
Lucallback Proxy Module And Others


8 replies to this topic

#1 DebraJess

Posted 18 June 2006 - 03:33 PM

I'm not having a specific problem with my computer. While taking a computer class I was told to "know what normal looks like so you'll know if something is not normal". I look at my Zone Alarm Pro Program Control list regularly and lately I've noticed a number of programs that don't look normal. I've used Spybot, Ad-aware, and I have Zone Alarm Pro Firewall and Norton Anti-Virus. My operating system is Windows XP Home Edition. This is my first time using HijackThis. I've listed at the end of the log a list of programs I don't recognize. I've "killed" most of them using ZA, but I'm not sure if this is enough. If there are malicious programs, I would appreciate knowing how to remove them.

Thank you!
DJ

Logfile of HijackThis v1.99.1
Scan saved at 4:25:58 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [HTST] C:\DOCUME~1\DEBRAJ~1\LOCALS~1\Temp\TB_UPD~1.EXE /autoshow
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126378389\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /A "C:\WINDOWS\system32\E_S3.tmp"
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd...ds/iaieplay.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/180c0eb55a5634560006/...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130990701203
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

******
Add/Remove Programs Install Date Fix - this is listed 8 times, which has me suspicious

ALEUPdate

ChngeVer - this is listed 6 times

CLR JIT Handler and Remote Host

Creativity_E MFC Application - listed twice with different icons

DbMirror.bz

DRM Migrate EXE

E_DMSG00

EPUTIX24EXE

FEXMAPl 1.0 MAPI Repair Tool

GLJ64.tmp

host.exe - this has a Quicken icon next to it. I do use Quicken, but I don't remember seeing this on my program list before

iPod Service Module - I don't own an iPod, but I do have iTunes, and I hadn't seen the iPod module before.

ltmsg - has a little telephone icon next to it

LuCallBackProxy Module

LuProdRg.exe - I'm pretty sure this is malicious, just would like confirmation

LuSetUp.exe - has a Symantec-like icon next to it

NavCmd2RedUpdt.exe

Netropa ® Onscreen Display

Netropa™ Hot Key

NSCSettingsPatches.exe

Object 800009fc - there are 28 different Objects listed with different numbers all starting with 80000

Omnigrate.exe

QWPatch.exe - this has a Quicken like icon next to it. I do have Quicken, but don't remember this program being listed before

Registry Editor

RESTARTEXE.EXE

SAPISVR 5

ScanToApp MFC Application

ScanToFile Microsoft ??????

selfextr

Self-Extracting Cabinet -This is listed 10 times

Setup Lancher - this has an icon that looks like a cardboard box overflowing with paper

setup.exe - this has an icon that makes me think of AOL, it's a triangle tilted on its side with a circle in the center.

SLinst.exe

SPBBC Service

Spooler Subsystem App

SYMCDEFSI32.EXE - this is listed twice, once in caps, once in lower case letters

tb_setup.exe - this has been on my computer for a while. I killed it a long time ago and was told it couldn't be removed. I just need to know if someone ever figured out how to remove it.

update32.exe

Userinit Logon Application

Verify Class ID

Viewpoint Media Player MtsAxlnstaller

Viewpoint.exe - I can't really see what this icon is, it's too small, but it's green and blue.

WMI - I do believe this is malicious, but not sure. It's listed twice


#2 Deckard

Posted 19 June 2006 - 10:09 PM

Hi and welcome to Bleeping Computer!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Track this topic under (Options) so that you are notified when you receive a reply.

Please be patient with me during this time.
The chance to begin again in a golden land of opportunity and adventure.


UNITE/ASAP: Proud member since 2006


#3 Deckard

Posted 20 June 2006 - 02:33 PM

Hello DebraJess,

There are a few things in your log that I'd like to address. I'll also need some additional information from you, which is in my instructions below. But before that, I'd like to answer some of the questions you had about your uninstall list:

host.exe - this has a Quicken icon next to it. I do use Quicken, but I don't remember seeing this on my program list before
QWPatch.exe - this has a Quicken like icon next to it. I do have Quicken, but don't remember this program being listed before

These are Quicken. They should be left alone.

iPod Service Module - I don't own an iPod, but I do have iTunes, and I hadn't seen the iPod module before.

This is part of iTunes.

LuProdRg.exe - I'm pretty sure this is malicious, just would like confirmation
LuSetUp.exe - has a Symantec-like icon next to it
SYMCDEFSI32.EXE - this is listed twice, once in caps, once in lower case letters

These are all Symantec.

WMI - I do believe this is malicious, but not sure. It's listed twice

WMI stands for Windows Management Instrumentation -- these could very well be valid entries.


As you may know, individual programs are comprised of many files and functions. When ZoneAlarm is alerting you, you can go to the ZoneAlarm Control Center and select Program Control on the left panel. It will list all programs trying to access the Internet. If you click on the entry in question, the program that belongs to it will be listed at the bottom. As long as it belongs to a program you recognize, you can feel confident in allowing access.


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK.


Download CleanUp!
Download and install CleanUp! but do not run it yet. *WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.


Download Ewido
Please download Ewido Anti-Malware
  • Install Ewido anti-malware
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen. When you run Ewido for the first time, you may get a warning "Database could not be found!" -- just click OK.
  • You will need to update Ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update Ewido: Ewido manual updates


Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.


Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Huntbar
Viewpoint Media Player
Viewpoint


HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [HTST] C:\DOCUME~1\DEBRAJ~1\LOCALS~1\Temp\TB_UPD~1.EXE /autoshow
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/180c0eb55a5634560006/...ip/RdxIE601.cab

Please remember to close all other windows, including browsers then click Fix checked.


Deletions
Delete the following File indicated in RED if it still exists:

C:\Documents and Settings\DEBRA JESS\Local Settings\Temp\TB_UPD~1.EXE << probably TB_UPDATE.EXE


Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
    • Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
  • Click OK
  • Press the CleanUp! button to start the program. DO NOT reboot/logoff when prompted.
Run Ewido
Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.


Reboot
Reboot your system to Normal Mode.


Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan.
  • Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker.
  • Enter your e-mail address, country, and state and click Scan Now.
  • Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control.
  • Begin the scan by selecting My Computer. Note:
    • Please turn off the real time scanner of any existing antivirus program while performing the online scan.
    • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report.
  • It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report.
Generate An Uninstall List
  • Open HijackThis.
  • Click on the "Configure" button on the bottom right.
  • Click on the tab "Misc Tools".
  • Click on the Box that says "Open Uninstall Manager".
  • Click on the button "Save list"
Please save a copy and paste the contents with your next reply.


With Your Next Post...
Please paste the following with your next reply:
  • Ewido report
  • Panda Scan report
  • Uninstall List from HijackThis
  • a new HiJackThis log taken after the Panda scan finishes.

Edited by Deckard, 20 June 2006 - 02:34 PM.

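The entries Deckard checks above follow three recognisable patterns: IE search values set to about:blank, a Run entry launching out of the user's Temp folder, and a DPF control pulled from a bare IP address instead of a hostname. The following is an added example, not code from this thread or from the HijackThis tool: a small Python triage pass that applies exactly those three string heuristics to lines copied from the log posted earlier. It only highlights lines for a human to review; it does not decide what is malicious.

```python
"""Triage heuristics for HijackThis (v1.99-era) log lines.

Added example for this thread; not part of the original posts and not code
from the HijackThis project. It encodes the three patterns the helper acted
on: IE search keys blanked to about:blank (R0/R1), an autostart launched
from a Temp folder (O4), and a DPF download served from a bare IP address
rather than a hostname (O16). Matching is purely string-based.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# R0/R1 lines:  R1 - HKCU\Software\...\Main,Search Bar = about:blank
_R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
# O4 lines:     O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /switch
_O4_LINE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O16 lines:    O16 - DPF: {CLSID} (Friendly Name) - http://host/file.cab
_O16_LINE = re.compile(r"^O16 - DPF: (?P<what>.*?) - (?P<url>\S+)$")

# Download source is a literal IPv4 address rather than a hostname.
_IP_HOST = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)", re.IGNORECASE)
# Command launched out of the user's Temp folder (8.3 or long path form).
_TEMP_PATH = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the three heuristics, else None."""
    line = line.strip()

    m = _R_LINE.match(line)
    if m:
        key, value = m["key"], m["value"].strip()
        # Only search-related values; Default_Page_URL and ShellNext are left alone.
        if "Search" in key and value.lower() in ("", "about:blank"):
            return Finding(line, "IE search setting blanked (search hijack residue)")
        return None

    m = _O4_LINE.match(line)
    if m:
        if _TEMP_PATH.search(m["cmd"]):
            return Finding(line, "autostart launched from a Temp folder")
        return None

    m = _O16_LINE.match(line)
    if m:
        if _IP_HOST.match(m["url"]):
            return Finding(line, "DPF object downloaded from a bare IP address")
        return None

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted HijackThis log, in order."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


# Lines copied from the log posted earlier in this thread (the flagged ones
# plus a few benign neighbours) so the example runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [HTST] C:\DOCUME~1\DEBRAJ~1\LOCALS~1\Temp\TB_UPD~1.EXE /autoshow
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /A "C:\WINDOWS\system32\E_S3.tmp"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/180c0eb55a5634560006/...ip/RdxIE601.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Run against the sample it reports the same six lines Deckard listed under "HijackThis Fixes" and nothing else; the Epson line with a .tmp argument is not flagged because the check is on the Temp folder, not the file extension.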


#4 DebraJess

Posted 21 June 2006 - 11:04 PM

Thank you so much for helping me, Deckard! I really appreciate it. Here are the logs you requested:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:14:54 PM 6/21/2006

+ Scan result:

C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCAR -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-480437244-2704883870-4021508746-1007\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-480437244-2704883870-4021508746-1007\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
C:\Program Files\MediaLoads\v1\ML.exe -> Adware.DownloadWare : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP973\A0087062.exe -> Adware.DownloadWare : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup (quarantined).


::Report end

Panda Scan:

Incident                                           Status           Location
Adware:adware/comet                                Not disinfected  c:\windows\downloaded program files\cc.inf
Adware:adware/delfinmedia                          Not disinfected  c:\program files\DelFin
Adware:adware/downloadware                         Not disinfected  c:\program files\MediaLoads
Potentially unwanted tool:application/mywebsearch  Not disinfected  c:\program files\Search Toolbar
Adware:adware/buddylinks                           Not disinfected  Windows Registry
Spyware:spyware/clipgenie                          Not disinfected  Windows Registry
Adware:adware/savenow                              Not disinfected  Windows Registry


Uninstall list:

Aaron's WebVacuum
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop 7.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Advanced RealMedia Export Plug-in for Premiere 6.0
American Tradition® Signature Colors™ Virtual Painter
AOL Explorer
AOL Instant Messenger
Care2 Green Thumbs-Up
ccCommon
Cleaner 5 EZ
CleanUp!
Copy Utility
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
DivX
DivX Converter
DivX Converter
DivX Player
Documents To Go
Easy CD Creator 5 Basic
EPSON Photo Print
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
ewido anti-spyware 4.0
Flip Words
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
InterActual Player
Internet Worm Protection
iTunes
LiveUpdate 3.0 (Symantec Corporation)
Lucent Win Modem
Macromedia Flash Player 8
MediaLoads
Microsoft Data Access Components KB870669
Microsoft FrontPage 2002
Microsoft Office Sounds
Microsoft Office XP Media Content
Microsoft Office XP Standard
mIRC
Modem Helper
Movie Studio 2 Hardware
MSN Music Assistant
My Wal-Mart Digital Photo Center
NAVShortcut
Network Play System (Patching)
NetworkAddonMod Beta Version 2005.09.30
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
NoteTab Light (Remove only)
NVIDIA Windows 2000/XP Display Drivers
Palm Desktop
Panda ActiveScan
Panorama 32
PCFriendly
PF1250-1650 Guide
PhoneTools
Pop-Up Stopper Free Edition
PowerDVD
PRO200WL
Quicken 2005
QuickTime
RealPlayer
Santa Cruz
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Shockwave Player
SimCity 4 Deluxe
SPBBC
Spybot - Search & Destroy 1.3
Symantec
Terayon DOCSIS Modem
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
WordPerfect Office 11
ZoneAlarm Pro

Logfile of HijackThis v1.99.1
Scan saved at 11:54:06 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1126378389\ee\AOLHostManager.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\1126378389\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126378389\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /A "C:\WINDOWS\system32\E_S3.tmp"
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd...ds/iaieplay.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130990701203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#5 Deckard


Posted 22 June 2006 - 09:56 AM

My pleasure! :thumbsup:

You're looking good. Both Ewido and Panda caught a few things that weren't in your HijackThis log. Let's get rid of these bad boys.


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.


Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following program:

MediaLoads

Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
  • Go to Start > Run and type: regsvr32 /u occache.dll and click OK.
  • Delete:
    • C:\Program Files\AWS
    • C:\Program Files\DelFin
    • C:\Program Files\MediaLoads
    • C:\Program Files\Search Toolbar
    • C:\Windows\Downloaded Program Files\cc.inf
  • Go to Start > Run and type: regsvr32 occache.dll and click OK.
Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Standard
    • Scan Options: Scan Archives and Scan Mail Bases
  • Click OK
  • Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
  • Now under select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run all the way.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.


With Your Next Post...
Please paste the Kaspersky Scan report and let me know how your computer is running now.
The chance to begin again in a golden land of opportunity and adventure.


UNITE/ASAP: Proud member since 2006


#6 DebraJess


Posted 22 June 2006 - 10:21 PM

Hi Deckard,

I performed all your instructions and the Kaspersky Scan had no report. This is what it said:

The scan is complete.
No malware has been detected. The sections that have been scanned are CLEAN.

Report is empty.

I guess this is a good thing. My computer seems to be working fine, but I really don't have time to put it through its paces. I'll be going away for the weekend, so when I return I'll give it a good workout.

THANK YOU!

DJ

#7 Deckard


Posted 22 June 2006 - 11:40 PM

Congratulations! Your logs are clean. Any more issues? If not, you should be good to go but we still have a few items I'd like to address.

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm and then click OK.
Reset System Restore
  • Go to Start>Run, type SYSDM.CPL and press Enter.
  • Select the System Restore tab.
  • Check "Turn off System Restore on all drives" and click Apply.
  • Now uncheck the same option and click OK.
Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection.

Enable Windows Automatic Updates
  • Go to Start>Run, type WUAUCPL.CPL and press Enter.
  • Make sure "Keep my computer up to date" is checked.
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".
Update Spybot S&D
Download Spybot Search & Destroy 1.4. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Now click the Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button on top to Immunize your computer - you should do this each time there is an update. Click 'Check for Problems' and fix all the entries, which are indicated in RED.

Install Sun's Java
I see that you do not have Sun's Java installed. Sun's Java Virtual Machine is much more secure than Microsoft's Java Virtual Machine. I highly recommend that you install the latest version.

Malware Prevention
This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them.

Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer".

The following is a list of free software we recommend:

Realtime Malware Prevention Tools
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.

Passive Malware Prevention Tools
These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • Spyware Blaster - check regularly for updates.
  • IE-Spyad - Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them.
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous website. Works with both IE and Firefox.
Alternative Web Browsers
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Alternative Miscellaneous
Here are some alternatives that are worth looking into if you use their features:
  • Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.)
  • Miranda-IM - another Instant Messenger client with multiple IM capabilities.
  • Desktop Weather - A taskbar weather program that is free and resource light.
Please respond to this thread one more time so we can mark this thread as resolved.

#8 DebraJess


Posted 27 June 2006 - 08:21 PM

Congratulations! Your logs are clean. Any more issues? If not, you should be good to go but we still have a few items I'd like to address.


Hi Deckard,

Thank you for the last set of instructions. I seem to be having a few problems with some of the programs, however.

I have successfully performed the following operations:

Reset the hidden system/file folders
Reset system restore
Updated MS Windows
Enabled Automatic Windows Updates
Updated Spybot S&D
Installed Sun's Java
Installed Spyware Blaster
Installed Spyware Guard
And I already have Ad-aware from your last set of instructions

I have some questions about the following programs you recommended:

IE-Spyad - you say to install options #2 and #4. I'm not seeing an option #2 or #4 on the website, unless you are referring to downloading the .zip files instead of the .exe files. Also, the instructions say that this program can conflict with Spyware Blaster and Spybot S&D. Is this program that necessary?

MVPS Hosts - you say to double click on the .bat file. I don't see a .bat file. I tried to double click on the only file with an icon, but nothing seemed to happen. Did I do something wrong?

Haven't gotten to WinPatrol or McAfee Site Advisor yet. I'm a little pooped from all this downloading and installing. I also haven't gotten to the IM instructions yet. I don't use IM all that often. Perhaps I will get to those tomorrow.

Thank you again for all of your help, advice and patience. I really appreciate it.

DJ

#9 Deckard


Posted 27 June 2006 - 11:46 PM

Hi DJ,

IE-Spyad is fully compatible with SpywareBlaster. IE-Spyad puts sites into your Restricted Zone, but SpywareBlaster sets "kill bits" in your registry -- a feature invented by Microsoft that allows a user to prevent unexpected ActiveX execution in Internet Explorer. They do similar but complementary things. IE-Spyad is also fully compatible with Spybot S&D, which also has complementary features.

IE-Spyad is a self-extracting .ZIP file so save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD). From within that folder, double-click install.bat.

Select Option #2 - Install the new IE-SPYAD list, by typing 2

Then return to the main menu.

Select option #4 - Add the old porn sites domain, by typing 4


Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.


MVPS Hosts: You may not see a file named mvps.bat, but rather mvps (Windows usually hides the file extension for known filetypes). If that was the file you double-clicked, you did the right thing and it should be protected now. It's a silent install, so I understand why that might be confusing.

I'm glad to hear your system is still working without any issues. :thumbsup:
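As an added example, not part of this thread or of either tool discussed in it, the Python below parses the O16 (Downloaded Program Files / ActiveX) lines of a HijackThis log like the one posted above and reports whether each control's CLSID is covered by the Internet Explorer kill bit Deckard describes: the 0x400 bit of the Compatibility Flags value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The flags table passed to audit() is constructed for the demonstration; read_compat_flags() reads the real values on a Windows machine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# IE keeps per-control settings under this HKLM key; Compatibility Flags bit 0x400 is the kill bit.
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400

@dataclass
class O16Entry:
    clsid: Optional[str]   # None when HijackThis printed only a name (e.g. "Yahoo! Chat")
    name: Optional[str]    # None when only the CLSID was known
    url: str

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

def parse_o16(line: str) -> Optional[O16Entry]:
    """Parse one 'O16 - DPF:' line; the URL is always the text after the last ' - '."""
    prefix = "O16 - DPF: "
    if not line.startswith(prefix):
        return None
    body, sep, url = line[len(prefix):].rpartition(" - ")
    if not sep:
        return None
    body = body.strip()
    m = CLSID_RE.match(body)
    clsid = m.group(0).upper() if m else None
    name = body[m.end():].strip() if m else body
    name = name.strip("()") or None
    return O16Entry(clsid, name, url)

def kill_bit_status(entry: O16Entry, flags: Dict[str, int]) -> str:
    """'blocked' if the kill bit is set for the CLSID, 'allowed' if not, 'unknown' if no CLSID."""
    if entry.clsid is None:
        return "unknown"
    return "blocked" if flags.get(entry.clsid, 0) & KILL_BIT else "allowed"

def audit(log_lines: List[str], flags: Dict[str, int]) -> Dict[str, List[O16Entry]]:
    """Group every O16 entry of a HijackThis log by kill-bit status; other sections are skipped."""
    report: Dict[str, List[O16Entry]] = {"blocked": [], "allowed": [], "unknown": []}
    for line in log_lines:
        entry = parse_o16(line.rstrip("\r\n"))
        if entry:
            report[kill_bit_status(entry, flags)].append(entry)
    return report

def read_compat_flags() -> Dict[str, int]:
    """Windows only: read Compatibility Flags for every CLSID subkey of COMPAT_KEY (HKLM)."""
    import winreg  # not available off Windows, hence the local import
    flags: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            clsid = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, clsid) as sub:
                    flags[clsid.upper()] = int(winreg.QueryValueEx(sub, "Compatibility Flags")[0])
            except OSError:  # subkey without a Compatibility Flags value
                pass
    return flags
```

On Windows, `audit(open("hijackthis.log").readlines(), read_compat_flags())` lists which of the logged ActiveX controls are already blocked; a control in the "allowed" list that you no longer need is a candidate for a kill bit or for removal from Downloaded Program Files.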