• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1073

XP Media Center -- hijacked???? Help!!

I have a brand new (less than 2 weeks) computer running XP Media Center. A few days ago I got a Windows popup which said the machine was infected with spyware and linked me to a 'Tresla??' site where I downloaded and installed A-V-P Premium Edition, on top of my already running McAfee -- now getting alerts from A-V-P which say Changing "Cookies" from "C:\Documents and Settings\LocalService\Cookies" to "C:\Documents and Settings\LocalService\Cookies" and asking me to either allow or disallow the change.  Also, I named my new computer with a 'lower case' first letter then the 2nd letter was 'uppercase' -- now, the entire computer name is uppercase.  My system is Pentium D, dual core with 2 gigs of memory, and I use a broadband connection yet I am finding slow connection speeds and email retrieval, when in theory I believe it should be rather swift.  Have I been hi-jacked?  There are currently three other users using the broadband modem.   HELP!!
Asked by eMused
1 Solution

war1 Commented:
Greetings, eMused !

1. Try to uninstall the A-V-P Premium spyware program from Control Panel > Add/Remove Programs

2. Use SmitFraudFix to remove these types of spyware

SmitFraudFix for Smitfraud, Win32.puper, AVGold, Security iGuard, Spyware Vanisher, quicknavigate.com, updateSearches.com, startsearches.net, Virtual Maid, SpySheriff, PSGuard, SpyAxe, WinHound, AlphaCleaner, AdwarePunisher, SpywareQuake
http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip 

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save.  Post a link to the saved list here.


Best wishes!

eMused (Author) Commented:
So are you saying that this A-V-P [anti-virus-pro] download that is recommended by Windows XP Media Center [along with a few others] is what is actually causing my problem?  It wasn't cheap and there is an ongoing monthly contract -- I just want to make sure I understand that this might be the cause and I will take appropriate action regarding getting a refund, etc.

war1 Commented:
I am not exactly sure what the A-V-P program is.  Often when you visit various websites, you get an advertisement that you have spyware and to download these types of programs.  These programs turn out to be spyware themselves and not very good at removing spyware.  They will slow your computer down as well as send out information about you.
eMused (Author) Commented:
I wasn't visiting sites and looking or clicking on ads.  I was working on a project on my machine when a small circular red icon with an "!" in the middle located in the system tray initiated the pop-up message regarding the spyware.  The text in the pop-up message said to click the Windows balloon and I would be linked to a site to select the appropriate remedy.  Anti-Virus_Pro is a product from AVG.

Also, I accidentally hit the split points button on this forum and don't know if I messed something up or not -- I didn't mean to hit that -- sorry.

war1 Commented:
>> when a small circular red icon with an "!" in the middle located in the system tray initiated the pop-up message regarding the spyware.  The text in the pop-up message said to click the Windows balloon and I would be linked to a site to select the appropriate remedy. >>

This is one of the ways spyware programs get installed on your computer.

>> Anti-Virus_Pro is a product from AVG.

So A-V-P stands for Anti-Virus-Pro?  Here is what Symantec says about Anti-Virus-Pro

http://www.symantec.com/avcenter/venc/data/antiviruspro.html

war1 Commented:
Since you know what A-V-P stands for, uninstall it from Add/Remove Programs, or follow Symantec's automatic or manual removal methods.

eMused (Author) Commented:
I don't use Symantec -- I have McAfee installed.  I did, however, follow the link to the Symantec center -- and it appears that while it may be the same program, the troubles were from a trial version.  I purchased the version with the premium service attached.  I have run a HijackThis scan and would appreciate your having a look at it as well.  I have had the unfortunate experience of being hijacked and it was horrendous at best.  I would love to know of a listing of what you should enable or disable in a new machine so that there is a moderate amount of safety . . . I will upload the HijackThis log and take aspirin for the headache this spyware/hijack issue is causing

eMused (Author) Commented:
here is the hijack this analysis link -- thank you so much for your help so far -- I am so glad I found this site -- waiting eagerly for more info!  

The following analyses has been stored temporarily
Analysis 2       20.05.2006, 22:51:40

jhance Commented:
>>A-V-P [anti-virus-pro] download that is recommended by by windows xp media center

A-V-P is NOT from AVG.  It's a PHONY anti-virus/anti-spyware that tricks users into buying and installing something that fixes what they messed up.

AVG is a legit company that makes a first-rate (IMHO) anti-virus program.

war1 Commented:
eMused,

We need the link to the saved analyzed page (Did you click on Save button at the bottom of the Analyzed page?)

eMused (Author) Commented:
Let me try again -- there that looks better-  http://www.hijackthis.de/logfiles/0c176653b7fda6b341b3f6263846eb42.html  

I read through this but have done nothing other than that.  I apologize, I should have made sure the link worked before submitting -- crazy weekend -- two graduating [college and prep school].

When I returned last night I found that McAfee had blocked four attempts of:

"2006/05/20 21:14:32 82.224.69.138:45470 (vil93-3-82-224-69-138.fbx.proxad.net) 192.168.1.105:16518 IDS: 'NewTear' Attack.  A computer at vil93-3-82-224-69-138.fbx.proxad.net  has sent traffic to your computer that was blocked by our Intrusion Detection System (IDS).  The 'NewTear' attack attempts to exploit a problem in the Microsoft TCP/IP stack and how it handles incorrect UDP headers."

This was four times blocked the previous day:

"2006/05/19 22:31:05 192.168.1.101:137 (YOUR-W04GTXLD67) 192.168.1.105:137 NETBIOS Name A computer at YOUR-W04GTXLD67  has attempted an unsolicited connection to UDP port 137 on your computer.
UDP port 137 is commonly used by the "NETBIOS Name" service or program. NetBIOS is used for Windows file sharing.  It can be exploited to access files on your computer.  Your computer is being protected from this type of potential attack. The source IP is a 'non-routable' IP."

and this once on the 19th

"2006/05/19 13:02:37 192.168.1.104:138 (CHRIS-0RL8V0AB5) 192.168.1.105:138 NETBIOS DatagramA computer you were communicating with at CHRIS-0RL8V0AB5  has attempted to access a different port than expected (UDP port 138).
UDP port 138 is commonly used by the "NETBIOS Datagram" service or program. NetBIOS is used for Windows file sharing.  It can be exploited to access files on your computer. Your computer is being protected from this type of potential attack. The source IP is a 'non-routable' IP."

In each of those cases, I followed the recommended instructions from McAfee and traced and reported the event.  This is the sort of thing that totally messes me up and I want to panic -- and thankfully, is exactly how I found out about this site!!

I have turned off the A-V-P; haven't had a chance to uninstall it yet; I'll work on that when I get back from son's prep school graduation; would rather have y'all look at the analyzed page  before I touch anything.  Thanks again so much!!
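As an added illustration of the triage war1 gives later in the thread (most firewall hits are internet noise, and the NetBIOS alerts come from a "non-routable" LAN address), here is a small Python script written for this page, not part of the thread or of McAfee's software, that parses blocked-event lines in the format quoted above and separates LAN neighbours from external sources. The sample lines are constructed from the events quoted above; the port list and the verdict wording are my own assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the three blocked events quoted in the post, with the
# NewTear event repeated once and the explanatory sentences trimmed off.
SAMPLE_LOG = """\
2006/05/20 21:14:32 82.224.69.138:45470 (vil93-3-82-224-69-138.fbx.proxad.net) 192.168.1.105:16518 IDS: 'NewTear' Attack.
2006/05/20 21:14:33 82.224.69.138:45470 (vil93-3-82-224-69-138.fbx.proxad.net) 192.168.1.105:16518 IDS: 'NewTear' Attack.
2006/05/19 22:31:05 192.168.1.101:137 (YOUR-W04GTXLD67) 192.168.1.105:137 NETBIOS Name
2006/05/19 13:02:37 192.168.1.104:138 (CHRIS-0RL8V0AB5) 192.168.1.105:138 NETBIOS Datagram
"""

# One event line: timestamp, source ip:port, (source name), destination ip:port, event text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"\((?P<src_name>[^)]*)\) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"(?P<event>.+?)\s*$"
)

# Windows name/browse/file-sharing ports (137 and 138 are the ones the alerts above mention).
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# Assumed wording for each verdict; defender's reading of the event, not McAfee's text.
VERDICT_TEXT = {
    "internet-noise": "external source, blocked; background scanning, no action beyond keeping the firewall on",
    "lan-netbios": "neighbouring LAN host doing Windows name/browse traffic; normal on a shared modem",
    "lan-other": "LAN host hitting a non-file-sharing port; worth checking that machine if it repeats",
}


def parse_line(line):
    """Return the fields of one blocked-event line, or None if the line is not an event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def triage(ev):
    """Classify by where the source sits: RFC 1918 (the 'non-routable' IP the alert mentions) or the internet."""
    src = ipaddress.ip_address(ev["src_ip"])
    if src.is_private:
        return "lan-netbios" if ev["dst_port"] in NETBIOS_SMB_PORTS else "lan-other"
    return "internet-noise"


def summarize(log_text):
    """Parse every event line, attach a verdict, and count events per verdict and per (source, verdict)."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    by_verdict = Counter()
    by_source = Counter()
    for ev in events:
        ev["verdict"] = triage(ev)
        by_verdict[ev["verdict"]] += 1
        by_source[(ev["src_ip"], ev["verdict"])] += 1
    return events, by_verdict, by_source


if __name__ == "__main__":
    events, by_verdict, by_source = summarize(SAMPLE_LOG)
    for ev in events:
        print(f"{ev['ts']:%Y-%m-%d %H:%M} {ev['src_ip']:>15} -> port {ev['dst_port']:<5} {ev['event']:<24} {ev['verdict']}")
    print()
    for (src, verdict), n in sorted(by_source.items()):
        print(f"{n}x from {src} ({verdict}): {VERDICT_TEXT[verdict]}")
```

The repeated external source is counted rather than reported per line, which is the view that tells you whether a blocked source is persistent or just passing noise.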

Tim Holman Commented:
Go to www.ewido.com, download, install and run the 14 day eval to remove this and clear up your machine.

war1 Commented:
eMused,

As I said before, you should uninstall Anti-Virus Pro from Add/Remove Programs.  Also, you should run the SmitRemFix that I posted above.  Intell321.exe is part of SpyAxe.

Put a check mark next to the following items in HijackThis log and click "Fix Checked"

C:\Program Files\Anti-Virus-Pro\App.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [3d9e029f.exe] C:\WINDOWS\system32\3d9e029f.exe
O4 - HKCU\..\Run: [3d9e029f.exe] C:\Documents and Settings\Mary Emery\Local Settings\Application Data\3d9e029f.exe
O4 - HKCU\..\Run: [Anti-Virus-Pro] "C:\Program Files\Anti-Virus-Pro\App.exe" hide
O4 - Startup: .protected
O4 - Global Startup: .protected

If you did not install this download manager, have HijackThis remove it also

O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.1.cab
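To show what makes the O4 entries in war1's list stand out, here is an added Python script (my own, not from the thread or from HijackThis) that parses O4 lines and flags the traits visible above: an eight-hex-character filename, a binary launched from the user's Local Settings folder, a "hide" argument, a name the thread identifies as rogue, and a bare ".protected" item in a Startup folder. The heuristics and marker list are my assumptions; note that they do not flag DLACTRLW.EXE even though war1 included it, so an entry with no flag is not thereby proven benign.

```python
import re

# Constructed sample: the O4 lines war1 listed for "Fix Checked", plus the two entries
# that come up later in the thread and war1 calls good (TkBellExe, MBMon).
HJT_LOG = r"""
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [3d9e029f.exe] C:\WINDOWS\system32\3d9e029f.exe
O4 - HKCU\..\Run: [3d9e029f.exe] C:\Documents and Settings\Mary Emery\Local Settings\Application Data\3d9e029f.exe
O4 - HKCU\..\Run: [Anti-Virus-Pro] "C:\Program Files\Anti-Virus-Pro\App.exe" hide
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
"""

# "O4 - <where>: [<name>] <command>"; the name bracket is absent for Startup-folder items.
ENTRY_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*?)\s*$")
QUOTED_RE = re.compile(r'^"(?P<path>[^"]*)"\s*(?P<args>.*)$')
UNQUOTED_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|scr|dll|bat|cmd))(?:\s+(?P<args>.*))?$", re.I)

# Assumed marker list: names this thread itself ties to rogue software
# (A-V-P, and intell321.exe, which war1 says belongs to SpyAxe).
ROGUE_MARKERS = ("anti-virus-pro", "intell321")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
STARTUP_FOLDERS = ("Startup", "Global Startup")


def split_command(cmd):
    """Split a Run-key command into (program path, arguments); unparseable commands come back whole."""
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    if not m:
        return cmd, ""
    return m.group("path"), (m.group("args") or "").strip()


def parse_entry(line):
    """Return the parts of one O4 line, or None for any other line."""
    m = ENTRY_RE.match(line)
    return m.groupdict() if m else None


def assess(entry):
    """Apply the heuristics in a fixed order; returns the list of indicator names that matched."""
    flags = []
    path, args = split_command(entry["cmd"])
    fname = path.rsplit("\\", 1)[-1]
    low_path, low_name = path.lower(), (entry["name"] or "").lower()
    if HEX_NAME_RE.match(fname):
        flags.append("random-hex-filename")
    if "\\local settings\\" in low_path or "\\temp\\" in low_path:
        flags.append("runs-from-user-profile")
    if args.lower() == "hide":
        flags.append("hidden-window-argument")
    if any(mk in low_path or mk in low_name for mk in ROGUE_MARKERS):
        flags.append("known-rogue-name")
    if entry["where"] in STARTUP_FOLDERS and fname.startswith("."):
        flags.append("dotfile-in-startup-folder")
    return flags


def triage_log(text):
    """Parse every O4 line of a HijackThis log and attach its indicator flags."""
    rows = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            entry["flags"] = assess(entry)
            rows.append(entry)
    return rows


def flagged(text):
    """Only the entries that matched at least one indicator, as (where, name-or-command, flags)."""
    return [(e["where"], e["name"] or e["cmd"], e["flags"]) for e in triage_log(text) if e["flags"]]


if __name__ == "__main__":
    for r in triage_log(HJT_LOG):
        mark = "FLAG" if r["flags"] else "    "
        print(f"{mark} {r['where']:<14} [{r['name'] or '-'}] {', '.join(r['flags']) or 'no indicator matched'}")
```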

eMused (Author) Commented:
Hi War -- I have uninstalled the program and downloaded the fix as posted by you on the

"2. Use SmitFraudFix to remove these type of spyware
SmitFraudFix for Smitfraud, Win32.puper, AVGold, Security iGuard, Spyware Vanisher, quicknavigate.com, updateSearches.com, startsearches.net, Virtual Maid, SpySheriff, PSGuard, SpyAxe, WinHound, AlphaCleaner, AdwarePunisher, SpywareQuake
http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip"

Should that be run in safe mode?  When I downloaded the file, and then extracted it, McAfee went nuts.  Will wait to hear before proceeding.  Also, the link to the website that the desktray icon referred me to is:  "www.teslaplus.com/search.php?wmid=174&sub=0&q=Removers"  To say that I am not pleased with their blatant audacity would be an understatement.

I am not sure about O16 - DPF -- I may have installed it to run any number of things I have need to run.  I should also let you know that I use VoIP with a Linksys cordless internet phone and am wondering if that download manager may have something to do with that or with my graphics programs . . .  thanks so much so far!!  eMused

war1 Commented:
Temporarily disable McAfee antivirus while running SmitFraudFix.  Follow the instructions here to use it http://www.geekstogo.com/forum/index.php?showtopic=109268

Have you uninstalled the A-V-P software from Add/Remove Programs?  The A-V-P program could be all or part of your problem.

eMused (Author) Commented:
War1 -- I did indeed uninstall that from the Add/Remove Programs as you previously suggested.  Am going to follow your instructions and go to the link you just posted and run the SmitFraudFix

eMused (Author) Commented:
Hi again -- I disabled McAfee, ran the SmitFraudFix per the directions at the link and have rebooted.  Should I now re-run the HijackThis program or just go to the results I got previously and fix those items you listed yesterday morning?  Thanks for your patience with my limited knowledge in this area.  So much to learn.

rpggamergirl Commented:
Hi,
You also need to delete these files if still present: HijackThis only removes the registry entry and disables them from running at startup, but their files are still intact. You can delete them either manually or with Killbox.
C:\WINDOWS\system32\3d9e029f.exe
C:\WINDOWS\system32\intell321.exe
C:\Documents and Settings\Mary Emery\Local Settings\Application Data\3d9e029f.exe


Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\3d9e029f.exe
C:\WINDOWS\system32\intell321.exe
C:\Documents and Settings\Mary Emery\Local Settings\Application Data\3d9e029f.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.

eMused (Author) Commented:
Hi rpggamergirl -- just to make absolutely certain I am clear in what I have or have not already done.  I ran the hijackthis program but DID NOT delete anything that came up nor did I click the 'autofix' button after the initial run.  I uninstalled from add/remove programs the a-v-p program; ran the smitfraudfix as per war1 instructions; have rebooted and that is where we are.  Thanks!!  eMused

war1 Commented:
eMused,

You have done things in the correct order.  Yes, delete the items from the HijackThis log that I posted above.  You may find one or more items from above missing, as the previous fixes may have removed them.

eMused (Author) Commented:
THANKS War1!!  Off to do that bit -- will let you know how it goes.  eMused

rpggamergirl Commented:
What I was trying to say was:
Clicking "Fix Checked" in HijackThis only disables those entries from running.
Clicking "Fix checked" in HijackThis means deleting the registry entries of those programs, but it does not mean that the files are being deleted, so I suggested deleting the files:

Fixing these entries below does not mean deleting their files (their files still exist because HijackThis does not delete them).  Fixing these entries means "disabling them from running".
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [3d9e029f.exe] C:\WINDOWS\system32\3d9e029f.exe
O4 - HKCU\..\Run: [3d9e029f.exe] C:\Documents and Settings\Mary Emery\Local Settings\Application Data\3d9e029f.exe


That's why I suggested to Killbox these entries so they are gone from your system and not just staying there waiting to activate again.
C:\WINDOWS\system32\intell321.exe
C:\WINDOWS\system32\3d9e029f.exe
C:\Documents and Settings\Mary Emery\Local Settings\Application Data\3d9e029f.exe


eMused (Author) Commented:
Hi War1 et al -- I went to the HijackThis log; the only file there to check and 'fix' [ie hjt either fixes or deletes according to their info] was  "O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE"; I used the search assistant to look for intell321.exe, 3d9e029f.exe, and .protected.  There were no results for the .exe searches [I added the advanced options of searching system folders, hidden files and folders, and all subfolders].  Using those same parameters, four ".protected" files were found in hidden folders.  Each contained 0 bytes.  The folders were C:\; C:\WINDOWS\inf; C:\WINDOWS\system32\drivers\etc; and C:\Program Files\Internet Explorer\PLUGINS.  Should I delete those empty files or will they disappear on reboot?  Finally, I searched for "App.exe hide" and no results were returned.  There were a number of hits when I searched plain "App.exe" but they looked 'legitimate'.  Lastly, I am not sure about the akamaitools.com.edgesuite.net/dlmanager/ . . . I am not sure what to do about that.  I did purchase a program which I used on my ASUS notebook that was called Security Task Manager I believe -- it listed all programs and gave quite a detailed summary of where they were located, etc.  I think I purchased a multiple machine license with that if you think I should run that on this machine -- just remembered having it on the notebook.

I am most hopeful -- and becoming eMused once again -- will await your word . . .  

war1 Commented:
eMused,

>> I used the search assistant to look for intell321.exe' 3d9e029f.exe; and .protected.

If they are not there, then they must have been deleted by another spyware or trojan remover. So only the registry entries remained, which you deleted via HijackThis.

>> The folders were C:\; C:\WINDOWS\inf; C:\WINDOWS\system32\drivers\etc; and C:\Program Files\Internet Explorer\PLUGINS.  Should I delete those empty files or will they disappear on reboot? >>

No, you do not have to delete these files.

dlmanager.akamaitools.com is a download manager.  Leave it alone for now.

Do you have any sign of malware?  Popups?  Webpage hijack?  Slow computer?  If not, it looks like you are clean.

eMused (Author) Commented:
War1 -- So far so good -- the only 'slow' part is MSN's mail -- hit the send/receive icon and it seems slower to me than it used to [not that it was ever lightning fast but certainly much faster than it is now] -- by slow I mean 1 MINUTE 20 SECONDS from the time I click send/receive until MSN finishes checking for mail.  Other than that all looks ok right now.  Any insight regarding the MSN issue?  War1 -- you are on a pedestal in my book -- my most sincere thanks!!!!  eMused [again, thanks to you]

eMused (Author) Commented:
I may have spoken too soon.  My VoIP phone rang and at the same time I got a DEP error message window pop-up that said "To help protect your computer, Windows has closed this program."  Is this a fluke????

eMused (Author) Commented:
The technical details for the DEP error are:

"C:\DOCUME~1\MARYEM~1\LOCALS~1\Temp\WERc73c.dir00\explorer.exe.mdmp
C:\DOCUME~1\MARYEM~1\LOCALS~1\Temp\WERc73c.dir00\appcompat.txt"  and then when I went to report this problem to Microsoft, I got a message that said "In order to correctly diagnose this problem, the following information is required:
Additional data that describes the application's condition is required. Large sections of the files you were using may be included, and this information may take a long time to transfer over a slow connection.


HELP!

war1 Commented:
Is the problem repeatable?  Or does it occur only once in a while.

You have lots of programs loading at startup and running in the background.  One or more of these programs may be interfering with the VoIP phone.

Try disabling the startup programs one at a time and see which one is interfering.  Go to Start > Run and type msconfig.  Go to the Startup tab.  Select to hide the Windows sign components.  Then uncheck one at a time and see which program is causing the problem.

eMused (Author) Commented:
War1, et al
This was the first time it happened [I get LOTS of calls through VoIP], but I have only had the machine for two weeks;  I will disable as you suggested [some can stay that way as far as I am concerned] and update as appropriate.  I did reboot the machine and had added the option of a HijackThis scan at start-up -- there are a few entries that puzzled me [actually, more puzzle me but these stood out for some reason]:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - Global Startup: Digital Line Detect.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

eMused [still] [will keep on slogging through!]

war1 Commented:
eMused, the above files are good files. Do not delete.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

This file is misidentified by HJT as missing.

For troubleshooting, you can run HijackThis at startup.  But you have many startup programs already.  The many startups can slow your computer down.

eMused (Author) Commented:
I went to msconfig and clicked the Startup tab as suggested [there wasn't a place to hide the Windows sign components].  All boxes were checked and the "enable all" tab was buttony; the "disable all" button was active but I didn't select that.  I 'unchecked' a number of boxes correlating to programs I didn't necessarily want to run at startup; then got a restart prompt; did so and when Windows rebooted, a message saying that msconfig was coming up in selective mode or something like that came on and said to check the 'general' box to start normally -- the general box reopts the apps that I de-opted!?!

Tim Holman Commented:
It would have been a lot quicker to follow my previous comment to get everything cleared up properly - I've been doing this sort of stuff for several years, and although my comments are brief, they work....  :P

Back to the DEP - do you use MSN for VoIP?  Can you uninstall, and reinstall your VoIP application?
DEP is there to prevent programs executing in places where they shouldn't, as if they're allowed to just execute anywhere, then malware can compromise your machine and someone else will become the new owner.   Under no circumstances disable DEP - it's a sure sign that there are still unwanted applications on your machine, in which case, Ewido will clear these up.

Also, did you ever go to Control Panel and see if you had a System Restore point from before these issues you can roll back to?



eMused (Author) Commented:
Hi Tim -- I appreciate your sense of humor.   When you added your comment, I was not certain that the A-V-P program wasn't from Grisoft who, as you are most certainly aware, purchased Ewido.  I do not use MSN for VoIP. I use Skype with a dedicated number for calls to non-VoIP phones.  I generally take the Skype calls on a Linksys cordless internet phone.  I have been using Skype and the Linksys on my ASUS notebook and an older desktop for quite some time without incident.  I did uninstall and reinstall Skype.  I'm not at all sure that is what caused the DEP.  I would not under any circumstances disable DEP -- you are correct in your intimation that would be a foolhardy maneuver.

The computer was delivered on 16 May, sealed in its original box.  Upon unpacking and setting up, I made sure that System Restore was enabled and at a maximum level.  I have not had a DEP before yesterday, nor have I had one since that occasion.  I receive an average of 20 to 40 VoIP calls per day without incident.  

I'd be interested to know if the Ewido program will be in conflict with McAfee and how it is 'better' [I take it that is your opinion] or differs from SmitFraudFix.  Thanks in advance!

eMused<still>

Tim Holman Commented:
There will be no conflicts.  It's just specifically aimed to clear up Malware, rather than viruses, although now Grisoft have taken it on board, expect the whole product to do both.
McAfee is OK, but if you're tight on resources, then BitDefender or Kaspersky are a lot more compact and are faster...  Ewido I'd only use for the one-off cleansing, especially if you've already bought AV.

eMused (Author) Commented:
Sorry about the time-lapse -- work interfering with troubleshooting my machine -- they have some nerve!!  Actually Tim, I did NOT buy an AVG product -- what I bought was dubbed a spyware program and it was removed from my machine at the add/remove programs level.  All was working fairly well -- no more DEP messages anyway.  I just had a rather troubling reboot and have a hijack this log if someone would like to have a go at looking at this -- I do think it is all the same situation -- sadly.  I promise not to move from my chair and to respond promptly to any and all suggestions.  Thank you.  Let me know what to do with the hjt log . . . eMused?????

war1 Commented:
eMused,

Glad you do not have any more DEP messages.  Yes, post your HijackThis log and I'll let you know if you are cleared of spyware.

eMused (Author) Commented:

war1 Commented:
eMused,

Did you install the MSN Toolbar?  If so, your HijackThis log looks clean. :-)

eMused (Author) Commented:
I think i did as a matter of fact.  Would you mind telling me what this entry is?  O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

I have one other question War1 and then I'll go back to my research -- is there a resource on this site that tells you how to configure a firewall [ie McAfee] so that inbound attempts of possible hijackings don't continually occur?  I trace all those bloody rotten bits and half the time I find out [after I'm told to report them] that they are legit . . . .

war1 Commented:
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon is for Motherboard Monitor.

There is no area on the EE site to show how to configure the McAfee firewall.  Most attempts at entry of a firewall are internet noise.  You need to follow safe computing habits. Do not click on links in email. Do not open attachments that you are not expecting, even from someone you know.  Do not click on links in nefarious websites.

Tim Holman Commented:
HJT is only designed to pick up hijacked IE clients - it won't check or scan your system for any other type of malware, except the obvious ones that appear in startup directories.
I hate to keep repeating myself, but only with an in depth Ewido scan can you make sure you're almost 100% clean. :)