Avast WEBforum
Other => Viruses and worms => Topic started by: ebozzz on April 16, 2012, 11:56:28 PM
-
I don't have much information as of yet. all I know is that the machine is a Toshiba laptop running either Windows XP or Vista. The user has told me that it will boot to the desktop but is extremely sluggish after doing so. That's all I have for now. It's going to be dropped off to me tomorrow, the 17th. Hopefully I will be able to get a little help once it arrives...
-
Hi ebozzz,
When it come in, go here http://forum.avast.com/index.php?topic=53253.0
and prepare the logs for one of our qualified removers, that could guide you through the cleansing process.
Do nothing to that laptop yet, and follow the qualified removal instructions meticulously to achieve best possible cleansing results,
polonus
-
Polonus,
I will. I've already been reading the threads in the sticky section. It appears that i can get a lot done on my own before asking for the cavalry to bail me out. I'm not going to do anything other than prepare the logs and wait for guidance. This sort of thing is simply not my area of expertise.
-
Monitoring... :)
-
Ok, I just got home from the job and have the laptop in question.
Toshiba Satellite P205
Windows Vista Home Premium 32-bit
2 GB Ram
T5300 Core2Duo (1.73 GHz x 1.73 GHz)
200 GB HDD (125 GB free)
Based on the description that my relative had provided prior to me getting the machine, I was expecting it to show significant signs of infection. My first impressions are that this machine is not running that bad. It booted into the desktop without much difficulty. I downloaded MBAM onto a flash drive, rebooted it into safe mode, install & update MBAM and I a m a little over 15 minutes into a full scan. 14 detections thus far. While this scan is running I am going to read a few of the sticky threads to get an idea about what logs will be needed. I honestly think this could very well be an easy job....
-
Clumsy me! 42 minutes into the full scan with MBAM and I accidentally closed the application. :-\
Starting over again now. There were still only 14 detections prior to my mishap....
:Edit: I have all of my other log generating resources downloaded and ready to go one the MBAM is completed. I am gonna walk away for a while so that I don't make any more mistakes!
-
Hi,
You don't have to do a full scan...a quick scan is fine. :)
-
I always do full scans but the next time I will be aware of that. I don't anticipate being back in here asking for help any time soon! ;D
Here's the MBAM log. I am getting ready to run OTL now....
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.17.06
Windows Vista x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.6000.16982
Jeff :: JEFF-PC [administrator]
4/17/2012 7:05:38 PM
mbam-log-2012-04-17 (19-05-38).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 302715
Time elapsed: 45 minute(s), 41 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 14
C:\Users\Jeff\AppData\Local\Temp\Low\0.2842084884142906.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.45276379251548815.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.6396976189294069.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.6620275009111668.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.7480636890359736.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.789415857029859.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\bhr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\eij.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\eud.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\ilj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\jqi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\snc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\sri.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\Update.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
(end)
-
OTL.Txt and Extras.Txt files are also attached....
-
aswMBR
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-17 20:43:26
-----------------------------
20:43:26.417 OS Version: Windows 6.0.6000
20:43:26.417 Number of processors: 2 586 0xF02
20:43:26.417 ComputerName: JEFF-PC UserName: Jeff
20:43:27.322 Initialize success
20:45:13.324 AVAST engine defs: 12041701
20:45:28.238 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:45:28.238 Disk 0 Vendor: TOSHIBA_MK2035GSS DK020M Size: 190782MB BusType: 3
20:45:28.253 Disk 0 MBR read successfully
20:45:28.253 Disk 0 MBR scan
20:45:28.253 Disk 0 Windows VISTA default MBR code
20:45:28.269 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
20:45:28.300 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 189281 MB offset 3074048
20:45:28.316 Disk 0 scanning sectors +390721536
20:45:28.425 Disk 0 scanning C:\Windows\system32\drivers
20:45:39.283 Service scanning
20:46:06.130 Modules scanning
20:46:11.247 Disk 0 trace - called modules:
20:46:11.294 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
20:46:11.294 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a9f030]
20:46:11.309 3 ntoskrnl.exe[820a80af] -> nt!IofCallDriver -> [0x849dbf18]
20:46:11.309 5 acpi.sys[8046832a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x849dd548]
20:46:12.339 AVAST engine scan C:\Windows
20:46:14.819 AVAST engine scan C:\Windows\system32
20:48:54.439 AVAST engine scan C:\Windows\system32\drivers
20:49:09.383 AVAST engine scan C:\Users\Jeff
20:53:48.140 AVAST engine scan C:\ProgramData
20:57:04.528 Scan finished successfully
20:58:51.778 Disk 0 MBR has been saved successfully to "C:\Users\Jeff\Desktop\MBR.dat"
20:58:51.778 The log file has been saved successfully to "C:\Users\Jeff\Desktop\aswMBR.txt"
-
Rogue Killer
RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Safe mode with network support
User: Jeff [Admin rights]
Mode: Scan -- Date: 04/17/2012 21:16:16
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 3 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (:0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2035GSS ATA Device +++++
--- User ---
[MBR] 31a51cfdf3c492d70a27f5667d353202
[BSP] 998c3ec9a68bb927f8a39d896677fbf4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189281 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: USB 2.0 USB Flash Drive USB Device +++++
--- User ---
[MBR] 9ce65dd10b564194fc9c920b30411fe1
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 3863 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
-
Rogue Killer
Files 2 & 3 are attached......
-
Fabar Service Scanner
Farbar Service Scanner Version: 16-04-2012
Ran by Jeff (administrator) on 17-04-2012 at 21:30:59
Running from "C:\Users\Jeff\Desktop"
Microsoft® Windows Vista™ Home Premium (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2007-10-25 16:22] - [2007-10-25 16:22] - 0265912 ____A (Microsoft Corporation) 0D5AD0E71FF5DDAC5DD2F443B499ABD0
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
-
Alright, I think that's all of the reccommended logs. I'm anxious to hear what your thoughts are. In the mean time, I am going to boot into the desktop and see if I notice any issues....
-
Hi ebozz,
Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
O15 - HKU\S-1-5-21-1951984611-3127551431-2383596439-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1951984611-3127551431-2383596439-1000\..Trusted Ranges: GD ([http] in Local intranet)
O33 - MountPoints2\{1a8aac2a-1174-11e0-8106-001b381c8ddf}\Shell - "" = AutoRun
O33 - MountPoints2\{1a8aac2a-1174-11e0-8106-001b381c8ddf}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
-
Jeff,
Here is the Run Fix output....
-
I got a little confused regarding what was needed on the new OTL scan so let me tell you what I did. I initially ran with just the options that were selected by default. I did not select All Users. The log for that is OTL_2. I ran the scan again with All Users selected. That log is OTL_3. I'm off to work now. I'll check back back in later today. Thanks!
-
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------
ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan
Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
- Do not use this instance of your browser for anything besides doing this scan
- When the scan is complete and the results saved, close that instance of your browser
- Open a new one the usual way and post the results in this topic.
- Right-click and Run as Administartor on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
- Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
- Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
- Click the Start button.
- Accept any security warnings from your browser.
- Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
- Make sure that the option "Remove found threats" is Unchecked
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
- When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
- Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
- Push the Back button.
- Push Finish
http://www.eset.com/onlinescan/
----------
In your next reply please attach the logs made by Malwarebytes and ESET online scanner.
-
Jeff,
Here are the results from the most recent MBAM and ESET scans....
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.17.06
Windows Vista x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.6000.16982
Jeff :: JEFF-PC [administrator]
4/18/2012 5:47:00 PM
mbam-log-2012-04-18 (17-47-00).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179600
Time elapsed: 3 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
(http://forum.avast.com/index.php?action=dlattach;topic=97275.0;attach=81209;image)
-
Talk to me! ;D
-
Hi,
I had classes last night and couldn't get back until now. Those both look good. How is your system running? :)
-
No worries Jeff! I have not noticed any problems since the removal of the 14 items that were detected on the initial MBAM scan. The only browser in use on this machine is IE 7. I did notice that that it would not load initially (stalled) but it seems that was related to a Comcast add-on.
Once I identified the add-on and disabled it, the browser loaded just fine. Currently there is no security installed so I do not want to start surfing all over the place. I think that they were using a product, McAfee maybe, that is provided to them free of charge as Comcast customers but attempted to remove/re-install the application after getting hit. The installation was blocked. I did notice that there was something in one of the logs regarding the Install Shield.
Most of the things that I have installed since beginning to work on this box have been completed from the Safe Mode with Networking. The only exception to that is the installation of Puran Disk Defragmenter that I installed last night from the normal desktop without any issues. It was definitely in need of a defrag! On the initial runs of Puran, the hard drives sectors were mostly red indicating a high degree of fragmentation. Much better now. I'm sure that had an impact on the performance.
