[READ FIRST] Slow System, Lag, Crashes, Virus , Spyware, ect?

***georgeandoh*** · #1 (**permalink**) 07-31-2008, 07:49 AM

There are some coding issues but I'll play with them when i have more free time. I gathered info from many sources from what we have seen so far with members on Noeman.

What you might be experiencing is what we like to call Malware / Spyware / Trojans / bad things, here is a little "How To" to fix those issues. And after you are done scanning your system please Defrag your system; you would be surprised as to how much speed you will pick up.

This "How To" is simply to help folks that might otherwise not be familiar with some of these applications and processes. And none of these programs except the anti-virus run in your background nor do they take up any recourses other than when you run them.

==========================

Make sure you don't have any viruses. Make sure you have an up-to-date virus checker on your system, and *gasp* actually use it once in a while.

If you don't have a virus checker and can't afford to buy one, go to Trend Micro's Free online virus Scanner, House Call:
IE: [Only Registered users can see links . Click Here To Register...]
Mozilla, Firefox, etc.: [Only Registered users can see links . Click Here To Register...]

Although everyone should have an Antivirus (AV) Scanner and they should update it Daily, if you don't set it up to update automatically you will have to click the Update button.

If you're looking for an excellent AV light on resources NOD32 is for you. You can at least give it a try: [Only Registered users can see links . Click Here To Register...]

Another Good and FREE scanner is AVG: [Only Registered users can see links . Click Here To Register...]

Another thing to always do is to keep your system up to date from Microsoft (If it is a "special" copy of XP, uninstall KB892130 from the add/remove section) [Only Registered users can see links . Click Here To Register...]

If you don't have SiSoftware Sandra yet then i suggest you get it, it helps us troubleshoot your problems when you post a "help" thread in this forum. You can get the free (lite) version here. [Only Registered users can see links . Click Here To Register...]

SiSoftware Sandra (the System ANalyser, Diagnostic and Reporting Assistant) is an information & diagnostic utility. It should provide most of the information (including undocumented) you need to know about your hardware, software and other devices whether hardware or software.

This one has been popping up all over the place and people that have hated anything from Microsoft are praising this one OneCare Obtained from here [Only Registered users can see links . Click Here To Register...] OneCare protects against viruses, spyware, hackers, and other unwanted intruders. New features allow for multi-PC management to form a circle of protection, printer sharing support, and centralized backup of up to three PCs. (just Install the 90-day free trial of Windows Live OneCare)

==========================

Table of Contents:

Programs you need to disable and how to prior to cleaning your system

Winfixer / WinAntiSpyware / WinAntiVirus Popups / Virtumundo victims only

Automatic malware detection and removal steps (Run atleast one)

Antispyware Scanners (Run atleast one)

Online Anti Virus Scan (Run atleast one)

Anti-Trojan Scanner (Run atleast one)

Firefox and Add-ons

==========================

Please print out a copy of this overview and use it to check off each step as it is completed.

Throughout this guide you will see it says "post this HijackThis log to xxx" go [Only Registered users can see links . Click Here To Register...]

Save this 'checklist' of removal programs you have run, because they will be asking you to provide them with that information when it comes time to post a HijackThis log. Good Luck!

==========================

before running any automatic cleaning programs or scanners, we request that you perform a to get a list of forums that specialize in reading HijackThis logs.Reference HijackThis scan and save the results tohijackthisref.log for later posting. This Reference HijackThis log will indicate what infections were present on your system and visible to HijackThis, prior to running any preliminary anti-malware tools. This log serves as an important baseline indicator to the person analyzing your HijackThis log, so be sure to save it properly.

To download and properly install HijackThis:

* Download the [Only Registered users can see links . Click Here To Register...]
* Save the HJT Installer to to folder of your choice, then navigate to that folder and double-click HJTInstall.exe to start the installation.
* When the Trend Micro HJT install box appears, click Install.
* HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.

To obtain your Reference HijackThis Log:

* Select the Do a system scan and save a logfile option
* HijackThis will analyze your system, and automatically open a notepad textfile containing the HijackThis log when the scan is finished.

To save the Reference HijackThis log:

* You must change the default log filename from hijackthis.log to hijackthisref.log
* The file hijackthisref.log will be saved in the C:\Program Files\Trend Micro\HijackThis folder.
* Make sure you are able to access hijackthisref.log for later posting, before moving on to the next step.

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on Open the Misc Tools Section
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

List also minor sections (Full)
List empty sections (Complete)

4. Click Generate StartupListLog
5. Click Yes at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed

PLEASE DO NOT ATTEMPT TO FIX ANYTHING WITH HIJACKTHIS. MOST OF THE HJT LOG ENTRIES ARE CRITICAL TO THE PROPER FUNCTIONING OF YOUR COMPUTER. REMOVING ESSENTIAL ENTRIES CAN POTENTIALLY CAUSE SERIOUS DAMAGE TO YOUR COMPUTER

==========================

The Control Panel - Add/Remove Programs

The first place to look when attempting to remove spyware/adware threats is in the "Add/Remove Programs" utility in the Control Panel . Many questionable programs are installed into their own program folder, using the customary method provided by WIndows and bear recognizable names. You may find adware/spyware Toolbars (Not the trustworthy ones like Google, MSN, Yahoo or AOL), bogus search aids such as WinTools, or NavHelper (NavExcel), and a variety of other suspect programs.

