garymbam Posted October 14, 2010 ID:327306 Share Posted October 14, 2010 MBAM shows a registry key infected with "generic.bot.h". When I remove it and rescan, it keeps reappearing. Log below. Any thoughts how to remove this (or is it possibly a false alert?)Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4824Windows 6.0.6002 Service Pack 2Internet Explorer 7.0.6002.1800510/14/2010 2:50:07 PMmbam-log-2010-10-14 (14-50-07).txtScan type: Quick scanObjects scanned: 147674Time elapsed: 7 minute(s), 47 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44bba855-cc51-11cf-aafa-00aa00b6015n} (Generic.Bot.H) -> No action taken.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Gammo Posted October 16, 2010 ID:328042 Share Posted October 16, 2010 Hi,Please download DDS and save it to your desktop.Disable any script blocking protection.Double click dds.com to run the tool..When done, DDS will open two logs (DDS.txt and Attach.txt).Save both reports to your desktop.Please include the contents of DDS.txt in your next reply.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Please download Rootkit Unhooker and save it to your DesktopDouble-click on RKUnhookerLE to run itClick the Report tab, then click ScanCheck Drivers, Stealth and uncheck the restClick OKWait until it's finished and then go to File > Save ReportSave the report to your DesktopCopy the entire contents of the report and paste it in a reply here.Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!It is recommended to remove parasite, okay?" Link to post Share on other sites More sharing options...
garymbam Posted October 17, 2010 Author ID:328830 Share Posted October 17, 2010 Reports are below in the following order1 Rootkit Unhooker2 DDS TxtthxRkU Version: 3.8.388.590, Type LE (SR2)==============================================OS Name: Windows VistaVersion 6.0.6002 (Service Pack 2)Number of processors #2==============================================>Drivers==============================================0x8C006000 C:\Windows\system32\DRIVERS\igdkmd32.sys 7004160 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)0x82452000 C:\Windows\system32\ntoskrnl.exe 3846144 bytes (Microsoft Corporation, NT Kernel & System)0x82452000 PnpManager 3846144 bytes0x82452000 RAW 3846144 bytes0x82452000 WMIxWDM 3846144 bytes0x8C800000 C:\Windows\system32\DRIVERS\NETw4v32.sys 2289664 bytes (Intel Corporation, Intel Link to post Share on other sites More sharing options...
Gammo Posted October 18, 2010 ID:329380 Share Posted October 18, 2010 Hi,Download ComboFix from one of these locations:Link 1Link 2* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them: Click meIf you can't disable them then just continue on.Double click on ComboFix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply. Link to post Share on other sites More sharing options...
garymbam Posted October 19, 2010 Author ID:329506 Share Posted October 19, 2010 Unfortunately ComboFix does not appear to have worked. I ran ComboFix rebooted and reran MBAM and have the same generic.bot.h. result. Both Combofix log and MBAM logs are below.CombofixComboFix 10-10-18.01 - Gary 10/18/2010 19:49:43.2.2 - x86Microsoft Link to post Share on other sites More sharing options...
Gammo Posted October 19, 2010 ID:329762 Share Posted October 19, 2010 Hi,Please download SystemLook from one of the links below and save it to your Desktop.Download Mirror #1Download Mirror #2Double-click SystemLook.exe to run it.Copy the content of the following codebox into the main textfield::regfind44bba855-cc51-11cf-aafa-00aa00b6015n:regHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components /sClick the Look button to start the scan.When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.Note: The log can also be found on your Desktop entitled SystemLook.txt Link to post Share on other sites More sharing options...
