
Help me to remove spyware (Fake alert) from my system



#1
sagarmr

    New Member

  • Member
  • 6 posts
While downloading an mp3 file, I was given an .exe file to download. I downloaded and installed it (I am so stupid!). Then it created 2 desktop shortcut icons named "Online spy ware test" and "Anti virus Scan". Now they are generating FAKE system alerts every second, and sometimes prompt various types of .exe file downloads. Clicking on the fake alert, I get redirected to (http://www.antispycheck.com/?aid=1012).

Here are my HijackThis log file and StartupList report. Please help me to remove the spyware.




#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello sagarmr

Welcome to G2Go. :)
=====================
Please go to Start> Control Panel > then Add\Remove programs.
Please then remove DAP.
Then close out of add\remove programs.

After that, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
===============
After that please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
sagarmr

Hi kahdah,
Thank you very much. The spyware has been removed successfully from my system (I think so). And it was completed by running MBAM. But I had some problem in running your other recommendation, DSS. At the end, it stopped working with an error message. Please find the log file created by MBAM below. Now, please tell me, should I worry about the "not performed" DSS? And can I use DAP in future? I really liked it. Thank you once again.


#4
kahdah

DAP is adware; it is up to you if you want to use it in the future.
But as you can see here > http://research.sunb...threatid=288290
I do not recommend it.

Instead of DSS, please run HijackThis again.
And post a new log from it please.

#5
sagarmr

Thank you for your recommendation.
Here are the log file and startup report from HijackThis.
LOG FILE
Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:58:04 AM, on 8/17/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\VTTimer.exeC:\WINDOWS\system32\S3trayp.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\FileZilla Server\FileZilla Server.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunchR3 - URLSearchHook: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: 604262 helper - {4F006697-FB04-4B67-86BB-0DCA9C0514B4} - C:\WINDOWS\system32\604262\604262.dll (file missing)O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [VTTimer] VTTimer.exeO4 - HKLM\..\Run: [S3Trayp] S3trayp.exeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: Yahoo! 
Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url="http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab"]http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab[/url]O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab"]https://download.macromedia.com/pub/shockwa...ash/swflash.cab[/url]O17 - HKLM\System\CCS\Services\Tcpip\..\{17AD523D-D14C-4D68-A868-45F38B5D99FB}: NameServer = 122.248.47.11 4.2.2.2O17 - HKLM\System\CS1\Services\Tcpip\..\{17AD523D-D14C-4D68-A868-45F38B5D99FB}: NameServer = 122.248.47.11 4.2.2.2O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeO23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe--End of file - 5304 bytes
Startuplist
StartupList report, 8/17/2008, 12:59:45 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RTHDCPL = RTHDCPL.EXE
Alcmtr = ALCMTR.EXE
VTTimer = VTTimer.exe
S3Trayp = S3trayp.exe
avgnt = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
FileZilla Server Interface = "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\DREAMA~1.SCR
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
604262 helper - C:\WINDOWS\system32\604262\604262.dll (file missing) - {4F006697-FB04-4B67-86BB-0DCA9C0514B4}
(no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
--------------------------------------------------
Enumerating Download Program Files:
[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
CODEBASE = https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 5,221 bytes
Report generated in 0.016 seconds
Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Please tell me what you are thinking.
  • 0

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Your log looks a lot better; I just want to run an online scanner to double check.
============================================
Please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to these entries below:

O2 - BHO: 604262 helper - {4F006697-FB04-4B67-86BB-0DCA9C0514B4} - C:\WINDOWS\system32\604262\604262.dll (file missing)


Now click on Fix Checked and then close Hijackthis.
===================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\604262
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0
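The check kahdah describes above (find the BHO entry marked "(file missing)" and the folder its DLL used to live in) can be scripted over a saved log. This is an added example, not part of the original thread or of HijackThis; the function names are hypothetical and the sample log is constructed from lines quoted in this thread.

```python
import re
from ntpath import dirname  # Windows path rules, works on any OS

# Constructed sample: BHO lines in the two log formats quoted in this thread.
SAMPLE_LOG = r"""
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
604262 helper - C:\WINDOWS\system32\604262\604262.dll (file missing) - {4F006697-FB04-4B67-86BB-0DCA9C0514B4}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
--------------------------------------------------
O2 - BHO: 604262 helper - {4F006697-FB04-4B67-86BB-0DCA9C0514B4} - C:\WINDOWS\system32\604262\604262.dll (file missing)
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATH = r"[A-Za-z]:\\.+?"
MISSING = r"(?P<missing>\s*\(file missing\))?"
# HijackThis scan line:    O2 - BHO: name - {CLSID} - path [(file missing)]
HJT_O2 = re.compile(
    rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>{PATH}){MISSING}$")
# StartupList report line: name - path [(file missing)] - {CLSID}
STARTUPLIST = re.compile(
    rf"^(?P<name>.*?) - (?P<path>{PATH}){MISSING} - (?P<clsid>{CLSID})$")


def parse_bho_entries(log_text):
    """Return one dict per BHO line found, in either log format."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_O2.match(line) or STARTUPLIST.match(line)
        if m:
            entries.append({
                "name": m["name"],
                "clsid": m["clsid"].upper(),  # CLSIDs are case-insensitive
                "path": m["path"],
                "file_missing": m["missing"] is not None,
            })
    return entries


def orphaned_bhos(entries):
    """Map CLSID -> name and leftover folder for BHOs whose DLL is gone."""
    return {
        e["clsid"]: {"name": e["name"], "folder": dirname(e["path"])}
        for e in entries if e["file_missing"]
    }


if __name__ == "__main__":
    for clsid, info in orphaned_bhos(parse_bho_entries(SAMPLE_LOG)).items():
        print(f"{clsid}  {info['name']}  -> check folder {info['folder']}")
```

The same entry appearing in both logs collapses to one CLSID, and the reported folder is the one kahdah then asks to have moved with OTMoveIt2.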

#7
sagarmr

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi kahdah,
After fixing O2 - BHO: 604262 helper - {4F006697-FB04-4B67-86BB-0DCA9C0514B4} - C:\WINDOWS\system32\604262\604262.dll (file missing) with HijackThis, I downloaded and ran OTMoveIt2.
Here is the report by OTMoveIt:
File/Folder C:\WINDOWS\system32\604262 not found.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08172008_112845
After that, I used ATF Cleaner and then scanned my system with Kaspersky Online Scanner. It found nothing to show up as a report.
What's next? Am I safe now? Anyway, thank you very much for your support.
  • 0

#8
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yep all clean :)
=============
Please download OT CleanIt from Here and save it to your desktop.
Double click on OT CleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Use a Firewall:

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Sunbelt Free Firewall or ZoneAlarm.
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


=============================
Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingc...143.html#manual
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them; they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article - To find out more information about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.
  • 0





