2Stupid

Nasty on daughter's PC, help appreciated

7 posts in this topic

Keep getting pop ups from some messenger service, please advise on what we should remove.

 

Thanks

 

Logfile of HijackThis v1.98.0

Scan saved at 09:39:07, on 26/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\System32\qttask.exe

C:\Program Files\Picasa\PicasaMediaDetector.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\a2\a2guard.exe

C:\WINDOWS\System32\wssvrs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe

C:\Documents and Settings\rachel rudkin\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [burnQuick Queue] C:\WINDOWS\BQTray.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [Microsoft Update] wssvrs.exe

O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunServices: [Microsoft Update] wssvrs.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"

O4 - HKCU\..\Run: [Microsoft Update] wssvrs.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/ins...yFamilyTree.cab

O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitch.autoregister.net/obje...EUpdateOSR2.ocx

O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/cabs/875455

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.frightmistress.com/AxisCamControl.ocx

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup150.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{853752C6-22BF-4899-9927-7EDB741F25CD}: NameServer = 194.168.4.100 194.168.8.100


You have a more serious problem than the popups - the WORM_RBOT.AS. But, we should be able to eliminate it with HijackThis.

 

However, first, you should move HijackThis. HJT needs to be installed in its own folder (for example - C:\HJT\ or C:\Program Files\HijackThis\). It makes backups of deleted entries, and this doesn't work properly from a Temp folder or the Desktop.

 

Once that's done, run a new HJT scan, and mark these items for removal:

 

O4 - HKLM\..\Run: [Microsoft Update] wssvrs.exe

 

O4 - HKCU\..\Run: [Microsoft Update] wssvrs.exe

 

O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/cabs/875455

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Boot into Safe Mode (How to boot into Safe Mode).

 

Open Windows Explorer and reconfigure it to Enable Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the Files and Folders section.

Select: Display the contents of system folders.

Scroll down to the Hidden Files and Folders section.

Select: Show hidden files and folders, Ok the prompt

Uncheck: Hide file extensions for known file types

Uncheck: Hide protected operating system files

Ok the Prompt, click Apply

 

Click the Apply to all Folders button.

 

Navigate to the C:\WINDOWS\System32 folder and delete this file:

 

C:\WINDOWS\System32\wssvrs.exe

 

Reboot your computer normally.

 

For a final check on the removal of the WORM_RBOT.AS go online, and go to Trend Micro's online virus scanner.

Be sure to temporarily disable your AVG program during the online scan so the programs don't conflict.

 

If you don't have Ad-aware, I recommend you get it. Check this link for instructions on how to download, install and use Ad-aware most effectively:

 

How to use Ad-aware to remove Spyware

 

After running an Ad-aware full scan as per the above article, post a new HJT log for another look and say if the popups persist.

Edited by Fireflyer


Hi Fireflyer

 

Done everything you said apart from Trend, for some reason I'm not able to use it.

 

Here is the new log file.

It still seems to be there but I haven't had a pop up for 15 mins

 

Thanks for your help

 

Logfile of HijackThis v1.98.0

Scan saved at 11:34:13, on 29/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\System32\qttask.exe

C:\Program Files\Picasa\PicasaMediaDetector.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\a2\a2guard.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijack this\HijackThis.exe

C:\WINDOWS\system32\ntvdm.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [burnQuick Queue] C:\WINDOWS\BQTray.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"

O4 - HKCU\..\Run: [Microsoft Update] wssvrs.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/ins...yFamilyTree.cab

O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitch.autoregister.net/obje...EUpdateOSR2.ocx

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.frightmistress.com/AxisCamControl.ocx

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup150.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{853752C6-22BF-4899-9927-7EDB741F25CD}: NameServer = 194.168.4.100 194.168.8.100


Although it's not showing up in the running processes, there's still a startup entry for the worm. Go ahead and fix this in HJT:

 

O4 - HKCU\..\Run: [Microsoft Update] wssvrs.exe

 

Be sure all browser and Windows Explorer windows are closed when you click Fix Checked in HijackThis.

 

Download Steve Gibson's Shoot The Messenger from: http://www.grc.com/files/ShootTheMessenger.exe

 

You can download it to anyplace on your computer and it will run properly - run it to disable the Windows Messenger Service that's being exploited to send the popups.

 

This will not affect the operation of MSN Messenger.

 

Post one more HJT log for, hopefully, a last look.


Hopefully all clean now!

Thanks so much for your help, it gets me mucho brownie points from my daughter :D

 

Cheers Fireflyer

 

Logfile of HijackThis v1.98.0

Scan saved at 09:40:02, on 30/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\System32\qttask.exe

C:\Program Files\Picasa\PicasaMediaDetector.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\a2\a2guard.exe

C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Program Files\Hijack this\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [burnQuick Queue] C:\WINDOWS\BQTray.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/ins...yFamilyTree.cab

O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitch.autoregister.net/obje...EUpdateOSR2.ocx

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.frightmistress.com/AxisCamControl.ocx

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup150.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{853752C6-22BF-4899-9927-7EDB741F25CD}: NameServer = 194.168.4.100 194.168.8.100


Yep, you're clean now. Good job!

 

One last thing to do is to reset System Restore - otherwise, the malware might be restored if the system is set back to a point prior to the cleaning.

  A. Click Start > Control Panel > System
  B. Under the System Restore tab, place a check mark in the box next to "Turn off System Restore on all drives" and click Apply
  C. Reboot the computer
  D. Repeat step A and uncheck the box selected in step B, click Apply, a clean restore point will be created automatically (no need to reboot again)

Here are a few resource hogs you might want to remove. They aren't malware, just things that don't necessarily need to run at startup. They consume system resources even when they're not being used, and can be started manually when actually needed.

 

Real Player's system bootup would also need to be disabled within the program, as well as fixing its entry in HJT:

 

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

 

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

 

If you choose to remove any of these, check them off in HJT, make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Be sure to keep updated with all the Windows Critical Updates.

 

To reduce the potential for spyware infection in the future, consider installing:

 

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

 

More info and download is available at:

SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

 

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

 

More info and download is available at:

IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

I'm glad I could help you get your daughter's system cleaned up - not to mention earning those brownie points!
