Sick, sick Computer

[LAS1250]

Liz,
Ali is in class now, but we'll work on this this afternoon.
Should she disable sys restore before running pc-cillin and HT?
Last night, I had her run pc-cillin updates with sys restore on, then she disabled it to scan. I haven't spoken to her after the last scan, but I doubt she did anything yet about the trojan. We've tried following pc-cillin's directions to manually remove this before without success.
I wonder why NoAdware didn't pick up the trojan this time. I think it did before.
This would be a lot easier if her computer was home and I could work on it. We really appreciate your patience in this 3 way conversation!

 

[southernlady]

NoAdware isn't a good product to use: http://www.spywarewarrior.com/rogue_anti-spyware.htm#products altho it HAS come off the list of rouge products.

If you want a list of good ones, check here:
http://lists.gpick.com/pages/Spyware_Tools.htm or here:
http://www.majorgeeks.com/downloads31.html

Either one will give you a good listing and then check against the page I gave you: http://www.spywarewarrior.com/rogue_anti-spyware.htm#products

She needs to keep system restore disabled until her computer is clean. She could be reinfecting herself. Liz

 

[Ali7]

Hey Liz, when I was at class, my computer ran a PC-cillin scan and it said I didn't have any viruses this time. Does this mean my computer's clean now? I deleted those that you told me to delete after running the Hijack This and here is my current log. Thanks for your help!

Logfile of HijackThis v1.98.2
Scan saved at 12:21:05 PM, on 12/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Companion\companion.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\antispyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Help - {839083C1-5C6D-49CE-BAA4-3E97B107A90B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {93649635-3E25-47B1-91F7-14513D68C6CC} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {D7E5EFD7-DB8C-4940-BC84-4A8DCD26643C} - http://www.comcastsupport.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

 

[southernlady]

Ali7, sorry it took so long to get back to you but I had a Christmas party yesterday along with some errands. Anyway, your log is clean.

Now, do this:

This article will be posted soon but here is what we recommend:

How did I get infected in the first place

This advice is reposted from the advice given by Tony Klein, the acknowledged spyware & malware expert who supports many forums on the net.

I have added a few minor updates to it

You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

1) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.

2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft. Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3) Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.

So why is activex so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

And some more advice:

4) Install Javacool's SpywareBlaster http://www.majorgeeks.com/download2859.html It will protect you from all spy/foistware in it's database by blocking installation of their ActiveX objects.
Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer)
Press "select all", then "kill all checked", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.
Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

Let's also not forget that SpyBot Search and Destroy http://www.majorgeeks.com/download2471.html has the Immunize feature which works roughly the same way.
It can't hurt to use both.

5) Another brilliant program by Javacool we recommend is SpywareGuard. http://www.majorgeeks.com/download3045.html
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard. It now also features Download Protection and Browser Hijacking Protection!

6) IE-SPYAD https://netfiles.uiuc.edu/ehowes/www/resource.htm puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

7) The IE hosts http://mvps.org/winhelp2002/hosts.htm file blocks ads, banners, cookies, web bugs, and even most hijackers. This is accomplished by blocking the Server that supplies these little gems.
Example - the following entry 127.0.0.1 ad.doubleclick.net blocks all files supplied by the DoubleClick Server to the web page you are viewing. This also prevents the server from tracking your movements.It Now includes most major parasites, hijackers and unwanted Search Engines!
In many cases this can speed the loading of web pages by not having to wait for these ads, banners, hit counters, etc. to load.
This also helps to protect your Privacy by blocking servers that track your viewing habits, known as "click-thru tracking".

However as time has progressed the focus of this project has changed from blocking ads/banners to protecting the user from the many parasites that now exist on the Internet. It doesn't serve much purpose if you block the ad banner from displaying, but get hijacked by a parasite from an evil script or download contained on the web site. The object is to surf faster while preserving your Safety, Security and Privacy.

Incidentally, another site with an enormous amount of information on computer security, and which is well worth a visit is http://www.wilders.org/

Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests. http://www.jasons-toolbox.com/BrowserSecurity/
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.

If you are using XP or windows 2000 or 2003 then this application will also help a lot to prevent hijacking
http://www.prevx.com/default.asp

And make sure your Antivirus and firewall is switched on and kept updated.

I hope NOT to see you in THIS forum again Liz

 

[Kaniver]

Liz I just wanted to jump in and tip my hat to you for being such a helpfull person. It's your kind that make this forum such a great place to be.
One quick question. Do you recommend that windows restore be disabeled as a usual practice? I normally do because of the space is saves and the problems it seems to have a potential to cause.
Also I recently installed diskkeeper and I have to say I really like this program. Like you I rarely recommend software but this one is a keeper. It sorta massages your HD......lol
Keep that helpfull attitude...I like it!

