C:\WINDOWS\system32\twex.exe a new trojan???


T

Tommies

Here is the info from Windows Defender:
Summary:
Auto Start change occurred.

This agent monitors the various mechanisms that software can use to
automatically start when you log on to Windows. Programs that auto start can
affect system performance and start without your knowledge.

Path:
C:\WINDOWS\system32\twex.exe

Detected changes:
winlogonuserinit:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\\Userinit:C:\WINDOWS\system32\twex.exe

file:
C:\WINDOWS\system32\twex.exe

Advice:
Permit this detected item only if you trust the program or the software
publisher.

Publisher:
Not available

Digitally Signed By:
NOT SIGNED

Product name:
Not available

Description:
Not available

Original name:
Not available

Creation date:
8/23/2001 8:00 AM

Size:
223744 bytes

Version:
Not available

Type:
file type unknown

Checkpoint:
Winlogon Userinit

Category:
Not Yet Classified
and result from command "dir t*" in C:\windows\system32
Volume in drive C has no label.
Volume Serial Number is ECE0-0CDE

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 117,760 t2embed.dll
08/23/2001 08:00 AM 19,200 tapi.dll
04/13/2008 08:12 PM 858,624 tapi3.dll
04/13/2008 08:12 PM 181,760 tapi32.dll
08/23/2001 08:00 AM 5,632 tapiperf.dll
04/13/2008 08:12 PM 249,856 tapisrv.dll
08/23/2001 08:00 AM 78,848 tapiui.dll
04/13/2008 08:12 PM 76,288 taskkill.exe
04/13/2008 08:12 PM 77,824 tasklist.exe
08/23/2001 08:00 AM 15,360 taskman.exe
04/13/2008 08:12 PM 135,680 taskmgr.exe
08/23/2001 08:00 AM 12,288 tcmsetup.exe
04/13/2008 08:12 PM 14,848 tcpmib.dll
04/13/2008 08:12 PM 45,568 tcpmon.dll
07/17/2004 02:46 PM 53,478 tcpmon.ini
04/13/2008 08:12 PM 45,568 tcpmonui.dll
08/23/2001 08:00 AM 19,456 tcpsvcs.exe
08/13/2007 07:32 PM 66,560 tdc.ocx
08/23/2001 08:00 AM 28,160 telephon.cpl
04/13/2008 08:12 PM 75,776 telnet.exe
08/23/2001 08:00 AM 862 termcap
04/13/2008 08:12 PM 358,400 termmgr.dll
04/13/2008 08:12 PM 295,424 termsrv.dll
08/23/2001 08:00 AM 16,896 tftp.exe
04/13/2008 08:12 PM 385,536 themeui.dll
09/01/2006 09:44 AM 1,988 ticrf.rat
04/13/2008 08:12 PM 94,208 timedate.cpl
08/23/2001 08:00 AM 4,048 timer.drv
04/13/2008 08:12 PM 61,440 tlntadmn.exe
04/13/2008 08:12 PM 78,336 tlntsess.exe
04/13/2008 08:12 PM 73,216 tlntsvr.exe
04/13/2008 08:12 PM 7,168 tlntsvrp.dll
08/23/2001 08:00 AM 13,888 toolhelp.dll
04/13/2008 08:12 PM 347,136 tourstart.exe
05/26/2008 11:21 PM 1,582,592 tquery.dll
05/26/2008 11:17 PM 221,184 tquery.dll.mui
04/13/2008 08:12 PM 259,584 tracerpt.exe
04/13/2008 08:12 PM 12,288 tracert.exe
08/23/2001 08:00 AM 31,744 tracert6.exe
08/23/2001 08:00 AM 31,232 traffic.dll
04/13/2008 08:12 PM 12,800 tree.com
04/13/2008 08:12 PM 90,112 trkwks.dll
08/23/2001 08:00 AM 52,224 tsappcmp.dll
08/23/2001 08:00 AM 8,192 tsbyuv.dll
04/13/2008 08:12 PM 93,696 tscfgwmi.dll
08/23/2001 08:00 AM 14,848 tscon.exe
08/04/2004 01:59 AM 44,544 tscupgrd.exe
08/23/2001 08:00 AM 15,360 tsd32.dll
04/13/2008 08:13 PM 12,168 tsddd.dll
08/23/2001 08:00 AM 14,848 tsdiscon.exe
04/13/2008 08:12 PM 53,248 tsgqec.dll
08/23/2001 08:00 AM 16,384 tskill.exe
08/23/2001 08:00 AM 3,286 tslabels.h
08/23/2001 08:00 AM 13,223 tslabels.ini
04/13/2008 08:12 PM 50,688 tspkg.dll
08/23/2001 08:00 AM 16,896 tsshutdn.exe
08/23/2001 08:00 AM 8,192 tssoft32.acm
07/29/2008 10:10 PM 26,112 TsWpfWrp.exe
04/13/2008 08:11 PM 223,744 twex.exe
04/13/2008 08:12 PM 57,856 twext.dll
04/13/2008 08:12 PM 101,376 txflog.dll
08/23/2001 08:00 AM 177,856 typelib.dll
08/23/2001 08:00 AM 36,352 typeperf.exe
10/23/2008 06:06 AM 62,976 tzchange.exe
12/12/2008 09:47 PM 838,618 TZLog.log
65 File(s) 8,101,303 bytes
0 Dir(s) 11,429,130,240 bytes free
However when i do "dir twex.exe" it result in "file not found", and even
more mysterious is the questioned file (twex.exe) is no where to see inside
window explorer, even window search comes up empty. But I do know that it
exist some where (alphabetically) between TsWpfWrp.exe and twext.dll

