[RESOLVED] trojan downloader


#1
bradstacey
Well I was cruising around the internet when Norton pops up about six windows in a row saying that I have different types of viruses that were attempting to download but automatically deleted, so at first I thought I was okay. I closed my current browser windows and opened a new one, only to find that my about:blank page has been changed. It's a full page of links about genital enlargement and hair loss options and all sorts of useful links. Also, whatever the infection is pops up a message box which says:
**WARNING!
Windows detected spy software "sspmyDoom.cih" ver 2.018. Somebody is trying to access you through port 245. Your private information is in danger.

Click "OK" for information on how to remove this spy software. **

If I click cancel, nothing happens but it keeps the link page. If I click OK the page switches to some hacker's definition of spyware... It's not illegal and it's not so bad, riiiight. All of the links on the hijack page refer to 'http:\\onemoresearch.net'. It also adds two sites to my trusted sites, which can't be removed from trusted, and can't be added to restricted, which is in my opinion computer rape. The sites it adds are: frame.crazywinnings.com and static.topconverting.com.

Now there's a process called DrWatsn32.exe which I suspected, and sure enough things start running when I shut it down, but it pops back up a few seconds later.

I can't run anything off of my quick launch menu or desktop except, occasionally, Internet Explorer, which always pops up this hijacked links page, and which I have to use to explore my computer.

I've run Ad-Aware 6, SpywareBlaster, Spybot S&D, Norton AntiVirus, updated them all, re-scanned, and this search page is still hijacked, and my programs still don't run very often. Kazaa was put out of commission by it, too, apparently. NAV finds no viruses, and even though the other programs find and 'fix' several problems, they don't stop the page from being hijacked or let my programs run again.

I did all the steps recommended on this site, but there's some resident file which keeps restoring all the adware, trojans, etc. Please help me.

Logfile of HijackThis v1.98.0
Scan saved at 10:22:45 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\addtn.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\WINDOWS\system32\drivers\CDAC11BA.EXE
D:\WINDOWS\system32\gearsec.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Tablet.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\WINDOWS\system32\cmd.exe
D:\WINDOWS\system32\addgi.exe
C:\Programs\BSPlayer\bsplayer.exe
D:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26F53C99-0B61-4FB0-4D4A-515CE2A6A5F0} - D:\WINDOWS\iemx32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [addtn.exe] D:\WINDOWS\addtn.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tibs5] D:\WINDOWS\system32\tibs5.exe
O4 - HKLM\..\RunOnce: [appee32.exe] D:\WINDOWS\appee32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab

#2
bradstacey
Some new information: adware always detects the following virus, which returns after it is deleted: Win32.TrojanDownloader.Agent.al

The housecall scan linked to off of here also detects a trojan. Both say that they successfully removed it, but it keeps returning in scans. Something seems to be blocking Norton updates of the common client service due to a file called ccweb.dll which cannot be moved, deleted or updated. Maybe the virus is hiding in there? Also, Spybot S&D, every time I load it, has no new updates, but either 1049 or 1044 new bad products to immunize. Occasionally it says it has 1049, then after that immunization, it has 1044, then it has no more, until I restart Spybot.

This seems to be a really bad virus, and re-formatting is looking to be the best option lately. If anyone has any other advice, please let me know.

#3
admin
Administrator
Hi bradstacey,

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean up the leftovers

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26F53C99-0B61-4FB0-4D4A-515CE2A6A5F0} - D:\WINDOWS\iemx32.dll
O4 - HKLM\..\Run: [addtn.exe] D:\WINDOWS\addtn.exe
O4 - HKLM\..\Run: [tibs5] D:\WINDOWS\system32\tibs5.exe
O4 - HKLM\..\RunOnce: [appee32.exe] D:\WINDOWS\appee32.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com

Then delete the following files (if they exist):

D:\WINDOWS\iemx32.dll
D:\WINDOWS\addtn.exe
D:\WINDOWS\system32\tibs5.exe
D:\WINDOWS\appee32.exe

Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.
  • 0
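
An added example, not part of the original posts and not how HijackThis or the helper above decides anything: a small Python triage pass over HijackThis log lines that surfaces the entry types singled out in the fix list. The four rules and the names `parse_entries` and `triage` are assumptions made for illustration; the sample is constructed from entries in the first log of this thread.

```python
import re

# Constructed sample built from entries in the first HijackThis log above.
# The O3 entry is wrapped mid-CLSID, as happens when logs are pasted into posts.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\yvhzl.dll/sp.html#44768
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26F53C99-0B61-4FB0-4D4A-515CE2A6A5F0} - D:\WINDOWS\iemx32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB
-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [addtn.exe] D:\WINDOWS\addtn.exe
O4 - HKLM\..\Run: [tibs5] D:\WINDOWS\system32\tibs5.exe
O4 - HKLM\..\RunOnce: [appee32.exe] D:\WINDOWS\appee32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RES_DLL = re.compile(r"=\s*res://[^/]+\.dll/", re.I)
BHO = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - .+$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]+\] (?P<cmd>.+)$")
WIN_ROOT_EXE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.I)


def parse_entries(log_text):
    """Return [(code, body)], re-joining entries that a paste wrapped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m["code"], m["body"]])
        elif line and entries:
            entries[-1][1] += line  # continuation of the previous entry
    return [tuple(e) for e in entries]


def triage(log_text):
    """Return (code, reason, body) for entries worth a closer look.

    Assumed heuristics, for narrowing a log before manual review:
      res_dll              IE search/start value served from a local DLL
      unnamed_bho          Browser Helper Object registered with no name
      autorun_windows_root Run/RunOnce target sitting directly in \\WINDOWS
      trusted_zone         any site placed in the IE Trusted Zone
    """
    findings = []
    for code, body in parse_entries(log_text):
        if code in ("R0", "R1") and RES_DLL.search(body):
            findings.append((code, "res_dll", body))
        elif code == "O2":
            m = BHO.match(body)
            if m and m["name"] == "(no name)":
                findings.append((code, "unnamed_bho", body))
        elif code == "O4":
            m = RUN.match(body)
            if m and WIN_ROOT_EXE.match(m["cmd"]):
                findings.append((code, "autorun_windows_root", body))
        elif code == "O15":
            findings.append((code, "trusted_zone", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:22} {body}")
```

The `tibs5.exe` entry under `system32`, which the fix list above also names, is not caught by these rules: a pass like this narrows a log for review, it does not replace reading it.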

#4
Da-Zman
Did all of your suggestions, including About:Buster, Cleanup!, CWShredder 2.13, Ad-Aware, and the latest vs of HJT. All in safe mode. Rebooted, problem still there. Also note, O15 - Trusted Zone: *.frame.crazywinnings.com seems to not allow removal by HJT. Even when you fix it, it comes back.

#5
Da-Zman
By the way, here is the HJT logfile. I don't know what the wuauclt.exe is? Also note the part where *.frame.crazywinnings.com doesn't remove itself despite repeated attempts to remove it with Hijack This and manually:
-----------------------------------------

Logfile of HijackThis v1.99.0
Scan saved at 8:32:49 PM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096309664963
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe

#6
Da-Zman
Finally, here is the About:Buster log file:
------------------------------------------------

Scanned at: 6:48:42 PM on: 2/8/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Scanned at: 9:07:16 PM on: 2/8/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

#7
ddejonghe
I have the same problems... Will do as suggested and see if it works for me...

Really a nasty infection....

Dominique

#8
bradstacey
Okay, I'm the original poster of the topic just to clarify. I'm not registered as multiple users. But, like adzman, I did all that, yet frame.crazywinnings always reappears instantly in the trusted zone. And, now that I've done all of those instructions, things aren't exactly worse, but bad in a different way. Now Norton Antivirus is no longer autoprotecting, I click Enable but it remains off, and there's an error in email scanning which won't allow me to turn it on. Windows Update supposedly downloaded something to check for malware, it downloaded, made me restart, but didn't do any apparent scans.
I did the Trend Micro scan while I went to sleep, woke up in the morning with nothing on the screen...? Then this morning I was starting to do the pandora software you recommended, but that site looks exactly like something you'd get from a search hijacker, with all sorts of other links and crap. And you posted the trendmicro scan twice... did you mean for me to do the same scan sandwiched around the pandora one?

On a side note, good job coolwwwsearch. I've bought none of your products, your adware and forced links are really effective! Congratulations! I've also wasted hours of my life! Thank you! I really hope anyone responsible for creating viruses dies a slow horrible death and burns in some facsimile of h*** for eternity.

Alright, here's my aboutbuster log:
Scanned at: 12:24:58 AM on: 2/9/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Removed 2 Random Key Entries
Removed! : D:\WINDOWS\system32\awasj.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


And my hjt log:
Logfile of HijackThis v1.98.0
Scan saved at 12:51:40 AM, on 2/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\RunOnce: [CleanUp!] C:\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab

Okay, my intuition is telling me that this virus is slowly replacing or adding code to my necessary software. In one of the scans, I think CWShredder, it located something called coolwwwsearch.msconfig. It seems like the [bleep] who created the virus has read one of these help processes and prepared the virus to screw up the next likely step for the person trying to fix their computer. Probably a former employee of Microsoft or something? Really disturbing. I DIDN'T FIRE YOU, BRO! Haha, anyways. Please help my newb a** a little more, then I'm just going to reformat, 'cause this one's a goner I think.

So, in case I am unable to return here, farewell.

#9
admin
Administrator
Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

#10
bradstacey
But it deletes everything in my restricted zone too? Is there any way to make a backup? 'Cause I've been adding sites to that like crazy to avoid pop-ups and such. And other ad banners.

I'm guessing that the site in the trusted zone is where the malware is re-downloading the virus, right? I kinda want to understand what's going on with this as well as fix it...

#11
mpfeif101
Retired Staff
Go ahead with the fix. It will clear your restricted site zone, but once you are clean we can get you some protection programs so that you don't need to manually add sites to the restricted zones. :tazz:

#12
bradstacey
Goodness gracious, it's gone! Praise be to the geeks which go!

#13
admin
Administrator
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

#14
axl
Hi you all!!!
I'm new here and need some help. ;) :tazz:
I have the same problem, somebody is trying to access port 245 etc... I've downloaded your link " http://www.mvps.org/.../DelDomains.inf " and this is a text document? I'm also new with PCs, so... what do I have to do with it?
And another question: When I try to open any application my PC shows something like this " drwtsn32.exe has detected a problem and you have to close " can I finish this process without get several changes into windows?
Thanks in advance!!!

#15
Guest_thatman_*
Welcome to geekstogo axl ;)

You Must Read This Before Posting A Hijackthis Log

Kc :tazz: