Blocking infested applications

Hello,

Have spent a good few hours of this weekend getting rid of the crap on my mum's PC.

Someone *cough* installed limewire, zango and some other nasties, and there has been quite a lot of spyware / rogues to deal with. Right now I'm trying to tackle Registry Defender Platinum...

I anticipate that all this junk may well be installed again as soon as I'm out of the way. So... is there anything I can do to prevent zango and limewire being put back on... short of setting up a super secret administrator password?

TIA...
My TV is broken! :cry:
Edit: refunded £515 for TV 1.5 years out of warranty - thank you Sale of Goods Act! :j

Comments

  • Domokun
    Domokun Posts: 213 Forumite
    Block its internet access in the firewall too, then if *cough* they *cough* manage to get it back on, it'll be blocked from internet access.
    Super geek.
  • frivolous_fay
    frivolous_fay Posts: 13,302 Forumite
    Much as I'd like to put a secret admin password on, it would cause a riot, because I'd then have to make sure the stuff (music etc) belonging to the *cough* malicious element was still accessible, and we aren't on speaking terms...! (It's not my mum :D)

    I noticed that Limewire was on the list of exceptions on the firewall, so I have removed it, but I'm not sure what to do about Zango. It's XP Media Edition btw.

    Still battling Registry Defender Platinum ... /spit
  • Give MalwareBytes a blast - it is normally very good at removing rogue software.

    Malware Bytes

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
  • frivolous_fay
    frivolous_fay Posts: 13,302 Forumite
    So far SAS has got rid of some, Trend got rid of a few but failed to deal with 1 of the ones it picked up. Malwarebytes has picked up 45 infected files so far. Registry Defender has to go! :angry:
  • Can you post the Malwarebytes log when complete?
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    This stops other users having access to install programs

    http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

    and it's free

    Windows SteadyState can also return your computer and hard disk to its exact condition before the user touched it, simply by rebooting.
    Ex forum ambassador

    Long term forum member
  • frivolous_fay
    frivolous_fay Posts: 13,302 Forumite
    I'll take a look at SteadyState. Having glanced at the blurb, I think it depends on having different user accounts set up?

    The problem here is that there is only one user account, not password protected, and 2-4 people using it.

    I'd love to set up separate user areas... but I don't know how I could do it without someone screaming that some of their stuff was missing (ie. ended up on the wrong account)

    I leave here in a day and I don't really want to leave a lit fuse behind me :D
  • frivolous_fay
    frivolous_fay Posts: 13,302 Forumite
    It was the full scan I did, log below.
  • frivolous_fay
    frivolous_fay Posts: 13,302 Forumite
    Malwarebytes' Anti-Malware 1.30
    Database version: 1328
    Windows 5.1.2600 Service Pack 2
    27/10/2008 22:31:17
    mbam-log-2008-10-27 (22-31-16).txt
    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 195276
    Time elapsed: 1 hour(s), 11 minute(s), 27 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 63
    Registry Values Infected: 6
    Registry Data Items Infected: 0
    Folders Infected: 6
    Files Infected: 262
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
  • That cleared out some crap!

    Give this online scanner a go:

    Please go to Eset Onlinescan (NOD32)
    (You need to use Internet Explorer or enable IEView in Firefox)
    • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
    • Now click Start
    • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
    • Click Start (the Onlinescanner will now prepare itself for running on your pc)
    • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
    • Press Scan
      The Onlinescan will now start and scan your pc (please let it run to completion)
    • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
    • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
      The Scan results will now open in Notepad
    • Click into the text area, right-click and choose "select all"
    • Right-click again and choose "copy"
    • Close Notepad

    Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

    Include this log in your reply by right-clicking and "paste" in the text area of the reply post you just created.
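
Added example, not part of the original thread: a small Python triage of a Malwarebytes log in the layout posted above. It tallies detections by family, lists items that were not reported as "Quarantined and deleted successfully." (the reboot case the instructions mention), and checks whether the pasted item lists match the header counts. The sample log, its paths and GUIDs are constructed placeholders, and the "Delete on reboot." status line is an assumed example of a non-final result.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log in this thread; all objects are placeholders.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Scan type: Full Scan (C:\|D:\|)
Registry Keys Infected: 4
Registry Values Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002} (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\example.placeholder (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Example\placeholder1.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Example\placeholder2.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")  # header counts
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")                  # detail section start
ITEM = re.compile(r"^(?P<object>.+) \((?P<family>[^()]+)\) -> (?P<status>.+)$")
OK_STATUS = "Quarantined and deleted successfully."


def triage(log_text):
    """Return family tallies, unresolved items and header/list count mismatches."""
    declared, items, section = {}, [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SUMMARY.match(line):
            declared[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            items.append({"section": section, **m.groupdict()})
    listed = Counter(i["section"] for i in items)
    return {
        "by_family": Counter(i["family"] for i in items),
        # Anything not fully removed needs a reboot and a re-scan before trusting the machine.
        "unresolved": [i for i in items if i["status"] != OK_STATUS],
        # (declared, listed) pairs that differ mean the paste is incomplete.
        "truncated": {s: (n, listed[s]) for s, n in declared.items() if listed[s] != n},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A non-empty `truncated` result means the pasted log is shorter than its own header claims, so ask for the full log file before judging the clean-up.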
This discussion has been closed.