I update MRT (MS Malicious Software Remove Tool) today, but the scan results
is negative.

I have to use Recovery Console to remove it

Any idea???
 
Ad

Advertisements

E

Engel

Hello Tommies,

IMHO Time to reformat

Maybe the following articles will offer some ideas:

<http://www.aeanj.org/Cyber Notices.htm>

Cleaning a CompÑomised System
<http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>

When should I re-format? How should I reinstall? (#10063)
<http://www.dslreports.com/faq/10063>

Is your choice

Maybe someone else can conjure up something else to try.


Good luck


Ǝиçεl
-=-



Tommies said:
Here is the info from Windows Defender:
Summary:
Auto Start change occurred.

This agent monitors the various mechanisms that software can use to
automatically start when you log on to Windows. Programs that auto start can
affect system performance and start without your knowledge.

Path:
C:\WINDOWS\system32\twex.exe

Detected changes:
winlogonuserinit:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\\Userinit:C:\WINDOWS\system32\twex.exe

file:
C:\WINDOWS\system32\twex.exe

Advice:
Permit this detected item only if you trust the program or the software
publisher.

Publisher:
Not available

Digitally Signed By:
NOT SIGNED

Product name:
Not available

Description:
Not available

Original name:
Not available

Creation date:
8/23/2001 8:00 AM

Size:
223744 bytes

Version:
Not available

Type:
file type unknown

Checkpoint:
Winlogon Userinit

Category:
Not Yet Classified
and result from command "dir t*" in C:\windows\system32
Volume in drive C has no label.
Volume Serial Number is ECE0-0CDE