After a program is uninstalled via "Add/Remove Programs", except in the most difficult cases, any remaining remnants will ordinarily be removed by the scanning programs we recommend. If you are unsure about whether or not to uninstall a specific program, you may find the answer in the

[Only Registered users can see links . Click Here To Register...]. Another very useful resource is [Only Registered users can see links . Click Here To Register...] by chaslang.

Some additional spyware databases that may provide you with information about particular threats are [Only Registered users can see links . Click Here To Register...] and the [Only Registered users can see links . Click Here To Register...] If you cannot arrive at a definitive answer after consulting these resources, then leave the program intact and mention it when you post a reply.

==========================

Please temporarily disable any real time monitoring programs.

Some security programs with active monitoring processes are known to interfere with automatic scanners and can actually prevent HJT fixes from taking effect.

Please turn off or disable any of the following programs you may have, before running your preliminary scans and for the duration of your HJT cleanup (should you post a log). To do disable these programs, please follow the instructions provided in the respective sections. Some of these programs will automatically restart upon reboot, so you will have to repeat these disabling steps as required. After Malware Removal is complete, you should reactivate these protective programs if you do not intend to post a HijackThis log.

Spybot S&D (Teatimer)

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

Ad-Aware Ad-Watch

Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically

Uncheck both of those boxes.

Spywareguard
Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.

Windows Defender

Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"

TrojanHunter Guard

Disable TrojanHunter Guard by right clicking on the icon in your System Tray.
Make sure that the program, TrojanHunter itself, is also closed/not running.

Disable SpySweeper

If you have Spy Sweeper version 4:

Open it, Click Options over on the left, then Program options
Uncheck load at windows startup.
Over to the left, Click shields and Uncheck all there.
Uncheck home page shield.
Uncheck automatically restore default without notification.
Reboot your machine for the changes to take effect before running HJT.

--------------

If you have SpySweeper version 5:

To disable SpySweeper Shields

Open SpySweeper.
Click Shield Settings on the right

(or Shields on the left, depending what screen you're on).

Click Internet Explorer and uncheck all items.
Click Windows System and uncheck all items.
Click Hosts File and uncheck all items.
Click Startup Programs and uncheck all items.
Close SpySweeper.

Reboot you computer, and ensure Spy Sweeper is disabled.

WinPatrol
Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.

CounterSpy

Right-click the running icon of CounterSpy in the system tray.
With your mouse, hover over Active Protection Status (This should be enabled).
A menu will slide out and then you need to right click on "Disable Active Protection".

AVG Anti-Spyware (formerly ewido)

Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
Reply 'no' and set it to 'inactive' for the duration of your cleanup.

Spyware Doctor

From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".

Prevx

Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console..
On the Management Console click the Protection Level drop-down menu. You will see three levels:

Code:

   Maximum
      Off
      User Defined

To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
Click the X on the upper right hand corner to exit the Management console.

ProcessGuard

Right-click the blue lock ProcessGuard icon located in the system tray.
Uncheck 'protection enabled'
Click yes.

ZoneAlarm's OS Firewall

Go to the Program tab, then click "Main".
Press the first "Custom" button from the top.
Uncheck "Enable OS Firewall".
Click OK.

==========================

***georgeandoh*** · #2 (**permalink**) 07-31-2008, 08:14 AM

Winfixer / WinAntiSpyware / WinAntiVirus Popups / Virtumundo victims only Please follow the Virtumundo Removal Instructions for all versions of Windows including Vista.

This procedure is to remove Adware-Virtumundo (Vundo).Winfixer /WinAntiSpyware / WinAntiVirus and Adware-Virtumundo are not one and the same.

Persistent popups from rogue (fake) antispyware programs such as WinFixer, WinAntiSpyware, WinAntiVirus, Amaena.com, ErrorSafe, SystemDoctor and DriveCleaner which pester the user to purchase the phony program, are indicative of Adware-Virtumundo or a Vundo infection, for short, but it is also possible to have the program Winfixer program and its successors installed without Vundo accompanying it.

A fairly recent ploy used to draw users to the Winfixer website, spoofed a phony Windows Online Safety Center webpage as bait. Users were directed to the WinFixer website if they clicked the Full System Scan button, as depicted in the third screenshot. The light blue background section in the imposter image distinguishes it from the real Windows Online Safety Center. Recently, the Amaena.com website has replaced this ploy with a bacteria virus alert. This is the latest lure used to redirect users to this WinAntiSpyware or WinAntiVirus affiliate website.

If WinAntiSpyware or WinAntiVirus was installed on your computer without your consent, it is removable via the Add / Remove Programs feature in the Control Panel. Vundo is not removable via Add / Remove Programs, but the following procedure should successfully eliminate it from your system.

