Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PC infected by "XP Police" program


  • This topic is locked This topic is locked
5 replies to this topic

#1 sam-my

sam-my

  • Members
  • 122 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 08 February 2009 - 05:19 PM

HI

I have been directed to this section from " Am I infected? What do I do?"
My previous thread was:

http://www.bleepingcomputer.com/forums/t/201025/pc-infected-by-xp-police-program/

DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by SAMY at 0:14:45.26 on Mon 02/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2046.1329 [GMT 2:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
svchost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\vsnapvss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows7\VisualTaskTips\VisualTaskTips.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows7\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vista Rainbar\Rainmeter.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Documents and Settings\SAMY\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.nana.co.il
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: UrlHelper Class: {474597c5-ab09-49d6-a4d5-2e8d7341384e} - c:\program files\imesh applications\imesh mediabar\iMeshIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [UberIcon] "c:\program files\windows7\ubericon\UberIcon Manager.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Vista Rainbar] c:\program files\vista rainbar\Rainmeter.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Visual Task Tips] "c:\program files\windows7\visualtasktips\VisualTaskTips.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: Download with &FileFactory Turbo - c:\program files\filefactory turbo\plugins\ie\FileFactoryIE.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1233952594727&h=f98ff3d392e2ed1595dcab2e4f296288/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\samy\applic~1\mozilla\firefox\profiles\hlflftgq.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2009-1-28 113904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2009-1-28 79616]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-11-19 421496]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-11-17 80392]
R2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2009-1-4 222456]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-12-19 170640]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\storagecraft\shadowprotect\ShadowProtectSvc.exe [2009-1-28 1990656]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2008-11-23 70176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-19 15504]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-02-08 01:24 16,608 a------- c:\windows\gdrv.sys
2009-02-06 22:36 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-06 22:36 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-06 01:37 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-06 01:37 --d----- c:\program files\SUPERAntiSpyware
2009-02-06 01:37 --d----- c:\docume~1\samy\applic~1\SUPERAntiSpyware.com
2009-02-05 22:23 4,096 a--sh--- C:\VSM000.IDX
2009-02-01 23:58 --d----- c:\docume~1\samy\applic~1\Droppix
2009-02-01 23:58 --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-02-01 23:56 --d----- c:\program files\LightScribe Diagnostic Utility
2009-02-01 23:42 462,848 a------- c:\windows\system32\HHActiveX.dll
2009-02-01 23:42 24,576 a------- c:\windows\system32\msxml3a.dll
2009-02-01 23:42 --d----- c:\program files\Droppix
2009-02-01 23:41 --d----- c:\docume~1\alluse~1\applic~1\Droppix
2009-01-31 12:18 --d----- c:\docume~1\samy\applic~1\TrojanHunter
2009-01-29 00:16 230 a------- C:\config.xml
2009-01-29 00:04 --d----- c:\program files\Microsoft Research
2009-01-28 21:19 --d----- c:\program files\SureThing CD Labeler 5
2009-01-28 00:09 79,616 a------- c:\windows\system32\drivers\sbmount.sys
2009-01-28 00:09 113,904 a------- c:\windows\system32\drivers\stcvsm.sys
2009-01-28 00:09 12,800 a------- c:\windows\system32\stcsnap.dll
2009-01-28 00:09 --d----- c:\program files\StorageCraft
2009-01-27 00:21 --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-01-27 00:18 --d----- c:\program files\Diskeeper Corporation
2009-01-24 22:09 --d----- c:\program files\VSTplugins
2009-01-24 22:05 --d----- c:\program files\Sony
2009-01-24 22:05 --d----- c:\program files\Sony Setup
2009-01-24 16:04 483,328 a------- c:\windows\system32\actskn45.ocx
2009-01-24 16:04 --d----- c:\program files\iMesh Applications
2009-01-22 23:40 --d----- c:\docume~1\samy\applic~1\proDAD
2009-01-22 23:40 --d----- c:\program files\proDAD
2009-01-22 23:40 90,112 a------- c:\windows\unvise32.exe
2009-01-22 23:40 --d----- c:\program files\LooksBuilderSE
2009-01-22 23:40 237,568 a----r-- c:\windows\system32\qtmlClient.dll
2009-01-22 23:40 69,632 a------- c:\windows\system32\MtxPreview.dll
2009-01-22 23:40 49,152 a------- c:\windows\system32\MtxParhBFXPreview.dll
2009-01-22 23:40 49,152 a------- c:\windows\system32\CvoAPI.dll
2009-01-22 23:40 45,056 a------- c:\windows\system32\BFXSrcFilter.ax
2009-01-22 23:40 0 a------- c:\windows\Graffiti5.2Pin.ini
2009-01-22 23:40 --d----- c:\program files\Boris FX, Inc
2009-01-22 23:37 --d----- c:\program files\SureThing Express Labeler
2009-01-22 23:37 --d----- c:\program files\common files\SureThing Shared
2009-01-22 23:34 171,520 a------- c:\windows\system32\drivers\MarvinBus.sys
2009-01-22 23:34 --d----- c:\program files\common files\Pinnacle
2009-01-22 23:34 --d----- c:\docume~1\alluse~1\applic~1\Pinnacle Studio Ultimate
2009-01-22 23:30 --d----- c:\program files\Pinnacle
2009-01-22 23:30 --d----- c:\program files\common files\Yahoo!
2009-01-22 23:30 --d----- c:\docume~1\alluse~1\applic~1\Studio 12
2009-01-22 23:30 --d----- c:\docume~1\alluse~1\applic~1\Pinnacle Studio Plus

