TechSpot

I followed all Preliminary removal instructions, what's next?

By bluebelle
Aug 22, 2007
  1. Dear Howard,

    My PC is new and only a few days old, but I have a 10G old hard disc in this new CPU, and I also use a portable hard disc and flash discs on this PC.
    Yesterday, I found VBS/Small and a trojan on my PC.
    I came across this forum and followed your instructions in http://www.techspot.com/vb/topic58138.html

    Step 2
    I previously had my AVG antivirus installed on my PC. In order to follow your instructions correctly, I uninstalled my older version and installed a new version from your page. Then I also installed Avast.

    Step 10
    After installing SmitFraudFix from http://siri.urz.free.fr/Fix/SmitfraudFix.exe
    my Avast gave a security warning that SmitFraudFix has System32: Trojan-gen in it.
    Anyway, I continued following the SmitFraudFix instructions, but when I rebooted my PC in safe mode, I couldn't find my SmitFraudFix icon on the safe mode desktop, so I just did step 2 in normal mode. Only after finishing SmitFraudFix did I find out that it was because I was using the administrative account. Then I redid this step in safe mode. Would it change anything or spoil anything if I did it once in normal mode and once in safe mode?
    Everything in the cleaning here was alright, except the check of wininet.dll didn't come on. So I just finished the cleaning with a rapport.txt.
    I'll include my rapport below.

    My Antirootkit scan was clean. No rootkit was found.
    Avast found a lot of VBS and some other stuff on all my hard discs.

    Those are the only few things that were not expected from your instructions.
    I'll attach the hijacklog and all below.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Delete all files in AVG Antispyware quarantine.

    Other than that, your log files are clean.

    However, it appears you're running more than one antivirus programme. This is not recommended, will slow your system down and can cause conflicts.

    I recommend you uninstall one antivirus programme.

    I don't think you need to run Smitfraud fix again, but you can if it'll make you feel better.

    For your VBS problem, do the following.

    Download this TOOL. Extract it and run the Noob_kill.

    Let us know the results.

    Regards Howard :wave: :wave:

    This thread is for the use of bluebelle only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. bluebelle

    bluebelle TS Rookie Topic Starter

    Thanx!! That was real fast.

    Which antivirus do you think I should keep?
    AVG or Avast? I like both..

    Btw, in my Avast the log file is as below. Have any of the viruses been cleaned yet?

    8/22/2007 12:45:30 PM SYSTEM 1372 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
    8/22/2007 12:45:31 PM SYSTEM 1372 An error has occured while attempting to update. Please check the logs.
    8/22/2007 12:54:16 PM SYSTEM 1364 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
    8/22/2007 12:54:16 PM SYSTEM 1364 An error has occured while attempting to update. Please check the logs.
    8/22/2007 3:10:05 PM SYSTEM 1400 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
    8/22/2007 3:10:06 PM SYSTEM 1400 An error has occured while attempting to update. Please check the logs.
    8/22/2007 4:27:17 PM user 1216 Sign of "VBS:Solow" has been found in "C:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002201.vbs" file.
    8/22/2007 4:57:36 PM user 1216 Sign of "VBS:Solow" has been found in "C:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002202.vbs" file.
    8/22/2007 5:15:38 PM user 1216 Sign of "VBS:Solow" has been found in "D:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002203.vbs" file.
    8/22/2007 5:35:09 PM user 1216 Sign of "VBS:Solow" has been found in "E:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002199.vbs" file.
    8/22/2007 6:09:40 PM user 1216 Sign of "Win32:RJump-B [Wrm]" has been found in "G:\System Volume Information\_restore{385327BA-1B45-4266-9D66-FCBF2352EFD8}\RP53\A0016547.exe" file.
    8/22/2007 6:09:41 PM user 1216 Sign of "VBS:Solow" has been found in "G:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP3\A0002026.vbs" file.
    8/22/2007 6:09:41 PM user 1216 Sign of "VBS:Solow" has been found in "G:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP3\A0002074.vbs" file.
    8/22/2007 6:09:42 PM user 1216 Sign of "Win32:RJump-B [Wrm]" has been found in "G:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP3\A0002078.exe" file.
    8/22/2007 6:09:42 PM user 1216 Sign of "Win32:Shipup [Trj]" has been found in "G:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP3\A0002079.exe\[PESpin]" file.
    8/22/2007 6:09:42 PM user 1216 Sign of "Win32:Shipup-B [Trj]" has been found in "G:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP3\A0002080.exe\[PESpin]" file.
    8/22/2007 6:09:42 PM user 1216 Sign of "VBS:Solow" has been found in "G:\System Volume Information\_restore{911F2FA2-333C-4311-B8B9-E733E61B54A0}\RP47\A0029567.vbs" file.
    8/22/2007 6:09:43 PM user 1216 Sign of "VBS:Solow" has been found in "G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP871\A0361606.vbs" file.
    8/22/2007 6:51:32 PM user 1216 Sign of "VBS:Solow" has been found in "H:\System Volume Information\_restore{2979AFC7-121E-451D-A54A-CCB938C3395B}\RP131\A0036087.vbs" file.
    8/22/2007 6:51:33 PM user 1216 Sign of "VBS:Solow" has been found in "H:\System Volume Information\_restore{2979AFC7-121E-451D-A54A-CCB938C3395B}\RP131\A0036154.vbs" file.
    8/22/2007 6:51:33 PM user 1216 Sign of "VBS:Solow" has been found in "H:\System Volume Information\_restore{2979AFC7-121E-451D-A54A-CCB938C3395B}\RP133\A0036438.vbs" file.
    8/22/2007 6:51:33 PM user 1216 Sign of "Win32:RJump-B [Wrm]" has been found in "H:\System Volume Information\_restore{385327BA-1B45-4266-9D66-FCBF2352EFD8}\RP53\A0016552.exe" file.
    8/22/2007 6:51:34 PM user 1216 Sign of "VBS:Solow" has been found in "H:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP3\A0002028.vbs" file.
    8/22/2007 6:51:34 PM user 1216 Sign of "Win32:RJump-B [Wrm]" has been found in "H:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP3\A0002081.exe" file.
    8/22/2007 6:51:34 PM user 1216 Sign of "VBS:Solow" has been found in "H:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002204.vbs" file.
    8/22/2007 6:51:34 PM user 1216 Sign of "VBS:Solow" has been found in "H:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002205.vbs" file.
    8/22/2007 6:51:35 PM user 1216 Sign of "VBS:Solow" has been found in "H:\System Volume Information\_restore{911F2FA2-333C-4311-B8B9-E733E61B54A0}\RP47\A0029569.vbs" file.
    8/22/2007 6:51:35 PM user 1216 Sign of "VBS:Solow" has been found in "H:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP871\A0361605.vbs" file.
    8/22/2007 6:51:35 PM user 1216 Sign of "Win32:RJump-B [Wrm]" has been found in "H:\System Volume Information\_restore{C6601FD0-D00E-41CC-BD85-63978ABF31E9}\RP60\A0008391.exe" file.
    8/22/2007 6:51:45 PM user 1216 Sign of "Win32:perlovga" has been found in "I:\copy.exe\[MEW]" file.
    8/22/2007 6:51:45 PM user 1216 Sign of "Win32:Small-BTX [Trj]" has been found in "I:\host.exe" file.
    8/22/2007 6:52:14 PM user 1216 Sign of "Win32:Brontok-U [Wrm]" has been found in "K:\.Trashes\.Trashes`.exe" file.
    8/22/2007 6:52:15 PM user 1216 Sign of "Win32:Brontok-U [Wrm]" has been found in "K:\shell\shell.exe" file.
    8/22/2007 6:52:15 PM user 1216 Sign of "Win32:Brontok-U [Wrm]" has been found in "K:\MRA\MRA.exe" file.
    8/22/2007 6:52:16 PM user 1216 Sign of "Win32:Brontok-U [Wrm]" has been found in "K:\drawn name card\drawn name card.exe" file.
    8/22/2007 6:57:05 PM user 1216 Sign of "VBS:Solow" has been found in "C:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002201.vbs" file.
    8/22/2007 9:03:23 PM SYSTEM 1032 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
    8/22/2007 9:03:23 PM SYSTEM 1032 An error has occured while attempting to update. Please check the logs.

    Thank you.

    When I'm done with the VBS, does it mean that my PC is free for now?
    Can I uninstall all the spyware programs and leave only the antivirus?
    It's taking up a lot of space. Please advise.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I'm not sure from the log whether Avast has cleaned up the infections or not. However, a lot of those infections are in system restore points.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    As to which antivirus programme to keep, that's completely up to you. Personally, I've used AVG for years without any problems.

    See below for a list of recommended programmes. You've already got some of them.

    AVG free or Avast antivirus programmes.

    Zonealarm, Kerio or Comodo free firewall programmes.

    Spybot Search & Destroy.

    Ad-Aware se personal.

    Spyware Blaster.

    AVG Antispyware.

    Ccleaner.

    Providing your VBS problem is solved, you should be good to go.

    You can get rid of all the programmes you used, but I recommend you keep Spybot/Ad-Aware/Spyware Blaster/AVG Antispyware/Ccleaner.

    Just run them when you want to, about once a week or so should be fine.

    Regards Howard :)

    This thread is for the use of bluebelle only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
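The split Howard describes in the post above, detections sitting inside System Restore points versus detections in ordinary files, can be read directly out of the Avast log bluebelle posted. The following Python is an added example, not part of the original thread or of any tool named in it; the function names are hypothetical and the sample lines are a short excerpt copied from that log.

```python
import re
from collections import defaultdict

# Short excerpt copied from the Avast log posted earlier in the thread.
SAMPLE_LOG = r'''
8/22/2007 12:45:31 PM SYSTEM 1372 An error has occured while attempting to update. Please check the logs.
8/22/2007 4:27:17 PM user 1216 Sign of "VBS:Solow" has been found in "C:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002201.vbs" file.
8/22/2007 6:09:40 PM user 1216 Sign of "Win32:RJump-B [Wrm]" has been found in "G:\System Volume Information\_restore{385327BA-1B45-4266-9D66-FCBF2352EFD8}\RP53\A0016547.exe" file.
8/22/2007 6:09:42 PM user 1216 Sign of "Win32:Shipup [Trj]" has been found in "G:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP3\A0002079.exe\[PESpin]" file.
8/22/2007 6:51:45 PM user 1216 Sign of "Win32:perlovga" has been found in "I:\copy.exe\[MEW]" file.
8/22/2007 6:52:15 PM user 1216 Sign of "Win32:Brontok-U [Wrm]" has been found in "K:\shell\shell.exe" file.
8/22/2007 6:57:05 PM user 1216 Sign of "VBS:Solow" has been found in "C:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP4\A0002201.vbs" file.
'''

# Timestamp, account, a numeric field (meaning not stated in the thread), then the detection.
DETECTION = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>\S+) \d+ '
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# Trailing "\[PESpin]" / "\[MEW]" names a packer layer inside the file, not a directory.
PACKER = re.compile(r'\\\[(?P<packer>[^\]\\]+)\]$')
# Files archived by System Restore live under <drive>:\System Volume Information\_restore{GUID}\RPn\
RESTORE = re.compile(
    r'^[A-Za-z]:\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP\d+\\'
)


def parse_detections(log_text):
    """Return one record per unique (signature, file); update errors and rescans are dropped."""
    seen, records = set(), []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # e.g. the setifaceUpdatePackages() update failures
        path, packer = m["path"], None
        pm = PACKER.search(path)
        if pm:
            packer, path = pm["packer"], path[:pm.start()]
        key = (m["signature"], path.lower())
        if key in seen:
            continue  # same file reported again by a later scan
        seen.add(key)
        rm = RESTORE.match(path)
        records.append({
            "when": m["when"],
            "signature": m["signature"],
            "drive": path[0].upper(),
            "path": path,
            "packer": packer,
            "restore_guid": rm["guid"].upper() if rm else None,
        })
    return records


def summarize(detections):
    """Group detections per drive into restore-point copies and live files."""
    drives = defaultdict(lambda: {"restore_point": 0, "restore_guids": set(), "live": []})
    for d in detections:
        entry = drives[d["drive"]]
        if d["restore_guid"]:
            entry["restore_point"] += 1
            entry["restore_guids"].add(d["restore_guid"])
        else:
            entry["live"].append(d["path"])
    return dict(drives)


def next_steps(summary):
    """Map the summary onto the two remedies discussed in the thread."""
    return {
        # Restore-point copies go away when System Restore is turned off and on for that drive.
        "cycle_system_restore": sorted(d for d, e in summary.items() if e["restore_point"]),
        # Live files are untouched by that step and need the scanner to quarantine or delete them.
        "live_files": sorted(p for e in summary.values() for p in e["live"]),
        # Assumption: each _restore{GUID} folder belongs to one Windows installation, so
        # several GUIDs on one drive suggest the disk has been attached to several machines.
        "multi_origin_drives": sorted(d for d, e in summary.items() if len(e["restore_guids"]) > 1),
    }


if __name__ == "__main__":
    plan = next_steps(summarize(parse_detections(SAMPLE_LOG)))
    for step, items in plan.items():
        print(f"{step}: {items}")
```

Live files on removable drives (I: and K: in this excerpt) are the ones that survive a System Restore reset, which matches the later detections on the flash disk reported further down the thread.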
     
  5. bluebelle

    bluebelle TS Rookie Topic Starter

    Thanx...

    I ran noob_kill..not sure if it really cleaned all the VBS...to use noob_kill is to click on all the buttons, right?

    After everything...I guess my PC is cleaned,
    but when I try to open this folder called "Trash" (I don't know where the folder came from) K:\.Trashes on my flash disk, AVG detected another virus.

    Anyway, this morning my AVG did another round of scheduled scanning, and in my virus vault there are new viruses that might be the old viruses in my portable hard disk. I tried to heal the affected files in AVG but the button was not clickable. I can only click on wipe objects. So what should I do?

    Below are my AVG results. Please let me know if this is normal.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Those infections are in the system restore points of your G and H drives.

    Turn off system restore (XP/ME only). Make sure you turn system restore off on both drives. See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    Regards Howard :)

     
  7. bluebelle

    bluebelle TS Rookie Topic Starter

    Hi again,

    I'm running the removal again for my PC and these are my logs.
    Nothing was found in my AVG Antirootkit scan.
    Thanx.

    Howard,

    I found the HijackThis.exe in http://www.techspot.com/vb/topic58138.html
    to be version 1.0.0.1, which is not up to date. I can only find the version v2.0.0 you recommended on this page: http://www.techspot.com/vb/topic19133.html. Maybe you would like to update the page so that users won't get confused and download the older version.

    Also, I would like to know if an iPod can also be infected with a virus?
    The other day, I plugged my iPod video into my sister's laptop for iTunes and immediately AVG reported VBS small on her laptop. I would like to know if it's from my iPod video or from the laptop.
    So this time when I do my second virus removal I plugged in all my existing thumb drives, portable hard drives and also my iPod video. Will it clean them?

    These logs are from my laptop that uses Windows Vista.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All your log files look clean.

    I'd say the problem is coming from your iPod or thumb drive.

    Did you run the tool I advised?

    You might also try running this as well.

    Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
    Note: Please delete any existing copy of Flash Disinfector (if any) on your PC and download this one.

    * Double-click Flash_Disinfector.exe to run it.
    * Follow any prompts that may appear.
    * Wait until the program has finished scanning, then please exit the program.
    * Restart your computer and see if problem still persists.

    Regards Howard :)

     
  9. bluebelle

    bluebelle TS Rookie Topic Starter

    Cleaning again

    Hi Howard,

    I did another round of cleaning, for my brother's PC this time. My Antirootkit scan was clean. No rootkit was found.

    Attached are the logs.
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Howard has left the forum; allow me to help you with your cleaning.

    Your AVG log shows no action taken for all the entries. Please set to the recommended actions for all to quarantine before your scan.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

      Close HJT.

    4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    5. Save this as CFScript on the desktop.
    6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    8. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


    Regards,
    momok =)

     
  11. bluebelle

    bluebelle TS Rookie Topic Starter

    Fresh Removal

    Hello,

    I've done a fresh round of removal for my PC again. Please ignore all the threads on top as they are history. I've run Panda antirootkit and found nothing.

    My problems are that:
    1) AVG found a lot of Trojans
    2) Whenever I open my drive C, D, E, F or G I get this window message, "Your computer was infected by unknown trojan. It's dangerous for your system (critical files can be lost)! Its OK to download the antispyware program to clean your system! (Recommended) OK Cancel

    Attached are my logs. Please analyze.

    Thank you in advance.
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Reboot your computer in SafeMode.

    Restart your computer
    • Just before the computer begins to startup and before loading Windows press F8
    • A selection menu should appear
    • Select the line that says “Safe Mode”
    • At logon prompt, log in as the usual user.
    • During Windows Start process it will prompt you if you would like to continue running in SafeMode, press Yes
    • You should now see your Desktop but in a low resolution mode only.
    • Make sure no other application or windows is open.
    Double-click on the Smitfraudfix.exe file which you downloaded earlier on your desktop. Press any key when the credit screen displays to proceed to removal procedure.

    Press 2 on your keyboard, then Enter, to execute the selection - Clean (SafeMode Recommended)

    It will begin to scan and clean your system thoroughly.

    After that process, it will then run a Disk Cleanup tool to remove any unwanted files on your computer. It may take some time to complete this process.

    After Disc Cleanup, it will show another prompt:
    Do you want to clean the registry? (y/n). Press the Y button and then press the Enter to begin cleaning your registry.

    This tool will also check if your wininet.dll is infected and will prompt:
    Replace infected file? Press Y and then Enter to replace you wininet.dll with the clean version.

    A reboot may be needed to complete the process. It will reboot your computer automatically, if not please restart your computer manually.

    It will generate the report that can be found at the root of the system drive, usually at C:\rapport.txt. Post this log.

    From Normal mode run HJT and post the resulting log as well.
     
  13. bluebelle

    bluebelle TS Rookie Topic Starter

    Hello Kritius,

    I've followed all the steps you asked me to do, which are:
    1) Cleaning with Smitfraudfix in Safe Mode - attached is the rapport.txt report.
    2) Running HijackThis in Normal Mode - attached is the HJT log

    Please find my Anti-spyware log and ComboFix log on top.

    Please let me know what the results are. Thanx.

    P/S: Looks like my rapport.txt is too big for this forum. Is it possible for me to copy and paste the log here?
     
  14. bluebelle

    bluebelle TS Rookie Topic Starter

    Is it alright if I zip the rapport.txt? Here.
     
  15. kritius

    kritius TS Guru Posts: 2,084

    Sorry about the delay but I've been away for a couple of days.

    Ok, let's run Kaspersky Online Scan.
    Please do an online scan with Kaspersky Online Scanner. Please use Internet Explorer as it uses ActiveX.

    Click on Kaspersky Online Scanner and click Accept

    You will be prompted to install an ActiveX component from Kaspersky, so click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:

        • Extended (if available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer.
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button and save the file to your desktop.

    Post the log back here
     
  16. bluebelle

    bluebelle TS Rookie Topic Starter

    Kaspersky Report

    Hello Kritius,

    Ive done the online scanner. Here is the report.
     
  17. kritius

    kritius TS Guru Posts: 2,084

    Ok,
    Delete the three tools from step 10 by dragging them to the recycle bin,
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"

    Empty the recycle bin

    Please download ATF cleaner
    Make sure that all browser windows are closed.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Empty anything that you have in the quarantine folders.

    Do the Kaspersky scan again using the same instructions as in my earlier post.

    Run HJT and select do a system scan and save a log file.

    Post the two logs back here

    How is the computer running?
     
  18. bluebelle

    bluebelle TS Rookie Topic Starter

    Kaspersky and HJT logs

    Alright...I've done everything you asked me to. Attached are the logs.
    I'm not sure if the PC is running faster. But the first time I used Kaspersky the download of updates took about 4 hours. This second time around it only took 2 mins.

    I have a few questions about things that I don't understand.
    1) How come the Flash_Disinfector.exe recommended by Howard from this forum gave my thumb drives a folder named autorun.inf, and it can't be deleted, and it looks like they are infected?
    2) Why do the 3 tools in step 10 have to be deleted? Are they infected?
    3) Should I do a fresh round of installation and removal again from Step 1-15? Looks like my PC is still infected.
    4) How do I make sure they are totally clean once and for all?

    Thank you so much for your time and attention. :)
     
  19. kritius

    kritius TS Guru Posts: 2,084

    Ok, they can be deleted because they aren't necessary and can hold things in their backup files. It looks like the only infected files are to do with Housecall from the 15 steps, so you can get rid of it, and also Spyware Doctor seems to have something; if you're not paying for it I would also advise getting rid of it.

    There is also this,
    C:\WINDOWS\wmpdxm.dll

    Boot into safe mode and search for this, then delete it. If you can't, let me know and we'll try another thing to get rid of it.

    Don't know about the Flash Disinfector. If you can't get rid of it, let me know and we'll get out the big uninstallers.
     
  20. bluebelle

    bluebelle TS Rookie Topic Starter

    I'm not really sure what I am supposed to do. Can you give me more instructions?
     
  21. kritius

    kritius TS Guru Posts: 2,084

    Boot into safe mode and search for this C:\WINDOWS\wmpdxm.dll, then delete it. If you can't, let me know and we'll try another thing to get rid of it.

    If you don't pay for Spyware Doctor then uninstall it and reinstall it later.

    If you have anything to do with Housecall left over on your computer after running through the 15 steps then get rid of it.

    How is the computer running now?
     
  22. bluebelle

    bluebelle TS Rookie Topic Starter

    From the first Kaspersky report, I've deleted C:\WINDOWS\wmpdxm.dll, Spyware Doctor and Housecall from my system. I used the below to search for their files. I can just delete the files just like that, right?
    C:\Documents and Settings\user\.housecall6.6\Quarantine\MalwareCore 7.3.exe.bac_a03408 Infected: not-a-virus:FraudTool.Win32.MalwareWipe.q skipped
    C:\Documents and Settings\user\.housecall6.6\Quarantine\wmpdxm.dll.bac_a03408 Infected: Trojan-Downloader.Win32.Delf.fpc
    C:\WINDOWS\wmpdxm.dll Infected: Trojan-Downloader.Win32.Delf.fpc
    J:\S O F T W A R E EXE\Spyware Doctor\sdsetup.exe/file83 Infected: not-a-virus:Monitor.Win32.KeyLogger.dq
    J:\S O F T W A R E EXE\Spyware Doctor\sdsetup.exe Inno: infected - 1

    After that I did another round of Kaspersky and this is what I found.
    C:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP2\A0000198.dll Infected: Trojan-Downloader.Win32.Delf.fpc
    C:\System Volume Information\_restore{6CE80203-D14E-444C-87A5-AEEB8C07D53D}\RP2\change.log Object is locked

    I also deleted the file.

    Did a 3rd round of Kaspersky and HJT and at last no more infection.

    I hope the pc is fine now.

    Attached are the log files. Please take a look. thank you.
     
  23. kritius

    kritius TS Guru Posts: 2,084

    A few more things to do,

    Have HJT fix this entry

    O8 - Extra context menu item: &Search - ?p=ZK

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update TAb at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    You should get a firewall as well, either, these firewalls are all free,


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    Next we remove all used tools.

    Please download OTMoveIt2 and save it to desktop.
    • Double-click OTMoveIt2.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

    • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide

      Re-enable system restore with instructions from tutorial above
      • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      • Next press the Apply button and then the OK to exit the Internet Properties page.
      • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

      • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
      • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

        This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

        Instructions for Spybot S & D

      • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

        A tutorial on installing & using this product can be found here:

        Using SpywareBlaster to protect your computer from Spyware and Malware

      • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
      Follow this list and your potential for being infected again will reduce dramatically.

      Here are some additional utilities that will enhance your safety
      • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer
      • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
      • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
        Using Winpatrol to protect your computer from malicious software

      Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

      Happy surfing and stay clean!
     
Topic Status:
Not open for further replies.
