
Kazaa remnants?


15 replies to this topic

#1 MaxPower42069

Posted 28 April 2009 - 11:14 PM

I'm trying to help a friend with his infected XP machine. It had a number of issues, most of which have since been resolved. Avira and Malwarebytes scans now come up clean. However, my antispyware programs detect one or two processes which cannot be removed, even in safe mode.

Throughout the repair, I have been dogged by Kazaa-related services (WildTangent and Altnet among them). I believe these last remaining problems may be related to Hyperbar, which is unable to be removed from the registry (I get an error about it being in use).

Hypersearchhook URL Search Hook variant is detected by SuperAntispyware. On the other hand, Spybot S&D detects BDE projector. In both instances, the cleaning process fails. How do I remove these pesky detections? The computer runs well and boots quickly without issue. All antispyware and antivirus sites are available. Windows update is functional. This one has me stumped.


#2 garmanma (Staff Emeritus)

Posted 30 April 2009 - 09:08 PM

Be sure to disable Spybot's Teatimer function if in use

Update mbam and run a FULL scan
Please post the results

Then run

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 MaxPower42069 (Topic Starter)

Posted 01 May 2009 - 12:15 PM

Thanks for helping me out here. I've been spinning my wheels on this one all week. I did like you said, and it appears that there are still a couple things in the registry. Here are my scan results:


Malwarebytes' Anti-Malware 1.36
Database version: 2062
Windows 5.1.2600 Service Pack 3

5/1/2009 1:01:02 AM
mbam-log-2009-05-01 (01-01-02).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 187982
Time elapsed: 1 hour(s), 30 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d714a94f-123a-45cc-8f03-040bcaf82ad6} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/01/2009 at 05:00 AM

Application Version : 4.26.1002

Core Rules Database Version : 3784
Trace Rules Database Version: 1741

Scan type : Complete Scan
Total Scan Time : 03:15:14

Memory items scanned : 263
Memory threats detected : 0
Registry items scanned : 5358
Registry threats detected : 2
File items scanned : 89930
File threats detected : 0

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

#4 garmanma (Staff Emeritus)

Posted 01 May 2009 - 07:57 PM

Please reboot the computer, update mbam and scan it one more time

Then run Dr Web
-------------------------------------



Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#5 MaxPower42069 (Topic Starter)

Posted 03 May 2009 - 03:22 PM

Ok, sorry for the delay in posting. We had a brief power outage during the final stages of the Dr Web scan, so I had to rerun it. Each full Dr Web scan takes upwards of 12 hours on this machine, so it took me some time to get back to you.

Dr Web found a couple things. The first was probably a false positive (SmitfraudFix tool, I'm apparently not the first to work on this computer) and the second was adware.msearch.


Here are the MB scan results...


Malwarebytes' Anti-Malware 1.36
Database version: 2066
Windows 5.1.2600 Service Pack 3

5/1/2009 10:50:36 PM
mbam-log-2009-05-01 (22-50-36).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 181795
Time elapsed: 1 hour(s), 23 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d714a94f-123a-45cc-8f03-040bcaf82ad6} (Fake.Dropped.Malware) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



A0422777.#xe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995\A0422777.#xe;Tool.Prockill;;
A0422777.#xe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995\A0422777.#xe;Tool.ShutDown.14;;
A0422777.#xe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Archive contains infected objects;;
A0422793.#xe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Tool.Prockill;;
A0422796.#xe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Tool.ShutDown.14;;
A0422864.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Tool.Prockill;;
A0422870.DLL;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Adware.Msearch;;
A0422871.DLL;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Adware.Msearch;;
A0422872.DLL;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Adware.Msearch;;
A0422873.DLL;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Adware.Msearch;;
A0422874.DLL;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP995;Adware.Msearch;;
Process.#xe;C:\WINNT\system32;Tool.Prockill;;

#6 garmanma (Staff Emeritus)

Posted 03 May 2009 - 07:17 PM

Are you still having your original problem?
Most of what you are seeing now is in System Restore, which we'll take care of

#7 MaxPower42069 (Topic Starter)

Posted 04 May 2009 - 10:09 PM

Adaware still detects 19 unremovable objects in the registry, all remnants of win32.adware.startnow. They can't be deleted, even manually while in safe mode.

All other scans come up clean. Adaware is the only one that can see it, apparently. Is there any way to zap these reg keys?

#8 garmanma (Staff Emeritus)

Posted 05 May 2009 - 04:42 PM

This is the one that concerns me
Process.#xe;C:\WINNT\system32;Tool.Prockill;

You are having almost the exact problem and situation as someone else

First, turn off System Restore

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply


Run Dr. Web CureIt one more time

#9 MaxPower42069 (Topic Starter)

Posted 05 May 2009 - 05:11 PM

I'm posting the process explorer log first, since Dr Web will probably take a while to scan...

Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 336 Windows NT Session Manager Microsoft Corporation
csrss.exe 392 Client Server Runtime Process Microsoft Corporation
winlogon.exe 416 Windows NT Logon Application Microsoft Corporation
services.exe 468 Services and Controller app Microsoft Corporation
svchost.exe 640 Generic Host Process for Win32 Services Microsoft Corporation
unsecapp.exe 848 WMI Microsoft Corporation
wmiprvse.exe 1060 WMI Microsoft Corporation
svchost.exe 700 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 776 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 828 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 872 Generic Host Process for Win32 Services Microsoft Corporation
AAWService.exe 968 Ad-Aware Service Application Lavasoft
AAWTray.exe 2316 Ad-Aware Tray Application Lavasoft
spoolsv.exe 1184 Spooler SubSystem App Microsoft Corporation
sched.exe 1292 Antivirus Scheduler Avira GmbH
svchost.exe 1428 Generic Host Process for Win32 Services Microsoft Corporation
avguard.exe 1740 Antivirus On-Access Service Avira GmbH
cisvc.exe 1756 Content Index service Microsoft Corporation
wmonitor.exe 1772 wmonitor Module Boingo Wireless, Inc.
mdm.exe 1832 Machine Debug Manager Microsoft Corporation
svchost.exe 1908 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1972 Windows User Mode Driver Manager Microsoft Corporation
alg.exe 1700 Application Layer Gateway Service Microsoft Corporation
lsass.exe 480 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1156 Windows Explorer Microsoft Corporation
avgnt.exe 1532 Antivirus System Tray Tool Avira GmbH
ctfmon.exe 1540 CTF Loader Microsoft Corporation
procexp.exe 2844 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

#10 MaxPower42069 (Topic Starter)

Posted 06 May 2009 - 11:21 AM

Ok, the Dr Web scan found nothing this time. I'd post a log, but the "save report list" option is grayed out.

#11 garmanma (Staff Emeritus)

Posted 06 May 2009 - 07:20 PM

Do you have the AdAware Anniversary Edition?
It's been so long since I used this I had to read up on it
It has a real-time monitor similar to Teatimer
Disable AdAware and then update mbam and run a Full scan

Then run SAS one more time
Then see how it runs

#12 MaxPower42069 (Topic Starter)

Posted 07 May 2009 - 07:58 PM

Ok, I disabled adwatch live. Here are the results of the two scans, pretty much the same as before. Mywebsearch is still in there...

Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/6/2009 10:18:31 PM
mbam-log-2009-05-06 (22-18-31).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 143992
Time elapsed: 1 hour(s), 17 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



-------------------------



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2009 at 08:32 PM

Application Version : 4.26.1002

Core Rules Database Version : 3784
Trace Rules Database Version: 1741

Scan type : Complete Scan
Total Scan Time : 03:00:32

Memory items scanned : 245
Memory threats detected : 0
Registry items scanned : 5360
Registry threats detected : 2
File items scanned : 89406
File threats detected : 3

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Adware.Tracking Cookie
.revsci.net [ C:\Documents and Settings\Gabe\Application Data\Mozilla\Firefox\Profiles\e0zos9td.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Gabe\Application Data\Mozilla\Firefox\Profiles\e0zos9td.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Gabe\Application Data\Mozilla\Firefox\Profiles\e0zos9td.default\cookies.txt ]

#13 MaxPower42069 (Topic Starter)

Posted 08 May 2009 - 03:26 AM

Ok, I had a breakthrough tonight. I exported a scan log from Adaware, which noted the problem registry keys. I operated under the assumption that these keys were bad, and removing them wouldn't wreck the system. As previously stated, they couldn't be removed in RegEdit. So I used the "find in registry" option on RegSeeker, and cut/pasted each key into a search. RegSeeker was actually able to delete the entries. Now Adaware no longer detects them, and no reference to Hyperbar can be found anywhere in the registry.

The computer is running much better now. I'll post the SAS scan log once it finishes.
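One way to inspect the items the scan logs in this thread name before deleting anything, as an added read-only example that is not part of the thread or of any tool mentioned in it (it assumes PowerShell 2.0 or newer and read access to the keys; the key paths and CLSIDs are the ones from the Malwarebytes and SUPERAntiSpyware logs above): it reports each key's owner and any ACE denying Delete, which is one reason regedit refuses a delete like the one in post #13, and lists every CLSID carrying a TreatAs redirection of the kind SUPERAntiSpyware flagged under Adware.MyWebSearch/FunWebProducts.

```powershell
# Added example, not from the thread: read-only registry audit of the locations the
# scan logs name. It deletes nothing. Assumes PowerShell 2.0+ and a user with read
# access to the keys; the CLSIDs and paths below are the ones in the posted logs.

# HKCR is not mapped as a drive by default; HKCU and HKLM are.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Locations taken from the Malwarebytes and SUPERAntiSpyware logs in this thread.
$suspectKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d714a94f-123a-45cc-8f03-040bcaf82ad6}',
    'HKCU:\SOFTWARE\MediaLoads',
    'HKCR:\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}',
    # Registration point for IE URL Search Hooks (post #1's "Hypersearchhook" detection).
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
)

function Get-KeyAccessSummary {
    param([string]$Path)
    # Report the owner and any ACE that denies Delete. A foreign owner, a deny ACE,
    # or a running process holding the key open are the usual reasons regedit
    # reports a key as "in use" or fails to delete it.
    $acl = Get-Acl -Path $Path
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.RegistryRights -band [Security.AccessControl.RegistryRights]::Delete) -ne 0)
    })
    New-Object PSObject -Property @{
        Path       = $Path
        Owner      = $acl.Owner
        DeleteDeny = ($denies | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Subkeys    = @(Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue).Count
    }
}

function Get-TreatAsRedirections {
    # A CLSID with a TreatAs subkey is silently replaced by the target CLSID whenever
    # it is instantiated. List each redirection with the target's InprocServer32 DLL
    # and whether that DLL is actually on disk, so unexpected targets stand out.
    Get-ChildItem -Path 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $src     = $_.PSChildName
        $treatAs = "HKCR:\CLSID\$src\TreatAs"
        if (Test-Path -LiteralPath $treatAs) {
            $target = (Get-ItemProperty -LiteralPath $treatAs).'(default)'
            $dll    = $null
            $srvKey = "HKCR:\CLSID\$target\InprocServer32"
            if ($target -and (Test-Path -LiteralPath $srvKey)) {
                $dll = (Get-ItemProperty -LiteralPath $srvKey).'(default)'
            }
            $onDisk = $false
            if ($dll) {
                # Server paths may be quoted or use %SystemRoot%-style variables.
                $onDisk = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll.Trim('"')))
            }
            New-Object PSObject -Property @{
                Source = $src; Target = $target; ServerDll = $dll; DllOnDisk = $onDisk
            }
        }
    }
}

'== Keys named in the scan logs =='
foreach ($k in $suspectKeys) {
    if (Test-Path -LiteralPath $k) {
        Get-KeyAccessSummary -Path $k | Format-List Path, Owner, DeleteDeny, Subkeys
    } else {
        "absent (already removed or never present): $k"
    }
}

'== CLSID TreatAs redirections =='
Get-TreatAsRedirections | Format-Table Source, Target, ServerDll, DllOnDisk -AutoSize
```

A key that is present but shows a foreign owner or a Delete-denying ACE explains the regedit failure without any tool having to guess; a TreatAs entry whose target DLL is missing or sits outside the Windows or Program Files directories is the one to look at first.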

#14 MaxPower42069 (Topic Starter)

Posted 08 May 2009 - 05:03 PM

Here are the last two logs. Looks like mywebsearch is finally gone...


Malwarebytes' Anti-Malware 1.36
Database version: 2095
Windows 5.1.2600 Service Pack 3

5/8/2009 2:06:34 PM
mbam-log-2009-05-08 (14-06-34).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 177658
Time elapsed: 1 hour(s), 9 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2009 at 04:56 PM

Application Version : 4.26.1002

Core Rules Database Version : 3884
Trace Rules Database Version: 1832

Scan type : Complete Scan
Total Scan Time : 02:23:53

Memory items scanned : 408
Memory threats detected : 0
Registry items scanned : 5392
Registry threats detected : 0
File items scanned : 89378
File threats detected : 0

#15 garmanma (Staff Emeritus)

Posted 08 May 2009 - 07:15 PM

If there are no longer signs of malware then please....

Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

-------------------------------

Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software, crack sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.