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 117,760 t2embed.dll
08/23/2001 08:00 AM 19,200 tapi.dll
04/13/2008 08:12 PM 858,624 tapi3.dll
04/13/2008 08:12 PM 181,760 tapi32.dll
08/23/2001 08:00 AM 5,632 tapiperf.dll
04/13/2008 08:12 PM 249,856 tapisrv.dll
08/23/2001 08:00 AM 78,848 tapiui.dll
04/13/2008 08:12 PM 76,288 taskkill.exe
04/13/2008 08:12 PM 77,824 tasklist.exe
08/23/2001 08:00 AM 15,360 taskman.exe
04/13/2008 08:12 PM 135,680 taskmgr.exe
08/23/2001 08:00 AM 12,288 tcmsetup.exe
04/13/2008 08:12 PM 14,848 tcpmib.dll
04/13/2008 08:12 PM 45,568 tcpmon.dll
07/17/2004 02:46 PM 53,478 tcpmon.ini
04/13/2008 08:12 PM 45,568 tcpmonui.dll
08/23/2001 08:00 AM 19,456 tcpsvcs.exe
08/13/2007 07:32 PM 66,560 tdc.ocx
08/23/2001 08:00 AM 28,160 telephon.cpl
04/13/2008 08:12 PM 75,776 telnet.exe
08/23/2001 08:00 AM 862 termcap
04/13/2008 08:12 PM 358,400 termmgr.dll
04/13/2008 08:12 PM 295,424 termsrv.dll
08/23/2001 08:00 AM 16,896 tftp.exe
04/13/2008 08:12 PM 385,536 themeui.dll
09/01/2006 09:44 AM 1,988 ticrf.rat
04/13/2008 08:12 PM 94,208 timedate.cpl
08/23/2001 08:00 AM 4,048 timer.drv
04/13/2008 08:12 PM 61,440 tlntadmn.exe
04/13/2008 08:12 PM 78,336 tlntsess.exe
04/13/2008 08:12 PM 73,216 tlntsvr.exe
04/13/2008 08:12 PM 7,168 tlntsvrp.dll
08/23/2001 08:00 AM 13,888 toolhelp.dll
04/13/2008 08:12 PM 347,136 tourstart.exe
05/26/2008 11:21 PM 1,582,592 tquery.dll
05/26/2008 11:17 PM 221,184 tquery.dll.mui
04/13/2008 08:12 PM 259,584 tracerpt.exe
04/13/2008 08:12 PM 12,288 tracert.exe
08/23/2001 08:00 AM 31,744 tracert6.exe
08/23/2001 08:00 AM 31,232 traffic.dll
04/13/2008 08:12 PM 12,800 tree.com
04/13/2008 08:12 PM 90,112 trkwks.dll
08/23/2001 08:00 AM 52,224 tsappcmp.dll
08/23/2001 08:00 AM 8,192 tsbyuv.dll
04/13/2008 08:12 PM 93,696 tscfgwmi.dll
08/23/2001 08:00 AM 14,848 tscon.exe
08/04/2004 01:59 AM 44,544 tscupgrd.exe
08/23/2001 08:00 AM 15,360 tsd32.dll
04/13/2008 08:13 PM 12,168 tsddd.dll
08/23/2001 08:00 AM 14,848 tsdiscon.exe
04/13/2008 08:12 PM 53,248 tsgqec.dll
08/23/2001 08:00 AM 16,384 tskill.exe
08/23/2001 08:00 AM 3,286 tslabels.h
08/23/2001 08:00 AM 13,223 tslabels.ini
04/13/2008 08:12 PM 50,688 tspkg.dll
08/23/2001 08:00 AM 16,896 tsshutdn.exe
08/23/2001 08:00 AM 8,192 tssoft32.acm
07/29/2008 10:10 PM 26,112 TsWpfWrp.exe
04/13/2008 08:11 PM 223,744 twex.exe
04/13/2008 08:12 PM 57,856 twext.dll
04/13/2008 08:12 PM 101,376 txflog.dll
08/23/2001 08:00 AM 177,856 typelib.dll
08/23/2001 08:00 AM 36,352 typeperf.exe
10/23/2008 06:06 AM 62,976 tzchange.exe
12/12/2008 09:47 PM 838,618 TZLog.log
65 File(s) 8,101,303 bytes
0 Dir(s) 11,429,130,240 bytes free
However when i do "dir twex.exe" it result in "file not found", and even
more mysterious is the questioned file (twex.exe) is no where to see inside
window explorer, even window search comes up empty. But I do know that it
exist some where (alphabetically) between TsWpfWrp.exe and twext.dll

I update MRT (MS Malicious Software Remove Tool) today, but the scan results
is negative.

I have to use Recovery Console to remove it

Any idea???
 
T

Tommies

Thank Engel for the links, I certainly will backlist some of the domain/ip

I don't have any problem with manually remove the trojan, and I use
HiJackThis.exe as an assisting tool and recovery console. After that I boot
to safe mode and do a full system scan and let it run overnight.

The trojan has been identified as 'infostealer.bank.c' trojan by Norton
after I manually quarantine it. Previously, Norton id the trojan but cannot
clean nor quarantine it.

My question is does Microsoft Defender and MRT have ability to remove it
from infected machine for average users. My nephew's pc have Norton antivirus
+ Windows Defender installed & up todate. However, this is not enough to
protect the pc from infection.