garymbam Posted October 19, 2010 Author ID:330073 Share Posted October 19, 2010 SystemLook log below:SystemLook 04.09.10 by jpshortstuffLog created at 18:00 on 19/10/2010 by GaryAdministrator - Elevation successful========== regfind ==========Searching for "44bba855-cc51-11cf-aafa-00aa00b6015n"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}]========== reg ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components](No values found)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]@="Microsoft Windows Media Player""IsInstalled"= 0x0000000000 (0)"Version"="11,0,6002,18311""ComponentID"="WMPACCESS""LocalizedName"="@%SystemRoot%\system32\wmploc.dll,-128""StubPath"="C:\Windows\system32\unregmp2.exe /ShowWMP""DontAsk"= 0x0000000002 (2)"Locale"="*"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]@="Internet Explorer""LocalizedName"="@C:\Windows\system32\ie4uinit.exe,-21""ComponentID"="IEACCESS""Dontask"= 0x0000000002 (2)"IsInstalled"= 0x0000000001 (1)"Locale"="*""StubPath"="C:\Windows\system32\ie4uinit.exe -UserIconConfig""Version"="6,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]@="Browser Customizations""LocalizedName"="@C:\Windows\system32\iedkcs32.dll,-3052""ComponentiD"="BRANDING.CAB""IsInstalled"= 0x0000000001 (1)"Locale"="*""StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP""Version"="6,0,6000,16386"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]@="Java (Sun)""ComponentID"="JAVAVM""IsInstalled"= 0x0000000001 (1)"KeyFileName"="C:\Program Files\Java\jre6\bin\regutils.dll""Version"="5,0,5000,0""Locale"="EN"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]@="""Version"="11,0,6000,6324"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]@="Microsoft Windows Media Player 11.0""IsInstalled"= 0x0000000001 (1)"Version"="11,0,6002,18311""DontAsk"= 0x0000000002 (2)"Locale"="EN"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}]"ComponentID"="Director""IsInstalled"=01 00 00 00 (REG_BINARY)"Version"="10,1,4,20""Locale"="EN"@="Adobe Shockwave Director 10.1.4"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}]"ComponentID"="Director""IsInstalled"=01 00 00 00 (REG_BINARY)"Version"="10,1,4,20""Locale"="EN"@="Adobe Shockwave Director 10.1.4"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]@="Themes Setup""LocalizedName"="@%SystemRoot%\system32\themeui.dll,-2682""ComponentID"="Theme Component""IsInstalled"= 0x0000000001 (1)"Locale"="EN""StubPath"="%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll""Version"="1,1,1,9"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]@="Offline Browsing Pack""ComponentID"="MobilePk""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3C3901C5-3455-3E0A-A214-0B093A5070A6}]"Locale"="""Version"="4,0,30319,0""ComponentID"=".NETFramework"@=".NET Framework"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]"IsInstalled"= 0x0000000001 (1)"Dontask"= 0x0000000002 (2)"Locale"="*""ComponentID"="MailNews""CloneUser"= 0x0000000001 (1)"StubPath"=""%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE""Version"="6,0,6002,18005"@="Microsoft Windows Mail 7"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]"Version"="11,0,6000,6324"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}](No values found)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}](Unable to open key)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]@="Internet Explorer Help""ComponentID"="HelpCont""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]@="Microsoft Windows Script 5.7""ComponentID"="MSVBScript""IsInstalled"= 0x0000000001 (1)"Locale"="EN""Version"="5,7,6002,18222"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]@="Internet Explorer Setup Tools""ComponentID"="GenSetup""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]@="Browsing Enhancements""ComponentID"="ExtraPack""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005""KeyFileName"="%SystemRoot%\system32\msieftp.dll"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]@="Microsoft Windows Media Player""IsInstalled"= 0x0000000001 (1)"Version"="11,0,6000,6324""ComponentID"="Microsoft Windows Media Player""LocalizedName"="@%SystemRoot%\system32\wmploc.dll,-128""StubPath"="%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI""DontAsk"= 0x0000000002 (2)"Locale"="EN"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]@="MSN Site Access""ComponentID"="MSN_Auth""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="4,9,9,2"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]@="Address Book 7""Version"="6,0,6002,18005""IsInstalled"= 0x0000000001 (1)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}]@=".NET Framework""Locale"="""ComponentID"=".NETFramework""Version"="2,0,50727,0"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]@="Windows Desktop Update""LocalizedName"="@%SystemRoot%\system32\shell32.dll,-32969""ComponentID"="IE4_SHELLID""IsInstalled"= 0x0000000001 (1)"Locale"="en""StubPath"="regsvr32.exe /s /n /i:U shell32.dll""Version"="6,0,6002,18287"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]@="Internet Explorer""LocalizedName"="@C:\Windows\system32\ie4uinit.exe,-20""ComponentID"="BASEIE40_W2K""IsInstalled"= 0x0000000001 (1)"Locale"="en""StubPath"="C:\Windows\system32\ie4uinit.exe -BaseSettings""Version"="7,0,6000,16386"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix](No values found)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]"IsInstalled"= 0x0000000001 (1)"ComponentID"="DOTNETFRAMEWORKS""StubPath"="C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install""DontAsk"= 0x0000000002 (2)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]@="Dynamic HTML Data Binding""ComponentID"="Tridata""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]@="Internet Explorer Core Fonts""ComponentID"="Fontcore""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="6,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]"IsInstalled"= 0x0000000001 (1)"Version"="2,1,4025,0""ComponentID"="Windows Movie Maker v2.1"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}]@="Adobe Flash Player""ComponentID"="Flash""IsInstalled"=01 00 00 00 (REG_BINARY)"Version"="10.0.45.2""Locale"="EN"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]@="HTML Help""ComponentID"="HTMLHelp""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="6,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]@="Active Directory Service Interface""ComponentID"="ADSI""IsInstalled"= 0x0000000001 (1)"Locale"="EN""Version"="5,0,00,0"-= EOF =- Link to post Share on other sites More sharing options...
