  1. I like Sygate, but the problem I am having is that the user interface does not usually seem to load automatically at startup. I think the program may run in the background unseen, but it is disturbing that I have to run the program manually to see the interface. It used to load automatically, though it was always slow to do so. That is why I am thinking of switching. Also, the interface only shows on the user who logs in first. That can be an inconvenience, though on the other hand, since I usually am the first to log in, it keeps other users from allowing things to access the internet, so maybe it is actually safer! I think I will try something else... probably Comodo or Online Armor. Tried ZA free once and hated it. Couldn't make heads or tails of it, couldn't get it to behave. Sygate seems easier. I am not very knowledgeable about FW's.
  2. Yay! I installed SP3 (from the big download). I had MS tech support on the phone with me, in case I experienced problems, but I didn't. Haven't yet tested all programs and peripherals, but I haven't noticed any adverse effects yet. Thank you for all the help! I will give it about a week, to make sure all is working well, then will switch from Sygate to a different FW. (Is there a reason you recommend Online Armor free over Comodo free?) After all the scans we've run, I feel comfortable whitelisting all my current programs. Oh -- I re-enabled Tea Timer. Do you think that should be ok, or will it conflict with my other anti-malware (WinPatrol free, Windows Defender, a-squared anti-dialer free)? That should bring us to the end of this thread -- thanks again!!!
  3. Spybot 1.6.2 found 5 problems, all Firefox bookmarks on a limited user acct. One bookmark was labeled "Aornum", and was from newfb.iwon.com. Four bookmarks were labeled "Spywareinfo.TrafficZ", and were from spywareinfo.com. I let Spybot fix all of these (though I thought maybe the latter were FP's?). Do you think it is necessary to re-run all the backups? (I would rather not...) I tend not to use my bookmarks much these days (other than the ones on my bookmarks toolbar). I usually just search Google again or use my Zotero snapshots. Spybot didn't find any Zotero problems.
  4. Thank you. I believe my latest ASR backup creation worked. And I used Syncback to copy all user data to the external drive, too. I have just installed SpyBot 1.6.2, and will do a full scan. If there is a problem, I will post back here. Otherwise, I am ready for SP3. Thanks very much for all the help.
  5. Thank you so much for all your help. I have not installed SP3 yet because I am having trouble getting a good backup. Tried 2ce yesterday. First time, chose backup option "back up everything on this computer". Well, it tried to recursively back up the external drive I was backing up to! (I'd had this happen once before, but had forgotten.) So that didn't work -- drive filled up. Second time, tried using ASR wizard. Wasn't sure exactly which files it was backing up. But when it finished 2-3 hrs later, it seemed like it had tried to copy the c: drive, as I desired, and it prompted me for the floppy for the system files. (I have borrowed a floppy drive.) Problem is, according to the log, the backup failed: The operation did not successfully complete. Log did not specify a reason, but backup time was given as less than 10 min. However, there is a 70GB backup file on the external drive. Ugh... Will try again later. Might try using Macrium Reflect for the first time, if I can figure out how to make the BartPE boot diskette. Will post to PC Help forum if I have problems.
  6. I have NoScript and AdBlock Plus installed. And I do use ERUNT. I had been using CCleaner registry cleaner pretty regularly -- guess I've just been lucky that it never screwed things up. Hoping to make more progress toward SP3 today...
  7. Regarding the links you provided -- F-Secure Health Check reminded me that Spybot teatimer is turned off. Should I turn it back on? I wasn't 100% clear on how to use the hphosts site. I assume I need to download some file? I looked up one of my email providers (myway.com), and found out they are supposedly engaged in malware distribution (EMD). That was news to me -- bad news, since I have several yrs worth of correspondence on their server, and it will be hard to leave that behind! How reliable are these assessments, do you know? I have downloaded (but not yet installed) sitehound for both FF and IE. (I also recently added the web-of-trust (WOT) add-on to Firefox.) Before installing SP3, I still need to run Detect and Repair for Word, maybe another AV scan, do an incremental backup (or a new ASR backup), and toggle System Restore, and maybe run CCleaner again. Is it okay to use it to clean the registry, if I back up the changes first? Will try to get SP3 installed tomorrow or the next day. I downloaded the big version (about 20 min with DSL).
  8. Here is the log from my Kaspersky online scan:

     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7 REPORT
     Friday, February 13, 2009
     Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
     Kaspersky Online Scanner 7 version:
     Program database last update: Friday, February 13, 2009 23:24:18
     Records in database: 1794250
     --------------------------------------------------------------------------------
     Scan settings:
     Scan using the following database: extended
     Scan archives: yes
     Scan mail databases: yes
     Scan area - My Computer:
     C:\
     D:\
     E:\
     Scan statistics:
     Files scanned: 252165
     Threat name: 1
     Infected objects: 1
     Suspicious objects: 0
     Duration of the scan: 03:49:54
     File name / Threat name / Threats count
     C:\Documents and Settings\(ADMIN_USER)\My Documents\downloaded files\a2AntiDialerSetup.exe Infected: not-a-virus:RemoteAdmin.Win32.Rejoice.l 1
     The selected area was scanned.
     ---------- END OF KASPERSKY REPORT -----------------------------

     I am guessing this is a false positive. I do have a-squared anti-dialer installed, and I do still have the installer, but I've had it there since 2007, and it's never been picked up as infected before, either by previous Kaspersky scans or any other scans. I could, of course, delete it. I just keep things so that I can see what I've installed and when. I uploaded the suspect file to jotti.org.

     -----JOTTI RESULTS --------
     Service load: 0% 100%
     File: a2AntiDialerSetup.exe
     Status: INFECTED/MALWARE
     MD5: f7a634dc30e5bcdcf2d67cef45c9bc85
     Packers detected: PE_PATCH.UPX, UPX
     Scanner results
     Scan taken on 14 Feb 2009 04:04:52 (GMT)
     A-Squared Found nothing
     AntiVir Found nothing
     ArcaVir Found nothing
     Avast Found nothing
     AVG Antivirus Found nothing
     BitDefender Found nothing
     ClamAV Found nothing
     CPsecure Found nothing
     Dr.Web Found MULDROP.Trojan (probable variant)
     F-Prot Antivirus Found nothing
     F-Secure Anti-Virus Found not-a-virus:RemoteAdmin.Win32.Rejoice.l (6, 2, 606)
     G DATA Found nothing
     Ikarus Found nothing
     Kaspersky Anti-Virus Found not-a-virus:RemoteAdmin.Win32.Rejoice.l
     NOD32 Found nothing
     Norman Virus Control Found nothing
     Panda Antivirus Found nothing
     Sophos Antivirus Found nothing
     VirusBuster Found nothing
     VBA32 Found nothing
     ------- END JOTTI RESULTS -----------