Operational symptoms: ( 1 & 2 are most common)

Winfixer or WinAntiSpyware / WinAntiVirus Popups
Advertising pop-ups for a variety of other phony security products, such as SysProtect.
Alerts possibly originating from the domain [Only Registered users can see links . Click Here To Register...]
Possible system instability

HJT Log Symptoms:
Matching pairs 02 BHO and 020 Winlogon Notify entries containing the same random consonant filename (typically 5-8 chars in length).
The BHO entries can be of either the MSEvents Object,ATLDistrib Object, CIEPl Object, or No Name type

Note: If you have Winfixer / WinAntiSpyware / WinAntiVirus Popups popups with none of the HJT log symptoms described below then:

You may have a new variant which suspends running when it detects HijackThis is running. You can workaround this by renaming HijackThis.exe to either HJT.exe or TJH.exe, and then rescan. This should make the signature BHO and 020 WinLogonNotify DLL entries visible.
If option 1 doesn't solve the problem, then you should determine if you have the rootkit variant installed by following the [Only Registered users can see links . Click Here To Register...]

HJT Log Examples:

ATLDistrib Object
Example 1

O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\mljjj.dll
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll

Example 2

O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\pmnlj.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll

MSEvents Object
Example 1

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnkk.dll
O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll

Example 2

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayv.dll
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll

CIEPl Object- Newest Variant- adds an infected 020 AppInit_DLLs HJT entry
Example 1

O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\service.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\jfwofybc.dll
O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll

Example 2

O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\System32\msvmon.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\gllrlgyd.dll
O20 - Winlogon Notify: msvmon - C:\WINDOWS\SYSTEM32\msvmon.dll

Note: Only variant with randomly named file in the AppInit_DLLs value and a constant 02 BHO CLSID=F85E86D8-F796-4C97-AAA2-26664A98A42C

No name BHO:

O2 - BHO: (no name) - {32879631-0c49-4df3-b9d1-becf87f640c0} - C:\WINDOWS\system32\uxfkqdhd.dll
O20 - Winlogon Notify: uxfkqdhd - C:\WINDOWS\system32\uxfkqdhd.dll

Additional Registry and File System Changes
If you run other diagnostic programs such as Silent Runners or Autoruns, you may encounter other registry and file system changes such those listed by McAfee SiteAdvisor [Only Registered users can see links . Click Here To Register...].

Some file addition examples are:

C:\WINDOWS\system32\SpOrder.dll
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\system32\stera.job

The BootExecute Registry key is also changed:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Se ssion Manager\BootExecute

The data value "BootStera="\\??\\C:\\WINDOWS\\system32\\stera.job " is added, so stera.job is executed at system startup.

Removal Directions:

Download [Only Registered users can see links . Click Here To Register...] by [Only Registered users can see links . Click Here To Register...] to your desktop.

1. Double-click VundoFix.exe to run the program.
2. Click the Scan for Vundo button.
3. When the scan is complete, click the Remove Vundo button.
4. If VundoFix responds with a "No infected files were found" message, right-click the list box (white box) in the main VundoFix window.

Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
You must examine your HJT log. and copy and paste the complete file path present in your 02 BHO and 020 WinLogon Notify entries into the first field of the list box.

Using our first HJT example above, this would be: C:\WINDOWS\system32\mljjj.dll

In the second field, copy and paste the same path but the filename should be spelled in reverse and an asterisk (wildcard symbol) should replace the file extension:

Using our first HJT example, this would be: C:\WINDOWS\system32\jjjlm.*

Note: You must substitute the filename found in your own HJT log for the filename used in the example

Click the Add Files button.
Click the Close Window button.
Click the Remove Vundo button.

5. You will receive a prompt asking if you want to remove the files, click Yes
6. Once you click Yes, your desktop will go blank as it starts removing Vundo.
7. When completed, it will prompt that it will shutdown your computer, click OK.
8. Restart your computer
9. A log called vundofix.txt will be created in your C:\ directory
10. Inspect C:\vundofix.txt with Notepad to be sure the fix completed properly

Please retain the log created C:\vundofix.txt should you need to post a HijackThis log.

For more information about VundoFix and Vundo threat symptoms refer to [Only Registered users can see links . Click Here To Register...] Attribune is the author of this tool.

VirtumundoBeGone - another Tool to try - if VundoFix failed to remove your infection

Some older variants of Vundo that are still in circulation may be removable with [Only Registered users can see links . Click Here To Register...] (even though they are resistant to removal with the VundoFix):

Such VundoFix-resistant variants may create HJT entries like the following:
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ljjjjjk.dll
O20 - Winlogon Notify: ljjjjjk - C:\WINDOWS\SYSTEM32\ljjjjjk.dll

Comprehensive list of Vundo related [Only Registered users can see links . Click Here To Register...], [Only Registered users can see links . Click Here To Register...] and [Only Registered users can see links . Click Here To Register...] available at [Only Registered users can see links . Click Here To Register...] (malware encyclopedia).

If VundoFix was ,unsuccessful in removing infection, download and run [Only Registered users can see links . Click Here To Register...] by Secure2K.
Note: Do .not run VirtumundoBeGone on Vista as it has not been tested on Vista platforms and was written before Vista was released)

Follow the self-explanatory prompts to run the tool.
More information on VirtumundoBeGone be found [Only Registered users can see links . Click Here To Register...]