Gammo Posted October 20, 2010 ID:330365 Share Posted October 20, 2010 Hi,1. Please download The Avenger by Swandog46 to your Desktop.Right click on the Avenger.zip folder and select "Extract All..." Follow the prompts and extract the avenger folder to your desktop2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):Registry keys to delete:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.3. Now, open the avenger folder and start The Avenger program by clicking on its icon. Right click on the window under Input script here:, and select Paste. You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard. Click on Execute Answer "Yes" twice when prompted.4. The Avenger will automatically do the following:It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)On reboot, it will briefly open a black command window on your desktop, this is normal.After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.5. Please copy/paste the content of c:\avenger.txt into your reply.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Download TFC to your desktopOpen the file and close any other windows.It will close all programs itself when run, make sure to let it run uninterrupted.Click the Start button to begin the process. The program should not take long to finish its jobOnce its finished it should reboot your machine, if not, do this yourself to ensure a complete clean~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Start Malwarebytes' Anti-MalwareOnce the program has loaded, click the "Update" tab and click the "Check For updates" button.Once the updates were downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Link to post Share on other sites More sharing options...
garymbam Posted October 21, 2010 Author ID:330699 Share Posted October 21, 2010 Unfortunately this does not appear to have worked either. Avenger rebooted only once. I saw no black box. But I did get the log below. Ran TFC and then (after reboot) MBAM. MBAM has same result after a couple of tries - still show generic.bot.h infection, seems to remove it and then finds it on rescanning. Beginning to get nervous - whatever this is, it sure is persistent.Logs:AvengerLogfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows Vista*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:Rootkit scan active.No rootkits found!Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}" not found!Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existCompleted script processing.*******************Finished! Terminate.MBAMMalwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4863Windows 6.0.6002 Service Pack 2Internet Explorer 7.0.6002.1800510/20/2010 8:57:51 PMmbam-log-2010-10-20 (20-57-51).txtScan type: Quick scanObjects scanned: 139502Time elapsed: 7 minute(s), 45 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44bba855-cc51-11cf-aafa-00aa00b6015n} (Generic.Bot.H) -> No action taken.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Gammo Posted October 21, 2010 ID:331022 Share Posted October 21, 2010 Hi,Please download OTM Save it to your desktop. Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)::Processes:Services:Reg[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}]:Filesipconfig /flushdns /creg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}" /f /c:Commands[purity][resethosts][emptytemp][emptyflash][createrestorepoint][reboot]Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.Click the red Moveit! button.Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.Close OTM and reboot your PC.Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Link to post Share on other sites More sharing options...
garymbam Posted October 22, 2010 Author ID:331395 Share Posted October 22, 2010 OTM log belowAll processes killed========== PROCESSES ==================== SERVICES/DRIVERS ==================== REGISTRY ==========Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}\ not found.Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}\ not found.========== FILES ==========< ipconfig /flushdns /c >Windows IP ConfigurationSuccessfully flushed the DNS Resolver Cache.C:\Users\Gary\Desktop\cmd.bat deleted successfully.C:\Users\Gary\Desktop\cmd.txt deleted successfully.< reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}" /f /c >C:\Users\Gary\Desktop\cmd.bat deleted successfully.C:\Users\Gary\Desktop\cmd.txt deleted successfully.========== COMMANDS ==========C:\Windows\System32\drivers\etc\Hosts moved successfully.HOSTS file reset successfully[EMPTYTEMP]User: All UsersUser: Default->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 0 bytes->Flash cache emptied: 0 bytesUser: Default User->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 0 bytes->Flash cache emptied: 0 bytesUser: Gary->Temp folder emptied: 804 bytes->Temporary Internet Files folder emptied: 5899991 bytes->Java cache emptied: 0 bytes->Flash cache emptied: 0 bytesUser: Public->Temp folder emptied: 0 bytes%systemdrive% .tmp files removed: 0 bytes%systemroot% .tmp files removed: 0 bytes%systemroot%\System32 .tmp files removed: 0 bytes%systemroot%\System32\drivers .tmp files removed: 0 bytesWindows Temp folder emptied: 90 bytes%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytesRecycleBin emptied: 0 bytesTotal Files Cleaned = 6.00 mbRestore point Set: OTM Restore PointOTM by OldTimer - Version 3.1.16.1 log created on 10212010_201922Files moved on Reboot...C:\Users\Gary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P68P0AYW\iframe[1].htm moved successfully.C:\Users\Gary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FHFCC8QL\index[2].htm moved successfully.C:\Users\Gary\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.Registry entries deleted on Reboot... Link to post Share on other sites More sharing options...