Microsoft please step up.

Tommies
 
K

Kayman

Thank Engel for the links, I certainly will backlist some of the domain/ip

I don't have any problem with manually remove the trojan, and I use
HiJackThis.exe as an assisting tool and recovery console. After that I boot
to safe mode and do a full system scan and let it run overnight.

The trojan has been identified as 'infostealer.bank.c' trojan by Norton
after I manually quarantine it. Previously, Norton id the trojan but cannot
clean nor quarantine it.

My question is does Microsoft Defender and MRT have ability to remove it
from infected machine for average users.
No, they won't remove this trojan. But you could run both tools to find
out, couldn't you?
My nephew's pc have Norton antivirus
Bad choice IMO.
+ Windows Defender installed & up todate.
Good.

However, this is not enough to protect the pc from infection.
Why not?
Microsoft please step up.
MSFT didn't install this Trojan, you did!

FYI:
Preferred practice is to 'flatten' and rebuild a computer that has been
exposed to malware.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Clean Install Windows XP
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand
--and--
http://www.michaelstevenstech.com/cleanxpinstall.html
--or-- (even better because its illustrated and more reader friendly)
How Do I Install WindowsXP
http://xphelpandsupport.mvps.org/how_do_i_install_windows_xp.htm

It is defenitely advantageous to create an 'image' of the operating system
and create a data/file backup of the affected PC.
The image can then restored to the impacted PC and the user's data/file is
subsequently restored to the operating system.

An experienced and properly prepared user can do that in substantial less
time than scanning with complex and sophisticated AV applications.

Alas, since many users are less prepared and/or lacking the experience,
scanning with an AV apps. is the only option, unless the user consults a
computer technician.
If you're one of the many less-experienced users, try to go through the
succeeding steps 1-4:

1.Clear the (IE) temporary Internet files and the history cache.
Click 'Start' and then click 'Run'... then type (or copy/paste)
"inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK'
button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
all...' button then place a checkmark into the box beside 'Also delete
files and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2.Clean HDD
Click 'Start' and then click 'Run...' then type (or copy/paste) "cleanmgr"
(w/out quotation marks into the box, then click the 'OK' button. Select
your drive (presumably WinXP (C:) and click OK.
--or--
2a.Delete files using Disk Cleanup (if on Vista)
http://windowshelp.microsoft.com/Windows/en-US/help/1264bc24-72a8-48aa-84e3-a355327139d91033.mspx

3.Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
--or--
http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
--direct--
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
--direct--
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Both free versions of MBAM and SAS are on-demand scanners and offer no
'real-time' protection. Keep them installed and use them as
'second-opinion' scanner which is purposely (by design) recommended by
their respective authors.

*--And/Optional--*
Kaspersky® Virus Removal Tool
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.kaspersky.com/support/viruses/avptool?level=2

--and/optional--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/

--and/optional--
a-squared (a²) Free or a-squared (a²) Command Line Scanner
http://www.emsisoft.com/en/software/download/

--and/optional--
BitDefender10 Free Edition (*NOT FOR VISTA*)
http://www.bitdefender.com/site/Downloads/browseEvaluationVersion/1/42/

--and/optional
Sophos Anti-Virus (SAV32CLI), is a 32 bit free command line scanner used in
an emergency as a disinfection utility for Windows NT, Windows 2000,
Windows XP and Windows 2003.
To use the Sophos command line software follow the steps below:
a) Download SAV32CLI
http://downloads.sophos.com/tools/sav32sfx.exe
--and--
extract the contents by double clicking the file.
b) Add the latest virus identity files (IDE) to the folder; These can be
downloaded here:
http://www.sophos.com/downloads/ide/
c) Read Scanning Options with SAV32CLI.
http://www.sophos.com/support/knowledgebase/article/13252.html
See removing malicious files with SAV32CLI for basic information on virus,
spyware, Trojan and worm removal with SAV32CLI.
http://www.sophos.com/support/knowledgebase/article/13251.html

--and/optional--
David H. Lipman's MULTI_AV.EXE from the URL:
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

NOTE:
The above mentioned applications are not capable for real-time protection
of your computer; They are on-demand scanners.

