Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Winfixer 2005 + Other Problems [resolved]

Started by John2005 , Sep 14 2005 10:56 PM

  • This topic is locked This topic is locked

#1
John2005
Posted 14 September 2005 - 10:56 PM

John2005

    Member

  • Member
  • PipPip
  • 40 posts
Dear geeks to go,

My PC has become infected with Winfixer 2005 (aka Winantispyware). I'm also seeing occurrences of popups of Amxtravel.com, Matchservices.com, Redzip.com, etc. I downloaded and ran the following programs prior to writing this posting:

Ad-aware SE
CWShredder
Spybot S&D
Ewido Serurity Suite
Trend Housecall
Semantec Anti-Virus (this is my "resident" anti-virus program)
TrojanHunter

I'm running SP2 and didn't do an update, becasue I suspect malware is still present. I'll give you my HiJack This! log is a minute, but first, here are a few of the problems I had while running the anti-mailware programs above:

I ran CWShredder and removed cws.msconfig and cws.look2me. Now whenever I boot up the PC, I get this following messge: "CWShredder.exe application error. The instruction a uxeo12e3f1 referred to memory at 0x000000001. The memory could not be written."

Spybot identified shopathome and winfixer, and I instructed the program to remove them.

Ewido continues to return a "cabsvc.dll - infection by trojan.agent.cs" message everytime I boot up. I instruct the program to clean the file, but it doesn't seem to take.

Trend identified the Java Bytever trojan, but could not clean it. It also ideintified Trajan Agent FZ in C:\Windown\Microsoft.net.

Symantec identified three occurrences of the Trojan Byte Verifier (in a compressed file) but can't disinfect it.

I'm not trying to make this too daunting, but I could sure use some help. Here is my HiJack This! log:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:36 PM, on 9/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\Spyware-Trojan Detection Sept 2005\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\system32\apdd.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\apdd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\cabmsvc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comne...iveSecurity.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O20 - Winlogon Notify: cabmsvc - C:\WINDOWS\Microsoft.NET\cabmsvc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Administrator\My Documents\Spyware-Trojan Detection Sept 2005\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here is my ewido Saved Report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:02:25 PM, 9/14/2005
+ Report-Checksum: FB380D5A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
[3940] C:\WINDOWS\system32\apdd.dll -> TrojanDownloader.Delf.lh : Error during cleaning
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Downloads\HotRodASD-dm[1].exe -> Spyware.Trymedia : Cleaned with backup
C:\WINDOWS\assembly\NativeImages1_v1.0.3705\ehepgdat.resources\6.0.3000.0_ko_31bf3856ad364e35_4ba7ad81\taskmfc.dll -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\Microsoft.NET\cabmsvc.dll -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\Microsoft.NET\psac.dl -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__apdd.dll -> TrojanDownloader.Delf.lh : Cleaned with backup


::Report End

Thanks in advance for your help,

John
  • 0

Advertisements

#2
g2i2r4
Posted 15 September 2005 - 07:56 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome John2005 to Geeks to Go!

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Microsoft.NET\cabmsvc.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\Microsoft.NET\cvsmbac.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:R3 - Default URLSearchHook is missing

    O2 - BHO: C:\WINDOWS\system32\apdd.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\apdd.dll (file missing)

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\cabmsvc.dll

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comne...iveSecurity.cab

    O20 - Winlogon Notify: cabmsvc - C:\WINDOWS\Microsoft.NET\cabmsvc.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install Cleanup from here (Alternate site if the above is not working, go Here)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#3
John2005
Posted 15 September 2005 - 02:33 PM

John2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Dear g2i2r4,

I've followed your instructions. I'm still getting the "CWShredder.exe application error. The instruction a 0x0012e3f1 referred to memory at 0x000000001. The memory could not be written."

Good news on the winfixer, its partially disabled. Now I get a blank screen when winfixer tries to install itselt, with the message: "Error detected - Microsoft internet Explorer" at the top of the screen, but no attempt to install the malware.

Here are the results of the ActiveScan:

