Post by: mkishline on September 19, 2005, 11:11:59 AM
Logfile of HijackThis v1.99.1
Scan saved at 10:43:46 AM, on 9/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NuCam\CamCheck\CamCheck.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Norton AntiVirus\navw32.exe
C:\DOCUME~1\JACQUE~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.carthage.edu/ (http://\"http://www.carthage.edu/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106075183765 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106075183765\")
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Post by: guestolo on September 19, 2005, 10:27:41 PM
Quote
elitebar at least
Can you let me know why you posted with that title
I don't see signs of elitebar
May I suggest the following for now
==Download and then Install
Ewido Security Suite (http://\"http://download.ewido.net/ewido-setup.exe\")
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")
I like to run Ewido in safe mode
Please Restart into SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation
==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running do NOT open any other Windows
Let it do it's job
Restart back to Normal mode
Post the report from Ewidos
Are you controlling any entries on startup with msconfig?
Could you also redownload hijackthis from my signature below and save it too a permanent folder on your hard drive
Run hijackthis from the new location and post a fresh log
Post by: mkishline on September 27, 2005, 06:01:55 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:43:46 AM, on 9/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NuCam\CamCheck\CamCheck.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Norton AntiVirus\navw32.exe
C:\DOCUME~1\JACQUE~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.carthage.edu/ (http://\"http://www.carthage.edu/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106075183765 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106075183765\")
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:42:50 PM, 9/20/2005
+ Report-Checksum: FC127D25
+ Scan result:
HKU\S-1-5-21-1454471165-1580818891-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\[email protected][2].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\[email protected][2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\jacqueline@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jacqueline\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\180SAInstallerAdPerform.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\180SAInstallerAdPerform.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\180sainstallersca.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\180sainstallersca.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\Del99.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\DelA6.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\DelA8.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\i79.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\res9A.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\resA9.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jacqueline\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\cnjgbfc.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\jsyvxl.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\pygvu.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\wimatae.exe -> Trojan.Pakes : Cleaned with backup
::Report End
Post by: guestolo on September 28, 2005, 09:21:52 PM
I just want to check one thing
From below
Download FindQoologic.zip and UNZIP it to your C:/ directory
Double click on Find-Qoologic.bat
Wait till a text file opens and post the contents back here
Post by: mkishline on September 29, 2005, 11:12:25 AM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD
FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL
WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM
ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup
files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup
»»»»»»»»»»»»»»»»»»»»»»
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
Post by: guestolo on September 29, 2005, 10:42:03 PM
You should disable system restore and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
IE-Spyad is compatible with SP2 as well
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"