garymbam Posted October 22, 2010 Author ID:331566 Share Posted October 22, 2010 I should also mention that MBAM still shows generic.bot.h - unclear to me from the OTM log whether OTM thinks it was successfully removed. Link to post Share on other sites More sharing options...
Gammo Posted October 22, 2010 ID:331788 Share Posted October 22, 2010 Hi,Run SystemLook againCopy the content of the following codebox into the main textfield::regfind44bba855-cc51-11cf-aafa-00aa00b6015n:regHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components /sClick the Look button to start the scan.When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.Note: The log can also be found on your Desktop entitled SystemLook.txt Link to post Share on other sites More sharing options...
garymbam Posted October 22, 2010 Author ID:331870 Share Posted October 22, 2010 Thanks for your patience with this. System Look log below:SystemLook 04.09.10 by jpshortstuffLog created at 17:08 on 22/10/2010 by GaryAdministrator - Elevation successful========== regfind ==========Searching for "44bba855-cc51-11cf-aafa-00aa00b6015n"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}]========== reg ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components](No values found)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]@="Microsoft Windows Media Player""IsInstalled"= 0x0000000000 (0)"Version"="11,0,6002,18311""ComponentID"="WMPACCESS""LocalizedName"="@%SystemRoot%\system32\wmploc.dll,-128""StubPath"="C:\Windows\system32\unregmp2.exe /ShowWMP""DontAsk"= 0x0000000002 (2)"Locale"="*"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]@="Internet Explorer""LocalizedName"="@C:\Windows\system32\ie4uinit.exe,-21""ComponentID"="IEACCESS""Dontask"= 0x0000000002 (2)"IsInstalled"= 0x0000000001 (1)"Locale"="*""StubPath"="C:\Windows\system32\ie4uinit.exe -UserIconConfig""Version"="6,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]@="Browser Customizations""LocalizedName"="@C:\Windows\system32\iedkcs32.dll,-3052""ComponentiD"="BRANDING.CAB""IsInstalled"= 0x0000000001 (1)"Locale"="*""StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP""Version"="6,0,6000,16386"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]@="Java (Sun)""ComponentID"="JAVAVM""IsInstalled"= 0x0000000001 (1)"KeyFileName"="C:\Program Files\Java\jre6\bin\regutils.dll""Version"="5,0,5000,0""Locale"="EN"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]@="""Version"="11,0,6000,6324"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]@="Microsoft Windows Media Player 11.0""IsInstalled"= 0x0000000001 (1)"Version"="11,0,6002,18311""DontAsk"= 0x0000000002 (2)"Locale"="EN"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}]"ComponentID"="Director""IsInstalled"=01 00 00 00 (REG_BINARY)"Version"="10,1,4,20""Locale"="EN"@="Adobe Shockwave Director 10.1.4"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}]"ComponentID"="Director""IsInstalled"=01 00 00 00 (REG_BINARY)"Version"="10,1,4,20""Locale"="EN"@="Adobe Shockwave Director 10.1.4"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]@="Themes Setup""LocalizedName"="@%SystemRoot%\system32\themeui.dll,-2682""ComponentID"="Theme Component""IsInstalled"= 0x0000000001 (1)"Locale"="EN""StubPath"="%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll""Version"="1,1,1,9"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]@="Offline Browsing Pack""ComponentID"="MobilePk""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3C3901C5-3455-3E0A-A214-0B093A5070A6}]"Locale"="""Version"="4,0,30319,0""ComponentID"=".NETFramework"@=".NET Framework"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]"IsInstalled"= 0x0000000001 (1)"Dontask"= 0x0000000002 (2)"Locale"="*""ComponentID"="MailNews""CloneUser"= 0x0000000001 (1)"StubPath"=""%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE""Version"="6,0,6002,18005"@="Microsoft Windows Mail 7"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]"Version"="11,0,6000,6324"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}](No values found)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}](Unable to open key)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]@="Internet Explorer Help""ComponentID"="HelpCont""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]@="Microsoft Windows Script 5.7""ComponentID"="MSVBScript""IsInstalled"= 0x0000000001 (1)"Locale"="EN""Version"="5,7,6002,18222"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]@="Internet Explorer Setup Tools""ComponentID"="GenSetup""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]@="Browsing Enhancements""ComponentID"="ExtraPack""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005""KeyFileName"="%SystemRoot%\system32\msieftp.dll"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]@="Microsoft