Boot.ini Removed by "Normal" Restart of Windows [Solved]

#16 cmcrgl (Topic Starter, Member, 26 posts)

Cruise:

Thanks for the suggestion. Yes, you did catch a real "winner" of a problem here.

Typing in

attrib +s +h +r Boot.ini

in the C:\ root directory DOS window gives the following message:

file not found - Boot.ini

I will now restart; however, I am pretty sure that I'm going to wind up with what, for the sake of brevity, I will call the "boot.ini missing failure."

I did and it did.

I am going to rebuild the boot.ini file using the recovery mode, and start the machine in "Safe mode." I should then be able to get the information about the boot.ini file, which I will then post in a follow up to this.

Thanks for your help. I do appreciate it. I'm sorry this is proving so intractable.

cmcrgl

#17 cmcrgl (Topic Starter, Member, 26 posts)

Cruise,

After rebuilding the boot.ini file with the bootcfg /rebuild command I started Windows in safe mode.

I then ran msconfig from the Run window in the Start menu. The boot.ini tab was there. Here is how it looks.

msconfig_safe.JPG

Clicking on the "Check all Boot Paths" button brings up the following window:

button.JPG

So, booting the machine into safe mode, the boot.ini file is present, but, during "normal" booting, something is deleting it. (Sorry to state the obvious, but that's my principal talent!) Is there some equivalent of the basic "REM" command that we might be able to apply to the additional files that load during a normal boot, in order to discover which step is killing the boot.ini file?

How should we proceed from here? Currently, on the afflicted machine I am sitting in safe mode with the msconfig program running.

Thanks. I hope that your patience with this is holding up!

cmcrgl

#18 Cruise475 (Trusted Helper, 1,348 posts)

Hi There,

Let's see if this can help us pinpoint the problem :)

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Thanks
Cruise

#19 cmcrgl (Topic Starter, Member, 26 posts)

Cruise,

Thanks for the additional information.

I am viewing this on a non-infected computer; however, I have downloaded the file, put it on a thumb drive and will transfer it to the machine with the problem, copy it to the desktop and run it as per your directions. Should I run this on the machine following a standard boot or a safe boot? I'm thinking that I will do it under both conditions, beginning in the safe mode, then in standard mode and post both results. That is, unless I hear from you shortly. I imagine that you can easily ignore the "safe mode" log.

#20 Cruise475 (Trusted Helper, 1,348 posts)

Hi cmcrgl,

Go ahead and run it in normal mode.

~Cruise

#21 cmcrgl (Topic Starter, Member, 26 posts)

Hi Cruise,

Thanks for the directions.

A quick question: Running the script I received a second "are you sure" sort of message about running the supplementary searches. I clicked the response that indicated, yes, I did want to run the supplementary searches. I have been waiting since for the "All Done" message. Checking the Windows Task Manager shows that 99% of the CPU cycles are being used by the "System Idle Process." Could you give me some idea of how long I should be patient? I only ask because your instructions for running the script didn't include a mention of a second window about the supplementary searches, and I always get a little nervous when something appears to act in an "undocumented" way!

I will reboot into normal mode and run the scan.

cmcrgl

PS. I opened the log on the desktop that was created running the script in the safe mode. Scrolling to the end, I found what looked like a definite "I'm finished" message:

---------- (launch time: 2010-02-10 19:50:13)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 178 seconds.
---------- (total run time: 205 seconds)

I'm about to run the script following the "standard boot"; a full log will follow.

#22 cmcrgl (Topic Starter, Member, 26 posts)

Hello Cruise,

Running the script following a normal boot, the window stating that the script had finished running did appear.

Here is the log:

"Silent Runners.vbs", revision 60, http://www.silentrunners.org/
Operating System: Windows XP SP3
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"avgnt" = ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]

{201f27d4-3704-41d6-89c1-aa35e39143ed}\(Default) = "AskBar BHO"
-> {HKLM...CLSID} = "AskBar BHO"
\InProcServer32\(Default) = "C:\Program Files\AskBarDis\bar\bin\askBar.dll" ["Ask.com"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" [null data]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll" ["Google Inc."]

{b0cda128-b425-4eef-a174-61a11ac5dbf8}\(Default) = "AIM Toolbar Loader"
-> {HKLM...CLSID} = "AIM Toolbar Loader"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}\(Default) = "{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

""%SYSTEMROOT%\system32\rundll32.exe" C:\WINDOWS\system32\pfmshx_201.dll,RunDllEntry newpfolder "%1"" = "PismoFileMountAuditPackage"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

"{4BBAAAE9-0005-4201-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

"{4BBAAAE9-0001-4201-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

"{4BBAAAE9-0002-4201-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

"{4BBAAAE9-0003-4201-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

"{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

"{6230EF55-8E71-4F40-861A-DBA282584FF5}" = "AVS VideoConverter 6"
-> {HKLM...CLSID} = "AVSVideoConverter Object"
\InProcServer32\(Default) = "C:\PROGRA~1\AVS4YOU\AVSVID~1\AVSVID~1.DLL" ["Online Media Technologies Ltd."]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"wvauth"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> gemsafe\DLLName = "C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll" ["Gemplus"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> skype4com\CLSID = "{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}"
-> {HKLM...CLSID} = "IEProtocolHandler Class"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL" ["Skype Technologies"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVSVideoConverter6\(Default) = "{6230EF55-8E71-4F40-861A-DBA282584FF5}"
-> {HKLM...CLSID} = "AVSVideoConverter Object"
\InProcServer32\(Default) = "C:\PROGRA~1\AVS4YOU\AVSVID~1\AVSVID~1.DLL" ["Online Media Technologies Ltd."]

EncryptDocMgr\(Default) = "{52C70C7B-98B9-4626-8BD0-4D00FF028488}"
-> {HKLM...CLSID} = "EncryptMenuItem Class"
\InProcServer32\(Default) = "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\ContextMenuItem.dll" ["Wave Systems Corp."]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

{4BBAAAE9-0001-4201-9AA5-1BBD98C86E9B}\(Default) = "{4BBAAAE9-0001-4201-9AA5-1BBD98C86E9B}"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

EncryptDocMgr\(Default) = "{52C70C7B-98B9-4626-8BD0-4D00FF028488}"
-> {HKLM...CLSID} = "EncryptMenuItem Class"
\InProcServer32\(Default) = "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\ContextMenuItem.dll" ["Wave Systems Corp."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\

PIDirectoryHook\(Default) = "{E8244BEF-0200-4A1A-BE4E-35A4A9F51C3F}"
-> {HKLM...CLSID} = "PI5 CopyHook"
\InProcServer32\(Default) = "C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll" [null data]

Roxio DragToDisc Shell Extension\(Default) = "{5E44E225-A408-11CF-B581-008029601108}"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

{5E44E225-A408-11CF-B581-008029601108}\(Default) = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

00nView\(Default) = "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

NvCplDesktopContext\(Default) = "{A70C977A-BF00-412C-90B7-034C51DA2439}"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

{4BBAAAE9-0002-4201-9AA5-1BBD98C86E9B}\(Default) = "{4BBAAAE9-0002-4201-9AA5-1BBD98C86E9B}"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Folder\shellex\PropertySheetHandlers\

{4BBAAAE9-0003-4201-9AA5-1BBD98C86E9B}\(Default) = "{4BBAAAE9-0003-4201-9AA5-1BBD98C86E9B}"
-> {HKLM...CLSID} = "PismoFileMountAuditPackage"
\InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"Disable Config" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Max\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

muveeVideoCameraArrival\
"Provider" = "muvee autoProducer 4.0"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\muvee Technologies\muvee autoProducer 4.1 - Aiptek\muveeapp.exe" /RECORD"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

PDVD7DXPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPDVDDX"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

PDVD7DXPlayVideoCDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPDVDDX"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

RoxioSCAudioCDTask33\
"Provider" = "Roxio Creator Audio"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}" [null data]

RoxioSCCopyCD33\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCCopyDisc33\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCDataProject33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch Data" [null data]

RoxioSCDataTask33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}" [null data]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Google Software Updater" -> launches: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe scheduled_start" ["Google"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" [null data]

"{61539ECD-CC67-4437-A03C-9AACCBD14326}"
-> {HKLM...CLSID} = "AIM Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"
-> {HKLM...CLSID} = "Ask Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AskBarDis\bar\bin\askBar.dll" ["Ask.com"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" [null data]

"{61539ECD-CC67-4437-A03C-9AACCBD14326}" = "AIM Toolbar"
-> {HKLM...CLSID} = "AIM Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}" = (no title provided)
-> {HKLM...CLSID} = "Ask Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AskBarDis\bar\bin\askBar.dll" ["Ask.com"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{B0DE3308-5D5A-470D-81B9-634FC078393B}\(Default) = "Ask Toolbar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{E16DC1FE-7C34-43F2-B754-F3AD12DDF97C}\(Default) = "Google Find Bar"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{0B83C99C-1EFA-4259-858F-BCB33E007A5B}\
"ButtonText" = "AIM Toolbar"
"CLSIDExtension" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}"
-> {HKLM...CLSID} = "AIM Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{03402f96-3dc7-4285-bc50-9e81fefafe43}" = (no title provided)
-> {HKLM...CLSID} = "AIM Toolbar Search Class"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "bkup_Tabs" = "res://ieframe.dll/tabswelcome.htm" [MS]
<<H>> "tbNumber" = "1" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
ArcSoft Connect Daemon, ACDaemon, "C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe" ["ArcSoft Inc."]
Avira AntiVir Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir Desktop\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Scheduler, AntiVirSchedulerService, ""C:\Program Files\Avira\AntiVir Desktop\sched.exe"" ["Avira GmbH"]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
Broadcom ASF IP and SMBIOS Mailbox Monitor, ASFIPmon, ""C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service" ["Broadcom Corporation"]
Intel® PROSet/Wireless SSO Service, WLANKEEPER, "C:\Program Files\Intel\WiFi\bin\WLKeeper.exe" ["Intel® Corporation"]
Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\WiFi\bin\EvtEng.exe" ["Intel® Corporation"]
Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe" ["Intel® Corporation"]
Intel® PROSet/Wireless WiFi Service, S24EventMonitor, "C:\Program Files\Intel\WiFi\bin\S24EvMon.exe" ["Intel® Corporation"]
Maxtor Service, Maxtor Sync Service, ""C:\Program Files\Maxtor\Sync\SyncServices.exe"" ["Seagate Technology LLC"]
NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe" ["Dell Inc."]
NTRU TSS v1.2.1.25 TCS, tcsd_win32.exe, ""C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe"" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
PnkBstrB, PnkBstrB, "C:\WINDOWS\system32\PnkBstrB.exe" [null data]
SafeConnect Manager, SCManager, "C:\Program Files\SafeConnect\scManager.sys servicestart" ["Impulse Point, LLC"]
SigmaTel Audio Service, STacSV, "C:\WINDOWS\system32\StacSV.exe" ["SigmaTel, Inc."]
TdmService, TdmService, "C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe" ["Wave Systems Corp."]
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]
Wave UCSPlus, Wave UCSPlus, "C:\WINDOWS\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75}" [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2010-02-10 20:25:53)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 164 seconds.
---------- (total run time: 194 seconds)


Attached File  Startup_Programs__THE_REVELATOR__2010_02_10_20.25.53.txt   27.66KB   255 downloads

I realize this may take some time to scan/examine/puzzle through, but I will stand by. Thanks.

cmcrgl
  • 0

#23
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi cmcrgl,

Let's check to see if C: is set as your active partition.

Go to the Start Menu
Select Run
type diskmgmt.msc

It should list C: as the active partition, if it does not, right click on it and select Mark Partition as Active.

Thanks
Cruise
  • 0

#24
cmcrgl

cmcrgl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hello Cruise,

I opened Disk Management as instructed. I couldn't find anywhere in the window (see below) that labeled the partition as "Active", but "Mark Partition as Active" was greyed out in the context menu that opens when I right-clicked on the "C" drive icon.

diskmanagement.JPG

I believe that this indicates it is set to active (bootable) status. Where should the "Active" label appear? In the Disk Management window?

Thanks.

cmcrgl
  • 0

#25
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi cmcrgl,

Let's give this a shot :)

Open Notepad and copy and paste the following information.

@echo off
copy c:\windows\pss\boot.ini c:\boot.ini


Select File
Select Save As

Save the file as boot.bat, and select the file type as All Files and save it to your desktop.

Now go ahead and run boot.bat.

This should copy a backup boot.ini into place, that way we can try to protect it with the permissions from before.


After you run the bat file, go to your command prompt and navigate to your C: drive and type attrib +s +h +r Boot.ini

Let me know how that works out.

Thanks
Cruise
  • 0



#26
cmcrgl

cmcrgl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Cruise,

Thank you for the current course of action. I have received your message and will act upon it as soon as I can; however, I have run up against a looming deadline on another project and may not be able to carry out your suggestions as promptly as I would like. I just wanted to let you know that. However, I am not abandoning our quest for an answer.

cmcrgl
  • 0

#27
cmcrgl

cmcrgl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Upon creating and running the batch file, I found that it did not create a boot.ini file in the root directory. I checked the c:\windows\pss directory and found that the file was named

boot.ini.backup

so I edited the batch file to reflect this. After running it I have a boot.ini in the root directory of C: and I have applied the attribute command to it.

Restarting, the machine booted successfully to the desktop.

Second restart: regular boot failed with original pair of error screens.

I will restore and repeat the steps above, this time running the batch file after reaching the desktop.

It seems that attrib isn't protecting the file against whatever is removing it. I will test this when I can and report the results as soon as I can.
  • 0
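The restore step from post #25 and the renamed backup that post #27 ran into, combined into one script. This is an added example, not a file posted in the thread: it looks for the backup under the same C:\WINDOWS\pss folder the thread uses, tries both names seen above (boot.ini and boot.ini.backup), keeps a copy of any boot.ini already in the root, applies the same attrib +s +h +r as post #25, and then prints the attributes and the key boot.ini lines so the result can be checked without rebooting. It assumes an XP-era cmd.exe and an account that can write to the root of the system drive; the .prev file name is my own choice.

```batch
@echo off
REM Added example (not from the original thread): restore boot.ini from the
REM backup kept under %SystemRoot%\pss, then protect it and verify the result.
REM Assumptions: Windows XP cmd.exe, run from an account that can write to C:\.
setlocal

set "TARGET=%SystemDrive%\boot.ini"
set "SRC="

REM The backup may be boot.ini or boot.ini.backup (post #27 found the latter).
REM If both exist, the plain boot.ini wins because it is checked last.
if exist "%SystemRoot%\pss\boot.ini.backup" set "SRC=%SystemRoot%\pss\boot.ini.backup"
if exist "%SystemRoot%\pss\boot.ini"        set "SRC=%SystemRoot%\pss\boot.ini"

if not defined SRC (
    echo No backup found under %SystemRoot%\pss - rebuild from the Recovery Console ^(bootcfg /rebuild^) instead.
    exit /b 1
)

REM If a boot.ini is already present, clear its attributes and keep a copy
REM (boot.ini.prev is a name chosen for this example) before overwriting it.
if exist "%TARGET%" (
    attrib -s -h -r "%TARGET%"
    copy /y "%TARGET%" "%TARGET%.prev" >nul
)

copy /y "%SRC%" "%TARGET%" >nul || (
    echo Copy from "%SRC%" failed.
    exit /b 1
)

REM System + Hidden + Read-only, exactly as the attrib command in post #25.
attrib +s +h +r "%TARGET%"

REM Verification 1: attrib lists the flags in the first columns; expect SHR.
attrib "%TARGET%"

REM Verification 2: show the ARC paths so the [boot loader] default= entry can
REM be compared with the [operating systems] entries by eye.
findstr /i /c:"[boot loader]" /c:"default=" /c:"multi(" "%TARGET%"

endlocal
exit /b 0
```

Two caveats a practitioner would keep in mind. First, the read-only attribute only stops casual deletion (for example a bare `del` without /F); any program running with write access to the root directory can clear the attributes and remove the file, which is consistent with what post #27 reports. Second, a restored copy is only as good as the backup it came from, which is why the script prints the ARC paths: if the pss copy predates a partition change, bootcfg /rebuild from the Recovery Console is the safer source.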

#28
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi cmcrgl,

Thanks for that try, let's give this a shot. Take a look in your Add/Remove Programs in your control panel, and look for the ASK Toolbar, or ASK.com toolbar. If you see it there, please uninstall it and then reboot your computer.

If you do not see the ASK toolbar there, can you please give me a fresh OTS Scan :)

Thanks
Cruise
  • 0

#29
cmcrgl

cmcrgl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Cruise,

I found and removed the Ask Toolbar as you instructed. That seems to have done the trick.

Once it was removed, I restarted windows three times without losing the boot.ini file.

Thank you so much for guiding me through this.

I will be returning the computer to my nephew once I have created a disk image of the C drive.

I would appreciate it if this thread might be held open for a few days, until, say Friday the 19th as from now till then I am going to be otherwise engaged, and I would appreciate having a few days before we close the book on this one.

cmcrgl
  • 0

#30
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi cmcrgl,

Great News, I am glad we were finally able to figure it out. We will also be able to keep this open for a few days just in case something pops up :)


We need to take care of a few housekeeping tasks now.


Please open OTS

* Make sure you have an internet connection.
* Click the CleanUp! button.
* Select Yes when the "Begin cleanup Process?" prompt appears.
* If you are prompted to Reboot during the cleanup, select Yes



Now we need to create a new System Restore point.


Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next, go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.


Please download JavaRa to your desktop and unzip it to its own folder.

* Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
* Accept any prompts.
* Open JavaRa.exe again and select Search For Updates.
* Select Update Using Sun Java's Website then click Search and click on the Open Webpage button.
* Scroll down to the Java SE Runtime Environment (JRE) option.
* Download and install the latest Java Runtime Environment (JRE) version for your computer.



It is a good idea to keep Windows updated by visiting Http://windowsupdate.microsoft.com.

We are going to ensure that Windows Automatic Updating is turned on, to ensure that you will get all available updates.
* Go to your Control Panel.
* Select Automatic Updates
* Make sure Automatic is selected.






Now we will talk about some prevention steps :)

Antispyware Programs:
I recommend the following programs to help keep your computer safe from future attacks. Be sure to keep them updated, and scan your computer at least once a month.
* SpywareBlaster to help prevent spyware from installing in the first place.
* SpywareGuard to catch and block spyware before it can execute.
* IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.


Antivirus Protection.
This is basically a necessity! Be sure to have an up-to-date antivirus program installed and running on your computer. But remember, only one program should be installed at a time to prevent conflicts. As with any other tool, it needs to be updated regularly to help combat the newest threats. I recommend the following FREE Antivirus Programs.
AntiVir
Avast



Firewall.
A firewall is just as important as a reliable antivirus program. A firewall acts as a barrier between you and the rest of the world. It blocks all internet traffic from reaching your computer that you have not approved. If you don't use a firewall, it will open up your computer to attacks. Criminals can break into your computer and steal your personal information, or even use your computer for anything they please.

Additionally, just as you should only have one antivirus program installed on your system, you should only have ONE firewall installed. If you have more than one installed, they will conflict with each other and not work properly.

Here are a few Free Personal Firewalls

Comodo Free Firewall
Zone Alarm Free
Sunbelt-Kerio




Next, you can use the MVPS Hosts file, which replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.
http://mvps.org/winhelp2002/hosts.htm


Lastly, to find out more information about how you got infected in the first place, and some pointers to follow to prevent future infections, check out this article by Tony Klein: How did I get infected in the first place?


Good Luck
Cruise
  • 0
