Avoiding MalWare on your computer

 
 
DrewDad
 
Reply Sat 7 Nov, 2009 10:30 am
Another user brought up the subject of how to prevent your machine from getting infected while browsing the Internet. During that discussion I mentioned a (shareware) product called Sandboxie.

Sandboxie (and other similar products; this product was recommended to me by another computer professional) allows you to run your browser so that it is isolated from the rest of your computer. Any changes to the program, or add-ons that get installed, are automatically removed when you close the program.

Sandboxie is free (with a few advanced features disabled) for 30 days; after that you put up with nag screens if you want to continue using it free.

http://www.sandboxie.com/

Another option for keeping your machine safe is to run a virtual appliance. You can download the free VMware player, and then run a web browsing virtual appliance.

http://www.vmware.com/products/player/

 
panzade
 
  1  
Reply Sat 7 Nov, 2009 10:38 am
@DrewDad,
Thanx Dad. Just in time.
I've been begging for help with my browser hijacker that I acquired last week. It's sorta benign, but irritating. I have to redirect my searches two or three times to get the page I want. Either Google or Yahoo searches are compromised...nothing else.
None of my malware removers help, and a trip through PC Pitstop, the same.
DrewDad
 
  1  
Reply Sat 7 Nov, 2009 10:40 am
@panzade,
The stuff I posted will prevent malware, but will not remove existing infections.

If you run Hijack This! and post the log, I'll take a look at it.

http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
panzade
 
  2  
Reply Sat 7 Nov, 2009 10:46 am
@DrewDad,
Thanks Timber
0 Replies
 
panzade
 
  1  
Reply Sat 7 Nov, 2009 10:51 am
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:42 AM, on 11/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [Desktop Software] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /ini "uinstaller.ini" /fromrun /starthidden
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8065 bytes
0 Replies
 
panzade
 
  1  
Reply Sat 7 Nov, 2009 10:52 am
this O8 jumped out at me...gotta be the one...right?

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
Izzie
 
  1  
Reply Sat 7 Nov, 2009 11:04 am
@DrewDad,
You're a star DD. Thanku.

Couple questions before I do this?

1. I've read the FAQ - now, ya know I'm not too cpu savvy - does the sandboxie automatically put the browsers and email etc INTO the sandbox or is it going to ask a bunch of questions about what needs to go where? That may not even make sense, that question, but with the Norton folk last nite they asked me some questions and I just didn't know enough - they changed a lot of things in the PC Tune Up that they performed whilst I just watched them do it all from the USA.

2. How does it affect things like photobucket, web albums etc or doesn't it? eg. If i am in Picasa and upload to web albums, does that go thru the sandbox or straight off my hard drive?

3. I assume that anything done in the sandbox is deleted when the sandbox is closed down. So does that mean you have to close the sandbox each day/ every few hours / ???? I rarely turn my laptop off - should I be turning it off or just closing the browsers?

4. How does it affect the antivirus software updates if it is done on the transparency, or do the live updates (which on IObit I have running all the time) go straight into the OS?

5. How scared am I gonna be when I download this (ok, don't answer that question...) After seeing the laptop go haywire last nite - it is scary when you jack diddly about this stuff.


Thanks
BillRM
 
  1  
Reply Sat 7 Nov, 2009 11:33 am
@Izzie,
I have run Sandboxie for a year now, and you can allow your browser to save files into your documents folder, and I do so.

You also can take anything you wish to out of the sandbox and move it anywhere on your drive.

Suggest you read the docs and play with the settings.

I only empty the sandbox once a week or so, and I think it is set to complain if you have not done so for 10 days.

Oh, it does not care, as far as I am aware, about files being uploaded by your browser, only the other way around.

0 Replies
 
DrewDad
 
  1  
Reply Sat 7 Nov, 2009 02:41 pm
@panzade,
That would be my first candidate, yes.
DrewDad
 
  1  
Reply Sat 7 Nov, 2009 02:44 pm
@Izzie,
Browsers and E-mail are not automatically started in Sandboxie. Sandboxie runs a tray icon, which you can right-click->click Default Box-> click Run Browser, Run E-mail, Run Any Program, etc.

The sandboxed application can access your drive, so continue to be careful what you decide to save.

I'm currently running Sandboxie; it was simple to download and install.
panzade
 
  1  
Reply Sat 7 Nov, 2009 05:05 pm
@DrewDad,
Quote:
That would be my first candidate, yes.


Ok, so how do I remove it?
0 Replies
 
Izzie
 
  1  
Reply Sat 7 Nov, 2009 06:00 pm
@DrewDad,
OK... thank you thanks DD

no probs downloading, didn't know I installed, just it did...

I think I am in the sandbox now

if there's a [#]...[#] on the browser then I am assuming that this will be safe now... or safer than not being in it, as in i'm on the transparency

hmmmmm... so, if I open a picture off the www in the sandbox and wish to save it to my hard drive... that can't be done (because it's on the transparency.... (tried and failed, it says saved into [#]c:/..my pictures.1.jpg[#] but I can't find it in my pictures, which of course makes sense because it's on the transparency)

So how do I save pictures and know they are not infected? I guess I can't.

(never even questioned saving www pics before - do it nearly every day, last nite has got me so f.aheming spooked now - ack)


confusedIz.com????

(thank you for the advice too, BillRM)
dadpad
 
  1  
Reply Sat 7 Nov, 2009 06:03 pm
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
dadpad
 
  1  
Reply Sat 7 Nov, 2009 06:09 pm
@dadpad,
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
0 Replies
 
panzade
 
  1  
Reply Sat 7 Nov, 2009 06:23 pm
so...dad...are those malware?...and how do I dump them?
dadpad
 
  1  
Reply Sat 7 Nov, 2009 06:35 pm
Remove these if they are present in Add/Remove Programs:
LimeWire 4.18.6
My Way Search Assistant
My advice is to go here
http://forums.majorgeeks.com/showthread.php?t=35407
and follow the instructions in this thread EXACTLY.
It looks complicated and time consuming, but that is to idiot-proof the procedures.

I don't have a current copy of HJT, but if you check the box next to the objects we have identified there should be a "Remove all checked objects" button somewhere in HJT.
0 Replies
 
dadpad
 
  1  
Reply Sat 7 Nov, 2009 06:38 pm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) is not malware, but it does nothing, as there is no file connected to it.
0 Replies
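As an added illustration of the triage dadpad did by eye above (this is example code written for this page, not part of the thread and not Trend Micro's tool), a small Python script that parses the entry lines of a HijackThis log, flags entries referencing the MyWebSearch components named in the posted log, and marks hooks whose file is missing as dead rather than malicious. The sample lines are copied from the log posted in this thread; the indicator list is constructed from the names in that log only.

```python
import re
from collections import Counter

# Sample HijackThis entries, copied from the log posted earlier in this thread
# (raw string so the Windows paths keep their backslashes).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
"""

# Substrings that identify the MyWebSearch items singled out in the thread.
# Constructed from this log only; extend it with names you have confirmed.
KNOWN_BAD = ("mywebsearch", "mywebs~1", "m3srchmn", "mwsoemon")

# HijackThis entry lines start with a section code (R0, R3, O4, O8, ...).
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def classify(body):
    """Return 'suspicious', 'dead' or 'ok' for one HijackThis entry body."""
    lowered = body.lower()
    if any(marker in lowered for marker in KNOWN_BAD):
        return "suspicious"   # references a known hijacker component
    if lowered.endswith("(no file)"):
        return "dead"         # registered hook whose file is gone: inert, removable
    return "ok"


def triage(log_text):
    """Parse a log and return (section, verdict, line) for every entry line."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue          # header, process list and blank lines are skipped
        results.append((m["section"], classify(m["body"]), line.strip()))
    return results


def summarize(results):
    """Count verdicts so the reader sees at a glance how much needs fixing."""
    return dict(Counter(verdict for _, verdict, _ in results))


if __name__ == "__main__":
    for section, verdict, line in triage(SAMPLE_LOG):
        if verdict != "ok":
            print(f"[{verdict}] {line}")
```

Run on the full posted log, the script prints only the two O4 MyWebSearch Run entries, the O8 context-menu item, and the dead R3 hook, which matches the items the thread identified.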
 
BillRM
 
  1  
Reply Sat 7 Nov, 2009 06:40 pm
@Izzie,
A few comments: you can have all sandboxed programs shown with a border around them so you know for sure that the program is sandboxed. I picked a bright red border.

Second, for added security, have the programs run under reduced rights; if you are running XP that can be very useful and adds security.
DrewDad
 
  1  
Reply Sat 7 Nov, 2009 08:11 pm
@panzade,
HiJackThis should let you check the boxes next to the suspicious items, then you click "fix checked".
panzade
 
  1  
Reply Sat 7 Nov, 2009 08:26 pm
@DrewDad,
ok
0 Replies
 