
How to remove Video Add-on and antispyware/security toolbar 7.1

Security Toolbar 7.1 is an adware program that also installs rogue security applications and displays false alerts on the compromised computer.

A few things to do before cleaning.

Download and install HijackThis.
Download Avenger and unzip to your desktop.
Download SDFix and save the file to your desktop. Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Temporarily disable your anti-spyware program so it does not block the cleanup tools; re-enable it once your PC is clean.

Open Notepad and copy/paste the text below into it:

REGEDIT4

; Remove the two Browser Helper Object registrations
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8249E69-A809-4544-832F-64EB65747A92}]

; Remove the toolbar from the machine-wide and per-user toolbar lists
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
"{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}"=-

; Remove the COM classes, ProgIDs and type library behind the toolbar
[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[-HKEY_CLASSES_ROOT\CLSID\{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

Save this as fix.reg to your Desktop (in Notepad, set Save as type to All Files so it is not saved as fix.reg.txt).
Double-click fix.reg. When it asks whether you want to merge the information into the registry, click Yes, then click OK when it is done.

Start HijackThis. Click “Do a system scan only.” and check the boxes next to all the entries listed below:

O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{54D4F041-4839-4858-A10E-F62F0AB1AD05}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O22 - SharedTaskScheduler: caribi - {8b87dcc7-9b89-4205-aa82-076b2a1edfe0} - (no file)

Before fixing the O17 entries, check that the NameServer addresses are not the resolvers your ISP or router actually hands out; removing a legitimate DNS setting breaks name resolution until it is reassigned. Then close all browser and other windows except HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Reboot your PC.
Open the SDFix folder and double-click RunThis.bat.

* Type Y to begin the cleanup process.
* It removes any trojan services and registry entries it finds, then prompts you to press any key to reboot.
* Press any key and it will restart the PC.
* When the PC restarts, the fix tool runs again and completes the removal, then displays Finished; press any key to end the script and load your desktop icons.

Run Avenger.
Check the ‘Input script manually’ option. Click the magnifying glass icon. In the box that opens, copy and paste the following text:

Folders to delete:
C:\Program Files\Video Add-on
C:\Program Files\Helper
C:\Program Files\Winamp Toolbar\

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

After that, confirm the system is clean by running these free malware scanners.

If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum - MUST READ

December 9, 2007 on 7:59 am | In Tutorials - "How to" | No Comments |

Trojan Vundo/Virtumonde turns a good file into a Trojan-Dropper

VirusList posted about a new variant of Trojan Vundo/Virtumonde. The Vundo authors are now using file infection: Virtumonde checks which files run at Windows startup and tries to infect them. Effectively this turns the original host file into a Trojan-Dropper.

The dropper code is prepended to the original host file, and a copy of Virtumonde is appended to the same file. When the infected file is launched, it drops the original host file to %temp% and the Virtumonde file to the system directory.

Although Virtumonde uses an infection marker to avoid re-infecting the same file over and over, this doesn’t always work. There are samples of already-infected files being re-infected, after which the host file no longer runs. Re-infection does not, however, stop Virtumonde itself from running.
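The layout just described (dropper stub in front, original host and a Virtumonde copy appended) is something a PE parser can look for without running the file: the appended parts sit past the end of the last section, in what is usually called the overlay, and since they are whole executables their MZ/PE headers are visible there. The script below is an added example, not code from the VirusList write-up or from any AV vendor; it builds its sample executables in memory (valid headers, one section, no imports, not runnable) so that it works offline, and the sizes and bytes used for the host, stub and payload are made up for the demonstration.

```python
"""Check a Windows executable for the prepend/append layout described above.

Added example, not code from the original post or from any vendor. The sample
files are constructed in memory (valid MZ/PE headers, one section, no imports);
they are not runnable programs and contain no real Vundo code.
"""
import struct
import sys


def last_section_end(data: bytes) -> int:
    """Parse the PE headers and return the file offset where the last section's
    raw data ends. Anything after that offset is the overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    section_table = coff + 20 + opt_size       # IMAGE_SECTION_HEADER[]
    end = section_table + 40 * num_sections
    for i in range(num_sections):
        hdr = section_table + 40 * i
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_to_raw + size_of_raw)
    return end


def embedded_pe_offsets(data: bytes, start: int) -> list:
    """Offsets at or after `start` where a well-formed MZ header points at a
    PE signature, i.e. a whole executable stored inside another one."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def analyze(data: bytes) -> dict:
    """Overlay size plus the embedded executables found inside it. An overlay
    alone is normal (Authenticode signatures, installer payloads live there);
    an overlay holding complete PE images is the layout the post describes."""
    section_end = last_section_end(data)
    overlay = len(data) - section_end
    embedded = embedded_pe_offsets(data, section_end) if overlay > 0 else []
    return {
        "section_end": section_end,
        "overlay_size": overlay,
        "embedded_pe": embedded,
        "suspicious": overlay > 0 and len(embedded) > 0,
    }


def build_minimal_pe(code: bytes) -> bytes:
    """Constructed stand-in for a real executable: DOS header, PE32 headers,
    one .text section whose raw data starts at offset 512. Not executable."""
    raw_size = (len(code) + 511) // 512 * 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000)).ljust(224, b"\0")
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(code), 0x1000, raw_size, 512)
    headers = (dos + b"PE\0\0" + coff + opt + sect.ljust(40, b"\0")).ljust(512, b"\0")
    return headers + code.ljust(raw_size, b"\0")


# Constructed samples: a clean host, and the same host re-packaged the way the
# post describes (dropper stub in front, host and payload copy appended).
HOST = build_minimal_pe(b"\x55\x8b\xec\x33\xc0\x5d\xc3".ljust(200, b"\x90"))
DROPPER_STUB = build_minimal_pe(b"\x55\x8b\xec" + b"\xcc" * 100)
PAYLOAD = build_minimal_pe(b"\xcc" * 700)
INFECTED = DROPPER_STUB + HOST + PAYLOAD


if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else INFECTED
    print(analyze(target))
```

Run it with the path of a real executable to get the same report. Keep in mind that an overlay by itself proves nothing: signed binaries, installer stubs and self-extracting archives all carry one, so the script only raises the flag when the overlay contains embedded PE images, and even that is a triage hint to hand to a real scanner, not a Vundo detection.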

Read more: Virtumonde/Vundo goes file infector

December 9, 2007 on 7:10 am | In Trojan | No Comments |

How to make Internet Explorer more secure

Follow these simple instructions:

  • From within Internet Explorer, click the Tools menu and then click Internet Options.
  • Click the Security tab.
  • Click the Internet icon so it becomes highlighted.
  • Click the Custom Level button.
  • Change the following settings:
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disable
    Initialise and script ActiveX controls not marked as safe: Disable
    Installation of desktop items: Prompt
    Launching programs and files in an IFRAME: Prompt
    Navigate sub-frames across different domains: Prompt
  • When all these settings have been made, click OK. If it asks whether you want to save the settings, click Yes.
  • Press Apply and then OK to exit the Internet Properties page.
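Each of those Custom Level settings is a DWORD under the Internet zone's registry key, so the same hardening can be audited and applied without clicking through the dialog on every machine. The script below is an added example, not code from the original post; it assumes the per-zone layout IE uses (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, one value per action ID, with 0 = Enable, 1 = Prompt, 3 = Disable) and the six action IDs Microsoft documents for these settings, which you should confirm against your own IE build before acting on a result.

```python
"""Audit Internet Explorer's Internet zone (zone 3) against the custom-level
settings above, and emit a .reg file that applies them.

Added example, not code from the original post. It assumes IE's documented
per-zone layout: each custom-level action is a DWORD under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3,
named by its action ID, with 0 = Enable, 1 = Prompt, 3 = Disable. The six
action IDs below are the ones Microsoft documents for these settings.
"""
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action ID -> (setting name as shown in the Custom Level dialog, required value).
HARDENED_BASELINE = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_zone(values: dict) -> list:
    """Compare the zone's current action values with the baseline.

    `values` maps action ID -> int as read from the registry. Returns one
    (action, name, current, required) tuple per setting that is weaker than
    required. An absent value is reported too (current=None): IE then falls
    back to the zone template, which this script does not model, so check it
    in the dialog. The comparison relies on 0 < 1 < 3 matching
    Enable < Prompt < Disable.
    """
    findings = []
    for action, (name, required) in HARDENED_BASELINE.items():
        current = values.get(action)
        if current is None or current < required:
            findings.append((action, name, current, required))
    return findings


def hardening_reg_file() -> str:
    """Return a .reg file body that sets every baseline value for zone 3."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_CURRENT_USER\\" + ZONE_KEY + "]"]
    for action, (name, required) in HARDENED_BASELINE.items():
        lines.append(f"; {name} = {LEVEL_NAME[required]}")
        lines.append(f'"{action}"=dword:{required:08x}')
    return "\n".join(lines) + "\n"


def read_zone_from_registry() -> dict:
    """Read the current action values from HKCU (Windows only). A machine-wide
    policy (Security_HKLM_only) can make IE use the HKLM copy of the key
    instead; check that key too if the audit disagrees with the dialog."""
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for action in HARDENED_BASELINE:
            try:
                data, kind = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                continue
            if kind == winreg.REG_DWORD:
                values[action] = data
    return values


if __name__ == "__main__":
    import sys
    if "--reg" in sys.argv:
        print(hardening_reg_file(), end="")
    else:
        for action, name, current, required in audit_zone(read_zone_from_registry()):
            cur = "not set" if current is None else LEVEL_NAME.get(current, str(current))
            print(f"{action} {name}: {cur} -> set to {LEVEL_NAME[required]}")
```

Run it without arguments on the Windows machine to list the settings that are weaker than the baseline, or with --reg to write out a .reg file you can merge; the .reg route only changes HKCU, so it applies to the current user, not to every account on the PC.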

Read more:
How to use “Internet Zone Settings”
How to disable Active Scripting support
How to drop rights for safe surf

December 9, 2007 on 3:55 am | In Internet Browsers and Mail and News readers, Tips, Tutorials - "How to" | No Comments |

New updates to Ad-Aware and SpyBot-search & Destroy

Definition file 0038.0000 is now available for Ad-Aware 2007.

Definition file SE1R207 (03.12.2007) is now available for Ad-Aware SE.

New definitions:
====================
DrProtection +2
ErrorDigger +3
Win32.Trojan.AdClicker +2
Win32.TrojanDropper.Frijoiner +19

Updated definitions:
====================
ABetterInternet.Aurora
AdvancedCleaner +5
Adware.2Search +3
Adware.Agent +30
Adware.BHO(generic) +10
Adware.CasClient
Adware.Dropper
Adware.LoopAd
Adware.TTC
Adware.VapSup
Adware.WebBuying +3
AntiVermins +2
AntivirusPCSuite +4
AntiVirusPro
Awola
BPS SpywareRemover +4
BraveSentry
DeusCleaner +3
Dialer +4
FakeAlert +10
PCPrivacyTool
PurityScan
Redirected hostfile entry
Scam.AdwareRemoverGold +4
SpyShredder
SystemDefender +3
Toolbar.Softo
UltimateCleaner +4
Win32.Backdoor.Agent +12
Win32.Backdoor.Agobot
Win32.Backdoor.Bifrose
Win32.Backdoor.Delf +7
Win32.Backdoor.Haxdoor +4
Win32.Backdoor.Hupigon
Win32.Backdoor.IRCBot +7
Win32.Backdoor.Nepoe
Win32.Backdoor.Padodor
Win32.Backdoor.PcClient
Win32.Backdoor.RBot +7
Win32.Backdoor.SDBot +3
Win32.Backdoor.VB +3
Win32.Dialer.Trojan
Win32.Generic.PWS +4
Win32.Generic.Worm +3
Win32.Rootkit.Agent +6
Win32.Trojan.Agent +28
Win32.Trojan.BHO
Win32.Trojan.Delf
win32.Trojan.Dnschanger +5
Win32.Trojan.Downloader +2
Win32.Trojan.KillAV +3
Win32.Trojan.MatrixHasYou +10
Win32.Trojan.Pakes +6
Win32.Trojan.Pushdo +2
Win32.Trojan.Qhost +3
Win32.Trojan.Small +5
Win32.Trojan.Spambot
Win32.Trojan.Spy +10
Win32.TrojanClicker +7
Win32.TrojanDownloader.Adload
Win32.TrojanDownloader.Agent +30
Win32.TrojanDownloader.Alphabet +9
Win32.TrojanDownloader.Banload
Win32.TrojanDownloader.Delf +17
Win32.TrojanDownloader.NewMedia +30
Win32.TrojanDownloader.Nurech +4
Win32.TrojanDownloader.Obfuscated +6
Win32.TrojanDownloader.QQHelper +4
Win32.TrojanDownloader.SecMediaOnline
Win32.TrojanDownloader.Small +13
Win32.TrojanDownloader.Tiny
Win32.TrojanDownloader.VB +5
Win32.Trojandownloader.Zlob +7
Win32.TrojanDropper +10
Win32.TrojanProxy.Agent.dl +9
Win32.TrojanProxy.Bobax
Win32.Trojan-PSW.Delf +5
Win32.Trojan-PSW.Lineage +4
Win32.Trojan-PSW.Sinowal +2
Win32.TrojanPWS.LdPinch +7
Win32.TrojanPWS.Lmir +2
Win32.TrojanPWS.OnlineGames +79
Win32.TrojanPWS.WebMoner +2
Win32.TrojanSpy.Banker +20
Win32.TrojanSpy.Broker +2
Win32.TrojanSpy.BZub +10
Win32.TrojanSpy.Goldun +5
Win32.TrojanSpy.Peed
Win32.TrojanSpy.Zbot +14
Win32.Worm.Autorun +2
Win32.Worm.Feebs +2
Win32.Worm.LockSky +4
Win32.Worm.Zhelatin
WinPerformance
Virtumonde +19
XPAntivirus +2

Download Ad-aware

Updates to SpyBot-search & Destroy

Hijacker
+ IESearchToolbarHelper.vbs
Keylogger
+ Perfect Keylogger
Malware
+ Awola.Anti-Spyware
+ BPS Spyware Cops
+ BPS Spyware Remover
+ BPS SpywareStriker
+ BPS.SpywareZapper
+ IEDefender
+ SecureMyPC
+ SpyLax
+ SpyStriker
+ SpyViper
+ SpywareAnnihilatorPro
+ TrustCleaner
+ Vcodec.eMedia
+ WiperWizard
PUPS
+ Maxion.MaxnetShield
Security
+ Microsoft.Windows.RedirectedHosts
Trojan
+ Bancos.Qhost.tu
+ DropAgent.rtk
+ FakeMSUpdate.ede
+ Smitfraud-C.MSVPS
+ Virtumonde.ddc
+ Zlob.Downloader
+ Zlob.Downloader.iec
+ Zlob.Downloader.oid
+ Zlob.Downloader.vcd
+ Zlob.Downloader.vdt
+ Zlob.VideoActiveXObject

Download SpyBot-search & Destroy

December 9, 2007 on 2:44 am | In Updates | 3 Comments |

How to remove webcry.com hijacker

Symptom: When you do any kind of search, the results appear as normal, but when you click a link in the results the page goes blank and you keep getting redirected to webcry.com.

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri) and extract its contents (a folder named SmitfraudFix) to your desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 - BHO: (no name) - {4A4CB994-9A38-DF0F-2760-0708BFE8F63A} - C:\Program Files\****\****.dll
O2 - BHO: (no name) - {52EA2AED-161F-45A5-EBAC-0293CA8C771C} - C:\Program Files\****\****.dll
O4 - HKLM\..\Run: [*****] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\*****.dll"

Note: **** stands for a string of random characters, such as ‘utgboudx’ or ‘mgfaejew’.

Now close all browser and other windows except HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Press 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry?”; answer Yes by typing Y and pressing Enter, which removes the rogue desktop background and cleans the registry keys associated with the infection.
The tool then checks whether wininet.dll is infected. If it is, you may be prompted to replace the file; answer Yes by typing Y and pressing Enter.
The tool may need to restart your computer to finish the cleaning; if it doesn’t, restart into normal Windows yourself.

Run CCleaner.

Click the Analyze button. When the scan of your system finishes, click Run Cleaner.

Reboot your PC.

If you are still having problems with spyware after completing these instructions, please follow the steps in: Spyware removal - Read this before posting
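Both this walkthrough and the Security Toolbar 7.1 one above come down to the same judgement calls on a HijackThis log: O4 autoruns hiding under Policies\Explorer\Run, an O4 entry that abuses regsvr32 as a launcher, O17 NameServer entries you never configured, a nameless O2 BHO, and an O22 task with no file behind it. The script below, an added example that is not part of either post and not a HijackThis feature, runs those checks over a pasted log. Its sample log is constructed from the lines quoted in the two posts (the redacted **** names filled in with the random examples the post itself gives) plus one benign autorun, and EXPECTED_DNS is an assumption you must replace with the resolvers your ISP or router actually assigns.

```python
"""Triage helper for HijackThis "Do a system scan only" output.

Added example, not part of either removal post and not a HijackThis feature.
It applies the judgement both walkthroughs make by hand to a pasted log:
O4 autoruns under Policies\Explorer\Run, O4 entries that use regsvr32 as a
launcher, O17 NameServer values you did not configure, O2 BHOs with no name,
and O22 SharedTaskScheduler entries whose file is gone.
"""
import re

# Assumption: the resolvers this machine should be using. Removing a legitimate
# O17 entry breaks name resolution, so check these before clicking Fix Checked.
EXPECTED_DNS = {"192.168.1.1"}

# Constructed sample: lines quoted from the Security Toolbar 7.1 and webcry.com
# posts (the redacted **** names filled with the post's own examples utgboudx
# and mgfaejew) plus one benign ctfmon.exe autorun to show what is NOT flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O22 - SharedTaskScheduler: caribi - {8b87dcc7-9b89-4205-aa82-076b2a1edfe0} - (no file)
O2 - BHO: (no name) - {4A4CB994-9A38-DF0F-2760-0708BFE8F63A} - C:\Program Files\utgboudx\utgboudx.dll
O4 - HKLM\..\Run: [mgfaejew] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mgfaejew.dll"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[0-9.,\s]+)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")


def triage(log: str, expected_dns=EXPECTED_DNS) -> list:
    """Return (section, reason, line) for every entry worth a second look."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        if (m := O4_RE.match(line)):
            if "policies\\explorer\\run" in m["key"].lower():
                findings.append(("O4", "autorun via Policies\\Explorer\\Run, a policy "
                                 "location legitimate software rarely uses", line))
            if re.search(r"\bregsvr32(\.exe)?\b", m["cmd"], re.IGNORECASE):
                findings.append(("O4", "regsvr32 used as a launcher: the DLL's "
                                 "Dll(Un)RegisterServer runs at every logon", line))
        elif (m := O17_RE.match(line)):
            servers = {s.strip() for s in m["servers"].split(",") if s.strip()}
            rogue = servers - set(expected_dns)
            if rogue:
                findings.append(("O17", "NameServer outside the expected set: "
                                 + ", ".join(sorted(rogue)), line))
        elif (m := O2_RE.match(line)) and m["name"].strip() == "(no name)":
            findings.append(("O2", "BHO with no name, CLSID " + m["clsid"], line))
        elif (m := O22_RE.match(line)) and m["path"].strip().lower() == "(no file)":
            findings.append(("O22", "SharedTaskScheduler entry whose DLL is missing", line))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, reason, line in triage(text):
        print(f"[{section}] {reason}\n    {line}")
```

Run it with the path of a saved HijackThis log, or with no argument to see the sample. The O17 check is the one to be careful with: an address that is merely absent from your list is not automatically rogue, so confirm the resolvers before clicking Fix Checked.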

December 8, 2007 on 8:45 am | In Browser Hijacking, Tutorials - "How to" | 3 Comments |

Found first Christmas malware

F-Secure reported a malware run that uses fake Christmas cards as the lure.
Example:

A Dear friend has sent you an ecard from http://www.123Greetings.com
Your ecard will be available with us the next 30 days.

To view your card,CLICK HERE

Running the “ecard” file x-mas.exe installs Zapchast, an mIRC-based backdoor.

Read more: Merry Christmas and so on

December 4, 2007 on 3:25 am | In Malware | 1 Comment |

Found some new fake codecs

The Sunbelt blog reported some new fake codecs:

codechq - codechq(dot)net
Pushes a Trojan DNSChanger for both Windows and Mac. Sample binaries: Mac: codechq(dot)net/download/codechq(dot)dmg; Windows: codechq(dot)net/download/codechq(dot)exe.

vplprocedure - vplprocedure(dot)com
Sample binary vplprocedure(dot)com/download.php?id=10581

codectime - codectime(dot)com
Pushes a Trojan DNSChanger for both Windows and Mac. Sample binaries: Mac: codectime(dot)com/download/codectime(dot)dmg; Windows: codectime(dot)com/download/codectime(dot)exe

If you cannot remove the fake codecs, follow the steps in the topic Spyware removal - Read Before Posting.

December 3, 2007 on 6:42 am | In Trojan, spyware | No Comments |

MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.