Verify Vundo is eliminated

Perform a HJT scan using the Do a system scan only option.
Inspect the HJT log for the original Vundo entries which were present in your log.
If there are no Vundo HJT entries remaining, then continue with this guide
If the Vundo HJT entries are present with the (file missing) attribute, then you are no longer infected. You can remove the HJT entries, by checking them and clicking the Fix Checked button.

Example

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnkk.dll (file missing)
O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll (file missing)

5. You are still infected if:

Your Vundo HJT entries are still present without the (file missing) attribute
Your variant is of the new CIEPl Object type and the O20 - AppInit_DLLs entry remains, and cannot be removed by fixing it it with HJT

If you are still infected

If no Virtumundo HJT entries are present but your popups persist, then you should check to see if you have the rootkit variant by following the [Only Registered users can see links . Click Here To Register...]
You will need to post a HJT log - if you still have Winfixer popups even though you have exhausted all remedies, but only do so after Malware Removal is complete.

If none of this worked try running the [Only Registered users can see links . Click Here To Register...] I don't know anything about this but sabin1981 said it removed the Bug

Now it is important that you return to the [Only Registered users can see links . Click Here To Register...] and continue.
==========================

Now please complete the following automatic malware detection and removal steps.

After you have installed the scanning programs listed below, please be sure to update them. A program is only effective if it updated with the latest definitions. Updating will help provide protection against the most recently introduced security threats.

==========================

Cleaning out the Crap:
Now "Clean out the Crap". By this we mean removing all the temporary, temporary Internet and other junk files that are stored on your computer. You may accomplish this by running CCleaner. CCleaner will not only clean out the garbage, but it will also remove malicious files which may be hiding in your temp folders. Make "Cleaning out the Crap" a part of your regular maintenance routine.

CCleaner (All versions of Windows including Vista)

[Only Registered users can see links . Click Here To Register...] and Install Directions

For a basic version of CCleaner with no Yahoo Toolbar Uncheck "Add CCleaner Yahoo! Toolbar", as it is checked by default during CCleaner Setup

CCleaner Setup and Usage

Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
A pop up box will appear advising this process will permanently delete files from your system.
Then select the items you wish to clean up. (See Note 1 below)

In the Windows Tab:

Code:

Code:

Clean all entries in the "Internet Explorer". If you prefer to keep your cookies, uncheck the Cookies entry. Deleting cookies will require re-entry of user names and passwords on next visit to sites that require users log in.

				Clean all the entries in the "Windows Explorer" section.

				Clean all entries in the "System" section.

				Clean all entries in the "Advanced" section.

				Clean any others that you choose.

			
			
			In the Applications Tab:
			
				Clean all (optionally, except cookies) in the Firefox/Mozilla section if you use it.

				Clean all in the Opera section if you use it.

				Clean Sun Java in the Internet Section. ==> Important: See Note 2 below before proceeding

				Clean any others that you choose.

Then click the "Run Cleaner" button and it will scan and clean your system. Click exit.

For operational help with CCleaner's setup and features please consult this [Only Registered users can see links . Click Here To Register...]

Note 1: To see a list of everything that CCleaner 'cleans' so you may customize the settings to suit your needs, click [Only Registered users can see links . Click Here To Register...]

Note 2: If you run Yahoo's website design program called [Only Registered users can see links . Click Here To Register...] do not check the option to clean out Sun Java, accessed under the Applications => Internet => Sun Java section as specified in Step 3 above.

++++++++++++++++++++++++++

ATF Cleaner (Win 98/ME/2K/XP and Vista)

Please download [Only Registered users can see links . Click Here To Register...] by Atribune.

This program is for Windows 98/ME/2K/XP and Vista

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Uncheck Cookies - only, if you choose to retain your cookies
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Uncheck Cookies - only, if you choose to retain your cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Uncheck Cookies - only, if you choose to retain your cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit. on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

==========================

***georgeandoh*** · #3 (**permalink**) 07-31-2008, 08:22 AM

Antispyware Scanners - Run at least one, preferably two - if your system is functioning well enough:

++++++++++++++++++++++++++

Ad-Aware (Win 98/Me/NT/2000/XP)

Download [Only Registered users can see links . Click Here To Register...] and install it. If you already have Ad-aware 2007, please configure it per instructions below. If you have a previous version of Ad-Aware, please install the newest build

Launch Ad-Aware and update the Definition Files by clicking on 'Check for Updates now' in the lower right hand corner. Then, to run:

Click on "Scan now"
Uncheck "Search for negligible risk entries"
Check "Search for low risk entries"
Check "Perform a full system scan"
Click the "Next" button in the lower right hand corner. to begin scanning.
When the scan has completed, select Next.
In the Scanning Results window, select the "Scan Summary" tab.
Check the box next to each "target family" you wish to remove.
Click next, Click OK.
Shutdown/restart the computer.

++++++++++++++++++++++++++

SpyBot S&D (Win 95, 98, ME, 2K, XP, 2003, PE, Vista)

Supported Operating Systems

All Versions of Windows including Vista
Can be integrated into Vista Security Center - Monitors if Spybot-S&D is up-to-date and whether the permanent protection (TeaTimer) is running or not).

Download [Only Registered users can see links . Click Here To Register...] and install it.

