Puper.g -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP642\A0118326.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP642\A0118369.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP643\A0118390.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118476.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118477.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118478.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118479.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118480.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118481.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118482.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118483.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118484.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118485.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118486.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118487.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118488.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118489.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118490.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118491.exe -> TrojanDownloader.Zlob.i -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118492.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118493.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118494.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118495.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118502.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118515.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118531.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0118625.exe -> Trojan.Puper.h -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0118627.exe -> Trojan.Puper.g -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0118628.exe -> Spyware.Agent.dn -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0118767.dll -> Spyware.MaidBar -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0120225.dll -> TrojanDownloader.Agent.ns -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0120248.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0120250.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnMY1865.exe -> Dialer.Generic -> Cleaned with backup


::Report End


Are we set?

Just two other questions -

1. What should I do to ensure no problems in the future? (what if we don't have a virus scan program on one of our computers?)

2. The desktop wallpaper seems to be blanked over by a file c:/windows/desktop.html, but I couldn't find the file. Any ideas?

Thanks in advance!

#6 g2i2r4

g2i2r4

    Malware remover



Posted 29 May 2005 - 09:25 AM

Let's see if we can get the desktop working again.

Download the following file and unzip it to your desktop. Then double-click it and grant permission to merge the registry entries.

restoretool

***

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.




I'll post you some suggestions on how to keep your computers clean when we are done.

Edited by g2i2r4, 29 May 2005 - 09:26 AM.



Life is what happens while you're making other plans
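Added example, not part of any post in this thread: a short Python triage of a scan report in the `path -> detection -> action` format shown above, separating hits that sit inside System Restore snapshots (the `_restore{GUID}\RPnnn` folders that the reset above clears) from hits on the live file system. The sample lines are copied from the report posted earlier; the function names are illustrative.

```python
import re
from collections import Counter

# Lines copied from the scan report posted earlier in this thread.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP644\A0118502.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0118625.exe -> Trojan.Puper.h -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP645\A0120250.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnMY1865.exe -> Dialer.Generic -> Cleaned with backup
::Report End
"""

# One report entry: <path> -> <detection name> -> <action taken>
ENTRY = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) -> (?P<action>.+)$")
# System Restore keeps its snapshots under _restore{GUID}\RP<number>\
RESTORE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I
)

def parse_report(text):
    """Return one dict per detection line; markers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        rp = RESTORE.search(m["path"])
        entries.append({
            "path": m["path"],
            "name": m["name"],
            "action": m["action"],
            "restore_point": rp.group(1) if rp else None,
        })
    return entries

def triage(entries):
    """Split detections into restore-point copies, live files and unresolved items."""
    by_rp = Counter(e["restore_point"] for e in entries if e["restore_point"])
    live = [e for e in entries if e["restore_point"] is None]
    unresolved = [e for e in entries if not e["action"].lower().startswith("cleaned")]
    return {"restore_points": dict(by_rp), "live": live, "unresolved": unresolved}

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("Detections per restore point:", result["restore_points"])
    for e in result["live"]:
        print("Live file system hit:", e["path"], "->", e["name"])
```

Entries with a restore point are backup copies that disappear when System Restore is reset; the `live` list is what still needs attention on the running system.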

#7 damselindistress

damselindistress
  • Topic Starter


Posted 29 May 2005 - 10:20 AM

Hi. Didn't fix the desktop wallpaper unfortunately. The wallpaper comes up fine, then at the very end of startup the empty html page blanks the wallpaper out. It used to have flashes from the CWS, so it must be a "leftover" somewhere.

#8 g2i2r4

g2i2r4

    Malware remover



Posted 29 May 2005 - 10:53 AM

Download and Save Spywadfix to your computer from this link:
http://www.thespykiller.co.uk/files/spywadfix.exe.

It will automatically extract to c:\spywad where it needs to be to run and will automatically open the remove spywad.vbs script for you ready to paste in the line mentioned below.
If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run.

It is not malicious.
It will open an Input box. Paste this line into the box

c:/windows/desktop.html

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your windows default desktop and context menu functions.
It will restart Explorer.

***

Once you have done that, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Did this help?


Life is what happens while you're making other plans

#9 damselindistress

damselindistress
  • Topic Starter


Posted 29 May 2005 - 11:05 AM

Hi. It says file not found. Since it doesn't exist the wallpaper is blank. I just can't figure out where it's being called...

#10 g2i2r4

g2i2r4

    Malware remover



Posted 29 May 2005 - 12:22 PM

Have you tried running Other Profiles Regfix.vbs?

Also try this:
Open Display Properties > Desktop tab. Choose a wallpaper and apply. Close Display Properties. To see the change, click on the desktop and press F5.


Life is what happens while you're making other plans

#11 damselindistress

damselindistress
  • Topic Starter


Posted 30 May 2005 - 10:47 AM

Hi. No luck. Seems like such a simple problem, but quite frustrating! Any last ideas?

#12 g2i2r4

g2i2r4

    Malware remover



Posted 30 May 2005 - 03:25 PM

* Please right-click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
For some time it will look like nothing is happening. Just keep waiting.
Once it's done it will create a log. A window will come up telling you when it's saved.

If it won’t run:
Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
In the command prompt use this command:

assoc .vbs=VBSFile

Note the space behind assoc.

That should get Silent Runners on the way.


Life is what happens while you're making other plans

#13 damselindistress

damselindistress
  • Topic Starter


Posted 03 June 2005 - 12:58 PM

All clear now. Thank you!!! As a last measure, assuming I have no protection, what should I do to ensure no more viruses or anything else gets onto my computer? I have a lot of software downloaded now. Not sure which ones to move to the home computer and which ones to just ignore. I'm thinking keep webroot spysweeper, run lavasoft once per week, and run one of the online antivirus scans once a week. What do you think?

#14 g2i2r4

g2i2r4

    Malware remover



Posted 03 June 2005 - 01:41 PM

No silent runners log then?

Please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.


Life is what happens while you're making other plans



