Need help removing cmdService



MichaelHolmes
2005-12-27, 02:06
Hello,

SpyBot S&D detects cmdService, but says it can't remove it, perhaps because it's in use. It asks whether it can run again on my next restart, and I say OK and restart. On restart, it goes through the search again, locates the file but still can't remove it.

Here is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:56:45 PM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\aupdate.exe
C:\WINDOWS\qacvwgb.exe
C:\WINDOWS\z00098.exe
C:\windows\system32\rldsregl.exe
C:\WINDOWS\poklozeA.exe
C:\WINDOWS\SYS99.exe
C:\WINDOWS\win3208424-2071813.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Marguerite\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - URLSearchHook: (no name) - {DD11E271-7BC9-203F-EDDA-2177B46433C8} - C:\WINDOWS\System32\tkkanmkz.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O2 - BHO: (no name) - {DD11E271-7BC9-203F-EDDA-2177B46433C8} - C:\WINDOWS\System32\tkkanmkz.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\System32\aupdate.exe
O4 - HKLM\..\Run: [qacvwgb] C:\WINDOWS\qacvwgb.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\kwinmsaw.exe CORN001
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00098.exe
O4 - HKLM\..\Run: [{2A-A2-2D-D0-ZN}] C:\windows\system32\rldsregl.exe CORN001
O4 - HKLM\..\Run: [poklozeA] C:\WINDOWS\poklozeA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKLM\..\Run: [win3208424-2071813] C:\WINDOWS\win3208424-2071813.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Zwh] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinmsaw.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135030712048
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135030670568
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: bnelggdh.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks!

Mike Holmes

shelf life
2005-12-27, 23:04
hi,

cmdservice seems to be a false positive in spybot. you have quite a few other nasties to get rid of.

first thing is to go get ewido security, install, update, but don't scan with it yet.
while you're out there also check for updates for spybot and your AV. then we will use hjt and boot into safe mode

ewido:
1. Download Ewido and install
Ewido Security Suite. It is a free trial version of the program:

http://www.ewido.net/en/download/

2. Install ewido security suite
3. Launch ewido, there should be an icon on your desktop double-click it.
4. The program will now go to the main screen

You will need to update ewido to the latest definition files.

1. On the left hand side of the main screen click update
2. Then click on Start Update

The update will start and a progress bar will show the updates being installed.
---------------------------------------
next run hjt:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R3 - URLSearchHook: (no name) - {DD11E271-7BC9-203F-EDDA-2177B46433C8} - C:\WINDOWS\System32\tkkanmkz.dll

O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll

O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll

O2 - BHO: (no name) - {DD11E271-7BC9-203F-EDDA-2177B46433C8} - C:\WINDOWS\System32\tkkanmkz.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\System32\aupdate.exe

O4 - HKLM\..\Run: [qacvwgb] C:\WINDOWS\qacvwgb.exe

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\kwinmsaw.exe CORN001

O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00098.exe

O4 - HKLM\..\Run: [{2A-A2-2D-D0-ZN}] C:\windows\system32\rldsregl.exe CORN001

O4 - HKLM\..\Run: [poklozeA] C:\WINDOWS\poklozeA.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe

O4 - HKLM\..\Run: [win3208424-2071813] C:\WINDOWS\win3208424-2071813.exe

O4 - HKCU\..\Run: [Zwh] C:\WINDOWS\System32\r?gsvr32.exe

O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinmsaw.exe

O20 - AppInit_DLLs: bnelggdh.dll
-------------------------------------------
now restart computer into SAFE MODE. you reach safe mode by tapping the f8 key during reboot. choose the first option, SAFE MODE.

once in safe mode run ewido, spybot and your antivirus app

ewido:
launch ewido:
1. Click on scanner
2. Click on Complete System Scan and the scan will begin.
3. NOTE: During some scans with ewido it is finding cases of false positives.**
o You will need to step through the process of cleaning files one-by-one.
o If ewido detects a file you KNOW to be legitimate, select none as the action.
o DO NOT select "Perform action on all infections"
o If you are unsure of any entry found select none for now.
4. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
5. Click Save report.
6. Save the report .txt file to your desktop.

Now close ewido security suite.
------------------------------------
also in safe mode do this;

Click Start>Run then type %temp%
Hit OK. Delete all the files you can.

Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
---------------------------------------------
reboot normally, rescan and post a new hjt log as well as the saved ewido log......shelf life

MichaelHolmes
2005-12-28, 06:20
shelf life,

Thanks for your help! I did as you suggested -- it took a while, but hopefully it will be worth it.

I am attaching the HJT and ewido log files. Thanks again!

Mike Holmes

shelf life
2005-12-28, 15:30
attached logs for easier viewing

Logfile of HijackThis v1.99.1
Scan saved at 11:12:08 PM, on 12/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Documents and Settings\Marguerite\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\System32\replaceSearch.dll (file missing)
O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINDOWS\System32\ca2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\sfi2.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [omf] C:\WINDOWS\omf.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135030712048
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135030670568
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:50:24 PM, 12/27/2005
+ Report-Checksum: FBF93033

+ Scan result:

HKLM\SOFTWARE\Classes\drs.n -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2167575981-881969237-6368699-1007\Software\DR_S -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2167575981-881969237-6368699-1007\Software\DR_S\dp -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2167575981-881969237-6368699-1007\Software\DR_S\dp\sfitb -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2167575981-881969237-6368699-1007\Software\DR_S\dp\sfitb\145 -> Adware.Searchforit : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Marguerite\Application Data\Mozilla\Profiles\default\2wnl413u.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@adopt.specificclick[3].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@entrepreneur.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@partygaming.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@reduxads.valuead[2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marguerite\Cookies\marguerite@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Marguerite\Local Settings\Temp\99_app99.exe -> Dropper.Agent.xw : Cleaned with backup
C:\Documents and Settings\Marguerite\Local Settings\Temp\adwsetup_upd.exe -> Dropper.Agent.abb : Cleaned with backup
C:\Documents and Settings\Marguerite\Local Settings\Temp\btnetw3.exe -> Not-A-Virus.Hoax.Win32.SpyWare.b : Cleaned with backup
C:\Documents and Settings\Marguerite\Local Settings\Temp\i9.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Marguerite\Local Settings\Temporary Internet Files\Content.IE5\HPC2K3H3\omf[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Marguerite\Local Settings\Temporary Internet Files\Content.IE5\R2BZK346\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@e-2dj6wjkocnajoeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Michael\Local Settings\Temp\i46.tmp -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016905.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016909.dll -> Spyware.CASClient : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0017030.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0017067.exe -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017110.exe -> Downloader.VB.hw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017113.exe -> Adware.CASClient : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017117.exe -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017118.exe -> Dropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017119.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017426.exe -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017435.exe -> Dropper.VB.kk : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP30\A0017471.exe -> Downloader.VB.nw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017522.exe -> Downloader.Adload.k : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017528.exe -> Downloader.Adload.k : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017562.exe -> Downloader.Dyfuca.EI : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017647.exe -> Downloader.Dyfuca.EI : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0017729.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP51\A0018067.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP60\A0018417.exe -> Downloader.VB.nw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP60\A0018418.exe -> Adware.CASClient : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP60\A0018419.exe -> Dropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP62\A0018557.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP62\A0018558.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP62\A0018562.exe -> Downloader.VB.hj : Cleaned with backup
C:\WINDOWS\gcdxamf.exe -> Dropper.Agent.mu : Cleaned with backup
C:\WINDOWS\pf79.exe -> Downloader.Dyfuca.EI : Cleaned with backup
C:\WINDOWS\SYSTEM32\aupdate.exe -> Downloader.Adload.k : Cleaned with backup
C:\WINDOWS\SYSTEM32\b2search.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\fran-hot.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\sate.exe -> Downloader.IstBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\zdinst_CORN001.exe -> Spyware.ZenoSearch : Cleaned with backup

shelf life
2005-12-28, 15:50
hi MichaelHolmes,

good. looking better. few more to go. same thing. we will use hjt, boot into safe mode and run ewido, spybot and your antivirus again. check for updates to them first.

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar

O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\System32\replaceSearch.dll (file missing)

O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINDOWS\System32\ca2.dll

O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\sfi2.dll (file missing)

O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [omf] C:\WINDOWS\omf.exe

O18 - Filter: text/html - (no CLSID) - (no file)
--------------------------------------------
reboot into safe mode by tapping the f8 key during restart. choose the first, SAFE MODE option. run ewido etc. in safe mode.

also in safe mode go to start>settings>control panel>click the internet options icon> under the Programs tab click on reset web settings
--------------------------------------------
reboot computer normally, rescan and post a new hjt log.........
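
The two "fix checked" lists above (the autorun, BHO and AppInit_DLLs items in the first reply, and the searchforit R1/O2/O3 items in the second) come from reading the HijackThis log line by line. The script below is an added example, not part of this thread and not HijackThis's or Spybot's own logic: it parses HJT v1.99 log lines and applies a handful of the triage rules the helper was implicitly using (executables in the Windows root, extensions whose file is missing, rewritten IE search keys, non-.cab ActiveX downloads, AppInit_DLLs). The rule set and the sample log are the editor's construction, so treat the output as a list of items to review, not a verdict.

```python
import re
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Command in an O4 line: everything after the [name] up to the .exe, quotes stripped.
EXE_RE = re.compile(r'\]\s*"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# IE registry values the searchforit hijacker rewrote in the second log above.
SEARCH_KEYS = ("Search Bar", "Search Page", "Default_Search_URL",
               "SearchAssistant", "SearchURL")

# Constructed sample: a subset of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\qacvwgb.exe
C:\WINDOWS\System32\r?gsvr32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\sfi2.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [qacvwgb] C:\WINDOWS\qacvwgb.exe
O4 - HKCU\..\Run: [Zwh] C:\WINDOWS\System32\r?gsvr32.exe
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: bnelggdh.dll
"""


def _in_program_files(path: str) -> bool:
    p = path.lower()
    return "\\program files\\" in p or "\\progra~1\\" in p


def _check_exe(path: str) -> Optional[str]:
    """Rules for a running-process path or an O4 autorun command."""
    name = path.rsplit("\\", 1)[-1]
    if "?" in name:
        # The '?' stands for a character HijackThis could not print; r?gsvr32.exe
        # is a look-alike of the real regsvr32.exe, not the system binary.
        return "unprintable character in file name (look-alike of a system binary)"
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", path.lower()):
        # Installed software lives under Program Files or System32; the droppers
        # in this log sat directly in C:\WINDOWS.
        return "executable launched from the Windows root folder"
    return None


def _check_entry(code: str, body: str) -> Optional[str]:
    """Rules for one Rn/On line; return a reason to review it, or None."""
    if code in ("R0", "R1"):
        key = body.split(" = ", 1)[0]
        if any(k in key for k in SEARCH_KEYS):
            return "IE search setting overridden (a fresh XP points these at Microsoft)"
    elif code in ("O2", "O3"):
        target = body.rsplit(" - ", 1)[-1]
        if "(no file)" in target or "(file missing)" in target:
            return "browser extension registered but its file is gone"
        if "(no name)" in body and not _in_program_files(target):
            return "unnamed browser extension loaded from outside Program Files"
    elif code == "O4":
        m = EXE_RE.search(body)
        if m:
            return _check_exe(m.group("path"))
    elif code == "O16":
        url = body.rsplit(" - ", 1)[-1].split("?", 1)[0]
        if url.lower().endswith(".exe"):
            return "ActiveX download is a bare .exe rather than a .cab"
    elif code == "O18" and "(no file)" in body:
        return "MIME filter registered with no backing file"
    elif code == "O20":
        return "AppInit_DLLs set: the DLL is loaded into every process that uses user32.dll"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk a HijackThis log and return (line, reason) for entries worth reviewing."""
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:           # blank line ends the process list
                in_processes = False
                continue
            reason = _check_exe(line)
            if reason:
                findings.append((line, reason))
            continue
        m = ENTRY_RE.match(line)
        if m:
            reason = _check_entry(m.group("code"), m.group("body"))
            if reason:
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

On the sample above it flags the two odd processes, the searchforit Search Bar value, both suspect BHOs, the orphaned toolbar, both O4 entries, the .exe ActiveX download, the filter and the AppInit_DLLs line, and leaves svchost, the ATI autorun, the Spybot helper and the Start Page alone.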

MichaelHolmes
2005-12-29, 05:07
Hi shelf life,

I ran through the process that you described. Here is the new HJT log.

Thanks!

Mike

Logfile of HijackThis v1.99.1
Scan saved at 10:02:35 PM, on 12/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Marguerite\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135030712048
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135030670568
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
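The log above is the kind of thing shelf life reads through by hand. As an added example (not part of this thread and not HijackThis code), here is a Python script that does the mechanical first pass: it parses O4 (Run keys), O16 (Download Program Files / ActiveX) and O23 (services) lines and flags the ones that point outside the usual program directories, fetch from a host that is not on a trusted list, or pull an .exe straight from the web. The trusted-host and trusted-directory lists are assumptions picked for illustration; the sample lines mix entries quoted from the log above with two constructed hits (`sysupd` and `updsvc`).

```python
"""Mechanical first pass over HijackThis (v1.99.1) log lines.

Added example, not part of the thread and not HijackThis code. It flags the
three entry types that usually carry the interesting items in these logs:
  O4  - Run keys whose executable sits outside the usual program directories
  O16 - Download Program Files (ActiveX) entries fetched from a host that is
        not on the trusted list, or that point straight at an .exe
  O23 - services with "Unknown owner" running from an unusual directory
The allow-lists below are assumptions chosen for illustration, not vetted data.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: hosts from which an O16 cab download is expected on this box.
TRUSTED_O16_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com"}

# Assumption: directories where startup items and service binaries normally live.
# A file dropped directly into C:\WINDOWS or a user profile will not match.
TRUSTED_PROGRAM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line.

    Handles a quoted path, an unquoted path containing spaces (cut at the
    first ".exe"), and a bare name followed by arguments.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def outside_trusted_dirs(path: str) -> bool:
    """True when a full path does not start with any trusted directory.

    A bare file name (resolved via PATH, e.g. "Ati2mdxx.exe") cannot be
    judged from the log alone, so it is not flagged.
    """
    p = path.lower()
    if "\\" not in p:
        return False
    return not p.startswith(TRUSTED_PROGRAM_DIRS)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious O4 / O16 / O23 line."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = exe_path(m.group("cmd"))
            if outside_trusted_dirs(exe):
                findings.append({"type": "O4", "item": m.group("name"),
                                 "why": f"runs from an unusual location: {exe}"})
            continue
        m = O16_RE.match(line)
        if m:
            url = m.group("url")
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            reasons = []
            if host not in TRUSTED_O16_HOSTS:
                reasons.append(f"untrusted host {host}")
            if parsed.path.lower().endswith(".exe"):
                reasons.append("points straight at an .exe rather than a .cab")
            if reasons:
                findings.append({"type": "O16", "item": m.group("clsid"),
                                 "why": "ActiveX download: " + "; ".join(reasons)})
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            path = exe_path(m.group("path"))
            if outside_trusted_dirs(path):
                findings.append({"type": "O23", "item": m.group("desc"),
                                 "why": f"service with no publisher running from {path}"})
    return findings


# Sample lines: the first entries are quoted from the log posted above; the
# ones named sysupd / updsvc are constructed to show what a hit looks like.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKCU\\..\\Run: [sysupd] C:\\WINDOWS\\sysupd.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135030712048
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\\PROGRA~1\\mcafee.com\\vso\\mcshield.exe
O23 - Service: updsvc - Unknown owner - C:\\WINDOWS\\updsvc.exe
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:4} {f['item']:40} {f['why']}")
```

Location is only a heuristic: an entry under Program Files with a plausible name is not cleared by this script, and a bare file name in a Run key is skipped rather than judged. Treat an empty result as "nothing obvious", not as a clean bill of health, and still look up unfamiliar names the way the thread does.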

shelf life
2005-12-29, 17:38
hi MichaelHolmes,

Last log looks good to me. If everything's good on that end, I leave you with this:

All it takes is a few changes:


Make sure you keep your Windows OS current by visiting Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp)
occasionally to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

Also download, install and keep updated antivirus software (and use only one):
Free for home users:
avast! 4 Home Edition Download (http://www.avast.com/eng/free_virus_protectio.html)
AVG free version 7.0 (http://free.grisoft.com/freeweb.php/doc/2/)
AntiVir Personal Edition (http://www.free-av.com/)

Adjust your browser settings: change your ActiveX settings in IE. With IE open, go to Tools, Internet Options, Security tab. Click on the Internet globe, then Custom Level. Set the first option, "Download signed ActiveX controls", to Prompt, and the next two to Disable. Read more:
Internet Explorer Privacy & Security Settings (https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm)
Working with Internet Explorer 6 Security (http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx)
Many exploits are directed at Internet Explorer; you don't have to use it. Try a different browser.
Like Firefox (http://www.mozilla.org/products/firefox/),
And Pegasus Mail for a safer e-mail, no tweaking needed. (http://www.pmail.com/)

Outlook Express with the default settings is not secure. It will run scripts, download images etc., just like a browser.
Look here (http://www.codecutters.org/outlook/)
and here (http://www.tames.net/security/oesettings.htm)


Install a firewall. A firewall will control what comes in from the internet and what leaves your computer to the internet. A firewall will also alert you when an application tries to connect to the internet from your computer; this is a good way to catch crapware or trojans trying to connect outbound from your computer: what's that and why does it need an internet connection? You can deny it access until more investigation is done. Zone Alarm is a free and easy to use firewall that will provide in- and outbound protection. Microsoft XP firewall only provides inbound protection. SP2 adds in- and outbound protection, which is better than nothing, but is not as robust as third party firewalls. Be sure to run only >one< firewall. If you use another, be sure to disable XP's built-in firewall. If you use Zone Alarm, learn what needs/uses your internet connection. If something unusual or out of the ordinary "asks", deny it access until more investigation is done.
Zone Alarm (http://www.zonelabs.com/store/content/home.jsp)
Kerio Personal Firewall (http://www.kerio.com/us/kpf_home.html)
Outpost Firewall (http://www.agnitum.com/products/outpost/)
Sygate Personal Firewall (http://smb.sygate.com/products/spf_standard.htm)
Tiny Firewall (http://www.tinysoftware.com/home/tiny2?s=5375286922906434776A0&&pg=content05&an=tf6_home)
BlackIce (http://www.digitalriver.com/dr/v2/ec_dynamic.main?SP=1&PN=10&sid=26412)



Download one or two of these, install and update before using: (if these are constantly finding malware, then you need to make changes to your browser and/or your habits)
CounterSpy (http://www.sunbelt-software.com/) Free trial version
Spybot Search and Destroy (http://www.safer-networking.org/en/index.html)
Ad-Aware SE Personal edition (http://www.lavasoft.de/)
Microsoft AntiSpyware (beta version) (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
Be careful with spyware "removers and scanners" -- there are many "rogue/suspect" (http://www.spywarewarrior.com/rogue_anti-spyware.htm) programs that "claim to remove" spyware. Check here first.

Other programs to consider:
Process Guard (http://www.diamondcs.com.au/processguard/) stop events/processes with user intervention
SpywareBlaster (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49) add security to IE
IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD) adds adware peddlers sites/domains to IE restricted zone
CleanUp (http://www.stevengould.org/software/CleanUp/index.html) cleans out temps,history, autoforms etc

AntiTrojan software to fill in the gap:
a2 free (http://www.emsisoft.com/en/software/free/)
Ewido Security Suite (http://www.ewido.net/en/)
Trojan Hunter (30 day trial version) (http://www.misec.net/)
TDS-3 trial version (http://tds.diamondcs.com.au/) discontinued as of 07/05
Tauscan trial version (http://www.agnitum.com/products/tauscan/)


Learn More:
Browser Checkup (http://www.jasons-toolbox.com/BrowserSecurity/)
Parasite Free (http://www.doxdesk.com/parasite/prevention.html)
Safe Hex (http://www.claymania.com/safe-hex.html)
Shelf Life's site (http://security-central.us/SafeHex/index.htm)
Home Computer Security (http://www.cert.org/homeusers/HomeComputerSecurity/)
Wilders Security Advisors (http://www.wilders.org/index.htm)

Watch what you download, and where you download it from. Many programs come bundled with extra software. You may be installing more than you think. Make sure you understand what it is you will be downloading and installing to your computer. Visit the maker's website and learn more about the program. Does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits? Read the EULA agreement, you know, that paragraph of stuff you "agree to" before the software installs? If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Be careful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. A small file (in KB) is probably not what you think it is. Do you trust the source?
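The ActiveX step in the post above is done by clicking through the Security tab, which is easy to get wrong and hard to verify later. As an added example (not from the thread), here is a Python checker that reads a `reg export` of the Internet zone key and reports whether the three settings shelf life names are where he wants them, then emits a `.reg` fragment that fixes only the ones that are off. It assumes the value names and states Internet Explorer uses for the Internet zone (`1001`, `1004`, `1201` under `HKCU\...\Internet Settings\Zones\3`; `0` = Enable, `1` = Prompt, `3` = Disable); the two `.reg` texts in the block are constructed inputs, not exports from a real machine.

```python
"""Verify the Internet-zone ActiveX settings from a registry export.

Added example, not part of the thread. Assumptions: the value names and DWORD
states are the ones Internet Explorer uses for the Internet zone (Zones\\3):
1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX
controls, 1201 = Initialize and script ActiveX controls not marked as safe;
data 0 = Enable, 1 = Prompt, 3 = Disable. The .reg texts below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value name -> (label as shown in the Custom Level dialog, state recommended above)
WANTED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')


def parse_zone_values(reg_text: str) -> Dict[str, int]:
    """Collect the DWORD values that sit under the Zones\\3 key in a .reg export."""
    values: Dict[str, int] = {}
    in_zone3 = False
    for line in reg_text.splitlines():
        sec = _SECTION_RE.match(line)
        if sec:
            in_zone3 = sec.group("key").lower() == ZONE3_KEY.lower()
            continue
        val = _DWORD_RE.match(line) if in_zone3 else None
        if val:
            values[val.group("name")] = int(val.group("hex"), 16)
    return values


def audit(reg_text: str) -> Dict[str, Tuple[str, Optional[int], int, bool]]:
    """Per setting: (label, actual state or None if absent, wanted state, ok).

    A value missing from the export is reported as not ok: the setting has
    not been confirmed, so it is not assumed safe.
    """
    current = parse_zone_values(reg_text)
    report = {}
    for name, (label, wanted) in WANTED.items():
        actual = current.get(name)
        report[name] = (label, actual, wanted, actual == wanted)
    return report


def is_hardened(reg_text: str) -> bool:
    return all(ok for _, _, _, ok in audit(reg_text).values())


def remediation_reg(reg_text: str) -> str:
    """Emit a .reg fragment that sets only the values that are off target.

    Returns an empty string when nothing needs changing.
    """
    fixes = [f'"{name}"=dword:{wanted:08x}'
             for name, (_, _, wanted, ok) in audit(reg_text).items() if not ok]
    if not fixes:
        return ""
    return "\n".join(["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]", *fixes]) + "\n"


# Constructed export of an Internet zone where all three have been dropped to Enable.
WEAK_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000
"""

# Constructed export after the change recommended in the post above.
HARDENED_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"""


if __name__ == "__main__":
    for name, (label, actual, wanted, ok) in audit(WEAK_EXPORT).items():
        shown = STATE_NAME.get(actual, "missing/other")
        print(f"{'ok ' if ok else 'FIX'} {name} {label}: {shown} (want {STATE_NAME[wanted]})")
    print(remediation_reg(WEAK_EXPORT), end="")
```

To use it on a real machine, produce the input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and save the remediation output to a file you then load with `reg import`. The checker deliberately treats a missing value as a failure rather than assuming the zone default, and the fix file touches only the values it found off target, so it cannot silently rewrite the rest of the zone.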

MichaelHolmes
2005-12-31, 20:22
Hi shelf life,

Thanks for all of your help! I have implemented most of the suggestions in your last post, and will continue and get the system in better shape. I've installed the Windows updates, a new browser and Pegasus email so far.

I'll make a contribution to the forum. You saved us some bucks by enabling me to fix these problems myself!


Thanks again,

Mike Holmes
:)

shelf life
2005-12-31, 21:51
hi MichaelHolmes,

Glad to help. Happy safe surfing.

tashi
2006-01-07, 21:30
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please pm me or one of the forum mods.

Glad we could help. :)