Run Spybot and allow it to create a backup of your registry when prompted.
Click on "Search for Updates".
If any updates are found, place a check mark next to each one.
Click on "Download Updates".
Click on "Immunize" [When it detects what has or has not been blocked, block all remaining items].
Do this by clicking the green plus sign next to immunize at the top.
Click on "Check for Problems" and if any problems are found, click on "Fix Selected Problems".
Reboot your computer.

[Only Registered users can see links . Click Here To Register...]
[Only Registered users can see links . Click Here To Register...]

++++++++++++++++++++++++++

Windows Defender (Win XP SP2, Win 2003 SP1+, Vista) - This scanner will remove the Sony XCP DRM rootkit

Windows XP and Windows Server 2003 users can find information and download links for [Only Registered users can see links . Click Here To Register...]

Please note: The Microsoft download site will require you to validate your copy of Windows before allowing you to download this program. Only systems that are fully updated with all service packs will be allowed to download.

Supported Operating Systems

Windows Server 2003 Service Pack 1
Windows XP Service Pack 2
Vista (it comes installed with the Operating System so you don't need to download it)

Download and install the [Only Registered users can see links . Click Here To Register...] by checking the use recommended settings option.
When the installation has finished, allow the program to automatically update the definitions and perform a quick scan. This will only take a few minutes, but it is not enough to ensure you have a clean system.
Following the completion of the quick scan, click the white down arrow next to Scan, and then click Full Scan. The Full Scan option will allow Windows Defender to perform an in depth scan of your entire system which is necessary to detect any hidden spyware/adware threats.
When the full scan is complete, you will be presented with your spyware scan results.
Take the default action suggested by Windows Defender to deal with all threats found.
Once you have selected an action for all threats found in the spyware scan results, you will need to reboot your computer.

For more detailed instructions consult [Only Registered users can see links . Click Here To Register...] and the [Only Registered users can see links . Click Here To Register...]

Note: Windows Defender will remove the rootkit portion of the Sony XCP DRM software.

++++++++++++++++++++++++++

SUPERAntiSpyware

SUPERAntiSypware (SAS) is free to home users

Supported Operating Systems

Windows 98, ME, 2000, XP, 2003, Vista

System Requirements

400Mhz or faster Processor with atleast 256MB RAM

Download and install [Only Registered users can see links . Click Here To Register...] using the default settings

Double-click the SUPERAntiSpyware desktop icon to launch the program.
When you are asked to update the program definitions, click Yes.

Only if you are not prompted to update the definitions or already have SAS, select Check for Updates before scanning.

Program Setup

Select Preferences | Scanning Control

Check the following Scanner Options:

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

Click the Close button to leave the control center screen.

Scanning

On the main SAS screen, under Scan for Harmful Software select Scan your Computer.
On the left, make sure your primary drive (normally C:\Fixed Drive) is selected, plus any other hard drives that are connected to your system.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.
After the scan is complete, a Scan Summary box will appear listing potential threats that were detected. Click OK.
Check all detected threats, then click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click OK and then click the Finish to return to the main menu.
Reboot your computer

Retrieving the scan report

Relaunch SUPERAntispyware
Click Preferences | Statistics/Logs
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, select the most recent and press View log. The SAS scan log will be displayed in your default text editor.
If you are posting a HJT log, and any threats (excuding cookies) were found - copy and paste the SAS Scan Log results in your HJT topic - along with your HJT log.
Click Close to exit the program.

If you have questions or need help, please refer the SUPERAntiSpyware [Only Registered users can see links . Click Here To Register...].

++++++++++++++++++++++++++

Prevx2

Please note: Prevx2 provides the cleanup option only for 30 days of free use, thereafter it will only detect and not cleanup infections.

Supported Operating Systems

Windows 2000, Windows 2003 and Windows XP - a Beta version is available for Vista (32 and 64 bit)

Download and install [Only Registered users can see links . Click Here To Register...] by clicking the Download Now button.
When the installation has finished click on the Start Trial to activate and then reboot your system.
Allow the installation scan to complete after the reboot.
If malware is already running then the Process Scan will detect and launch the Cleanup routine.
Follow the directions on the screen.

==========================

***georgeandoh*** · #4 (**permalink**) 07-31-2008, 08:27 AM

Before performing your Online AntiVirus Scan, please disable your own resident antivirus's real-time protection feature, to avoid any conflicts. Even if you have an up-to-date AntiVirus program on your system, it is still important to run an online scan, since some parasites may prevent your own anti-virus program from functioning properly or even disable it. Additionally, it does no harm to "get a 2nd opinion" with antivirus scanners because they often find different types of Spyware.

Preliminary Considerations:

Please do not re-enable your own AV's real time protection, until all the scans suggested in this tutorial have been completed.
In all cases, choose the option to save the scan report when the scan is complete.
Supported operating systems are indicated if that information was made available at the vendor's website.

Vista users

Must launch Internet Explorer as an Administrator to perform an online scan. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the context menu.
Need to add the website address (url) of the antivirus scanner you are using to the Trusted Zone of Internet Explorer, for the scanner to function properly.

