PDA

View Full Version : Help Cannot Run HijackThis (Resolved)



Mike S
2009-08-22, 07:36
Hi,

I am trying to run HijackThis scan to start the process of posting my logs. I installed it but when I try running it nothing happens.

When I try to run SpyBot scan, it opens but then quickly closes. If I rename the file, it opens and then closes right when I choose to run a scan.

I am running Windows XP on a Tablet PC.

Please help!

katana
2009-08-23, 16:53
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


----------------------------------------------------------------------------------------
Step 1


Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.




@Echo Off
if exist "%Temp%\Katlog.txt" del /q "%Temp%\Katlog.txt"
For /R "%AllUsersProfile%" %%G in (*) DO (
@Echo Searching .. %%~nG
Echo "%%~nG"|Findstr /R "[A-Za-z]" > nul || Echo "%%~nG"|Findstr /R "[0-9]">nul&& Echo "%%~pG"|findstr "%%~nG">nul&& if exist "%%~dpG\%%~nG.exe" echo "%%~dpG">> "%Temp%\Katlog.txt"
CLS
)
If exist "%Temp%\Katlog.txt" Goto Finish
@echo No Folders Found >>"%Temp%\Katlog.txt"
:Finish
Notepad "%Temp%\Katlog.txt"
del /q %0
Exit


Double click on look.bat
Please be patient, as this will search the entire disc

Notepad will open, please copy/paste the results here.


----------------------------------------------------------------------------------------
Step 2

Please download the Win32kDiag.exe tool from the following location and save it to your desktop:

http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.

Double-click on this file and post the contents as a reply to this topic.

Mike S
2009-08-24, 00:35
Hi Katana,

Thanks for your help

Unfortunately now, I am even unable to start up windows. I get the windows screen with the progress bar and then the screen freezes. When I power off and restart I get the windows advance options to start in safe mode. I try safe mode, the screen begins to list a bunch of the drivers. But when it gets to:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\Drivers\Mup.sys

it freezes.

If I choose to restart to last known good configuration, I get the windows screen with the progress bar and then the screen turns black and freezes.

Any suggestions?

katana
2009-08-24, 00:46
Any suggestions?

Not many for this situation I'm afraid :(

Is there a Safe Mode With Networking option ? .. does that still work ?

If not, then I'm afraid that you are probably looking at a repair install at the very least.

Do you have an Install disc, or a recovery partition ?

Mike S
2009-08-25, 03:54
Yea the Safe Mode with Networking option produces the same result :(

I also don't have the recovery CD. This computer was handed down. I might have to just purchase the recovery CD from Toshiba.

Anyways I do have another question. So when the virus/malware infected the Toshiba laptop, somehow it also spread to my other Dell laptop through the network. So I started backing up all my files on the Toshiba and Dell to an external drive.

And then I clean installed Windows on my dell. When I connected the Dell to my external hard drive, my Dell got infected again :(

Is there a way for me to salvage the files on my external drive?

katana
2009-08-25, 10:50
I might have to just purchase the recovery CD from Toshiba.
Unfortunately, I suspect this is the easiest, if not only, option.


Is there a way for me to salvage the files on my external drive?

On the Dell machine, please do the following ....


----------------------------------------------------------------------------------------
Step 1

USBNoRisk

Please download USBNoRisk (http://amf.mycity.co.yu/personal/bobby/USBNoRisk/usbnorisk.exe) to your Desktop and run it by double-clicking the program's icon
wait a couple of seconds for initial scan to be done
connect all of the USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds
if there are more USB storage devices to scan, please take a note about the order in which these were connected
after all the devices are scanned, choose "Save log" option from right-click menu on Monitor tab. That will open the log in Notepad. Please copy/paste the log to forum

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

----------------------------------------------------------------------------------------
Step 2

Make sure the your External drive is still connected.
You can use the following scan to either scan your entire machine, or just the external drive. Your choice.

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post the Kaspersky log, and then we can see what is causing the problem.

Mike S
2009-08-26, 00:20
Here is the log from USBNoRisk

USBNoRisk 2.5 (26 July 2009) by bobby

Started at 8/25/2009 5:09:55 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {6a5eb844-8dd0-11de-b0af-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 6a5eb844-8dd0-11de-b0af-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 8/25/2009 5:16:08 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {4f837462-90f1-11de-a5d2-000f1f28070f}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
autorun.inf found on E:
----------------------------------------
File E:\autorun.inf renamed successfully

Content of E:\autorun.inf.blocked
----------------------------------------
autorun]
[autorun[
autorun[
[autorun
:jmp8
open=BOOTEX\thumbcache_131.exe
:jmp3
icon=%SystemDrive%\windowS\system32\SHELL32.dll,4
:jmp3
action=Open folder*to view files using*Windows*Explorer
:jmp0
shell\\\\open\command=.////BOOTEX/thumbcache_131.exe
:jle7
shell\\\\\\\explore\command=BOOTEX/thumbcache_131.exe
useautoplay=1
[AutoRun]
:GOTO NULL
----------------------------------------

