Computer Hope
Software => Computer viruses and spyware => Topic started by: Quinness on October 09, 2008, 08:39:22 AM
-
Here are the logs from HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:59 PM, on 10/9/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\SSUPDATE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEE9ECD-E2B6-411B-ADC3-480BCB64598E}: NameServer = 86.64.145.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7BE54E0-1517-4ED2-A79C-90ED790DB98F}: NameServer = 86.64.145.144
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
--
End of file - 3310 bytes
-
The SASW scan log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/04/2008 at 08:13 PM
Application Version : 4.21.1004
Core Rules Database Version : 3588
Trace Rules Database Version: 1575
Scan type : Quick Scan
Total Scan Time : 00:05:23
Memory items scanned : 258
Memory threats detected : 1
Registry items scanned : 301
Registry threats detected : 26
File items scanned : 2855
File threats detected : 82
Trojan.LSP/RSVP32
C:\WINDOWS\SYSTEM32\RSVP32_2.DLL
C:\WINDOWS\SYSTEM32\RSVP32_2.DLL
C:\WINDOWS\SYSTEM32\RSVP32_2.DLL435
C:\WINDOWS\SYSTEM32\RSVP32_2.DLLEWFWE34F
C:\WINDOWS\SYSTEM32\RSVP32_2.DLLEWFWEF
Trojan.TaskDir
[taskdir] C:\WINDOWS\SYSTEM32\TASKDIR.EXE
C:\WINDOWS\SYSTEM32\TASKDIR.EXE
[taskdir] C:\WINDOWS\SYSTEM32\TASKDIR.EXE
[taskdir] C:\WINDOWS\SYSTEM32\TASKDIR.EXE
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#taskdir [ C:\WINDOWS\System32\taskdir.exe ]
HKU\S-1-5-21-1214440339-1078145449-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run#taskdir [ C:\WINDOWS\System32\taskdir.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#taskdir [ C:\WINDOWS\System32\taskdir.exe ]
C:\WINDOWS\SYSTEM32\ZLBW.DLL
Dloader-NL Trojan BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15ACE85C-0BB1-42d1-9E32-07EB0506675A}
Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b68470c-2def-493b-8a4a-8e2d81be4ea5}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5753791b-f607-48ca-814e-91c14d081f9e}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{746455fe-d059-47e7-af0e-140e03f5a447}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7a7e6d97-b492-4884-9abb-c31281dcc4f2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
Trojan.Media-Codec
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{860c2f6b-ca82-4282-9187-beccbb66f0af}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2595f37-48d0-46a1-9b51-478591a97764}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d1ac752e-883f-4ed8-8828-b618c3a72152}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fe2d25c1-c1db-4b5e-9390-af1cb5302f32}
Unclassified.Deskware
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e246fae-8420-11d9-870d-000c2917de7f}
Trojan.SmitFraud Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}
Trojan.Performent
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5875b8-93f3-429d-ff34-660b206d897a}
Trojan.DELF-NJ
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b212d577-05b7-4963-911e-4a8588160dfa}
Adware.SurfSideKick
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaonenetwork[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@sextracker[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
Malware.SpywareSheriff
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareSheriff_is1
Malware.TitanShield
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TitanShield Antispyware_is1
Malware.Antispyware Soldier
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antispyware Soldier_is1
Trojan.Downloader-UDL2
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\CJW.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RKRYYKG.EXE
Trojan.Fake-Drop/Gen
C:\WINDOWS\DIALUP.EXE
C:\WINDOWS\INETDCTR.DLL
C:\WINDOWS\SPP3.DLL
C:\WINDOWS\SYSTEM32\ANTI_TROJ.EXE
C:\WINDOWS\SYSTEM32\DLOAD.EXE
C:\WINDOWS\SYSTEM32\IEWD.EXE
C:\WINDOWS\SYSTEM32\MSMSN.EXE
C:\WINDOWS\SYSTEM32\NETSTAT2.EXE
C:\WINDOWS\SYSTEM32\PERFONT.EXE
C:\WINDOWS\SYSTEM32\PERFORMENT202.DLL
C:\WINDOWS\SYSTEM32\POPCORN72.EXE
C:\WINDOWS\SYSTEM32\PROQLAIM.EXE
C:\WINDOWS\SYSTEM32\WIN32HP.DLL
C:\WINDOWS\SYSTEM32\WINMUSE.EXE
Trojan.Downloader-Gen/ClownP
C:\WINDOWS\PP.EXE
C:\WINDOWS\Prefetch\PP.EXE-2E0C9B8F.pf
Trojan.Downloader-Gen/Win
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\SYSTEM32\AF.EXE.EXE
C:\WINDOWS\SYSTEM32\GAME5P.EXE.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\Prefetch\AF.EXE.EXE-1711E3D3.pf
Trojan.Mailer/ZU
C:\WINDOWS\SHOW.EXE
C:\WINDOWS\Prefetch\SHOW.EXE-34F4586A.pf
Trojan.Dropper/Storm
C:\WINDOWS\SYSTEM32\AA.EXE.EXE
C:\WINDOWS\Prefetch\AA.EXE.EXE-14C1C9D6.pf
Trojan.Downloader-Gen/ABC
C:\WINDOWS\SYSTEM32\ABC.EXE
C:\WINDOWS\Prefetch\ABC.EXE-07B9AC72.pf
Trojan.Downloader-ADir/TaskDir
C:\WINDOWS\SYSTEM32\ADIR.DLL
C:\WINDOWS\TEMP\_AVAST4_\UNP166091142.TMP
Trojan.VXGame-Gen
C:\WINDOWS\SYSTEM32\GAME1.EXE
C:\WINDOWS\SYSTEM32\GAME2.EXE
C:\WINDOWS\SYSTEM32\GAME4.EXE
C:\WINDOWS\SYSTEM32\VXGAMET1.EXE
C:\WINDOWS\Prefetch\GAME1.EXE-019BA37F.pf
C:\WINDOWS\Prefetch\GAME2.EXE-382FEAC1.pf
C:\WINDOWS\Prefetch\GAME4.EXE-22FC9B4F.pf
Trojan.Downloader-Gen/Game
C:\WINDOWS\SYSTEM32\GAME3.EXE
C:\WINDOWS\Prefetch\GAME3.EXE-16CEF2F1.pf
Trojan.Downloader-Loader242
C:\WINDOWS\SYSTEM32\JRGDJIHQ.EXE
C:\WINDOWS\SYSTEM32\XTREELAV.EXE
C:\WINDOWS\Prefetch\JRGDJIHQ.EXE-16FE56C8.pf
Trojan.Downloader-Gen/Snuke
C:\WINDOWS\SYSTEM32\MA.EXE.EXE
C:\WINDOWS\SYSTEM32\PP.EXE.EXE
C:\WINDOWS\Prefetch\MA.EXE.EXE-0062ADD7.pf
C:\WINDOWS\Prefetch\PP.EXE.EXE-36C305AC.pf
Trojan.VXGame/32
C:\WINDOWS\SYSTEM32\MPSEGMENT.EXE
C:\WINDOWS\SYSTEM32\VXH8JKDQ2.EXE
C:\WINDOWS\SYSTEM32\VXH8JKDQ6.EXE
Trojan.Downlaoder-Home
C:\WINDOWS\SYSTEM32\MSMAPI32.EXE
Trojan.Zlob-BY
C:\WINDOWS\SYSTEM32\MSVOL.TLB
Trojan.Downloader-WinCom32/Rootkit-Trace
C:\WINDOWS\SYSTEM32\WINCOM32.INI
Trojan.Downloader-Gen/WO
C:\WINDOWS\SYSTEM32\WO.EXE
Trojan.Downloader-Gen/ZU
C:\WINDOWS\SYSTEM32\ZU.EXE
C:\WINDOWS\ZU.EXE
C:\WINDOWS\Prefetch\ZU.EXE-046518A3.pf
C:\WINDOWS\Prefetch\ZU.EXE-3011EB7D.pf
-
And the Malwarebytes log
Malwarebytes' Anti-Malware 1.28
Database version: 1227
Windows 5.1.2600
10/4/2008 7:57:04 PM
mbam-log-2008-10-04 (19-57-04).txt
Scan type: Quick Scan
Objects scanned: 35733
Time elapsed: 3 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 23
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 42
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\ipv6mons.dll (Spyware.Bzub) -> Delete on reboot.
C:\WINDOWS\system32\asgp32.dll (Trojan.Downloader) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364d99-1240-4dff-b12a-67e448373148} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{73364d99-1240-4dff-b12a-67e448373148} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{73364d99-1240-4dff-b12a-67e448373148} (Spyware.Bzub) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{y479c6d0-otrw-u5gh-s1ee-e0ac10b4e666} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9ad5667-9e22-483a-851d-03561bd6e5e3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2ffa1bd3-1cfb-4934-b503-dc8f6d489cbd} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fa5b9933-1ae8-4a8d-9822-b20a6ca2b5ec} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fa5b9933-1ae8-4a8d-9822-b20a6ca2b5ec} (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ipv6mons.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xxxvideo.hta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\accesss.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\astctl32.ocx (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avpcc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\clrssn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mtwirl32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\notepad32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\olehelp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systeem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systemcritical.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\time.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\users32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\waol.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win32e.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win64.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winajbm.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\window.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winmgnt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xplugin.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\asgp32.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\game0.exe.exe (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sfxzmtforum.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sfxzmtsmt.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sfxzmtsmtspm.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sfxzmtwbmail.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtaim.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtforum.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtgtal.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmticq.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtsmt.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtsmtspm.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtwbmail.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtymsg.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stfv.bin (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ace16win.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcp.csv (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kernels64.exe (Worm.Zhelatin) -> Quarantined and deleted successfully.
-
To recap... the computer uses XP and could connect to the internet before the scans were done, but on every search it would lead you to the same page.
The browser is Internet Explorer. The internet will work when connected to a different machine; on this computer it says it's connected but it's not receiving.
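The three HijackThis sections that matter in the log above are the O2 BHO registrations with no backing file, the fourteen O10 lines naming rsvp32_2.dll in the Winsock LSP chain, and the two O17 entries that set NameServer = 86.64.145.144 on both interface GUIDs (a resolver forced onto every interface is consistent with "every search leads to the same page"). The following Python is an added example, not code from the thread or from Trend Micro's HijackThis: it parses excerpts copied from the posted logs and flags those three classes. The trusted-resolver set is an assumption (the thread never names the ISP's DNS servers), and the "after" excerpt is taken from the last HijackThis log in the thread, where the O2 and O10 entries are gone but both O17 entries still point at 86.64.145.144.

```python
"""Triage of HijackThis O2 / O10 / O17 entries and a before/after comparison.

Added example; not part of the original thread and not HijackThis code.
Log excerpts are copied from the thread; TRUSTED_RESOLVERS is an assumption.
"""
import ipaddress
import re
from collections import Counter

# Excerpt of the first HijackThis log posted in the thread (10/9/2008).
BEFORE_LOG = r"""
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEE9ECD-E2B6-411B-ADC3-480BCB64598E}: NameServer = 86.64.145.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7BE54E0-1517-4ED2-A79C-90ED790DB98F}: NameServer = 86.64.145.144
"""

# Excerpt of the final HijackThis log in the thread (10/10/2008, after ComboFix).
AFTER_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEE9ECD-E2B6-411B-ADC3-480BCB64598E}: NameServer = 86.64.145.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7BE54E0-1517-4ED2-A79C-90ED790DB98F}: NameServer = 86.64.145.144
"""

# Assumed: resolvers the owner actually configured (e.g. the home router).
TRUSTED_RESOLVERS = {"192.168.1.1"}

O2_ORPHAN = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]{36}\}) - \(no file\)$")
O10_LSP = re.compile(r"^O10 - Unknown file in Winsock LSP: (\S+)$")
O17_DNS = re.compile(r"^O17 - .*?(\{[0-9A-Fa-f-]{36}\}): NameServer = (.+)$")


def _is_trusted(ip, trusted):
    """A NameServer value that is not even an IP address is flagged too."""
    try:
        return str(ipaddress.ip_address(ip)) in trusted
    except ValueError:
        return False


def triage(log_text, trusted_resolvers):
    """Return orphaned BHO CLSIDs, unknown LSP DLL counts and untrusted resolvers."""
    findings = {"orphan_bho": [], "unknown_lsp": Counter(), "rogue_dns": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_ORPHAN.match(line):
            findings["orphan_bho"].append(m.group(1).lower())
        elif m := O10_LSP.match(line):
            # Each chain entry that layers over the DLL produces its own O10 line.
            findings["unknown_lsp"][m.group(1).lower()] += 1
        elif m := O17_DNS.match(line):
            guid = m.group(1).upper()
            for ip in m.group(2).replace(" ", "").split(","):
                if not _is_trusted(ip, trusted_resolvers):
                    findings["rogue_dns"].append((guid, ip))
    return findings


def persisted(before_text, after_text, trusted_resolvers):
    """Findings present in both logs, i.e. what the cleanup did not touch."""
    b = triage(before_text, trusted_resolvers)
    a = triage(after_text, trusted_resolvers)
    return {
        "orphan_bho": sorted(set(b["orphan_bho"]) & set(a["orphan_bho"])),
        "unknown_lsp": sorted(set(b["unknown_lsp"]) & set(a["unknown_lsp"])),
        "rogue_dns": sorted(set(b["rogue_dns"]) & set(a["rogue_dns"])),
    }


if __name__ == "__main__":
    for name, data in triage(BEFORE_LOG, TRUSTED_RESOLVERS).items():
        print(name, data)
    print("still present after cleanup:", persisted(BEFORE_LOG, AFTER_LOG, TRUSTED_RESOLVERS))
```

The comparison is the part worth keeping around: the HijackThis fix list and LSPFix clear the O2 and O10 findings, but a statically set NameServer on every interface survives every tool run in this thread, so it has to be checked against the resolvers the owner or ISP actually intended and reset to DHCP if it was not theirs.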
-
Open HijackThis and select Do a system scan only then place a check mark next to:
- O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
- O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
- O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
- O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
- O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
- O2 - BHO: (no name) - {a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
- O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
- O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
Now close all windows except for HijackThis and then click Fix checked
Exit HijackThis.
----------
A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
- Please download LSPFix (http://www.cexx.org/LSPFix.exe)
- Run the LSPFix.exe that you have just finished downloading.
- Check the I know what I'm doing box.
- In the Keep box you should see one or more instances of rsvp32_2.dll
- Select every instance of rsvp32_2.dll and move each one to the Remove box by clicking the >> button.
- If the rsvp32_2.dll file only appears on the right side then just click Finish and close the program.
- When you are done click Finish>>
.
----------
Download Dial-a-Fix (http://wiki.djlizard.net/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles) by djlizard, save it to the desktop then extract it to its own folder.
- Open the folder and run Dial-a-fix.exe
- 2 windows will open. Close the one in the background labeled Restrictive Policies
- Check the box in section 1, Empty temp folders.
- Check the box in section 2, Fix Windows Installer.
- Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
- Check all boxes in Section 5, labeled Registration Center.
- Click Go
- OK any error messages if received, but write them down and post them here.
- Restart the computer when done and then post a new HijackThis log.
.
Also let me know how everything is now.
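Why the LSP step has to happen before anything network-based will work: the SUPERAntiSpyware log earlier in the thread shows C:\WINDOWS\SYSTEM32\RSVP32_2.DLL being removed, while the HijackThis log taken afterwards still lists fourteen Winsock catalog entries that name rsvp32_2.dll. A catalog entry whose provider DLL cannot be loaded makes socket creation fail for every application that layers through it, which is exactly "connected but not receiving". LSPFix removes those entries and renumbers the chain. The Python below is an added example, not LSPFix's code and not from the thread: it audits a Winsock catalog dump for entries whose provider is not a known Microsoft DLL or whose DLL is absent from disk. The catalog text is a constructed excerpt in the layout that `netsh winsock show catalog` prints; the catalog IDs, the all-zero provider GUIDs and the set of known Microsoft provider DLLs are assumptions for illustration. The set of files present is passed in rather than read with os.path.exists so the check also runs offline on a dump from another machine.

```python
"""Audit a Winsock catalog dump for orphaned or foreign LSP entries.

Added example; not part of the original thread and not LSPFix code.
SAMPLE_CATALOG is constructed (netsh-style layout, assumed IDs/GUIDs), and
KNOWN_MS_PROVIDERS is an assumption listing the XP default provider DLLs.
"""
import re
from pathlib import PureWindowsPath

KNOWN_MS_PROVIDERS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

FOREIGN = "not a known Microsoft provider"
MISSING = "provider DLL missing on disk (Winsock cannot load this entry)"

SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        RSVP TCP Service Provider
Provider ID:                        {22222222-2222-2222-2222-222222222222}
Provider Path:                      %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID:                   1005
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        rsvp32_2
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      %SystemRoot%\system32\rsvp32_2.dll
Catalog Entry ID:                   1017
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        MSAFD Tcpip [TCP/IP] over rsvp32_2
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\rsvp32_2.dll
Catalog Entry ID:                   1018
Protocol Chain Length:              2
"""

ENTRY_HEADER = "Winsock Catalog Provider Entry"
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text):
    """Split the dump into entries and each entry into 'Field: value' pairs."""
    entries = []
    for chunk in text.split(ENTRY_HEADER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            if m := FIELD.match(line):
                fields[m.group(1)] = m.group(2)
        if fields:
            entries.append(fields)
    return entries


def audit_catalog(text, present_files):
    """Return (catalog_id, dll, reason) for every suspicious catalog entry.

    present_files: lowercase basenames of provider DLLs that exist on disk.
    A chain entry (Protocol Chain Length > 1) carries the path of the LSP
    layered on top of it, so one deleted DLL shows up once per chain entry,
    which is why HijackThis printed rsvp32_2.dll fourteen times.
    """
    problems = []
    for e in parse_catalog(text):
        dll = PureWindowsPath(e.get("Provider Path", "")).name.lower()
        cid = e.get("Catalog Entry ID", "?")
        if dll not in KNOWN_MS_PROVIDERS:
            problems.append((cid, dll, FOREIGN))
        if dll not in present_files:
            problems.append((cid, dll, MISSING))
    return problems


if __name__ == "__main__":
    # rsvp32_2.dll already deleted by the scanner, catalog entries left behind.
    on_disk = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}
    for cid, dll, reason in audit_catalog(SAMPLE_CATALOG, on_disk):
        print(f"catalog entry {cid}: {dll}: {reason}")
```

Note that rsvp32_2.dll is named to resemble the legitimate rsvpsp.dll provider; the allow-list is matched on the exact basename so the look-alike is still flagged. On XP SP2 and later `netsh winsock reset` rebuilds the catalog to defaults, but the first log in this thread shows Internet Explorer 6.00.2600.0000, i.e. XP before SP2, where that command does not exist, which is why a third-party tool was needed here.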
-
Thanks Evilfantasy...
I just followed all the steps you gave.
All went well until the scan on Dial-a-fix... the last 2 boxes didn't clear in No. 5 Registration Center: --Explorer / IE / OE / shell / WMP and --Object Linking Libraries (OLE)
In the scan itself it stops at --Registering imgtil.dll
Any ideas?
-
Try this.
Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE (http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe).
Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.
How is everything now?
-
I meant to get back to you sooner but had to go to work.
This is what I did..
I canceled the Dial-a-fix scan and it said it had crashed, so I scanned again. It went all the way through that time. I restarted the computer and it connected to the internet no problem. The only weird thing is the home page "Google" has boxes where it should have text, but I can move from there without any difficulty.
Are there any more steps to follow?
-
Yes, there's more; we needed to get the connection fixed so it will be easier.
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
-
here is the Combofix log
ComboFix 08-10-09.06 - Owner 2008-10-10 17:31:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.27 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\adir.dll
C:\WINDOWS\system32\aimsmx.dll
C:\WINDOWS\system32\aosmx.dll
C:\WINDOWS\system32\dd.exe
C:\WINDOWS\system32\gtalsmx.dll
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\rsvp32_2.dll3f2tj
C:\WINDOWS\system32\setup.exe.tmp
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\system32\ymsgsmx.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINCOM32
-------\Service_wincom32
((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 )))))))))))))))))))))))))))))))
.
2008-10-10 06:57 . 2008-10-10 17:31 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-10-09 23:30 . 2008-10-09 23:30 <DIR> d-------- C:\Program Files\CCleaner
2008-10-09 23:28 . 2008-10-09 23:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-09 22:46 . 2001-08-17 14:03 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-10-09 22:41 . 2008-10-09 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-09 22:36 . 2008-10-09 22:36 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-10-09 22:35 . 2008-10-09 23:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-09 22:35 . 2008-10-09 22:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-04 20:02 . 2008-10-09 22:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-04 20:02 . 2008-10-04 20:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-10-04 19:52 . 2008-10-04 19:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-04 19:52 . 2008-10-04 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-04 19:52 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-04 19:52 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 19:39 . 2008-10-04 19:39 285 --a------ C:\WINDOWS\system32\MRT.INI
2008-10-04 19:35 . 2008-10-04 19:35 2,400 --a------ C:\WINDOWS\system32\wpa.bak
2008-10-04 18:58 . 2008-07-18 22:10 33,992 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-10-04 18:58 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-10-04 18:58 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-10-04 18:58 . 2008-07-18 22:08 20,680 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-11 00:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-10-05 23:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-10-05 23:20 --------- d-----w C:\Program Files\Skype
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 1077277]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-01-29 25370152]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R2 EZYJOPOP;EZYJOPOP;C:\WINDOWS\System32\ezyjopop.ciq [2001-08-23 14976]
S3 PAC207;UCAM-E1C10&UCAM-G1C10 series;C:\WINDOWS\System32\DRIVERS\pfc027.sys [ ]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
O17 -: HKLM\CCS\Interface\{9BEE9ECD-E2B6-411B-ADC3-480BCB64598E}: NameServer = 86.64.145.144
O17 -: HKLM\CCS\Interface\{A7BE54E0-1517-4ED2-A79C-90ED790DB98F}: NameServer = 86.64.145.144
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 17:35:05
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EZYJOPOP]
"ImagePath"="\??\C:\WINDOWS\System32\ezyjopop.ciq"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\PAStiSvc.exe
.
**************************************************************************
.
Completion time: 2008-10-10 17:38:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-11 00:38:33
Pre-Run: 37,495,373,824 bytes free
Post-Run: 37,487,112,192 bytes free
108 --- E O F --- 2008-10-11 00:28:30
-
here is the Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:40 PM, on 10/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEE9ECD-E2B6-411B-ADC3-480BCB64598E}: NameServer = 86.64.145.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7BE54E0-1517-4ED2-A79C-90ED790DB98F}: NameServer = 86.64.145.144
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
--
End of file - 2183 bytes
-
- Click START then RUN.
- Now type Combofix /u in the run box.
- Make sure there's a space between Combofix and /u.
- Then hit Enter.
The above procedure will:
- Delete ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
----------
Download OTCleanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to your Desktop.
- Double-click OTCleanIt.exe.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes; if not, delete it yourself.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
Now run a new HijackThis scan and post the log.
Also let me know how everything is now.
-
This is the HijackThis log after doing everything else first. Everything is running just fine now. I won't be able to post again until Sunday..I am away for the weekend...so I will say it now...Evilfantasy you are the MAN...thanks so much for seeing me through this.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:53 PM, on 10/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\SSUPDATE.EXE
C:\WINDOWS\System32\msdtc.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEE9ECD-E2B6-411B-ADC3-480BCB64598E}: NameServer = 86.64.145.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7BE54E0-1517-4ED2-A79C-90ED790DB98F}: NameServer = 86.64.145.144
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
--
End of file - 2399 bytes
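The O17 NameServer lines and the O23 "Unknown owner" service are the entries that survive unchanged across both logs in this thread, and they are the ones worth a second look before calling the machine clean: O17 sets the resolver every program on the box will trust, so it should match the DNS servers the ISP or router actually hands out, and a service with no recognised vendor should be tied to an installed product. The script below is an added example written for this page; it is not a tool from the thread or part of HijackThis. It re-reads the log lines quoted above plus one constructed O2 line (placeholder CLSID) and reports entries that need verification or cleanup. The expected DNS set is an assumption standing in for your own resolvers.

```python
"""Triage checks for HijackThis log lines: O17 DNS servers, orphaned O2 BHOs
and O23 services with no recognised owner. Added example for this thread."""
import re
from ipaddress import ip_address

# Line patterns as written by HijackThis v2.0.2.
O17_RE = re.compile(r"^O17 - .*\{([0-9A-Fa-f-]{36})\}: NameServer = (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.+)$")

# Assumption: the resolvers the ISP or router is supposed to hand out.
# Replace with the real ones before trusting the O17 verdict.
EXPECTED_DNS = ["86.64.145.144"]

# Lines taken from the logs posted above, plus one constructed O2 line
# (placeholder CLSID) to show how an orphaned BHO registration is reported.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEE9ECD-E2B6-411B-ADC3-480BCB64598E}: NameServer = 86.64.145.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7BE54E0-1517-4ED2-A79C-90ED790DB98F}: NameServer = 86.64.145.144
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""


def parse_nameservers(value):
    """O17 NameServer values can list several servers, comma or space separated.
    Tokens that are not IP addresses are kept verbatim so they still get flagged."""
    servers = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        try:
            servers.append(str(ip_address(token)))
        except ValueError:
            servers.append(token)
    return servers


def review_hijackthis(log_text, expected_dns):
    """Return (severity, line, reason) tuples for lines that need attention."""
    expected = {str(ip_address(d)) for d in expected_dns}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            iface, value = m.groups()
            for ns in parse_nameservers(value):
                if ns not in expected:
                    findings.append(("verify", line,
                        f"interface {{{iface}}} resolves through {ns}, "
                        f"which is not in the expected DNS set"))
            continue
        m = O2_RE.match(line)
        if m and m.group(3).strip().lower() == "(no file)":
            findings.append(("cleanup", line,
                f"BHO {{{m.group(2)}}} is registered but its DLL is missing "
                f"(orphaned entry, safe to have HijackThis fix)"))
            continue
        m = O23_RE.match(line)
        if m and m.group(2).strip().lower() == "unknown owner":
            findings.append(("verify", line,
                f"service '{m.group(1)}' at {m.group(3)} has no recognised "
                f"vendor; tie it to an installed product before trusting it"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in review_hijackthis(SAMPLE_LOG, EXPECTED_DNS):
        print(f"[{severity}] {reason}\n    {line}")
```

A "verify" finding means the entry needs a human decision, not that it is malicious: an O17 server that does not match the expected set is only a problem if it is not the one the ISP or router assigns, which `ipconfig /all` on the machine will show. Only the orphaned "(no file)" BHO is a straightforward cleanup.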
-
You need to install a free antivirus now before you are back in this situation again. Avira AntiVir Personal is probably the best.
Remember to only install one antivirus!
1) Avast! Home Free Edition (http://www.avast.com/eng/download-avast-home.html)
2) AVG Free Edition (http://free.avg.com/)
3) Avira AntiVir Personal (http://www.free-av.com/)
----------
Disable the System Restore Utility to prevent re-infection from an old one
1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.
Now re-enable System Restore
To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.
1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.
----------
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources, so they won't slow down your PC.
Concerned about Browser Security? Consider using Mozilla Firefox 3.0 (http://www.spreadfirefox.com/node&id=224248&t=324) with Adblock Plus (https://addons.mozilla.org/en-US/firefox/addon/1865) and NoScript (http://noscript.net/)
To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
* Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
I suggest using SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secures your Internet Explorer to make it harder for ActiveX programs to run on your computer. It also stops certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smooth.