 

[southernlady]

Kaniver, I try to but there are some windows systems where you can't. and thanks for such kind words. I try to help. Some I can't cause I don't have the knowledge yet but I'm working on it. Liz

 

[LAS1250]

Liz,
Thank you for all your help. Ali is cramming for finals. I'm sure she'll be along to thank you herself once she's got some time.
I'm going to follow your suggestions for my computer, too!

 

[southernlady]

Here is one for everyday that will also be posted soon.

Normal maintenance

Run regular maintenance on your PC...just as you would keep your house clean, your PC runs better when it's organized as well.

1) Use Disk Clean up and get rid of unneeded files. Compress old ones

2) Go thru your Add/Remove program and get rid of anything you haven't used lately, esp if you have the disk for it and can reinstall it or download it at a later date should you decide you want it again. Just letting it sit on your hard drive taking up space is ridiculous if you aren't using it.

3) Run the Disk Defrag on a periodic basis. If you have Norton Systemworks, set it up so that you can see how degragged your computer is and let it tell you when to defrag.

4) Remember to do a drive check every so often. You do this going to MY COMPUTER then SELECT YOUR DRIVE(C) right click it and go down to PROPERTIES on the pop up box select the second tab along TOOLS and click the top box CHECK ERRORS NOW.

And then ALWAYS. ALWAYS download and install any Critical Updates that Windows lets you know about. If you don't have your configuration set so that it will tell you and you aren't in the habit of checking periodically (like every other day) then set it so that
Windows WILL let you know there is a Critical Update. This step is an absolute necessity. SP2 is the exception to the rule, I still haven't done that one.

Then go and download these FREE programs:

1) Ad-aware http://www.majorgeeks.com/download506.html (removes all adverts and ad self launch programs,feed up with pop ups get it)

2) Spy-bot http://www.majorgeeks.com/download2471.html (same as ad-aware but always better two have two in this case because they'll double check everything)

3) AVG free http://www.majorgeeks.com/download886.html (ok for basic scan but know not to detect major viruses) or Avast Home Edition: http://www.majorgeeks.com/download1968.html

4) Zone Alarms http://www.majorgeeks.com/download388.html (has a free and a paid version)

5) Sygate http://www.majorgeeks.com/download3356.html (Has a free and a paid version or see the other firewall option

6) A Popup Blocker if your ISP doesnÂ’t come with one:
http://lists.gpick.com/pages/Ad~PopUp_Tools.htm


This one has been recommended by a number of people here on this web site: Google Toolbar http://www.google.com (Can only be used with IE tho)

And this one, I have personal experience with and is excellent. It can be used with ANY browser:

POW http://www.analogx.com.

Then you should download:

1) An Antivirus program:

Avast Home Edition: http://www.majorgeeks.com/download1968.html

AVG free http://www.majorgeeks.com/download886.html

Norton 2004 or 2005 http://www.norton.com (a good professional antivirus,always as up to date virus definitions)

Panda Titanium http://www.pandasoftware.com (another good one but slightly slows down computer applications etc)

AVG 7 pro http://www.grisoft.com/us/us_index.php (again its ok but i found that it takes slightly longer for virus definitions to come out)

2) There are two other Firewall options:

Norton firewall http://www.norton.com (good again stops a lot of unwanted internet activity but does become annoying if your have Bearshare, Kazaa etc installed)

Kerio http://www.kerio.com/kpf_home.html

3) For making copies of your hard drive (good if you need to transfer your hard drive contents or if your hard drive keeps crashing.:

Norton Ghost: http://www.norton.com

Drive image http://www.r-tt.com (a software program that makes a up to date recovery point separate from system restore,good if you know your computer keeps crashing)

4) For fixing Registry and disk problems:

PC Bug Doctor http://www.pcbugdoctor.com (corrects many problem but not deep registry ones)

PC Doctor Oncall http://www.pcdocrx.net/cgi-bin/view...2004/index.html (does full system check fixes almost any problems)

Ashampoo WinOptimizer Platinum Suite 2
http://www.ashampoo.com/ (Drive Cleaner, Registry Cleaner, Internet Cleaner, DLL Cleaner,

Internet Tuner, StartUp Tuner, File Wiper, and File Associator. Free up valuable space on your hard drive. Speed up general system performance.)

Norton Systemworks 2003 or 2004: http://www.norton.com

For a good listing of all this, go to: http://www.wilders.org/

I hope this list helps.

You also might want to consider an alternate browser like Firefox. If you do, let me know and I will be glad to help with the plugins and extensions. Liz

 

[LAS1250]

Again, Liz, thanks. You'll keep me so busy with maintenance, I won't have time for my games...lol.
I know you don't like NoAdware, so I guess I'll ditch that one. I downloaded AdAware SE. Do you suggest the default settings?
I also use Ace Utilities... any concerns with that program?

 

[southernlady]

The settings we use here on AdAware SE that were very detailed are my NORMAL settings, LOL.

As for Ace Utilities, I see nothing to concern me...in fact I saw a good rating at Spywareinfo.com the home of the HiJack log people. Liz