[tampabelle]

Hi Andrew,

CONGRATULATIONS !!!!!!!! Your PC is clean



I would recommend the following steps to keep your PC clean (especially Step 8 now that your PC is clean) –

PREVENTIVE MEASURES FOR FUTURE

Operating System
1. Keep the Windows and Internet Explorer updated with the latest fixes. These fixes are available free from Microsoft. Click on Tools in the IE menu bar and then on Windows update. You can also use the following links

Windows security and critical updates
Internet Explorer security and critical updates

Also ensure that automatic updates are enabled for faster updation of the system.
(Right click on My Computer on your desktop, properties and Automatic Updates tab.


Anti-Virus Software
2. Keep your Anti-virus program updated with the latest definitions. Some of the common anti-virus programs in use are :

Norton Anti-Virus
McAfee Anti-Virus
AVG Anti-Virus --- freeware
Avast Home Edition --- freeware

Use only one anti-virus program as multiple such programs can create conflicts between themselves and severely hamper the performance of your PC.


Firewall
3. You should also have a good firewall. Here are 3 free ones available for personal use:
Sygate Personal Firewall, Kerio Personal Firewall, ZoneAlarm


Internet Browsers
4. Have robust explorer settings. It is preferable to use an internet browser other that IE as most of the malware is targetted at IE. In case you prefer to use IE, then download a list of innocent looking but harmful websites from IE-Spyad and install it on ur PC. IE-SPYAD puts over 5000 sites in your internet explorer's restricted zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.

Some alternate browsers I suggest are Firefox Mozilla Browser and Opera

Ensure that Security level, irrespective of whichever browser you use, is set at Medium or higher, restrict the usage of cookies and activeX components.


Spyware Protection
5. Have a wall of protection against spyware / adware by installing SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs.
SpywareBlaster will prevent spyware from being installed and consumes no system resources.
SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.


Spyware Removers
6. Install programs for scanning for malware and uninstalling them. Two of the best programs, both are freeware, are :

Spybot Search & Destroy - A powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware SE Personal Edition - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.


Regular Maintenance of PC
7. Finally, invest some time for regular maintenance of your PC. Delete the temporary Internet files, temporary files, cookies etc. Click on Start button, Programs, Accessories, System Tools and run the program Disk Cleanup. Follow the instructions.

An alternate freeware software which can be used is CleanUp.

Keep your Registry clean. My favourite software is Registry First Aid. This is not a freeware but a trial version can be downloaded.


System Restore Points
8. Since your PC is currently clean, create a system restore point. A system restore would enable you to revert to the settings on the PC when the restore point was created. It is also a good idea to flush all earlier system restore points which may be containing infected files.

A. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

B. Restart your computer.

C. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Go ahead and enjoy a clean PC !!!!!!!!!!!!!

[Advertisements]

thats one thing ive noticed, i dont have shareaza!!, i noticed it when scanning through the logs aswell as some reference to amtyne and wear webcam?? on the log. i may have used shareaza once a few years ago but it was deleted. is there a simple way for me to wipe this.

also one last thing, i still have the desktop screen on saying danger:spyware, it doesnt let me right click on the desktop or inside any folders, is that anything to do with spyware or virus's?


cheers.

[andrew1185uk]

thats one thing ive noticed, i dont have shareaza!!, i noticed it when scanning through the logs aswell as some reference to amtyne and wear webcam?? on the log. i may have used shareaza once a few years ago but it was deleted. is there a simple way for me to wipe this.

also one last thing, i still have the desktop screen on saying danger:spyware, it doesnt let me right click on the desktop or inside any folders, is that anything to do with spyware or virus's?


cheers.

[tampabelle]

NOW you tell me !!!!!

Step 1
Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Step 2
Copy the part in bold below into notepad and save it as background.reg
Save as type:All files (The first line in the file should be REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"NoAddingComponents"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoCloseDragDropBands"=-
"NoMovingBands"=-
"NoHTMLWallPaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

Doubleclick the file and confirm you want to merge it with the registry.


