Re: Danger warning! to the public and note to Databaseben

Hello, Glen! I just thought I'd stick a short post in here, letting you know
that I finally got my HijackThis! log finished. I copied it and emailed it
to you last night. I just thought I'd mention it here in case you didn't
receive the email (been known to happen!). If you didn't, please let me know
here. I have the email stored in my Sent Box and could re-send to you if you
didn't get mine from last night.

As far as my computer, I will leave it "as is" until I hear from you. I
only removed one more item that one of the tutorials said could interfere
with the HijackThis! program, which was Weatherbug. If everything checks out
OK, I will probably re-install a couple of items I un-installed earler and
will check my msconfig, as suggested, each time I re-add an item.

I'm sure you're busy, so just go over the file when you have time. This
last problem has been an interesting experience, although I cringe when I see
my 2 topics managed to "rack up" 54 posts! Anyway, no one wants problems but
this forum is so helpful, and I gain new knowledge every time I have come
here.

Thanks again.

Sue :^)

"glee" wrote:

You have a very questionable toolbar installed.....Advanced Searchbar. It's core
files are listed among those connected with toolbars which can cause undesired ads
and pop-ups:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078631

"BHOs are not stopped by personal firewalls, because they are seen by the firewall
as your browser itself. Some exploits of this technology search all pages you view
in IE and replace banner advertisements with other ads. Some monitor and report on
your actions. Some change your home page."

I suggest *at the very least* that you look at Start> Control Panel> Add and Remove
Programs, and if Advanced Searchbar is listed, that you select it and click the
Remove button. If it remove successfully, things should improve, but ideally your
system should be checked by someone with experience reading "HijackThis" logs. If
you like, you can send me a log from HijackThis via email, and I will check it for
you privately, as doing so on these groups is not preferred.

Download and unzip HijackThis from one of these locations:
http://www.majorgeeks.com/download3155.html
http://aumha.net/downloads/hijackthis.zip
Unzip to a folder *other than* your Desktop or the Temp folder (preferably make a
HJT folder on your desktop and unzip it to there), double-click HijackThis.exe, and
hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Press that, save the log somewhere you can find it (Desktop, My Documents, or
similar).
Most of what it lists will be harmless or even required, so do NOT fix anything yet.

Copy the log files and paste them into an email to me at glen.vee@xxxxxxxxx

See the "housekeeping" you should complete before you post your log:
http://aumha.org/forum/viewtopic.php?t=4075

A tutorial for using Hijack This is located here:
http://tomcoyote.com/hjt/

If there are any other problems shown in your log, I will explain what may need to
be done. Hopefully, simply uninstalling the Searchbar via Add and Remove will be
sufficient.
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/
http://dts-l.org/goodpost.htm


"MtnLadyinBlackHills1986" <MtnLadyinBlackHills1986@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:524CF463-D99B-4220-8E8A-114C7BC104C1@xxxxxxxxxxxxxxxx
Hi again, Glen. Here are the "Add-ons that have been used by Internet
Explorer" that you requested and were lost last night when Microsoft picked
the worst possible moment to make me log in:

AUDIO__MID Moniker Class - Microsoft
AUDIO__WAV Moniker Class - Microsoft
DHTML Edit Control Safe for Scripting for IE5 - Microsoft
HHCtrl Object - Microsoft
HTML Document - Microsoft
iTunesDetector Class - (Not Verified)
LSControl Class - Symantec
LSSupCtl Class - Symantec
Microsoft Scriptlet Component - Microsoft
MsnMessengerSetupDownloadControl Class - Microsoft MSN
MUWebControl Class - Microsoft
Office Update Installation Engine - (Not Verified) Microsoft
QuickTime Object - (Not Verified) Apple
RealPlayer G2 Control - (Not Verified) - RealNetwork
SearchAssistantOC - Microsoft
Shell Name Space - Microsoft
Shockwave Flash Object - Macromedia
Symantec Script Runner Class - Symantec
Symantec SmartIssue - Symantec
SymLTQueries Class - Symantec
SymSubQueries Class - Symantec
Tabular Data Control - Microsoft
Update Class - Microsoft Windows XP Pub.
Web Browser Applet Control - (Not Verified) Microsoft
Windows Genuine Advantage Validation Tool - Microsoft
Windows Media Player - Microsoft
Windows Media Player - Microsoft (NOTE: Listed twice - not a typo)
WUWebControl Class - Microsoft
XML Document - Microsoft
YInstStarter Class - Yahoo!
Advanced Searchbar - Advanced Search
Windows Messenger - (No Publisher Given)
Yahoo Messenger - Yahoo!
Adobe PDF Reader Link Helper - Adobe
Advanced Searchbar - Advanced Search (NOTE: Listed twice - not a typo)
CNavExtBho Class - Symantec
eBay Toolbar Helper - eBay
MSN Search Toolbar Helper - Microsoft MSN
PrxcnBHO Class - (Not Verified) Proxyconn
Yahoo! Toolbar Helper - Yahoo!
Advanced Searchbar - Advanced Search (NOTE: Listed 3rd time - not a typo)
eBay Toolbar - eBay
MSN Search Toolbar - Microsoft MSN
Norton AntiVirus - Symantec
Yahoo! Toolbar - Yahoo!

Whew! There they are! All this is certainly improving my typing and
proofreading skills! Ha! Good luck in going through them. Maybe you'll
find something interesting!

Thanks and good night!

Sue

"MtnLadyinBlackHills1986" wrote:

AAARRRRRHHHHHH! Glen, I wrote you a long answer to your last post, including
a very long list of Add-ons used by Internet Explorer and pressed "Post".
Pardon my language, but damn Microsoft made me log in again and when I came
back, my whole message was gone!!! I've got things to do and I'm just not up
to typing that all again. I'll try to give it a shot again tomorrow.

Sue

"glee" wrote:

Replies inline, interspersed below.....

"MtnLadyinBlackHills1986" <MtnLadyinBlackHills1986@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote
in message news:79D6C024-E8C1-469B-8FC7-6D65C1B0206C@xxxxxxxxxxxxxxxx
Glee, you were correct about the Norton and McAffee virus scans. My local
ISP does an email scan using McAffee before it reaches my mailbox. The
Norton is on my own system. You say that Norton says its own email scanning
is redundant, unnecessary and can cause problems? You'd think they'd remove
it from their software line.....

You'd think! By their own admission, it is redundant. As long as you have
your
resident virus scanner running in the background, the email scanner affords no
useful additional protection. yet, most A-V apps include it. Why? Because
users
*think* it makes them safer, and you give them what helps in their feeling of
security. If one supplier adds email scanning, they all must, lest they look
like
they are not trying to protect you as well as the competition.


I did run another Ad-Aware SE full scan last night, and it did not find any
more traces of a Trojan Horse.

That is good, and much as I suspected. From your original description, it was
never
a trojan horse in the first place, but a trojan downloader, which can download
its
friends, the trojan horses and other mal-ware. You may have only had it in
your
browser temporary cache. I can't tell because it is now in quarantine and you
cannot give me the exact description from when it was detected. You say it was
found in or connected to the Ntregopt file. With this trojan downloader in
quarantine, can you still find the original Ntregopt.exe file on your computer
in
the folder it has been living in all these months?


I will check out the AVG software you gave me the links for. Did you see
the post by "Joe"? He mentioned a software called "Free Home" with the
option to do a boot scan? Do you know anything about this?

The AVG Anti-Spyware app will find most trojans and spyware, and much that is
missed
by Ad-Aware and other apps. Do not confuse it with it's sister app, AVG
Anti-Virus,
which is an A-V program that you don't need, since you already have Norton.

Joe mentioned Avast Free Home A-V....it is another anti-virus program, and you
don't
need it. Your current A-V can be configured to do a boot scan when you start
the
computer, if it isn't doing it already. It won't help find a trojan, most
likely,
as they aren't loading prior to Windows.