Windows Media Player""IsInstalled"= 0x0000000001 (1)"Version"="11,0,6000,6324""ComponentID"="Microsoft Windows Media Player""LocalizedName"="@%SystemRoot%\system32\wmploc.dll,-128""StubPath"="%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI""DontAsk"= 0x0000000002 (2)"Locale"="EN"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]@="MSN Site Access""ComponentID"="MSN_Auth""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="4,9,9,2"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]@="Address Book 7""Version"="6,0,6002,18005""IsInstalled"= 0x0000000001 (1)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}]@=".NET Framework""Locale"="""ComponentID"=".NETFramework""Version"="2,0,50727,0"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]@="Windows Desktop Update""LocalizedName"="@%SystemRoot%\system32\shell32.dll,-32969""ComponentID"="IE4_SHELLID""IsInstalled"= 0x0000000001 (1)"Locale"="en""StubPath"="regsvr32.exe /s /n /i:U shell32.dll""Version"="6,0,6002,18287"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]@="Internet Explorer""LocalizedName"="@C:\Windows\system32\ie4uinit.exe,-20""ComponentID"="BASEIE40_W2K""IsInstalled"= 0x0000000001 (1)"Locale"="en""StubPath"="C:\Windows\system32\ie4uinit.exe -BaseSettings""Version"="7,0,6000,16386"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix](No values found)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]"IsInstalled"= 0x0000000001 (1)"ComponentID"="DOTNETFRAMEWORKS""StubPath"="C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install""DontAsk"= 0x0000000002 (2)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]@="Dynamic HTML Data Binding""ComponentID"="Tridata""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="7,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]@="Internet Explorer Core Fonts""ComponentID"="Fontcore""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="6,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]"IsInstalled"= 0x0000000001 (1)"Version"="2,1,4025,0""ComponentID"="Windows Movie Maker v2.1"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}]@="Adobe Flash Player""ComponentID"="Flash""IsInstalled"=01 00 00 00 (REG_BINARY)"Version"="10.0.45.2""Locale"="EN"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]@="HTML Help""ComponentID"="HTMLHelp""IsInstalled"= 0x0000000001 (1)"Locale"="*""Version"="6,0,6002,18005"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]@="Active Directory Service Interface""ComponentID"="ADSI""IsInstalled"= 0x0000000001 (1)"Locale"="EN""Version"="5,0,00,0"-= EOF =- Link to post Share on other sites More sharing options...
Gammo Posted October 22, 2010 ID:331897 Share Posted October 22, 2010 Hi,I've asked the other experts for some assistance. I'll post back to you when we've found a possibility solution for your problem. Link to post Share on other sites More sharing options...
Gammo Posted October 23, 2010 ID:332214 Share Posted October 23, 2010 Hi,Backing Up Your RegistryDownload ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)Install ERUNT by following the prompts(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)Start ERUNT(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)Choose a location for the backup(the default location is C:\WINDOWS\ERDNT which is acceptable).Make sure that at least the first two check boxes are tickedPress OKPress YES to create the folder.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Please download ZipIt from here:Download 1Double-click ZipIt! to run it.Then copy the content of the following codebox and paste it into the textfield of ZipIt:::info::ERUNT back-up::info::GammoC:\WINDOWS\ERDNTThen, just click the Zip button.When finished, and if successful, a new file will have been created on your Desktop. You will be notified of what the file name is when the process has been completed.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Click here to send me a private message (PM).Enter a Message Title and and a small message.Then attach the .zip file that has been created on your desktop by ZipIt! to the PM.To attach a file, do the following:Under the reply panel is the Attachments PanelBrowse for the attachment file you want to upload, then click the green Upload button Link to post Share on other sites More sharing options...
garymbam Posted October 23, 2010 Author ID:332279 Share Posted October 23, 2010 I have the Zipit file (86MB!) but do not have an attachment panel in messenger. Can I post this file on the forum or is there some other way to get it to you? Link to post Share on other sites More sharing options...