==================== Find3M ====================

2009-01-17 06:53 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-17 06:53 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-01 17:11 50,688 a------- c:\windows\system32\wbhelp2.dll
2008-12-29 23:18 1,700,352 a------- c:\windows\system32\gdiplus.dll
2008-12-29 23:18 1,060,864 a------- c:\windows\system32\mfc71.dll
2008-12-29 23:01 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-11 12:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-02 00:55 22,328 a------- c:\docume~1\samy\applic~1\PnkBstrK.sys
2008-12-02 00:55 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-12-02 00:55 682,280 a------- c:\windows\system32\pbsvc.exe
2008-11-29 23:18 74,703 a------- c:\windows\system32\mfc45.dll
2008-11-19 19:31 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-18 22:31 355,584 a------- c:\windows\system32\TuneUpDefragService.exe
2008-11-17 15:30 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 0:14:51.42 ===============

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 17 February 2009 - 09:34 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

-- Note: The screen instructions indicate the attach.txt must be zipped before attaching (not posted) to your forum post. Instead, we want you to include attach.txt as an attachment to upload using the "Browse" button in the text editor when making your reply.

Run Kaspersky Online Scanner
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

In your next reply please include the following:
  • DSS.txt
  • Attach.txt
  • Kaspersky's Log
  • What Problems do you still have?

Important Note: For other users who are reading this topic,the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed.Please Do NOT follow the instructions provided for this topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 sam-my

sam-my
  • Topic Starter

  • Members
  • 122 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 20 February 2009 - 08:47 AM

Hi Extremeboy

First of all many thanks for your time.
I think that this 'waiting time" has been beneficial for me.
I remarked that although I was performing AV and AS manual scan of my PC with no findings, I was finding
from time to time problems.
We are three users on this PC (my two kids and myself), and my kid's desktop has been changed (all the
icons rearranged in different way, some of them not found), some programs disappeared from
"All Programs" list.

When two days latter i remarked that just after the boot I got a fast notification:
? Programs Not Found - Skipping Autocheck
7 Programs Not Found - Skipping Autocheck
?? Programs Not Found - Skipping Autocheck
? Programs Not Found - Skipping Autocheck


I understood, that my OS was going bad slowly. I presumed i had got some rootkits.

I found out that I had a C drive image I have done 10 days before being Hijacked by the virus
and assumed that, to retrieving my C drive while loosing what has been added in the mean time,
is a better alternative than reinstalling my OS (I have visited some threads here). Exactly what I did.
The notification disappeared, and both desktop displays have been retrieved.


This hard "learning" taught me to be more vigilant (and less lazy) and to ensure I have
appropriate backups, in a timely manner

P.S.
Prior to performing and saving an image of my HD I generally use to clean it using CCleaner and Ace Utilities,
defrag it and scan it using my PC AV and AS (2). But, based on this bad experience,(when my AV and both
AS ran with no finding) I would like, if possible, to take this opportunity to ask you, as an expert
what else I have to do to ensure my backUp image is free from all nasties.

Thanks

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 20 February 2009 - 03:44 PM

Hello.

When backing up files and datas there are mainly 2 general guidelines:

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2)Do not backup any executables files or any window files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Then you can do a reinstall. This will not remove any of your files or pictures etc... it just reinstall windows onto your Drive. If you partitioned your drive it would be easier because you just have to reinstall windows on that one drive, and all your other data will be safe.

However a format will remove everything. If you need help reinstall or formating please start another topic in the XP forum as this forum is only removing malware infections. Thanks.

Hope that helps. Any thing else you want to ask?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 21 February 2009 - 12:31 PM

Hello.

Below are just some prevention tips and some AV/Firewall programs.

Install an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources

Some Free Anti-Virus software I recommend are: Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Install a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Some Firewall programs I recommend to others are:
Update your Firewall Program - It is imperitive that you update your Firewall at least once a week (Even more if you wish). If you do not update your firewall then it will not be able to catch any of the new variants that may come out.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :thumbup2:

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 21 February 2009 - 12:34 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users