I'm sorry to sound so confused, but I am a computer novice. I have several
people who are kind enough to want to try to help me, but I'm starting to get
"information overload".

Quite understandable, and overload is very easy to hit, even for experienced
professionals. I would not have even entered the thread except the info I saw
you
getting seemed to be too far off the mark. There appears thus far to be no
need or
reason to wipe anything out, restore anything, or go back months, for this
little
thing.


But I guess the main point to this post is: in answer to your question,
when I did a full rescan on Ad-Aware SE last night, there was NO indication
of Trojan Horse traces again. The Trojan trace info in my original post is
still quarantined in my Ad-Aware.

OK. Either install and run Ewido/AVG Anti-Spyware as described in my earlier
link,
or just run their online scanner, which I also linked. Have it quarantine or
delete
what it finds (quarantine is usually "safer" in terms of avoiding mistakes).

In you reply to DatabaseBen, you mentioned seeing a toolbar/BHO from Proxyconn,
Inc
which you disabled. That is a legitimate BHO which is the Proxyconn Web
Accelerator, used by some ISPs to speed up their dial-up access:
http://www.proxyconn.com/

You might check with your ISP as they may have included it. Regardless, you
can for
now disable it....at worst having it disabled will only slow down your web
pages
loading.

Go back to where you disabled the BHOs and toolbars, in Internet Explorer>
Tools
menu> Manage Add-Ons. In the drop-down list, select "Add-ons that have been
used by
Internet Explorer" rather than just "Add-ons that are currently loaded". If
it's
not too much work, post back with a list of what is shown there. I don't need
all
the info listed, just the Names and the first word of the Publishers list.

I can give you some links to reading on how to adjust your settings in IE to
help
prevent some of these issues, but for now I think you have more than enough to
chew
on, so I can hold those till later. Or I can simply bow out of the thread if
you
would rather work with someone else. :-) I'm easy.
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/
http://dts-l.org/goodpost.htm



"glee" wrote:

I haven't found Webroot Spysweeper's background monitoring to be very
useful, nor
the background monitoring of any other anti-spyware utilities. I do prefer
AVG
Anti-Spyware (formerly Ewido) for on-demand scanning for spyware and trojan
downloaders:
http://www.ewido.net/en/

They've also got an online scan:
http://www.ewido.net/en/onlinescan/

I am not a fan of either Norton or McAfee anti-virus, though either should
be
effective against viruses, but somewhat less so against trojans and trojan
downloaders. I can't imaging having both installed at the same time (in
fact, I
don't think they will co-habit), so I am guessing the McAfee scan you refer
to is
just an online email scan that your ISP uses prior to your receiving the
email.

Turn off the email scanning in your resident anti-virus (Norton, I
presume).....even
Symantec support states it is redundant and unnecessary, and can cause
problems.

You mentioned that the trojan downloader was quarantined (by Ad-Aware,
IIRC), so
do
you still detect any trojans or downloader when you rescan? If so, where
are
they
being found....what location on your hard drive? If they are being found in
System
Restore or in the Ad-Aware quarantine folder, then you only have to clear
the
quarantine area through the Ad-Aware interface, and or reset System Restore
to
delete old restore points.
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/
http://dts-l.org/goodpost.htm


"MtnLadyinBlackHills1986"
<MtnLadyinBlackHills1986@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote
in message news:B24E2E08-5C4A-43E7-A154-2031978DBB1E@xxxxxxxxxxxxxxxx
Glee, I found from talking to another person later that the NTREGOPT
program
was not the cause of the Trojan Horse, although possibly it could have
used
it to "sneak" the Trojan Horse onto my computer.

So now it appears I have a Trojan Horse on my system! I have used
security
software from 3 major companies (LavaSoft, Symantec/Norton, and Webroot),
have installed all the security downloads from Microsoft, have my firewall
up, have not added any toolbars, do not go to the so-called "dark side" of
.