# Internet Explorer running in background



## mr_mr_r (Nov 9, 2011)

Hi,

Internet Explorer keeps running in the background. I end the process in Task Manager and within minutes it reopens again. The longer I leave it, the more memory it seems to use.

I have run AVG, Spybot and Malwarebytes, all of which came up with nothing.

I recently had a problem with a Google redirect virus, which I think I have fixed, but it may be related.

If you need any more information just let me know and I should be able to swiftly get it for you.

Thanks in advance,

Matt

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
Processor: AMD Athlon(tm) 64 Processor 3000+, x86 Family 15 Model 47 Stepping 2
Processor Count: 1
RAM: 2046 Mb
Graphics Card: NVIDIA GeForce 6600, 512 Mb
Hard Drives: C: Total - 152625 MB, Free - 80532 MB;
Motherboard: http://www.abit.com.tw/, KN8 Series(NF-CK804)
Antivirus: AVG Anti-Virus Free Edition 2012, Updated: Yes, On-Demand Scanner: Enabled


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r, welcome to the forum.

To make cleaning this machine easier:

Please *do not* uninstall/install any programs unless asked to.
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please *do not* run any scans other than those requested.
Please follow all instructions in the order posted.
All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
Do not attach any logs/reports, etc. unless specifically requested to do so.
If you have problems with or do not understand the instructions, please ask *before* continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.
Let's see if you can get these to run.

Download *OTL* to your desktop.

Double click on *OTL.exe* to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Minimal Output*
Check the boxes beside *LOP Check* and *Purity Check*.
In the window under Custom Scans/Fixes copy and paste the following

```
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lîk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Deskuop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s >
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
/md5stop
```

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows, *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

*Next*

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Please post back with

both OTL logs
aswMBR.log
Thanks


----------



## mr_mr_r (Nov 9, 2011)

I have run OTL.exe; please find the attached results.

However when I try and run aswMBR.exe nothing happens, any idea why this might be?

Let me know if you need any more information.

Thanks in advance

Matt


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r,

Please copy and paste your logs into your replies unless specifically requested to attach them. It's much easier to work with them when they are posted.

Do you have a blank CD and a usb device such as a flashdrive?

I see you have used TDSSKiller, please post the log. It can be found at *C:\TDSSKiller.[Version]_[Date]_[Time]_log.txt*

It may be malware or your security programs may be interfering with aswMBR. Delete the copy you have and disable AVG, Spybot's Teatimer and Windows Defender.

Download a new copy and try it again. Run this fix first.

*Next*, double click on *OTL.exe*

Under the *Custom Scans/Fixes* box at the bottom, paste in the following
*Do Not* copy the word *CODE*
please note the fix starts with the *:*


```
:Services
 
:Files
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
ipconfig /flushdns /c
 
:Commands
[purity]
[emptytemp]
[createrestorepoint]
```
Then click the *Run Fix* button at the top


Let the program run unhindered
Please save the resulting log to be posted in your next reply.
Please post the *OTL* log and a new *HJT* fix log.

Please post back with

TDSSKiller log
OTL log
aswMBR log if you were able to get it to run.
Thanks


----------



## mr_mr_r (Nov 9, 2011)

Hi,

Firstly, apologies for not posting the previous results properly, and yes I do have blank CDs and a flashdrive.

You are right in that I did download TDSSKiller, however much like aswMBR I was unable to get it to run. I have disabled AVG, Windows Defender and Spybot but still nothing happens when I run both .exe files.

When I ran OTL with your code below it crashed the system; however, upon restart OTL opened up with the text below in Notepad. I assume this is what you are after:

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
File\Folder C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk not found.
File\Folder C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr not found.
File\Folder C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Matt\Desktop\Viral\cmd.bat deleted successfully.
C:\Documents and Settings\Matt\Desktop\Viral\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4327060 bytes
->FireFox cache emptied: 3424148 bytes

User: Matt
->Temp folder emptied: 2551421 bytes
->Temporary Internet Files folder emptied: 6100090 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 41193425 bytes
->Google Chrome cache emptied: 10069688 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 832 bytes

User: NetworkService
->Temp folder emptied: 825116 bytes
->Temporary Internet Files folder emptied: 79078690 bytes

User: user
->Temp folder emptied: 920639749 bytes
->Temporary Internet Files folder emptied: 444396716 bytes
->Java cache emptied: 17552591 bytes
->FireFox cache emptied: 19178936 bytes
->Apple Safari cache emptied: 1019904 bytes
->Flash cache emptied: 23758 bytes

%systemdrive% .tmp files removed: 356994 bytes
%systemroot% .tmp files removed: 5235263 bytes
%systemroot%\System32 .tmp files removed: 871953 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 797 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 42613013 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2210304 bytes

Total Files Cleaned = 1,528.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 11112011_093429

Files\Folders moved on Reboot...
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r,

No problem.

OK, we'll use a CD that we will make bootable. We also need a USB flashdrive that has some space on it. We *will not* be changing any of the data on the USB device, just using it for a file.

You will also need to use *FireFox* to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. These may look complicated but it's fairly straightforward and for the most part automated.

Download *GETxPUD.exe* to the desktop of your *clean* computer

Run *GETxPUD.exe* by double clicking it.
A new folder will appear on the desktop.
Open the *GETxPUD* folder and click on the *get&burn.bat*
The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
Click on *Start* and follow the prompts to burn the image to a CD

Using *FireFox*, please download and save *dumpit* to your *usb device*.

You may want to print out this part as you will not be able to view these instructions.

Leave the USB device attached to the computer
Boot the infected computer with the CD you just burned
with the CD in the computer, restart the computer
The computer must be set to boot from the CD; depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option or it can be set in the BIOS


Once you have the computer set to boot from the CD allow it to boot
A Welcome to xPUD screen will appear
Click on *File*
Expand *mnt*
sda1,2... usually corresponds to your HDD
*sdb1* is likely your USB
Click on the folder that represents your USB drive (sdb1?)
(you will be able to tell if it is the right one as the screen will populate with your files)
Locate the file you downloaded and saved earlier, *dumpit*
double click it to run it
a black window will open, follow the instructions to close the window when it's finished
a file called *MBR.zip* should now be placed in the right hand panel
Click the *Home* icon at top
Remove the CD and click *Power off*
Click *restart*

Once the computer has rebooted open the usb device and attach the *MBR.zip* file to your next reply.

Thanks
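Before a repair such as FIXMBR is attempted, an analyst would normally want to look at the dumped sector itself. As an added example (not code from this thread, nor from dumpit or aswMBR), the Python below parses a 512-byte MBR.dat, checks the 0x55AA boot signature and the four partition entries, and compares the SHA-256 of the 440-byte bootstrap code with a reference hash the analyst trusts; the bootstrap bytes, disk signature and partition layout it uses are constructed fixtures, not a real disk image.

```python
"""Offline triage of a raw MBR sector dump (added example, not code from this thread or from dumpit/aswMBR).

Parses the 512-byte sector: checks the 0x55AA boot signature, sanity-checks the
four partition entries and compares a SHA-256 of the 440-byte bootstrap code
with a reference hash the analyst trusts. The bootstrap bytes, disk signature
and partition layout below are constructed fixtures, not a real disk image.
"""
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOTCODE_LEN = 440       # bootstrap code occupies bytes 0..439
PT_OFFSET = 446          # four 16-byte partition entries start here
PT_ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, LBA count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Return the four entries as dicts; empty slots (type 0x00) are kept so indices stay stable."""
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(PT_ENTRY, mbr, PT_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": start, "lba_count": count})
    return entries


def triage_mbr(mbr: bytes, reference_sha256: Optional[str] = None,
               disk_sectors: Optional[int] = None) -> dict:
    """Parse one MBR sector and return a report with human-readable findings."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(mbr)} bytes")
    findings = []
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    digest = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    matches = None if reference_sha256 is None else digest == reference_sha256.lower()
    if matches is False:
        findings.append("bootstrap code differs from the trusted reference")
    used = [e for e in parse_partition_table(mbr) if e["type"] != 0x00]
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["lba_count"] == 0:
            findings.append(f"partition {e['index']}: zero-length entry")
        if disk_sectors is not None and e["lba_start"] + e["lba_count"] > disk_sectors:
            findings.append(f"partition {e['index']}: extends past the end of the disk")
    active = [e["index"] for e in used if e["status"] == 0x80]
    if used and len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for a in used:
        for b in used:
            if (a["index"] < b["index"]
                    and a["lba_start"] < b["lba_start"] + b["lba_count"]
                    and b["lba_start"] < a["lba_start"] + a["lba_count"]):
                findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return {"signature_ok": signature_ok, "bootcode_sha256": digest,
            "bootcode_matches_reference": matches, "disk_signature": mbr[440:444].hex(),
            "partitions": used, "active": active, "findings": findings}


def build_mbr(bootcode: bytes, entries, disk_sig: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Assemble a 512-byte MBR from constructed parts (test fixture only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode[:BOOTCODE_LEN]
    sector[440:444] = disk_sig
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(PT_ENTRY, sector, PT_OFFSET + 16 * i, status, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for clean bootstrap code: a short real-mode prologue padded with NOPs.
# It is NOT the real Windows XP MBR code; in practice REFERENCE_SHA256 comes from a dump
# taken on a known-clean machine with the same OS build.
CLEAN_BOOTCODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * BOOTCODE_LEN)[:BOOTCODE_LEN]
REFERENCE_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()
ONE_NTFS_PARTITION = [(0x80, 0x07, 63, 312576642)]   # constructed: one active NTFS partition


def demo():
    """Triage a clean sector and a copy whose bootstrap bytes were altered."""
    clean = build_mbr(CLEAN_BOOTCODE, ONE_NTFS_PARTITION)
    altered = bytearray(clean)
    altered[0x100:0x108] = b"\x00" * 8          # constructed change inside the bootstrap area
    return triage_mbr(clean, REFERENCE_SHA256), triage_mbr(bytes(altered), REFERENCE_SHA256)


if __name__ == "__main__":
    for label, report in zip(("clean", "altered"), demo()):
        print(f"{label}: findings={report['findings'] or 'none'} sha256={report['bootcode_sha256'][:16]}...")
```

A sector whose bootstrap hash matches the reference but whose partition table has overlapping or multiple active entries still gets a finding, which is why both checks are reported together.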


----------



## mr_mr_r (Nov 9, 2011)

Attached is the mbr.zip

Matt


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r,

Do you have a retail copy of XP? We need to use a utility that is on the disk. If you don't have a disk let me know, I'll give you instructions to create the utility we need on a disk.

Thanks


----------



## mr_mr_r (Nov 9, 2011)

I've had a look but can't seem to find a windows XP disk, I think it came preinstalled.

Could you tell me the instructions to create the utility?

Thanks in advance,

Matt


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r

Please read the instructions and ask any questions if they are not clear.

To make the disk:

*Burn recovery console cd*
Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
Download floppy disk setup package xp pro for your operating system (XP pro) and save it to the folder you extracted the zip to.
Rename the floppy disk setup package to *Bootdisk.exe*.
Insert a blank cd into your burner.
Double-click the *RecoveryCD.bat* file and follow the prompts to burn a cd that will allow you to boot to the recovery console.
To use the disk:

Once the CD is made use it to boot the computer.

Make sure the computer is set to boot from the CD (you may have that option with the F12 key or will need to set it in the BIOS)
Insert the CD you made into the computer
Reboot the computer
1. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
2. When the "Welcome to Setup" screen appears, press *R* to start the Recovery Console.
3. You should now see a list of installations and the prompt "Which Windows Installation would you like to log on to?"
Select the appropriate number for the Windows installation that you want to repair. If you only have one, press 1.
4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

You should now have a *C:\windows>* prompt

type the following command and hit *enter*

*FIXMBR*

5. Answer *Y* when it asks you if you want to write a new MBR
6. Type EXIT and hit enter to reboot your machine

Your computer will now boot to windows. Once it has please try running *aswMBR* again and post the log.


----------



## mr_mr_r (Nov 9, 2011)

Thanks for the detailed instructions, all as you said, find aswMBR log below:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-16 13:05:38
-----------------------------
13:05:38.781 OS Version: Windows 5.1.2600 Service Pack 3
13:05:38.781 Number of processors: 1 586 0x2F02
13:05:38.781 ComputerName: MIKEPC UserName: Matt
13:05:43.093 Initialize success
13:07:25.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000007e
13:07:25.109 Disk 0 Vendor: MAXTOR_STM3160215A 3.AAD Size: 152627MB BusType: 3
13:07:25.125 Disk 0 MBR read successfully
13:07:25.125 Disk 0 MBR scan
13:07:25.125 Disk 0 Windows XP default MBR code
13:07:25.125 Disk 0 scanning sectors +312576705
13:07:25.203 Disk 0 scanning C:\windows\system32\drivers
13:07:35.000 Service scanning
13:07:36.406 Modules scanning
13:07:51.546 Disk 0 trace - called modules:
13:07:51.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys 
13:07:51.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a931ab8]
13:07:51.562 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000080[0x8a91baf8]
13:07:51.562 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\0000007e[0x8a9b3030]
13:07:52.062 Scan finished successfully
13:08:18.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Matt\Desktop\Viral\MBR.dat"
13:08:18.062 The log file has been saved successfully to "C:\Documents and Settings\Matt\Desktop\Viral\aswMBR.txt"


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r,

How's the computer? What issues are you having?


----------



## mr_mr_r (Nov 9, 2011)

Everything seems to be running fine, I haven't noticed Internet Explorer running in the background for a while and it appears as though my google redirect virus seems to have gone for good.

Has it all been cleansed away then?

Matt


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r,

Sometimes these infections bring friends to the party.

*Please read through the instructions to familiarize yourself with what to expect when the tool runs.*

Please download ComboFix from *Link 1* or *Link 2* to *C:\*.

**Note:** In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to C:\


If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab

-Set to "Always ask me where to Save the files". 

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._

-----------------------------------------------------------

Double click on *ComboFix.exe *& follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on *Yes*, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.
*Notes:*
1. *Do not mouse-click ComboFix's window while it is running. That may cause it to stall.*
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with

ComboFix log
How is the computer?
Thanks


----------



## mr_mr_r (Nov 9, 2011)

Please find below the log.txt

I think there may have been a slight issue when running it: after pressing Yes to the Microsoft Windows Recovery Console, a pop-up box came up saying something about being unable to complete. I did screenshot it but it didn't work. I closed this window, then the scan ran as usual; I don't know if this is anything major.

Matt

ComboFix 11-11-17.01 - Matt 17/11/2011 9:32.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1544 [GMT 0:00]
Running from: C:\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Matt\Application Data\PriceGong
c:\documents and settings\Matt\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Matt\My Documents\~WRL0754.tmp
c:\documents and settings\Matt\My Documents\~WRL1515.tmp
c:\documents and settings\Matt\My Documents\~WRL2140.tmp
c:\documents and settings\Matt\My Documents\~WRL3208.tmp
c:\documents and settings\Matt\WINDOWS
c:\documents and settings\user\WINDOWS
c:\program files\Common Files\Uninstall
c:\program files\popcorn Terms.html
c:\windows\bwUnin-7.2.0.137-8876480SL.exe
c:\windows\bwUnin-7.2.0.157-8876480SL.exe
c:\windows\bwUnin-8.1.1.50-8876480SL.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-11 09:30 . 2011-11-11 09:30	--------	d-----w-	C:\_OTL
2011-11-09 11:05 . 2011-11-09 11:05	--------	d-----w-	c:\documents and settings\All Users\Application Data\PC Tools
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2005-10-07 13:12	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-07 06:23 . 2011-07-11 00:13	230608	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2011-10-04 06:21 . 2011-07-11 00:14	16720	----a-w-	c:\windows\system32\drivers\AVGIDSShim.sys
2011-10-03 04:06 . 2011-01-05 13:06	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-03 01:37 . 2007-09-28 06:46	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2006-02-28 12:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2011-09-26 10:41	611328	------w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2006-02-28 12:00	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2006-02-28 12:00	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-23 10:31 . 2011-07-25 14:25	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 05:30 . 2011-07-11 00:13	32592	----a-w-	c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20 . 2006-02-28 12:00	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-08-31 16:00 . 2009-09-11 09:06	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-08-26 13:43 . 2011-08-26 13:43	204800	----a-w-	c:\documents and settings\Matt\Application DatazERBbpajkL.exe
2011-08-22 23:48 . 2006-02-28 12:00	916480	----a-w-	c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2006-02-28 12:00	43520	----a-w-	c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2006-02-28 12:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2006-02-28 12:00	385024	----a-w-	c:\windows\system32\html.iec
2011-11-10 13:45 . 2011-09-22 09:58	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2006-12-19 19:46	73728	----a-w-	c:\windows\system32\VirtualExpander\VEShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-08-25 2622784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-24 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX520 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE" [2005-04-07 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-24 2415456]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Matt\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-05-30 11:30	292136	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 11:12	288080	----a-w-	c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-12-08 21:29	240992	----a-w-	c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 17:51	3885408	----a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50	155648	----a-w-	c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-06-28 23:43	8466432	----a-w-	c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-28 23:43	81920	----a-w-	c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-28 23:43	1626112	----a-w-	c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18	413696	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42	32768	-c--a-w-	c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2007-10-23 04:11	524288	----a-w-	c:\windows\Samsung\PanelMgr\SSMMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-05-17 10:48	77824	----a-r-	c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-24 09:44	68856	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2011-03-07 13:33	89456	----a-w-	c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 18:20	866584	----a-w-	c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"WinDefend"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\ABIT\\FlashMenu\\FlashMenu.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23115:TCP"= 23115:TCP:BitComet 23115 TCP
"23115:UDP"= 23115:UDP:BitComet 23115 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [11/07/2011 00:14 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [11/07/2011 00:13 32592]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [26/07/2006 10:41 16640]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [11/07/2011 00:13 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/07/2011 00:14 295248]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [23/11/2004 19:45 23488]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 05:09 192776]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [17/06/2005 10:11 24064]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [14/11/2008 01:11 17184]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [11/07/2011 00:14 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [11/07/2011 00:14 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [11/07/2011 00:14 16720]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [17/06/2005 10:11 17664]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 06:25 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [24/05/2010 11:39 136176]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [21/04/2007 14:44 17149]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [24/05/2010 11:39 136176]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-28 08:09]
.
2011-10-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2011-11-17 c:\windows\Tasks\User_Feed_Synchronization-{A1125C4A-B044-4DD6-BC32-C7A380345BF3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
2011-11-17 c:\windows\Tasks\User_Feed_Synchronization-{C7A3B0EC-B3CE-4CFC-A7F8-2BA1F8509EC0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{0CE516B5-2538-4006-8136-CB763F6FFBD2}: NameServer = 4.2.2.2,4.2.2.3
TCP: Interfaces\{C6D48E6C-2D08-4A27-83F0-6E03512E3D68}: NameServer = 4.2.2.2,4.2.2.3
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\gp6f2lex.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-eBayToolbar - c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
MSConfigStartUp-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-17 09:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0c,7b,dd,ef,41,8e,c9,44,bc,4c,3f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0c,7b,dd,ef,41,8e,c9,44,bc,4c,3f,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Applications]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay8\Applications]
@DACL=(02 0000)
.
Completion time: 2011-11-17 09:42:13
ComboFix-quarantined-files.txt 2011-11-17 09:41
.
Pre-Run: 85,272,264,704 bytes free
Post-Run: 85,261,611,008 bytes free
.
- - End Of File - - CFF3920550AD5AF977A0E61F7C76AE22


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r,

*BitComet*
You have µTorrent, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.
References for the risk of these programs can be found in these links

http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.internetworldstats.com/articles...cles/art053.htm

I would recommend that you uninstall *BitComet*, however that choice is up to you. If you choose to remove this program, you can do so via *Control Panel >> Add or Remove Programs.*

*If you wish to keep it, please do not use it until your computer is cleaned.*

You have this program installed, *Malwarebytes' Anti-Malware* (MBAM). Please update it and run a scan.

Open* MBAM*

Click the *Update* tab
Click *Check for Updates*
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.*

One more scan to look for stragglers.

*Note*
*It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.*
*Please don't go surfing while your resident protection is disabled!*
*Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.*

Go here to run an online scanner from 
*ESET* 

(*Note*: You can use* Internet Explorer* or *FireFox* for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)


Tick the box next to* YES, I accept the Terms of Use.*
Click* Start*
When asked, *allow* the activex control to install
*Disable* your Antivirus software. You can usually do this with its* Notification Tray icon* near the clock
Click* Start*
Make sure that the option* "Remove found threats"* is* Unchecked*, and the option *"Scan unwanted applications"* is *Checked*.
Click* Scan*.
When the scan completes, push *List of found threats*
Push *Export to Text file* and save the file to your desktop using a unique name, such as *ESETScan*. Include the contents of this report in your next reply.

*Note *- when ESET doesn't find any threats, no report will be created.

Push the *back* button.
Push *Finish*
*Re-enable* your Antivirus software.
If a log has been produced post it in your next reply.

Please post back with

MBAM log
ESET log
How's the computer?


----------



## mr_mr_r (Nov 9, 2011)

I've uninstalled that Bitcomet program, I've never used it anyway.

MBAM came up clean and ESET found one issue though, logs below.

Computer seems to be running fine now, no google redirect problems, IE doesn't run behind the scenes and no more random IE windows opening, thanks for all your help.

*MBAM:*

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8186

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/11/2011 09:20:51
mbam-log-2011-11-18 (09-20-51).txt

Scan type: Quick scan
Objects scanned: 183136
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*ESET*

C:\Documents and Settings\user\My Documents\My Pictures\craig and me\autorun.inf	INF/Autorun.gen trojan


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r,

*C:\Documents and Settings\user\My Documents\My Pictures\craig and me*

Are these photos or a video you have set to run or play automatically when accessed?


----------



## mr_mr_r (Nov 9, 2011)

It's a folder full of pictures, I don't remember setting it up to run or play automatically when accessed.

In the folder are pictures and then *autorun.inf* and *autorun.bat*. Should I delete these?

Matt


----------



## oldman960 (Apr 8, 2010)

Hi mr_mr_r,

I don't think they are necessarily malware. They may have been placed there by some software for legitimate reasons. If you zip them and attach them to your reply I'll see if I can determine what they are.

You have an old vulnerable version of java installed.

Open Control Panel > Add/Remove Programs and uninstall

*Java(TM) 6 Update 2*

Do *not* uninstall *Java(TM) 6 Update 29 *

*Next*, clear the java cache

To clear the Java Plug-in cache:

Click Start > Control Panel.
Double-click the Java icon in the control panel.
On the General tab, Click *Settings* under Temporary Internet Files.
On the Temporary Files Settings screen, Click *Delete Files*.
check all boxes
Click *OK*

We can clean up the tools that we used as your computer appears to be malware free,

From your desktop, please delete, if present

any notepads/logs that we created
aswMBR.exe
mbr.dat
TDSSKiller
C:\ *TDSSKiller.[Version]_[Date]_[Time]_log.txt*
GETxPUD.exe
You can also remove any items saved to the usb device we used.

*Next*

Click the *Start* button, click *Run*. Copy and paste the following line into the run box and click *OK*

*C:\ComboFix.exe /uninstall*

Open *OTL* then click the *Clean Up* button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click *Yes*. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep* MBAM*. Keep it updated and use it regularly.

You should also hold onto the XP disk we made, you may find it handy some day down the road. It's actually the same program combofix failed to install on your computer. There are times when the disk version is more successful than the installed version.

*Updates and upgrades*

You have an older version of *Adobe Reader*. You can download the current version *HERE*

You may want to consider *Foxit Reader* instead. It may be a bit lighter on resources. If you chose to go with Foxit, *decline* the *FoxIt ToolBar*.

Visit their support forum
*Foxit Forum*

In either case you should uninstall *Adobe Reader 7* first. Be sure to move any PDF documents to another folder first though.

*Some Recommendations and prevention tips*

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. 
I suggest either of the following as a resident antispyware program.

*Windows Defender*
*OR*
*Winpatrol*

- If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click *FIREWALL* for links and tutorials to good, free and paid for firewalls. (*Note*: Zone Alarm is becoming bloatware IMO)

You should also use *Spyware Blaster* to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

*OR*
A guide to understanding and using the hosts file.
Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
*HOSTS*

*Please read the info on disabling the DNS Client before* installing a custom hosts file.

-Secure your *Internet Explorer*

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to* Prompt*
Change the Download unsigned ActiveX controls to* Disable*
Change the Initialize and script ActiveX controls not marked as safe to *Disable*
Change the Installation of desktop items to* Prompt*
Change the Launching programs and files in an IFRAME to *Prompt*
Change the Navigate sub-frames across different domains to *Prompt*
When all these settings have been made, click on the *OK* button.
If it prompts you as to whether or not you want to save the settings, press the *Yes* button.
Next press the* Apply* button and then the *OK* to exit the Internet Properties page.

- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the *Windows Update Site *(using Internet Explorer) and download and install all critical updates on a regular basis.

- Make sure you have reset Automatic Updates to your chosen option. Click your start button > Control Panel > System

- Keep your antivirus program *updated*, as well as any other security programs you have.

-More tips and programs can be found *HERE*

Attach the 2 files if you would like me to have a look otherwise you can click the "Mark Solved" button at the top.
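A safe way to answer the question raised earlier in this post (whether the autorun.inf next to autorun.bat in the pictures folder is cosmetic or would launch something) is to read the file rather than double-click it. The following inspector is an added example, not a tool from the thread or from any of the programs used in it: it parses an autorun.inf, lists the directives that cause execution (open, shellexecute and shell\verb\command entries) and reports which programs they point at. Both sample files below are constructed for the example; they are not the user's files.

```python
"""Inspect an autorun.inf for directives that launch code (added example).

Windows only honours autorun.inf at the root of a volume, so a copy sitting
inside My Pictures does nothing where it is; reading it still tells you what
would run if the folder were copied to the root of a USB stick or burned CD.
"""
import re

# [autorun] keys whose value is executed when the volume is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... adds a context-menu verb that runs a program.
COMMAND_KEY = re.compile(r"^shell\\[^\\]+\\command$")
# Extensions that mean the referenced file is a program or script.
PROGRAM_EXTS = (".exe", ".bat", ".cmd", ".com", ".pif", ".scr", ".vbs", ".js")


def parse_inf(text):
    """Parse INI-style text into {section: {key: value}} with lowercase names.

    Handles ';' comments, blank lines and a missing trailing newline.  A key
    repeated inside a section overwrites the earlier entry in this parser.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """Return [(key, value)] for [autorun] entries that would run code."""
    autorun = parse_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or COMMAND_KEY.match(k)]


def classify(text):
    """'cosmetic' when only icon/label style keys are present, else 'launches-code'."""
    return "launches-code" if launch_directives(text) else "cosmetic"


def referenced_programs(text):
    """Sorted, de-duplicated program/script names the launch directives point at."""
    names = set()
    for _key, value in launch_directives(text):
        tokens = value.split()
        first = tokens[0].strip('"') if tokens else ""   # program before any arguments
        if first.lower().endswith(PROGRAM_EXTS):
            names.add(first)
    return sorted(names)


# Constructed sample: what a photo-CD burning tool might legitimately write.
BENIGN = """; constructed sample, icon and label only
[AutoRun]
icon=folder.ico
label=Craig and me
"""

# Constructed sample: the shape an autorun worm typically uses, pointing at
# a batch file beside it.  Nothing here is executed by this script.
SUSPECT = """; constructed sample
[autorun]
open=autorun.bat
shell\\open\\command=autorun.bat
shell\\explore\\command=autorun.bat
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, classify(sample), launch_directives(sample), referenced_programs(sample))
```

To use it on a real file, read the file as text and pass it to `classify()`; a verdict of `launches-code` pointing at a `.bat` or `.exe` next to the inf is the case worth zipping up for a helper to look at, while an icon/label-only file is the harmless kind the post mentions.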

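The Internet Explorer hardening steps in this post are set through the Custom Level dialog, which makes them easy to get wrong or to lose after a reset. The audit below is an added example (not part of the thread): it reads a `.reg` export of the Internet zone and reports which of the six settings the post names differ from the recommended values. It assumes the zone was exported with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`; the numeric action IDs (1001, 1004, 1201, 1800, 1804, 1607) are the documented IE zone registry values, not something the thread states, and the sample export is constructed.

```python
"""Audit IE Internet-zone (zone 3) settings from a .reg export (added example).

Each action is stored as a DWORD under the zone key: 0 = Enable, 1 = Prompt,
3 = Disable.  A value missing from the export falls back to the zone template
or a policy, so it is reported as 'not set' and should be checked in the dialog.
"""
import re
import sys

ENABLE, PROMPT, DISABLE = 0, 1, 3
VALUE_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Action ID -> (name as shown in Custom Level, value the post recommends).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Only numeric value names are actions; "DisplayName", "Flags" etc. are skipped.
DWORD_LINE = re.compile(r'^"(\d+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(reg_text):
    """Return {value_name: int} for the numeric DWORD lines of a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = DWORD_LINE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(reg_text):
    """Return [(action_id, name, current_or_None, recommended)] for settings to change."""
    current = parse_reg_dwords(reg_text)
    problems = []
    for action, (name, wanted) in RECOMMENDED.items():
        have = current.get(action)
        if have != wanted:
            problems.append((action, name, have, wanted))
    return problems


def format_report(problems):
    """Human-readable lines, one per setting that needs changing."""
    lines = []
    for action, name, have, wanted in problems:
        have_txt = "not set" if have is None else VALUE_NAME.get(have, str(have))
        lines.append(f"{action} {name}: {have_txt} -> set to {VALUE_NAME[wanted]}")
    return "\n".join(lines)


# Constructed export: two settings left on Enable and 1607 absent.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"Flags"=dword:00000001
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg export writes UTF-16 with a BOM; decode it as such.
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    report = format_report(audit_zone(text))
    print(report or "all six settings match the recommended values")
```

Run it with the export file as the only argument; with no argument it audits the constructed sample, which reports 1001 and 1800 still on Enable and 1607 not set.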

----------