Incident Status Location

Adware:adware/tvmedia No disinfected C:\Documents and Settings\Administrator\Application Data\tvmcwrd.dll
Virus:W32/Sober.V.worm Disinfected Personal Folders\Deleted Items\FwD: Registration Confirmation\account_info.zip[Winzipped-Text_Data.txt .pif]
Virus:W32/Sober.V.worm Disinfected Personal Folders\Deleted Items\Your email was blocked\mail_info.zip[Winzipped-Text_Data.txt .pif]
Virus:W32/Sober.V.worm Disinfected Personal Folders\Deleted Items\Re:\our_secret.zip[Winzipped-Text_Data.txt .pif]
Virus:W32/Sober.V.worm Disinfected Personal Folders\Deleted Items\mailing error\mail_info.zip[Winzipped-Text_Data.txt .pif]
Virus:W32/Sober.V.worm Disinfected Personal Folders\Deleted Items\mailing error\error-mail_info.zip[Winzipped-Text_Data.txt .pif]
Virus:W32/Klez.I Disinfected Previous E-mail Folder\Sent Items\AAA File\me_loginmain[1].aaa
Adware:Adware/CWS.Aboutblank No disinfected Previous E-mail Folder\Family Mail\Spyware\RE: Spy Sweeper Problems: HijackThis Log for JP Frost - Requested Files\Requested Files.zip[sp.html]
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\Microsoft.NET\cabmsvc.dll


Here is my HijackThis! log:

Logfile of HijackThis v1.99.1
Scan saved at 3:08:45 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\ehome\ehRec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\My Documents\Spyware-Trojan Detection Sept 2005\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Administrator\My Documents\Spyware-Trojan Detection Sept 2005\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

(Note: your instructions called for the removal (via HiJackThis! FIX CHECKED) of the following BHO:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\cabmsvc.dll

- This was not listed on the HijackThis! scan/check box screen when I ran it.


Here is the vundofix.txt file:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 392 'smss.exe'
Threads [396][400][404]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1272 'explorer.exe'
Killing PID 1272 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 472 'winlogon.exe'
Killing PID 472 'winlogon.exe'
Killing PID 472 'winlogon.exe'
File Deleted sucessfully.

Thanks again for the help g2i2r4,

John
  • 0

#4
g2i2r4
Posted 15 September 2005 - 02:45 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please uninstall CWShredder.

Go here and follow instructions to remove TVMedia from your computer.

***

Download the Killbox.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:

C:\WINDOWS\Microsoft.NET\cabmsvc.dll

Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

Remove this emailmessage: RE: Spy Sweeper Problems:
It's in this folder:
Previous E-mail Folder\Family Mail\Spyware\

***

Is the computer running ok now?
  • 0

#5
John2005
Posted 15 September 2005 - 10:21 PM

John2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Dear g2i2r4,

I've followed your instructions, and the good new is that Killbox was able to remove the \WINDOWS\Microsoft.NET\cabmsvc.dll file. Also, I deleted CWShredder and the error message no longer appears.

When I accessed the Microsoft Adware T.V. Media Program Removal Tool, in reading the “prerequisite” information, I found the following:

"The Adware T.V. Media Removal Tool has the following prerequisites:
• Your computer must be running a 32-bit version of Windows XP SP1 or earlier.
• You must log on as a computer administrator or as a member of the Administrators group.
If these prerequisites are not met, the installation will not work and you will receive an error message."

I did not run the removal tool, since I am running SP2. Should I run it anyway?

My system is getting better and better, but I still had several occurrences today of spyware and trojans popping up:

Upon opening Outlook, I received a Symantec Antivirus Notification:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Backdoor.Graybird
File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mc21.tmp
Location: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
User: Administrator
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Thursday, September 15, 2005 8:43:13 PM

I ran a full scan of my drives with Symantec, and it came up clean.

I also reran ewido, with the followign results:

Ewido Security Suite
File: C:\WINDOWS\system 32\__delete_on_reboot__apdd.dll
Infection: TrojanDownloader.Delf.lh
Threat: High
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:27:18 PM, 9/15/2005
+ Report-Checksum: 5C65F714
+ Scan result:
C:\WINDOWS\system32\__delete_on_reboot__apdd.dll -> TrojanDownloader.Delf.lh : Cleaned with backup
::Report End

During the ewido scan, I also received a Symantec Antivirus Notification:
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan Horse
File: C:\System Volume Information\_restore{D159E7D2-7180-4781-B3F8-2514E77B16FD}\RP33\A0025443.dll
Location: Quarantine
User: SYSTEM
Action taken: Quarantine succeeded : Access denied
Date found: Thursday, September 15, 2005 9:47:34 PM

I also ran AdAware, and it only up a tracking cookie, which I'm guessing is pretty harmless:

Ad-Aware SE
Name:Tracking Cookie
Category:Data Miner
Object Type:IECache Entry
Size:250 Bytes
Location:C:\...\Administrator\Cookies\administrator@2o7[1].txt
Last Activity:9-16-2005 12:49:31 AM
Relevance:Low
TAC index:3
Comment:Hits:3
Description:This cookie is known to collect information that may be used either for targeted advertising, or tracking users across a particular website, such as page views or ad click-thrus.

So, like I said g2i2r4, things are getting better, but I still have a few glitches. Your continued help is greatly appreciated.

John
  • 0

#6
g2i2r4
Posted 16 September 2005 - 02:23 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I'm still here and I will be as long I'm needed.


Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\DOCUMENTS AND SETTING\ADMINISTRATOR\LOCAL SETTINGS\Temp\mc21.tmp
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

We will remove the one in system restore as soon as the rest is clean.

***

Remove this program through the provided Add/Remove Programs entry. To uninstall it follow these steps:
  • Enter the control panel.
  • Double-click on the Add/Remove Programs link.
  • Look for the entry for TV Media.
  • Reboot your computer into Safe Mode
  • Delete the following directory: C:\Program Files\TV Media\ or c:\TV Media (whichever exists).
  • Reboot your computer and let it boot normally.
***

Let's see what else is there.
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and past the List from notepad into your post

  • 0

#7
John2005
Posted 18 September 2005 - 10:37 PM

John2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
g2i2r4,

Thanks for sticking with me. I managed to kill the mc21.tmp file as you instructed. I could not find any occurrence of "TV Media" however. Here is my HijackThis! uninstall manager log:

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AOL Instant Messenger
ArcSoft Camera Suite 1.3
Ares 1.8.1
ATI Control Panel
ATI Display Driver
Backyard Hockey 2005
Blackhawk Striker from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Bounce Symphony from Hewlett-Packard Desktops (remove only)
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.1
Canon Utilities ZoomBrowser EX
Citrix ICA Web Client
CleanUp!
Counter-Strike: Condition Zero
Creative Driver
Creative MediaSource
Crystal Maze from Hewlett-Packard Desktops (remove only)
Easy Internet Sign-up
ewido security suite
Far Cry
Five Card Frenzy from Hewlett-Packard Desktops (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Image Zone for Media Center PC
HP Image Zone Plus 3.5
HP Instant Support
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.5
HP Software Update
HPIZ350
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iPod Updater 2004-11-15
iriver Music Manager
iRiver Updater
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
KBD
LimeWire
LimeWire 4.8.0
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Shockwave Player
Memories Disc Creator 2.0
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Monster Truck Madness 2 Trial
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Plus! Digital Media Edition
Microsoft Works 7.0
MSN
MSN Music Assistant
Norton WMI Update
Orbital from Hewlett-Packard Desktops (remove only)
Otto
Otto from Hewlett-Packard Desktops (remove only)
Overball from Hewlett-Packard Desktops (remove only)
Panda ActiveScan
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
PopSubtract
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
QuickTime
RecordNow!
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Slyder from Hewlett-Packard Desktops (remove only)
Sonic Update Manager
Sound Blaster Audigy 2 ZS
SpamSubtract
Spybot - Search & Destroy 1.3.1 TX
Steam
Symantec AntiVirus
The Sims 2
The Sims Superstar
There (remove only)
Toolkit View(HP)
Tradewinds from Hewlett-Packard Desktops (remove only)
Tradewinds from Shockwave.com (remove only)
Trend Micro Anti-Spyware
TrojanHunter 4.2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Updates from HP
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix [See KB892906 for more information]
Windows Media Player 10
Windows Rights Management client
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Word Symphony from Hewlett-Packard Desktops (remove only)

-John
  • 0

#8
g2i2r4
Posted 19 September 2005 - 02:22 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Can you please killbox this one:

C:\Documents and Settings\Administrator\Application Data\tvmcwrd.dll

(it´s getting on my nerves :tazz: ).

Reboot and let me know how things are now.
  • 0

#9
John2005
Posted 19 September 2005 - 07:32 PM

John2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Dear g2i2r4,

I Killboxed the tvmcwrd.dll file. Everything seems good now. You've been great.

Speaking of "getting on my nerves", two quick ones for you:

Do you know why the calendar function doesn't work on certain Web applications? E.g. if I go to Continental.com, key in travel cities, and then try to use the calendar pop-up to plot the dates, it doesn't work. I need to manually key in the dates. Why doesn't it work?

And: in terms of tracking cookies, like 2o7.net, what is your take on them? Should I try to block them from adding themselves to my PC, or are they truly harmless? How would I block them from my PC?

Thanks again,

John
  • 0

#10
g2i2r4
Posted 20 September 2005 - 02:27 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I will post you some tips for the future when we are done. That way you can setup Internet Explorer too.
I would remove cookies on a regular basis (like once a week)

As to the calender issue:
It has to do with your settings for javascript.
Read about it and much more on making Internet Explorer safer in this exellent tutorial made by our expert Bobbi Flekman.

Shall I post you the tips and close this topic?
  • 0

#11
John2005
Posted 20 September 2005 - 04:45 PM

John2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
OK, thanks g2i2r4.
  • 0

#12
g2i2r4
Posted 21 September 2005 - 11:29 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You're welcome.

Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & Hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware – Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP