Trojan Problems (RESOLVED)

Hello. I havent been here for a while but need some input on a problem ive been experiencing.

Im running:

Windows XP Pro SP2 (currently fully updated)
Kaspersky Anti-Hacker firewall 1.7
Norton Systemworks 2002
Spyware Doctor (PC Tools)
Spybot 1.4
Ad-Aware SE Personal Build 1.06r1 (the free version)

A while ago I got a Norton AV alert whilst I was using Internet Explorer.

The Norton log was like this:

Date: 10/04/2006, Time: 02:10:32, Administrator on SIDBOT-KK8S9ZG1
The file
C:\WINDOWS\system32\zhopaizdupla.exe
is infected with the Download.Trojan virus.
Unable to repair this file.
Date: 10/04/2006, Time: 02:10:32, Administrator on SIDBOT-KK8S9ZG1
The file
C:\WINDOWS\system32\zhopaizdupla.exe
is infected with the Download.Trojan virus.
Access to the file was denied.

Upon checking the log, I also found this which I hadnt noticed before:

Date: 27/03/2006, Time: 02:35:40, Administrator on SIDBOT-KK8S9ZG1
The file C:\WINDOWS\system32\voblaizdupla.exe is infected with the Download.Trojan virus.
The file was quarantined.
Date: 27/03/2006, Time: 02:35:40, Administrator on SIDBOT-KK8S9ZG1
Virus scanning completed.
Master boot records:
...
Boot records:
...
Files:
Scanned: 100131
Infected: 1
Repaired: 0
Quar'ed: 1
Deleted: 0

which as you can see was about two weeks before the first one.

Anyway, I scanned the PC with Norton and nothing showed this time. I ran Spyware Doctor and it only found a few tracking cookies.

A week later, and again while using IE I got this:

Date: 17/04/2006, Time: 11:20:16, Administrator on SIDBOT-KK8S9ZG1
The file
C:\WINDOWS\system32\zhopaizdupla.exe
is infected with the Download.Trojan virus.
Unable to repair this file.
Date: 17/04/2006, Time: 11:20:16, Administrator on SIDBOT-KK8S9ZG1
The file
C:\WINDOWS\system32\zhopaizdupla.exe
is infected with the Download.Trojan virus.
Access to the file was denied.

Again, after the alert I scanned again and nothing significant was found.

I decided that I should make sure that I was fully updated with Windows, so did this. I also decided to stop running an Apache webserver that I have. According to Norton AV, Spyware Doctor, Spybot S&D and Ad-Aware, my PC was squeaky clean.

Perhaps a week ago, Kaspersky firewall said that a service called phqghume.exe was trying to 'call-out'. I blocked the service, stopped the process and found the exe itself in my system32 folder. It deleted with no problems. Again, scans showed little that was bad.

Today, I opened IE and was on the force9 (UK ISP) home page and I got this:

Date: 04/05/2006, Time: 16:05:36, Administrator on SIDBOT-KK8S9ZG1
The file
C:\WINDOWS\system32\cvdjneir.exe
is infected with the Trojan.Adclicker virus.
Unable to repair this file.
Date: 04/05/2006, Time: 16:05:36, Administrator on SIDBOT-KK8S9ZG1
The file
C:\WINDOWS\system32\cvdjneir.exe
is infected with the Trojan.Adclicker virus.
Access to the file was denied.

I couldnt find the file and an initial AV scan turned up nothing. I then ran all scans with updated definitions, in Safe Mode. The only thing that looked suspicious and a possible culprit was this from Spyware Doctor:

Infection Name Location Risk
Advertising C:\Documents and Settings\Administrator\Cookies\administrator@adtec h[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[2].txt Medium
Known Bad Sites C:\Documents and Settings\Administrator\Cookies\administrator@keywo rdmax[1].txt High
Tracking Cookie(s) C:\Documents and Settings\Administrator\Cookies\administrator@blues treak[1].txt Medium
Advertising C:\Documents and Settings\Administrator\Cookies\administrator@ads.p ointroll[2].txt

I've fixed the bad things and re-scanned and everything is clean, apparently.

Any ideas as to why this is happening? Im beginning to get paranoid that I have something very horrible that is hidden away and its going to start stealing info from me or something like that.

Many sincere thank-yous for any help, advice and guidance

Cookies are not a high risk item that would be responsible for the issues noted.



When you are searching for a file you need to ensure as follows:

HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here




Please download, install, update and scan your system with the free (trial) version of Ewido TROJAN scanner
[Developed for Windows 2000 and XP]:

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.

REBOOT.




Post your latest HijackThis log as per instructions (last section) in the READ FIRST Procedures found here:

Read This First - IMPORTANT Instructions

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

OK, here's the Ewido log. (I left the Radmin stuff as this is an application I have and didnt want to mess with the files)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 08:32:26, 05/05/2006
+ Report-Checksum: 2A93881F

+ Scan result:

[3716] C:\WINDOWS\System32\r_server.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.22 : Ignored
C:\Program Files\Radmin\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored
C:\Program Files\Radmin\radmin.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.22 : Ignored
C:\Program Files\Radmin\r_server.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.22 : Ignored
C:\WINDOWS\system32\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored
C:\WINDOWS\system32\r_server.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.22 : Ignored
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3qo95pmm.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad1.c lickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt .euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.r ealcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfk4kkdjaao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkoumc5wbq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkyohcjelp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkyojd5scq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfl4qlcpedq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfloaid5odp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgk4cgc5cko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgk4gkc5sfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgkikndjshp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgkocgazwao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgkoehczceq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgloghdpkfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkoupc5oho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjl4wjcjgbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjloqhajweo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlykpd5cep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmyagdpaao.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@image .masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tacod a[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\system32\hwdwerxf.wsr -> Trojan.Agent.qe : Cleaned with backup
C:\WINDOWS\system32\xcwdgpjj.oau -> Hijacker.Small.js : Cleaned with backup

::Report End

I rebooted, installed and ran HJT:

Logfile of HijackThis v1.99.1
Scan saved at 08:51:51, on 05/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\r_server.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mister Fink
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119361647656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1146077637890
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76E950A7-CBDB-4EBB-9BBD-81A134D6BFE5}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

thanks again

HijackThis log is showing as clean. Let us know if your issue(s) remains unresolved.


Your main problems may have been (as resolved by Ewido):

C:\WINDOWS\system32\hwdwerxf.wsr -> Trojan.Agent.qe : Cleaned with backup
C:\WINDOWS\system32\xcwdgpjj.oau -> Hijacker.Small.js : Cleaned with backup

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Well that is good to know. Thank's very much for the help!

Can I ask, as you can probably see my security measures, is there anything else you can recommend that I do to stop trojans? Spyware Doctor touts itself as a trojan detection tool but obviously here it has failed. Should I buy Ewido and run it along side Spyware Doc?

With respect to Trojans:
If you have had a history with trojans and accordingly would prefer to catch them before they get established, you would certainly benefit by Ewido's 'active protection' feature. Keep in mind that no one tool is ever going to be a complete 'Swiss Army Knife' solution. I have rarely seen any trojans on my PC and accordingly don't presently NEED Ewido's 'active protection'. I do use SpySweeper which is simliar to Spyware Doctor.





To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.



ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that MAY have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. Accordingly and of further note; it is very unsafe to run with admin rights on any PC that you browse the Internet with.


(Windows XP) To Turn OFF System Restore.

1. Click the Start button.
2. Right-click My Computer, and then click Properties.
3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
4. Click Apply.

REBOOT.

To Turn ON System Restore.

1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
2. Create new System Restore points.

(Windows ME) See the following link for instructions:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam




To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
   http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
   http://www.microsoft.com/windows/ie/default.asp
   
   • http://www.securityfocus.com/news/11273
     If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.
   
   
2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
   AVG: http://free.grisoft.com/doc/1
   Avast: http://www.avast.com/eng/avast_4_home.html
   
   
3. In addition to using Ad-aware, consider using another free malware scanning/removal program :
   Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
   Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
   Microsoft Windows Defender beta 2 : http://www.download.com/Microsoft-Wi...ml?tag=lst-0-1
   
   
4. Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
   Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
   *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
   Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za
   
   It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
   
   
5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates. The use of Firefox (or similar alternate) mitigates the many types of malware that are now possible when using IE ActiveX based components.
   Mozilla Firefox: http://www.mozilla.org/products/firefox/
   
   
6. Consider increasing your browser security by using these programs:
   SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
   SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
   • If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
     
   • IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
     http://www.spywarewarrior.com/uiuc/resource.htm
   
   
7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
   • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
   • Next select ‘Open host file manager’ button.
   • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
   • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.
     
     EXCERPT:
     Quote:

     #start of lines added by WinHelp2002 # [Misc A - Z] 127.0.0.1 phpadsnew.abac.com 127.0.0.1 a.abnad.net 127.0.0.1 e.abnad.net 127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona] . . . #end of lines added by WinHelp2002

*Remember just like your primary anti-virus software, it is important to:

• Keep all of these programs up-to-date, and
• Use them on a regular basis.

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

marvellous. lots to keep me busy and hopefully keep my pc clean