Step3

Reboot the PC in Safe Mode.

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

Shareaza

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\Program Files\Shareaza


Reboot the PC in Safe Mode.

Let me know how it goes.

[andrew1185uk]

shareaza seems to have gone. Thanks a lot for all youve done, my computer was a mess and i didnt want to reformat, or want the spyware to damage my uni work etc, so youve saved me!

when payday comes ill be sending you a bit of money, enough to buy you a few beers, as you certainly deserve them!.


i only have one small probelem left though, ive changed the desktop wallpaper fine and the signs gone, but since restarting from deleting shareaza a internet explorer window (i usually use firefox) has popped up 3 times with a link to the smart security website, something along the lines of www.smart-security. info or com. and the only other minor problem is that i cant right click on desktop or in folders, am i righ in thinking the service packs could solve this or do they not have anything to do with this?

[tampabelle]

Hi Andrew,


Did you catch another infection ????


I will kill you !!!

Please visit the Microsoft site I told you and install Service Pack 1.

Post a HJT log here

I have seen this before. Let me check and revert though it may be tomorrow morning.

Edited by tampabelle, 19 July 2005 - 07:46 PM.

[andrew1185uk]

ok i think its part of the smart security desktop problem i had, at the moment im downloading service pack too which it said was needed from my updates tab bottom right, ill set off dloading and installing the service pack 2 and 3 tomorrow morning and run a spyware scan etc. its a bit late here in england so ill report back tomorrow!!.

[tampabelle]

Dont install Service Pack 2 yet !!!

Installing Service Pack 2 when the PC is infected usually lead to bad results !!!!

Even if it does get installed, uninstall Service Pack 2.

[tampabelle]

Hi Andrew,


Install Service Pack 1.

Post HJT log here tomorrow, I will have a look at it

[andrew1185uk]

hi tampa, im having an absolute nightmare with this. i installed all the updates as the windows update suggested the other day, since rstarting though ive lost use of mouse sound etc, ive tried the update again hoping it would install any drivers needed that have somehow gone etc.

ive got my drivers CD here which has worked before, ive tried installing the usb 2.0 from it and sound but none work after restart. i thought my pc would have realised and automatically updated. ive tried several mouses so it isnt them, but shouldnt the keyboard not work too?

anyway if i can get the mouse sorted and drivers, then ill get service pack 2 off and you can check if everythings ok and we can get the security measures on!.

cheers. andrew.

[tampabelle]

Hi Andrew,


Press the Windows key on your keyboard (between the crtl and al;t keys on the left hand side), then settings and control panel.

In the new windows which opens, navigate to System and hit enter. Press the Hardware button (you can use the tab key to navigate between various choices. when the General tab at the top is highlighted, use the arrow key to get to Hardware). Press the tab key again and when Device Manager is highlighted, hit enter. Navigate and check which if the hardware devices are not working.

Try the update driver option for each of the hardware items not working !!!

Let me know how it goes !!!

[andrew1185uk]

hi, just sorted the sound as you posted. basically it had an explanation mark against it, so i reinstalled it and it was fine. been through all the usb hubs and everything else on device manager and everything is apparently working fine. for some reason its not detecting the mouse, ill post a log soon btw too.

[tampabelle]

How is the mouse connected to the PC ???

What kind of pin does it have ???

[andrew1185uk]

Logfile of HijackThis v1.99.1
Scan saved at 00:00:22, on 22/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Trust\460LR MOUSE WIRELESS OPTICALOFFICE\1.1\moffice.exe
C:\Program Files\Trust\460LR MOUSE WIRELESS OPTICALOFFICE\1.1\MOUSE32A.DAT
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Soulseek\slsk.exe
C:\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Trust\460LR MOUSE WIRELESS OPTICALOFFICE\1.1\moffice.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121818960732
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1121819161186
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://www.tynebridg...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pdownloader.cab
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

[andrew1185uk]

its USb, pc usually detects as its plugged in, no software involved.

[tampabelle]

Did you happen to try to connect or disconnect the mouse while the PC was up ??? It could damage the USB port !!!