     If you think this is a false positive, then I guess I am about ready to download and install (the BIG) SP3! I will toggle System Restore and do an incremental backup first. Thank you for the links to the anti-malware programs. I have Spyware Blaster and WinPatrol, but I will add the others. I have Secunia PSI installed, and I will try the F-Secure Health Check. I think I should also check my FW, both before and after switching from Sygate to Comodo or Online Armor. (I had been planning on using Comodo free, but I see you are recommending Online Armor free.) Thank you so much for all the help and instruction. I learned about some new programs (some of which I will not run on my own!) and feel my system is probably cleaner and better tuned than ever. And I feel a lot more secure about installing SP3 now. Thanks for all your time.
  9. Can you please leave the thread open until I get the AV scan results (later today, I expect)? Thanks!
  10. Re-installed Java. Thanks for the link and instructions. In the future, when updating Java, should I uninstall the older version before installing the newer version? I had been installing over the old, then removing the older version. (And it took me a while to learn that you needed to uninstall the old versions -- initially, I thought maybe the new depended on the old -- so when I learned you were supposed to uninstall, I had a bit of a backlog.) Thank you again!
  11. Just curious about one thing -- if I am using FF (with the NoScript extension) -- and if I am very careful about email attachments -- how did I get the infections I mentioned in my post yesterday? Did I inappropriately allow some site in NoScript that was not as safe as I thought it was? I hope I am not straying too far off topic here -- but if you have a link to a page which suggests IE security settings for the Internet Zone, I'd appreciate it. I never use IE (except for Windows Update) if I can avoid it. So I used to have my Internet zone setting set for really high security, so that no site would work unless I put it in my trusted sites zone. But I think maybe one of the IE updates I installed yesterday moved my Internet zone settings back to medium high (and my Trusted Sites to medium). Although maybe that's ok? Also, I often have a cookie problem in IE. If I want to use a site, and I have to allow cookies, I add the site to the list of sites allowed to leave cookies. But that never seems to work -- it usually still tells me that I have to allow cookies. And sometimes when the information bar opens and says click here if you want to allow whatever, and then I click, and it still tells me click here to allow... I guess I've just become inexperienced with IE, since I use FF nearly exclusively.
  12. Sorry, haven't had a chance to run an online AV scan yet. High winds tonight, so don't want to run it overnight. (Already lost power once today.) Should be able to get to it tomorrow. Meanwhile, mouse died again, so I plugged in my new mouse. Installed the Logitech Setpoint software. Now I have even more stuff running at startup. And when I patched QuickTime, it also added a startup. Can you please tell me the best way to control startups (if the program itself doesn't give you an option) -- should I use Windows Defender or WinPatrol or something else? Do all these programs really need to be running all the time? Someone should invent a "close all apps" app, so you don't have to waste time exiting each one when you want to install software or run a scan. I also installed the MetaFrame Presentation Server Client (Plug-in) and Citrix Presentation Server Client. When I get to the point of installing SP3, in addition to closing AV and other security programs, should I close Sygate FW? If yes, should I turn Windows FW on? Thanks -- back soon with the results of the AV scan.
  13. Ugh, I see what you mean about Search 4.0. And I do hope you can't search across users (from a non-admin acct). I don't suppose there is any going back? I will reinstall Java, and run one more AV scan. I'll let you know what is found. I followed the link you gave for SP3. It's a bit disconcerting to have it say in all caps: DO NOT CLICK DOWNLOAD IF YOU ARE UPDATING JUST ONE COMPUTER. But if you're sure that is the best way to do this... It does seem iffy to try to download such a huge patch from Windows Update. (I see it's 1-3 hrs, depending on your DSL speed -- I don't know mine.) Is it going to ask me for input as I install it? Will I have to make any choices? If yes, maybe I should have a MS tech support person standing by. Will it reboot multiple times? If yes, do I just log back into the admin acct each time? Thanks!
  14. Thank you for the link. As far as I can tell, I am not having any malware symptoms. The last known infections I had were (from most recent to furthest back):

      1. Trojan.DNSChanger (detected and removed by Malwarebytes quick scan on 12-25-08).
      2. Trace.Directory.Berm.Amazon Toolbar!A2 (detected by a-squared free smart scan on 12-25-08). I thought this might be related to Amazon's MP3 Downloader, which I had just installed. (Also, I had experienced a BSOD after the install, but possibly that was caused by connecting my mp3 player for the first time - it hasn't happened since.) I uninstalled the MP3 Downloader, and the toolbar is no longer detected.
      3. AdWare_MEMWATCHER (detected by TrendMicro Housecall online scanner on 11-25-08) - After Googling, I decided the AdWare_MEMWATCHER might be a false positive related to SpyBot's Host file immunization program, so I didn't do anything about it. When I uploaded my HOSTS file to the jotti.org online scanner, ArcaVir found Adware.Softomate.K, CPSecure found Troj.W32.Qhost.ajk, but no other scanners detected anything. So I decided to treat all of these as false positives, and ignore them.
      4. Heuristics.Reserved.Word.Exploit (detected by Malwarebytes quick scan on 11-25-08). Wasn't sure what to do with this, because I didn't want to be too quick to delete a system file (C:\Windows\system32\SMSS.TMP). So I started running other scans, found the problems listed above, some of which were probably false positives, but which distracted me so much that I forgot to do anything about this! Meanwhile, it is no longer being detected....