Launch Internet Explorer and navigate to the Antivirus scanner you have selected from the list of scanners we have suggested. (Vista Users: The ESET Nod32 Scanner is the only Vista compatible scanner that is out of Beta - so that is the scanner you should use)
On the Internet Explorer Menu or Toolbar, choose Tools | Internet Options and select the Security tab.
Choose Trusted Sites.
Click the Sites button.
Uncheck - "Require server verification (https for all sites in this zone".
The website address of the Antivirus Scanner you are using (for example, [Only Registered users can see links . Click Here To Register...] for the ESET Nod32 scanner) should appear in the open box labeled "Add this website to the zone".
Click the Add button.
Verify the url has been added to the trusted zone by inspected the Website listing in the bottom pane.
For Vista users, this will turn off Internet Explorer [Only Registered users can see links . Click Here To Register...] for the website you have just added to the trusted zone.
Click the Close button.

Perform at least one of the following scans:

The following scanners require a browser which supports active-X downloads (i.e. Internet Explorer).:

[Only Registered users can see links . Click Here To Register...] (Win 95/98/ME/NT)

The Online Panda Scan flags both viruses and spyware, but will only disinfect viruses.
Please scan 'My computer' and save the log produced at the end of scan, because the HJT Team may request to see it later.

[Only Registered users can see links . Click Here To Register...] (Win 98/ME/NT 4.0/2000/XP/Vista)

64 bit versions of Windows are supported.
The scan report is saved by default in C:\Program Files\EsetOnlineScanner\log.txt

[Only Registered users can see links . Click Here To Register...] (Win 2000/XP)

The F-Secure Online Virus Scanner has incorporated rootkit detection capabilities through its BlackLight engine. For Windows 2000 and XP only.

Javascript must be enabled to run this scanner.
Beta version supports Vista.

[Only Registered users can see links . Click Here To Register...] (Win 98SE/NT4.0,SP6a/2000/XP/2003/MCE 2005)

[Only Registered users can see links . Click Here To Register...]

[Only Registered users can see links . Click Here To Register...] (Win 98/ME/2000/2003/NT/XP). Please see*Note below.

[Only Registered users can see links . Click Here To Register...] (Win XP/2000 Pro/2003)

Removes viruses, spyware and hard disk clutter
Beta version supports Vista

The following scanner supports these browsers:
Internet Explorer - Netscape (6+) - Mozilla (1+) - Firefox (all):

[Only Registered users can see links . Click Here To Register...](Win 98SE/NT4.0,SP6a/2000/XP/2003/MCE 2005)

Let the online AV scanner(s) auto clean whatever is detected and then reboot your system.

Note: Only if you are so severely infected that you cannot complete an online scan, even when run overnight, you may use a temporary solution, until a full online viral scan can be performed:

[Only Registered users can see links . Click Here To Register...] detects and disinfects many harmful and prevalent infections.
[Only Registered users can see links . Click Here To Register...] detects and removes many prevalent and malicous threats.
[Only Registered users can see links . Click Here To Register...]

Note: regarding the BitDefender Online Scanner: When a threat is detected by the the BitDefender Online scanner, it will first attempt to disinfect (repair) the file, and only if it cannot be repaired, it will delete it. However, you can elect to change the secondary action from delete to "Report Only" or "Prompt for User Action", so an infected system file is not deleted. This is the safest option to guard against false positives and system files that have been "patched" by Spyware. It is also the safest option if heuristics are used in detection, which they are by default.

The options which are checked (enabled) in the image are the BitDefender default scanning options, and they may be changed.

==========================

***georgeandoh*** · #5 (**permalink**) 07-31-2008, 08:31 AM

Run atleast one Anti-trojan Scanner:

AVG Anti-Spyware Free (formerly ewido anti-spyware) runs on Windows 2000, XP and Vista (32 and 64 bit)

Only if you already have either AVG Anti-Spyware version 7.5.0.50 or the Vista compatible version 7.5.1.43, installed, then: (Otherwise proceed to Step 1)

Open AVG Anti-Spyware, make sure it is fully updated and then close it.
Do NOT run a scan yet.
Proceed to Step 2 below, so you may perform your ewido scan in safe mode.

Step 1 - Download, Install, and Update AVG Anti-Spyware Free

Please download the

[Only Registered users can see links . Click Here To Register...] installer to your desktop.

After the download is complete, double-click on the ewido install file to launch the installation process.

Follow the prompts and be sure that Launch AVG Anti-Spyware Free is checked.
- Once the AVG Anti-Spyware Free main program screen has opened, click on Update now.
- You will see an update progress bar, followed by an Update Succesful message when updating is complete.
- After the database is installed, Click Scanner | Settings
- Under How to act?
- Select Recommended Actions and choose Quarantine to set the default action for detected malware
- Under the Reports section:
- Select Automatically generate report after every scan
- De-select Only if threats were found
Once updating is 100% complete close AVG Anti-Spyware, so you can perform the AVG Anti-Spyware scan in safe mode as described in Step 2. Safe mode is preferable because often malware programs which run in normal Windows mode will not be running in safe mode. This makes it easier to safely quarantine these threats because they will not be "in use". Another advantage, is some rootkits may not run in safe mode, and if this is the case, AVG Anti-Spyware will be able to detect them and the malware they are hiding. If you have trouble starting your computer in safe mode, just perform the scan in normal Windows mode as outlined in Step 2.

