
Solved Badly infected computer, reformat best option??

Discussion in 'Malware and Virus Removal Archive' started by Vicki, 2008/01/17.

  1. 2008/02/16
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    403
    Likes Received:
    7
    Deckard's Scan

    Good morning Dave!

    I did run the scan as you requested, but only saw a "main.txt" file this time (no "extra.txt"?). Here's that log:

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-02-16 09:32:05
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 495 MiB (512 MiB recommended).


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:32:19 AM, on 2/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\slmdmsr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141944401843
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

    --
    End of file - 5434 bytes

    -- Files created between 2008-01-16 and 2008-02-16 -----------------------------

    2008-02-16 08:30:47 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
    2008-02-16 08:30:37 8576 --a------ C:\WINDOWS\system32\drivers\foylnxmjnvqi.sys <Not Verified; Panda Software International; RKPavProc Driver>
    2008-02-16 08:14:51 0 d-------- C:\WINDOWS\system32\ActiveScan
    2008-02-16 08:14:49 0 d-------- C:\WINDOWS\LastGood
    2008-01-31 00:07:03 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-01-31 00:04:40 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-01-30 13:14:24 0 d-------- C:\i386
    2008-01-29 09:39:42 0 d-------- C:\WINDOWS\system32\CatRoot2
    2008-01-28 07:14:12 0 d-------- C:\Documents and Settings\Owner\DoctorWeb
    2008-01-25 07:32:06 0 d-------- C:\Program Files\Trend Micro
    2008-01-17 11:05:50 0 d-------- C:\Program Files\Windows Live Safety Center
    2008-01-17 09:40:54 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-01-17 09:30:24 428032 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
    2008-01-17 09:30:24 0 d-------- C:\Program Files\Webroot


    -- Find3M Report ---------------------------------------------------------------

    2008-02-15 19:02:53 56264 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
    2008-02-07 17:13:05 0 d-------- C:\Program Files\Logitech
    2008-02-07 08:03:55 0 d-------- C:\Program Files\SpywareBlaster
    2008-02-01 09:46:30 0 d-------- C:\Program Files\Kodak
    2008-01-30 13:14:07 5632 --ahs---- C:\Program Files\Thumbs.db
    2008-01-27 19:14:40 0 d-------- C:\Program Files\Google
    2008-01-22 19:24:35 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-20 10:47:37 0 d-------- C:\Program Files\Common Files
    2008-01-17 17:43:41 0 d-------- C:\Program Files\Java
    2008-01-13 10:53:27 0 d-------- C:\Program Files\QuickTime
    2008-01-12 12:08:27 0 d-------- C:\Program Files\Enigma Software Group
    2008-01-03 02:08:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
    2008-01-02 17:05:42 126976 --a------ C:\WINDOWS\system32\unzdll.dll <Not Verified; ; BCB/Delphi UnZip>
    2008-01-02 17:05:41 0 d-------- C:\Program Files\Gateway
    2008-01-02 16:37:05 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-12-23 22:04:22 618 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-12-23 20:44:05 0 d--h----- C:\Program Files\InstallShield Installation Information


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [12/24/2007 08:14 AM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/24/2007 01:57 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [01/12/2008 12:20 PM]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca291ff0-c325-11da-84c1-806d6172696f}]
    play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "

    *Newly Created Service* - FOYLNXMJNVQI
    *Newly Created Service* - RKPAVPROC
    *Newly Created Service* - SDTHOOK



    -- End of Deckard's System Scanner: finished at 2008-02-16 09:32:47 ------------

    Hoping things are looking better??

    ~Vicki~
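A small triage script, added here as an example (it is not part of the thread and not Deckard's System Scanner's own code), that parses the three kinds of lines a helper reads together in the log above: the HijackThis O23 service lines, the "Files created" entries with their <status; company; description> tags, and the "*Newly Created Service*" lines. It pairs each new service with the driver file created in the same window and flags services with an empty vendor field, which is the correlation that lets you recognize FOYLNXMJNVQI, RKPAVPROC and SDTHOOK as the Panda scan's drivers rather than a rootkit. The sample input is constructed from excerpts of that log.

```python
import os
import re

# Constructed sample: lines excerpted from the Deckard's System Scanner log posted above.
DSS_SAMPLE = r"""
-- HijackThis (run as Owner.exe) -----------------------------------------------
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
-- Files created between 2008-01-16 and 2008-02-16 -----------------------------
2008-02-16 08:30:47 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-16 08:30:37 8576 --a------ C:\WINDOWS\system32\drivers\foylnxmjnvqi.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-16 08:14:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 09:30:24 428032 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
-- Registry Dump ---------------------------------------------------------------
*Newly Created Service* - FOYLNXMJNVQI
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
"""

# HijackThis O23 line: "O23 - Service: <name> (<short>) - <vendor> - <path>"; vendor may be empty.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.*)$"
)
# DSS "Files created" line: timestamp, size, 9-char attribute field, path, optional <signer> tag.
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+?)(?: <(?P<sig>[^>]*)>)?$"
)
NEWSVC_RE = re.compile(r"^\*Newly Created Service\* - (?P<svc>\S+)$")


def parse_signature(sig):
    """Split DSS's '<status; company; description>' tag; absent parts become ''."""
    parts = [p.strip() for p in sig.split(";")] if sig else []
    parts += [""] * (3 - len(parts))
    return dict(zip(("status", "company", "description"), parts[:3]))


def match_service_to_file(svc, files):
    """Pair a newly created service with a created file, by file stem
    (FOYLNXMJNVQI -> foylnxmjnvqi.sys) or by the signer description
    (RKPAVPROC -> 'RKPavProc Driver')."""
    key = svc.lower()
    for f in files:
        stem = os.path.splitext(f["path"].replace("\\", "/").rsplit("/", 1)[-1])[0].lower()
        if stem == key or (f["description"] and key in f["description"].lower()):
            return f
    return None


def triage(log_text):
    """Collect services, created files and new services from a DSS log and correlate them."""
    services, files, new_services = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            services.append(m.groupdict())
            continue
        m = FILE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry.update(parse_signature(entry.pop("sig")))
            files.append(entry)
            continue
        m = NEWSVC_RE.match(line)
        if m:
            new_services.append(m["svc"])
    report = {
        # A service line with an empty vendor field deserves a second look (here: SLService).
        "vendorless_services": [s["short"] for s in services if not s["vendor"].strip()],
        "new_services": {},
    }
    for svc in new_services:
        f = match_service_to_file(svc, files)
        report["new_services"][svc] = None if f is None else {
            "path": f["path"], "status": f["status"], "company": f["company"]}
    return report


if __name__ == "__main__":
    result = triage(DSS_SAMPLE)
    print("Services without a vendor:", result["vendorless_services"])
    for svc, info in result["new_services"].items():
        print(f"{svc}: {'no matching created file' if info is None else info}")
```

Every new service here resolves to a "Not Verified" Panda file created the same morning, which matches the helper's reading of the log; a new service with no matching file, or one whose file carries no company at all, is what would warrant further investigation.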
     
  2. 2008/02/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! I see you did a Panda scan this morning too. Turn up anything?
     


  4. 2008/02/16
    Vicki Well-Known Member Thread Starter
    Panda scan

    While toying with this computer (to check for performance with the newly installed IE7), I decided to try and run that Panda scan from the icon you had me create some time ago.

    I was able to get the scan finished (& was pretty shocked at what it "reported"! :eek:). I originally tried to post it here but it's too big!

    I do have the results saved (on the desktop) and when looking/viewing it, it shows a lot of "spyware cookies" that are located in "C:\recycler\nprotect\copy of" (and then different numbers, etc. listed). I think the report showed over 4000 spyware detected?? And also 2 "rootkits"?? But these all say "not disinfected"!

    Now that has got me spooked! :eek:

    Save me Dave! :)
     
  5. 2008/02/16
    noahdfear Inactive
    C:\recycler\nprotect ....... that's in the recycle bin. Attach that log to an email to me and I'll have a look at it. :)
     
  6. 2008/02/16
    Vicki Well-Known Member Thread Starter
    Panda scan sent

    I sent you the Panda scan text, Dave. Hopefully you received it?

    I did have to copy it from the "previously infected" ;) computer though and sent it through mine. When I tried sending it through the other one I kept getting a message to "connect to loginnet.passport.com" and to enter a username and password.

    I tried using my hotmail username & password and it opened up the e-mail, but I wasn't able to put the attachment to it?

    But at least so far that computer has been running better! :D
     
  7. 2008/02/16
    noahdfear Inactive
    Click Start>Run and type cmd then hit enter to open a command window. Highlight and copy the bolded text below, then right click and paste it in the command window.

    del /q \\?\c:\recycler\nprotect\*.*
    rmdir /s \\?\C:\RECYCLER\NPROTECT
    exit
    cls


    The command window should close on its own.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    • Now click the Firefox link on the menu and clear out the cookies and temporary internet files.
    • Exit when done
    Reboot

    Now, please run another Panda scan and post the new log.

    What happened when trying to attach the log to the email? Error? Unable to browse for the log?
     
  8. 2008/02/16
    Vicki Well-Known Member Thread Starter
    Command question

    Writing this from my computer, but currently have the cmd open/running on the "infected" computer. After running that command, the question came up after the C:\documents and settings\....... "Are you sure? Y/N" Don't know how to answer that as I don't know for certain what it means?:confused: Is this asking if I really want to delete this? (You had mentioned the program would open/close on its own.)

    I noticed too, that there already is an "ATF Cleaner" icon on the desktop of the infected computer, is that one okay to use or should I download another?

    In reply to the question about the e-mail attachment, I'm guessing it wouldn't let me browse for the log? When I chose the attachment option, nothing happened, no dropdown choices, no error message or anything.

    Will wait for your response before proceeding any further. See, that's why I said I'm not all that computer savvy!;)
     
  9. 2008/02/16
    noahdfear Inactive
    Answer Yes you're sure.
    Yes, the ATF Cleaner already present is the same one. I just didn't remember it was already obtained. ;)
     
  10. 2008/02/16
    Vicki Well-Known Member Thread Starter
    New Panda scan results

    Here are the results of the new Panda scan:

    Incident Status Location

    Adware:Adware/Adband Not disinfected C:\Deckard\System Scanner\20080118142025\backup\DOCUME~1\Owner\LOCALS~1\Temp\D48.tmp
    Adware:Adware/InternetSpeedMonitor Not disinfected C:\Deckard\System Scanner\20080118142025\backup\DOCUME~1\Owner\LOCALS~1\Temp\TMP63.tmp
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\92tv5fht.default\cookies.txt[.adultfriendfinder.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\92tv5fht.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\92tv5fht.default\cookies.txt[.overture.com/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\92tv5fht.default\cookies.txt[.perf.overture.com/]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.com]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe


    Hope you're able to make heads or tails of this as it appears to be almost run together! At least the file isn't so big this time, but it's still showing "infections"?

    Next step?
     
  11. 2008/02/17
    noahdfear Inactive
    Looks great Vicki! Looks like the guest account was enabled at some point, and those infected files are mostly Firefox cookies on that account. Let's go get 'em!

    Move ATF Cleaner to the drive root, e.g. Local Disk C:

    Now open User Accounts in the Control Panel, then select the guest account; you can enable it. Once enabled, log off of the current account and the guest account will be shown on the Welcome screen. Log on and run ATF Cleaner, selecting ALL and removing for both IE and Firefox. Then log off and back onto the normal user account again.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well. The C:\Deckard's folder will be removed also.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Still haven't had a chance to review and determine what all we can remove now RE: tools. Anything in particular you see and question?

    How's the computer behaving now?
     
  12. 2008/02/17
    Vicki Well-Known Member Thread Starter
    Got 'em!

    Things are looking better now (I hope!) :D

    I did get the ATF Cleaner moved to the drive root. I wasn't sure how to do that (inexperience again), but opened up "My Computer", selected "local drive C:", and "dragged/dropped" ATF there. Hope that was a "correct" procedure to use?? :confused:

    Then proceeded with the "guest account" and all you had instructed me to do. Ran the ATF Cleaner and the only thing I questioned was when it asked me "are you sure you want to delete Firefox passwords"....I chose yes.

    Everything was cleaned (both IE & Firefox) according to ATF.

    I then went back and "inactivated" the guest account.

    Ran the combo fix uninstall as you instructed, but I do have a question here:

    How can I go about "testing" any of these to see if there are any conflicts?

    Here is a list of the items/tools that were added to the desktop in our attempt to fix the infected computer:

    • DrWeb.csv
    • DSS.exe
    • i.e.-rereg.zip
    • i.e.-rereg
    • HostsXpert
    • extra.txt
    • Hijackthis
    • HJTInstall.exe
    • Panda Scan
    • HostsExpert.zip
    • main.txt
    • hijackthis.log
    • ProcessExplorer (zipped folder)
    • Process Explorer
    • Iexplore.ext (text)
    • Dial-a-fix v0.60.0.24 (zipped folder)
    • Dial-a-fix
    • fix.reg (Rubik's cube)
    • IEexport.txt
    • Activescan.txt
    • cureit.exe

    And this one (that I don't believe we put on our desktop, but what is it & where should it go?): WindowsXP-KB835935-SP2-ENU.exe


    If some of these should be saved, can I move them to a new folder on the desktop? (Maybe create a folder and call it "Seldom used" or something?). And if any can be deleted, I should use the "add/remove" option if they are shown in there, correct?

    Just out of curiosity, I did rerun that Panda scan....and NO report to show! It came up clean! :D

    So far that computer seems to be working okay! But I haven't done a whole lot with it. I also have a question about the "add-ons" that we disabled. Should they be re-enabled now? I only question it because of the icon with the red line through it (when hovering it says "Manage Add-ons").

    This is beginning to look a lot more encouraging for me! (You too I hope!) ;)

    I also would like any recommendations if there is anything else that needs to be done to help prevent this from happening again! (i.e. programs that should be installed, etc.).

    Currently installed is Ad-Aware 2007, Spybot S&D, AVG 7.5 & Spyware Blaster and Windows firewall (but you maybe knew all this already?);)

    Any other reports, scans, etc. that I should/need to do?

    Thanks Dave!
    ~Vicki~
     
  13. 2008/02/17
    noahdfear Inactive
    Well done Vicki! :)

    That is the Service Pack 2 setup file we extracted to get the i386 folder. You can delete it, along with everything else you listed.
    The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

    1. When a cd-rom or dvd is inserted, or a usb device (camera, flashdrive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

    2. If on prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

    Example: with autorun/autoplay enabled you insert a music cd. Windows will detect the cd and its contents, then open a message window that might offer to play the cd with Media Player, Music Match Jukebox, or any of many applications you may or may not have installed.
    Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.

    Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.

    Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

    Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive.

    Insert a game cd or software cd, and Windows might automatically begin the installation setup.

    Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb flash or external hard drive). Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player, blank cds via your burning program, image handling software provided with the camera, etc.


    Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Unless you have other problems to report, I'd say we're done. Congratulations! :)
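As an added example (not ComboFix's code; the thread does not say which setting ComboFix changes, so treating it as this policy value is an assumption), the following decodes the standard Windows NoDriveTypeAutoRun policy bitmask so you can verify which drive types still autorun after a cleanup. The bit layout, the XP default of 0x91 and the registry path are Windows' documented policy values; the registry read is guarded so the decoder itself runs on any platform.

```python
import sys

# Bit layout of the NoDriveTypeAutoRun policy value (one bit per drive type);
# a set bit means autorun/autoplay is DISABLED for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (floppy, USB flash)",
    0x08: "fixed (internal/external hard disk)",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
XP_DEFAULT = 0x91      # value Windows XP uses when the policy is not set
DISABLE_ALL = 0xFF     # the setting Microsoft's autorun guidance recommends
POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def decode_autorun_mask(value):
    """Return {drive type: True if autorun is disabled for it}."""
    return {name: bool(value & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def autorun_exposed(value):
    """Drive types that still autorun: the ones malware on media or USB sticks relies on."""
    return [name for name, disabled in decode_autorun_mask(value).items() if not disabled]


def is_autorun_disabled(value):
    """True when the removable, fixed and CD-ROM/DVD bits are all set (0x04 | 0x08 | 0x20)."""
    return value & 0x2C == 0x2C


def read_policy_value(hive_name="HKLM"):
    """Read the policy from the registry on Windows; None when unset or not on Windows."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # standard library, Windows only
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


def effective_value():
    """Machine policy takes precedence over user policy; fall back to the XP default."""
    for hive in ("HKLM", "HKCU"):
        v = read_policy_value(hive)
        if v is not None:
            return v
    return XP_DEFAULT


if __name__ == "__main__":
    current = effective_value()
    print(f"NoDriveTypeAutoRun = 0x{current:02X}")
    for name, disabled in decode_autorun_mask(current).items():
        print(f"  {name:38s} {'disabled' if disabled else 'AUTORUN ON'}")
    if not is_autorun_disabled(current):
        print("Autorun still active for:", ", ".join(autorun_exposed(current)))
        print(f"Hardened value: 0x{DISABLE_ALL:02X} (DWORD under {POLICY_SUBKEY})")
```

With the XP default of 0x91, removable, fixed and CD-ROM drives all still autorun, which is exactly the avenue the post above describes; 0xFF closes all of them while leaving the media reachable through My Computer as noahdfear explains.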
     
  14. 2008/02/19
    Vicki Well-Known Member Thread Starter
    Thank You So Very Much!!!

    This was definitely news I wanted to hear:

    Also wish to thank you for your in-depth explanation on the "autorun/autoplay" functions that I was questioning. I haven't experimented with any of those devices yet, but at least I now have an idea what I can possibly expect! ;)

    I did either add/remove, or delete those tools we had installed. So the desktop is looking more like it was when we started!

    I can't begin to express how much I've appreciated all your help & guidance! Never would have made it through any of this without your expertise (& patience!)

    If I should come across any further issues/questions, I'll be back! Would it be preferred that I start with a new thread or continue with this one? (If a new one is recommended, I say let's close this one!:D)

    Thanks again Dave, and best wishes for continued success with all those who request your assistance!

    ~Vicki~
     
  15. 2008/02/20
    noahdfear Inactive
    Vicki, it was a pleasure helping you. You're most welcome!
    I'd say start a new topic if other issues arise. I'll mark this one resolved.
     