      If these are all gone (or innocent), then hopefully my system is clean. Maybe I should re-run SpyBot, Ad-Aware, and maybe the a2-free quick scan? And maybe Kaspersky online or ESET NOD32 online? (I've never been able to get NOD32 to run yet -- I tried adding it to trusted sites in IE7, but that didn't work, and my security settings are too high.)
OR maybe I should just leave well-enough alone, since I don't seem to have symptoms??? If I run enough scans, I'm likely to find something else! Today, I ran Windows Update and installed some high priority patches (but not SP3). I also installed two optional patches, a root certificate update and Windows Search 4.0 for Windows XP. (This last means I have another program running at startup. I don't know if that's a good thing, but I thought maybe it would speed up the Windows Search function.) I will also do the Detect and Repair option to try to solve my Word crashes. Do you think I am ready to re-install Java? And am I ready for SP3? Microsoft is offering free help with the SP3 install (and it makes me nervous that they feel they need to do this). Do you think I should take them up on that, or just install it through Windows Update? Thanks very much, again.
  15. And here is my RootRepeal log:

      ROOTREPEAL © AD, 2007-2008
      ==================================================
      Scan Time: 2009/02/10 12:45
      Program Version: Version
      Windows Version: Windows XP SP2
      ==================================================

      Drivers
      -------------------
      Name: dump_atapi.sys
      Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
      Address: 0xB6531000 Size: 98304 File Visible: No
      Status: -

      Name: dump_WMILIB.SYS
      Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
      Address: 0xF79B5000 Size: 8192 File Visible: No
      Status: -

      Name: giveio.sys
      Image Path: giveio.sys
      Address: 0xF7A50000 Size: 1664 File Visible: No
      Status: -

      Name: hiber_WMILIB.SYS
      Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
      Address: 0xF799F000 Size: 8192 File Visible: No
      Status: -

      Name: mchInjDrv.sys
      Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
      Address: 0xB38FB000 Size: 2560 File Visible: No
      Status: -

      Name: rootrepeal.sys
      Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
      Address: 0xB40C9000 Size: 45056 File Visible: No
      Status: -

      Name: speedfan.sys
      Image Path: speedfan.sys
      Address: 0xF798F000 Size: 5248 File Visible: No
      Status: -

      Name: uphcleanhlp.sys
      Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
      Address: 0xB3E9F000 Size: 6752 File Visible: No
      Status: -

      Hidden/Locked Files
      -------------------
      Path: C:\hiberfil.sys
      Status: Locked to the Windows API!

      SSDT
      -------------------
      #: 017 Function Name: NtAllocateVirtualMemory
      Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22b30

      #: 025 Function Name: NtClose
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb65796b8

      #: 041 Function Name: NtCreateKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6579574

      #: 053 Function Name: NtCreateThread
      Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf226f0

      #: 065 Function Name: NtDeleteValueKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6579a52

      #: 066 Function Name: NtDeviceIoControlFile
      Status: Hooked by "IPVNMon.sys" at address 0xf7850b23

      #: 068 Function Name: NtDuplicateObject
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657914c

      #: 108 Function Name: NtMapViewOfSection
      Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22470

      #: 119 Function Name: NtOpenKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657964e

      #: 122 Function Name: NtOpenProcess
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657908c

      #: 128 Function Name: NtOpenThread
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb65790f0

      #: 137 Function Name: NtProtectVirtualMemory
      Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22c50

      #: 177 Function Name: NtQueryValueKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657976e

      #: 204 Function Name: NtRestoreKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb657972e

      #: 247 Function Name: NtSetValueKey
      Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb65798ae

      #: 249 Function Name: NtShutdownSystem
      Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22990

      #: 257 Function Name: NtTerminateProcess
      Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf228d0

      #: 263 Function Name: NtUnloadKey
      Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xb3e9f63c

      #: 277 Function Name: NtWriteVirtualMemory
      Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xbaf22d60