I've been primarily updating outdated software while waiting for your responses. There were some really old versions of Java, Flash, Adobe Acrobat Reader, etc., on this laptop. Quite a bit has been updated at this point. So, what do you think? Anything else we need to look at?
-
Hi,
Sounds like you have a lot of it covered. You already seemingly did the updates I was going to have you do anyway. Oh...by the way...I didn't see you list it but be sure to update Internet Explorer to IE8. Even if the browser is not used, Internet Explorer is the browser that Windows uses to do all updates so we want to make sure that is secure and up-to-date.
I would suggest that you choose one of the following antivirus programs so that we can keep the system more secure. I personally recommend Avast and use it myself, but Microsoft Security Essentials is good too.
I would recommend that you install one of these free Antivirus programs immediately. Just choose one:
Microsoft Security Essentials (http://www.microsoft.com/security/pc-security/mse.aspx)
Avast (http://www.avast.com/en-au/free-antivirus-download)
----------
Providing there are no other malware related problems...
IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D
This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------
Clean up with OTL:
- Double-click OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
----------
Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.
Here are some tips to reduce the potential for spyware infection in the future:
1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:- Open Internet Explorer
- Click on Tools > Internet Options
- Press Security tab
- Select Internet zone then place check next to Enable Protected Mode if not already done
- Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
- Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.
4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here[/color] (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)
5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.
6. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.
7.Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
-
Jeff,
My users on my home network primarily operate from a Linux environment but we do have a few Windows XP Pro & Windows 7 clients. My ISP use to provide Windows Live One Care free of charge and after Microsoft did away with that product, they went to a Norton's product that I did not like at all. After doing some research combined with some actual usage of various options, I decided to go with avast Internet Security (6 licenses) for my Windows needs. It's been a few years now and I'm still happy with that decision. As I stated in my previous post, they are probably going to use the free option from Comcast but I plan to certainly make the suggestion of using avast Free along with a good firewall.
Your suggestions are very good advice. It's not my machine therefore I can't just go making wholesale changes without some sort of approval. There are certainly some things installed on it that need to be discussed with my relative. For example, Google Desktop. I've personally never used it but if I am not mistaken it has been discontinued. If I am correct, it will probably be best to remove it. A few other things with similar concerns also need to be addressed.
Let me start the clean up process. I will check back in once completed or if I run into anything unexpected. I truly appreciate the help that you have provided...
-
Sounds like a plan. I am glad that I was able to help. :)
-
You know, cleaning up the infection on this laptop was easy! It's taking care of a lot of the neglected items that is generating the most work. Updating old drivers, removing unneeded software and updating old software that is still in use. It appears that updates for Service Pack 1 for Vista were refused so it would not allow me use the Windows Update function to do so. I've had to go directly to the Microsoft site to get SP 1. Hopefully once I have it installed and all updates are completed, Windows Update will offer any future updates normally. I think that I should be able to wrap this up today.... ;)
-
I think that I should be able to wrap this up today....
8)
-
This is becoming a severe headache. Apparently the owner of this laptop refused to update the OS to SP 1 when it was offered so now it is very difficult to get it installed. Support for Windows Vista without any service packs installed ended on April 12, 2010...... >:(
-
Well when jeffce has given you the OK, this could be helpful later on such a machine: http://fixitcenter.support.microsoft.com/Portal
First get this independant download of Service Pack 1
Vista SP1 download: http://www.microsoft.com/download/en/details.aspx?id=30
polonus
-
Polonus, I have already attempted to install the independent download of Vista SP 1. It fails. I'm back at the Microsoft site now researching and trying to sort it out....
-
Success. finally! I had to download and install the Windows Genuine Advantage anti-piracy jazz. Once that installed SP 1 completed successfully. Ok, now to finish this up!
-
Sounds good ebozz! What other malware related questions do you have? :)
-
Jeff,
Everything is good now. Upgraded Vista to Service Pack 2, IE 9 has been installed, third party applications updated, outdated/unused software removed, hard disk has been defragged and the registry has been cleaned. I just gave the laptop back to it's owner and provided an explanation of what tasks I performed, with your assistance of course. I also shared some of your recommendations. Thank you Sir! ;)
Polonus, thanks to you as well. Working on this machine just solidified my reasons for becoming a Linux user! :D
Take care guys. I am going back to lurking mode and hopefully I won't have to ask for assistance any time soon. It's great to know that if I do need help that there are people like you available.....
-
You are more than welcome and I am glad that we could help! :)
Take care!