Note: This new version of AVG Anti Spyware (7.5.1.43) corrects the inability to run in safe mode that was present in the recently released v.7.5.1.36. If you previously installed AVG Anti Spyware v.7.5.1.36, please uninstall it and replace it with this newer version (v. 7.5.1.43). Then proceed to Step 2.

Step 2 - Perform AVG Anti-Spyware scan in safe mode and save the scan report
- Boot into Safe Mode
- Restart the computer
- Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key
- If done correctly, the Windows Advanced Options Menu will appear.
- Select Safe Mode from the options menu. Starting Windows in Safe Mode may take several minutes
- Logon on using your usual account name
- Perform the AVG Anti-Spyware scan
- Select the Scanner icon at the top
- Click the Scan tab
- Select Complete System Scan.
- If a threat is found, make sure Quarantine is set as the action to apply, and then click Apply all actions
- Allow the scan to complete
Note: Do not, proceed to Step 3 - Save the scan report until you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the Apply all actions button.
- Save the scan report
- Select the Reports icon at the top.
- Select the Save report as button in the lower left hand corner of the screen
- Save the report to a location which you will remember, so it is readily available if a staff member requests to see it. If you post a hijackthis log, please include it in your topic. By default, the scan report is saved to a reports sub-folder within the AVG Anti-Spyware 7.5 folder:
On Win 2k and XP systems, the default scan report location for both AVG AS v. 7.5.0.50 and v.7.5.1.43 is:
- C:\Program Files\AVG Anti-Spyware 7.5\Reports\
On Vista platforms, the default scan report location for AVG AS v.7.5.1.43 is:
- C:\Users\<user name>\AppData\Roaming\Grisoft\AVG Antispyware 7.5\Reports\
- Close AVG Anti-Spyware and reboot your system back into Normal Mode
For more detailed instructions regarding AVG Anti-Spyware setup and scanning features, please consult the [Only Registered users can see links . Click Here To Register...](pdf) by DieHard

++++++++++++++++++++++++++

TrojanHunter Trial

Note: TrojanHunter runs on Windows 95, 98, ME, NT, 2000, XP and Vista.
- Download and Install the 30-day trial of [Only Registered users can see links . Click Here To Register...]
Note: If you already have TrojanHunter v. 5.0, please update it and configure to match the settings we recommended in Step 3.
- There is no updating feature available within the trial version of TrojanHunter itself, so you must download a compressed ruleset and unzip all the files within it to the TrojanHunter folder, as outlined in the [Only Registered users can see links . Click Here To Register...].
- To set up TrojanHunter Click Options and check mark everything except Display log messages & Log NTFS Alternate Data Streams. Then close TrojanHunter, because the scan can be performed more effectively in safe mode.
- Now, boot into safe mode, by restarting your computer while tapping the F8 key. Once the Windows Advanced Options Menu appears, select Safe Mode and wait until the Safe Mode desktop appears.
- Once in safe mode, reopen TrojanHunter and check all the boxes (green) beside your main hard drive folders, then click on Full Scan.
- When the scan is finished, click File | Save Scan Report on the Main Menu. The scan report will be saved to the TrojanHunter Program Folder.
- Reboot normally.

Note: If Nod32 Antivirus's active protection is running during your scan, AMON (the Nod32 file system monitor) will detect and quarantine a randomly named EXE file in your user profile temp directory. This file is SAFE and created during TrojanHunter's execution. Please disable AMON during your TrojanHunter scan, or run the scan in safe mode as suggested. The program is fully functional and free to first time users for only 30 days.

For more detailed instructions regarding TrojanHunter setup and scanning features, please consult the [Only Registered users can see links . Click Here To Register...][/list]

***georgeandoh*** · #6 (**permalink**) 07-31-2008, 08:34 AM

A new Vundo infection which has recently cropped up, is being installed with a rootkit.
The infected user will complain of persistant Winfixer popups but the HJT log will not have any of the usual visible Vundo indications. A hidden service called DP1112 and a Blacklight log which contains an entry for C:\WINDOWS\qaz4.txt will confirm the presence of the rootkit. Refer to the screenshots for what the user will see.

Symptoms:

A hidden rootkit service will be running but will not be visible in the HJT log.
The typical 02 and 20 Vundo entries will not be visible until the service is removed.come
The rogue service will be visible in [Only Registered users can see links . Click Here To Register...] and the HJT Startup List run in SAFE Mode
Visual/operational indicators include have two separate fake warning windows

One, a phony security center warning generated by the amaena.com, a Cool Web Search domain
The other, an Add/Remove Programs warning generated by the winfixer.com website.

Both images are generated by the rogue websites themselves and appear within the open Internet Explorer or browser window.