No mountpoint found for E:
Sanitized mountpoint for 4f837462-90f1-11de-a5d2-000f1f28070f
----------------------------------------

----------------------------------------
Desktop.ini found at E:\BOOTEX\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at E:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive E:
========================================

Mike S
2009-08-26, 00:24
For Kaspersky Online Scanner I am using IE6 and am getting this alert on the website:

Kaspersky Online Scanner 7.0 require Java framework version 1.5 or later.

katana
2009-08-26, 00:29
I am using IE6

You really need to update that.


Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan (http://www.pandasecurity.com/activescan/index/) << LINK

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.

Mike S
2009-08-26, 00:56
I should have the external drive connected during the ActiveScan scan correct?

Btw just in case I didn't mention, after my Dell was infected when I connected to the external drive, I reformatted my Dell so it should not be infected with anything.

katana
2009-08-26, 01:06
I should have the external drive connected during the ActiveScan scan correct?

Yes, it is the external drive we are trying to scan :)

Mike S
2009-08-26, 05:33
ActiveScan Notes:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-25 22:30:19
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.4903.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@atdmt[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@tribalfusion[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@xiti[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@ad.yieldmanager[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@www.burstbeacon[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@questionmarket[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@target[1].txt
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@smartadserver[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@citi.bridgetrack[2].txt
02540669 Trj/Buzus.AH Virus/Trojan No 1 Yes No E:\BOOTEX\thumbcache_131.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location 5~
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 5~
;===================================================================================================================================================================================
210618 HIGH MS09-019 5~
208379 HIGH MS09-014 5~
203806 HIGH MS08-078 5~
203508 HIGH MS08-073 5~
201250 HIGH MS08-058 5~
209273 HIGH MS08-045 5~
194861 HIGH MS08-031 5~
191617 HIGH MS08-024 5~
191613 HIGH MS08-020 5~
187735 HIGH MS08-010 5~
187733 HIGH MS08-008 5~
182048 HIGH MS07-069 5~
182046 HIGH MS07-067 5~
179553 HIGH MS07-061 5~
176382 HIGH MS07-057 5~
170906 HIGH MS07-045 5~
170904 HIGH MS07-043 5~
164913 HIGH MS07-033 5~
160623 HIGH MS07-027 5~
157260 HIGH MS07-020 5~
157259 HIGH MS07-019 5~
156477 HIGH MS07-017 5~
150253 HIGH MS07-016 5~
150249 HIGH MS07-013 5~
150248 HIGH MS07-012 5~
150247 HIGH MS07-011 5~
150243 HIGH MS07-008 5~
150242 HIGH MS07-007 5~
150241 MEDIUM MS07-006 5~
141033 MEDIUM MS06-075 5~
141030 HIGH MS06-072 5~
137571 HIGH MS06-070 5~
137568 HIGH MS06-067 5~
133387 MEDIUM MS06-065 5~
133379 HIGH MS06-057 5~
129977 MEDIUM MS06-053 5~
129976 MEDIUM MS06-052 5~
126092 MEDIUM MS06-050 5~
126087 HIGH MS06-046 5~
108738 HIGH MS06-004 5~
126083 HIGH MS06-042 5~
126082 HIGH MS06-041 5~
123421 HIGH MS06-036 5~
120818 HIGH MS06-025 5~
120815 HIGH MS06-022 5~
120814 HIGH MS06-021 5~
117384 MEDIUM MS06-018 5~
114666 HIGH MS06-015 5~
114664 HIGH MS06-013 5~
108738 HIGH MS06-004 5~
108738 HIGH MS06-004 5~
96574 HIGH MS05-053 5~
93395 HIGH MS05-051 5~
93454 MEDIUM MS05-049 5~
;===================================================================================================================================================================================

katana
2009-08-26, 11:59
OTMoveIt
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop

Double-click OTM.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )



:Files
E:\BOOTEX\thumbcache_131.exe
:Commands
[Purity]
[EmptyTemp]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTM


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Mike S
2009-08-26, 15:07
All processes killed
========== FILES ==========
E:\BOOTEX\thumbcache_131.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Ed
->Temp folder emptied: 10238062 bytes
->Temporary Internet Files folder emptied: 152626594 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 4834 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 57783 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 157.52 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08262009_080159

Files moved on Reboot...

Registry entries deleted on Reboot...

katana
2009-08-26, 18:29
Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up



Uninstall OTMoveIt (OTM.exe)
Open OTMoveIt Click Cleanup,
When a box pops up click YES.


You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

Mike S
2009-08-26, 20:56
Thank you so much for your help!