Gammo Posted October 25, 2010 ID:333426 Share Posted October 25, 2010 Hi,We have the file.Set Windows to check for hard disk errors the next time you start you computer. Use method one of this article: How to Run Check Disk at Startup in Vista. Make sure you check both options during step 7.After scheduling the disk check, please restart your computer so that the disk check will take place. This will take about 30 minutes or so to finish, depending on how big your hard drive is. Do not stop chkdsk once it has started, let it finish.NOTE: Method one of the article may not always run a disk check when the computer restarts on some computers. So if the computer restart only takes a few minutes (like normal), then the disk check didn't take place. Please tell me if you suspect that the disk check didn't take place.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~After the disk check, please run another quick scan with MBAM. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Link to post Share on other sites More sharing options...
garymbam Posted October 26, 2010 Author ID:334015 Share Posted October 26, 2010 Incredibly, MBAM still finds it, thinks it has removed it and it is still there on sucessive scans. MBAM log below.Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4950Windows 6.0.6002 Service Pack 2Internet Explorer 7.0.6002.1800510/26/2010 6:19:18 AMmbam-log-2010-10-26 (06-19-18).txtScan type: Quick scanObjects scanned: 140326Time elapsed: 6 minute(s), 13 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44bba855-cc51-11cf-aafa-00aa00b6015n} (Generic.Bot.H) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
garymbam Posted October 28, 2010 Author ID:335312 Share Posted October 28, 2010 Are you still with me on this? Link to post Share on other sites More sharing options...
Gammo Posted October 28, 2010 ID:335319 Share Posted October 28, 2010 Hi,Yes, try this please:Please download and unzip Icesword to its own folder on your desktopClose all windows and disconnect from the Internet. Then run IceSword.exe.Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them.HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015N}Then reboot your PC and run Malwarebytes' Anti-Malware again. Perform a quick scan with it and post the log file of the scan in your next reply. Link to post Share on other sites More sharing options...
garymbam Posted October 28, 2010 Author ID:335337 Share Posted October 28, 2010 I can't run IceSword. I get the following error: "Initialize failed[1]!"Tried three times, all without internet or open windows and once in safe mode w/o networking. Same error each time. Any thoughts? Link to post Share on other sites More sharing options...
Gammo Posted October 29, 2010 ID:335912 Share Posted October 29, 2010 Hi,The registry key appears to be a corrupted entry in the registry.Please add the entry to the ignore list:Start Malwarebytes' Anti-MalwareOnce the program has loaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Select the registry entry, and click Ignore.Then click the Exit button to close MBAM.The registry entry shouldn't be detected anymore in future scans. Link to post Share on other sites More sharing options...
garymbam Posted October 29, 2010 Author ID:336125 Share Posted October 29, 2010 Done and it no longer shows up. Thanks for your patience and help with this. Link to post Share on other sites More sharing options...
Gammo Posted October 29, 2010 ID:336147 Share Posted October 29, 2010 Hi,Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. Remove Combofix now that we're done with it.Please press the Windows Key and R on your keyboard. This will bring up the Run... command.Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")Please follow the prompts to uninstall Combofix.You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Download OTC to your desktop and run itA list of tool components used in the Cleanup of malware will be downloaded.If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.Click Yes to begin the Cleanup process and remove these components, including this application.You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Please download JavaRa to your desktop and unzip it to its own folderRun JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.Accept any prompts.Open JavaRa.exe again and select Search For Updates.Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Keep a backup of your important filesNow, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Make proper use of your anti-virus and firewallYou should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean' then it's doesn't necessarily has to mean it is.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Keep all your software updatedIt is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Use a safer web browserInternet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple good free alternatives: Firefox and Opera. Both are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.If you decide to use the Firefox browser, the McAfee SiteAdvisor add-on will nicely help to enhance your security. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Some other security programsIt is wise these days to have a few security programs installed and running on your machine except from just an anti-virus and a firewall. I will list some of them.A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.SpywareBlaster to help prevent spyware from installing in the first place.MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Be carefulHaving security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, some of these things will still infect you. It is highly recommend that you uninstall all peer-to-peer programs. It just isn't worth it.Other common ways of getting infected are dis-reputable sites forcing you to download and install a codec. Or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming it to be "photos" from a friend, only for it to turn out to be a virus.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Slow computer?If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, it's parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!Cheers,Gammo Link to post Share on other sites More sharing options...
Recommended Posts