Wednesday, December 13, 2006

Latest SPYWARE : Project1

DEXTER'S BLOG'S

PROJECT 1 :


This is spyware that is present on the computer. You can remove it using these steps:

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

[Remember to reverse this and re-hide these files & folders when your computer is fixed]

--------------------------

Download CleanUp! here: http://www.cleanup.stevengould.org/

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.

--------------------------

Reboot your system in Safe Mode by repeatedly tapping the F8 key until the menu appears (or the F5 key if F8 doesn't get to the safe menu).

--------------------------

In HijackThis, go to Config > Misc. Tools > Open process manager. Select the following and click “Kill process” for each one (you must kill them one at a time):

C:\dfndrdd_6.exe

C:\nwnmdd_6.exe

C:\kybrddd_6.exe

C:\WINNT\msdds.exe


--------------------------

Click Start > Control Panel > Add / Remove Programs and uninstall the following programs IF FOUND:

Support.com

[NB >> Comcast (the cable folks who are replacing @home in some parts of the USA) have struck a deal with Tioga to provide an "enhanced" support and self-repairing tool. This is "beta" at present and was made available to download by mistake. Remove.]

--------------------------

Open HijackThis and click on Scan. Check the following entries IF present (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [defender] C:\\dfndrdd_6.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmdd_6.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrddd_6.exe
O9 - Extra button: Help - {45543056-5B65-47B5-AC8B-26513ACCAE8A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {BB024CF6-667D-49E8-899C-EAD756B24A2A} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {F19458E2-29DA-4356-9903-125538C6C21D} - http://www.comcastsupport.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.ne
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.ca


Please remember to close all other windows, including browsers, before clicking “Fix checked”.

--------------------------

Delete the following Files and Folders indicated in bold IF they still exist:

C:\Program Files\Support.com
C:\dfndrdd_6.exe
C:\nwnmdd_6.exe
C:\kybrddd_6.exe

If you get an error when deleting a file, right-click the file and click Properties.

Then check whether the Read Only attribute is checked/ticked. If it is, uncheck/untick it and try deleting the file again.

--------------------------

Reboot to normal mode.
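
To check after the reboot that the entries from the HijackThis step are gone, a saved HijackThis log can be scanned for them. The Python below is an added example, not part of the original post or of HijackThis; it matches only the four executables and the Support.com and toolbar.isearch.com references listed above (not the Internet Explorer branding lines), and its sample log is constructed from lines in this post plus two made-up benign ones.

```python
import ntpath
import re

# Indicators copied from the process, file and HijackThis lists in the post above.
BAD_EXES = {"dfndrdd_6.exe", "nwnmdd_6.exe", "kybrddd_6.exe", "msdds.exe"}
BAD_TEXT = ("support.com", "toolbar.isearch.com")

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - <body>"
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

def exe_name(command):
    """Return the lower-cased executable file name of an O4 command line."""
    path = re.sub(r"\\{2,}", r"\\", command.strip())       # C:\\x.exe -> C:\x.exe
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        # Cut at the first ".exe" so arguments are dropped and folder spaces survive.
        m = re.match(r"(?i)(.*?\.exe)\b", path)
        path = m.group(1) if m else path
    return ntpath.basename(path).lower()

def flag_log(log_text):
    """Return (section, reason, line) for every log line matching an indicator."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # header, process list or blank line
        section, body = m.groups()
        o4 = O4_RE.match(body) if section == "O4" else None
        if o4 and exe_name(o4.group(4)) in BAD_EXES:
            hits.append((section, "autorun:" + o4.group(3), raw.strip()))
        elif any(t in body.lower() for t in BAD_TEXT):
            hits.append((section, "text-match", raw.strip()))
    return hits

# Constructed sample log: three lines from the post plus two benign lines.
SAMPLE = r"""Logfile of HijackThis
O4 - HKLM\..\Run: [defender] C:\\dfndrdd_6.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
"""

if __name__ == "__main__":
    for section, reason, line in flag_log(SAMPLE):
        print(section, reason, line, sep=" | ")
```

An empty result from `flag_log` on a fresh log means none of these indicators remain; any hit means the corresponding step should be repeated.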

--------------------------

Go here:

www.bullguard.com/forum/12/Before-posting-a-log_24992.html

To remove spyware and to get latest updates on them:
http://www.remove-spyware.com/solutions.htm

Work through all the steps carefully, repeating previous scans etc. if necessary.
This will fix the issue.

Ganesh.KB