Symptoms - A Closer look:
1 & 2 are sufficient to confirm the presence of the rootkit

1. The BlackLight Log

The following entry will be present:

06/28/08 11:15:29 [Info]: Hidden file: C:\WINDOWS\qaz4.txt

2. Hidden Non-Plug and Play Driver

In the Device Manager, a hidden Non-Plug and Play Driver will be listed called DP1112. To verify this:

Right-click My Computer
Click Properties --> Hardware --> Device Manager
On the toolbar menu, click View --> Show Hidden devices.
Double-click Non-Plug and Play Drivers
An entry called DP1112 should be present in the list of drivers

3. The HijackThis Startup List

This entry will be visible in service listing under the category:
Enumerating Windows NT/2000/XP services

DP1112: \??\C:\WINDOWS\system32\Drivers\DP.sys (autostart)

4. Rootkit Revealer Log

C:\WINDOWS\qaz4.txt 1/28/2006 10:57 PM 3.56 KB Hidden from Windows API

5. The Registry

These two keys will be present which define the hidden service DP1112:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\DP1112]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\DP1112\Security]

Detection and Removal
Note: - After these instructions were written, the VundoFix by Attribune was updated to remove the rootkit variant, so you need only complete Step 8 of these instructions for complete removal of Vundo and its rootkit.

However, You may still want to continue because:

You may use this method to verify the presence of the rootkit by performing steps 1 and 2.
This procedure provides a valuable illustration of how to accomplish manual removal of a rootkit
The particular rootkit used to hide Vundo in this example, is not threat specific and has been known to accompany other malware threats.

The [Only Registered users can see links . Click Here To Register...] is a valuable rootkit detector which is offered in both a graphical user interface and command line version. BlackLight is able to detect rootkit hidden files which may not visible using conventional Windows tools such as Windows Explorer, the Windows Search function, or even the DOS directory command (dir).
1. Download the [Only Registered users can see links . Click Here To Register...] by clicking Accept and then clicking Download on the next page.

Save to a folder of your choice or the desktop.
Start the program by double-clicking on its icon.
Click Accept
Click Scan - see Note
When the scan is complete, press Next
Only rename C:\WINDOWS\qaz4.txt if present, even if other hidden items are found
Close all other programs before continuing, and then select Next -] Finish.
Select Restart now to reboot the computer so the changes take effect
After the reboot, the hidden items should be renamed and visible on the computer.
Re-run BlackLight to verify that C:\WINDOWS\qaz4.txt is no longer found.

Note: While scanning, it is important to observe the following precautions:

Close all browser, program and Explorer windows.
Disconnect from the internet to prevent background programs from autoupdating during the scan.
Do not touch your computer (mouse & keyboard) or have any programs running other than BlackLight

BlackLight beta creates a log file fsbl-<date-and-time>.log in the same directory as the blbeta.exe.

For more detailed instructions please refer to the [Only Registered users can see links . Click Here To Register...]

2. Stop and delete the service DP1112 via the command prompt

Click start -] Run -] type cmd -] Click OK
Type or paste sc stop DP1112 at the command prompt
Hit enter
Type or paste sc delete DP1112 at the command prompt
Hit enter
Close the command prompt window

3. Reboot to make the Vundo files visible to Windows and HJT
4. Confirm DP1112 is no longer present in the Device Manager

Right-click My Computer
Click Properties --> Hardware --> Device Manager
On the toolbar menu, click View--> Show Hidden devices.
Double-click Non-Plug and Play Drivers
Verify that DP1112 is no longer present in the list of drivers

5. Enable viewing of [Only Registered users can see links . Click Here To Register...]
6. Delete the file C:\WINDOWS\qaz4.txt.ren which is the the renamed file C:\WINDOWS\qaz4.txt
7. Delete C:\WINDOWS\system32\Drivers\DP.sys
8. Download [Only Registered users can see links . Click Here To Register...] by [Only Registered users can see links . Click Here To Register...] to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
When the scan is complete, click the Remove Vundo button
You will receive a prompt asking if you want to remove the files, click yes
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Restart your computer
A log called vundofix.txt will be created in your C:\ directory
Inspect C:\vundofix.txt with Notepad to be sure the fix completed properly
Please retain C:\vundofix.txt should you need to post a HijackThis log.

9. Run WinPFind to make sure there are no undetected infected files remaining

Download [Only Registered users can see links . Click Here To Register...] by [Only Registered users can see links . Click Here To Register...]
Right Click WinPFind.zip and extract all to C:\ folder (do not open the program yet, as it should be run Safe Mode)
Boot into Safe Mode by doing the following:

Restart the computer
Once the BIOS memory check is done, start tapping the F8 key
If done correctly, the Windows Advanced Options Menu will appear.
Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes

Once in Safe Mode, Double-click WinPFind.exe located within the C:\ WinPFind folder
Click on Start Scan
Wait for the scan to finish (it may take over 30 minutes)
The results will be displayed when you see Scan Complete
A log file called WinPFind.txt will be automatically generated in the WinPFind folder
If you see an Umonitor entry bearing the same creation date as the other infected files you've removed with a random consonant executable file name similar to this:

Checking %System% folder...

Umonitor 1/28/2006 10:57:20 AM 57364 C:\WINDOWS\SYSTEM32\ljbpjbqn.exe

This file should be located on your system and deleted.

10. Run an online [Only Registered users can see links . Click Here To Register...]

==========================
==========================

Now once your system is clean stop useing Internet Explorer and get FireFox

Install FireFox from here: [Only Registered users can see links . Click Here To Register...]

then get these Add-Ons

Adblock Plus:


<<< The Web Hosting >>>