Kaspersky® Virus Removal Tool, Dr.Web CureIt!® have no update feature (so
they don't turn into full blown scanners). As soon as your computer is
cleaned you are supposed to remove these tools from your operating system
and revert back to your (updated) resident (real-time) AV application.
Re: Kaspersky® Virus Removal Tool; To uninstall/move this program 'enable
self-defense' must be unchecked!

To scan your computer with the most up-to-date Kaspersky® AVPTool and
Dr.Web CureIT!® virus databases next time you should download new
Kaspersky® AVPTool and Dr.Web CureIt!® packages.

BitDefender10 Free Edition, a-squared Free or a-squared Command Line
Scanner, Sophos Anti-Virus (SAV32CLI) and the free version of Malwarebytes©
and SuperAntispyware have an update feature; You may wish to keep a couple
of them installed in addtion to your resident AV/A-S applications and scan
frequently.

After the software is updated, it is suggested scanning the system in Safe
Mode (this does not apply to MBAM).

"Malwarebytes actually performs better in Normal Mode" says Dustin Cook,
Malwarebytes Researcher of MBAM.

How do you boot to Safe Mode?
By pressing/tabbing F8 (or F5 on some keyboards) continually during
re-boot.

A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222
Alternatively:
Click Start==>Run... then type (or copy/paste) "msconfig" (without
quotation marks), click OK. Then click onto BOOT.INI tab and 'check'
/SAFEBOOT then OK and click Restart. To go back to Normal Mode, you must
access the System Configuration utility again and click the General tab
then click/check the radio button 'Normal Startup'- load all device drivers
and services'.

Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx
http://www.bleepingcomputer.com/tutorials/tutorial61.html

4.Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Additional references:
How to optimize or reset Internet Explorer 7
http://support.microsoft.com/kb/936213
Applies to: Windows Internet Explorer 7 in Windows Vista

How to use Reset Internet Explorer Settings (RIES)
http://support.microsoft.com/kb/923737
Read: "What you must know"
Applies to: Windows Internet Explorer 7 for Windows XP and
Windows Internet Explorer 7 in Windows Vista

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php

For additional assistance in relation GMER scan results consult either:
http://www.thespykiller.co.uk/index.php?board=3.0
--or--
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17

CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application
MRUs, etc. ...(*Tune out the registry scanning/fixing option!*)
http://www.ccleaner.com/download/builds/downloading-slim

If Windows Defender is utilized go to Applications, under Utilities
uncheck "Windows Defender" (so it won't delete the history of WD).
If you wish, click 'Options' button the 'Settings' [check] 'Run CCleaner
when the computer starts'.
--or--
Setup CCleaner to Automatically Run Each Night in Vista or XP
http://www.howtogeek.com/howto/windows-vista/setup-ccleaner-to-automatically-run-each-night-in-vista-or-xp/

Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Good luck :)
 
Ad

Advertisements

K

Kayman

Thank Engel for the links, I certainly will backlist some of the domain/ip

I don't have any problem with manually remove the trojan, and I use
HiJackThis.exe as an assisting tool and recovery console. After that I boot
to safe mode and do a full system scan and let it run overnight.

The trojan has been identified as 'infostealer.bank.c' trojan by Norton
after I manually quarantine it. Previously, Norton id the trojan but cannot
clean nor quarantine it.

My question is does Microsoft Defender and MRT have ability to remove it
from infected machine for average users.
No, they won't remove this trojan. But you could run both tools to find
out, couldn't you?
My nephew's pc have Norton antivirus
Bad choice IMO.
+ Windows Defender installed & up todate.
Good.

However, this is not enough to protect the pc from infection.
Why not?
Microsoft please step up.
MSFT didn't install this Trojan, you did!

FYI:
Preferred practice is to 'flatten' and rebuild a computer that has been
exposed to malware.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Clean Install Windows XP
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand
--and--
http://www.michaelstevenstech.com/cleanxpinstall.html
--or-- (even better because its illustrated and more reader friendly)
How Do I Install WindowsXP
http://xphelpandsupport.mvps.org/how_do_i_install_windows_xp.htm

It is defenitely advantageous to create an 'image' of the operating system
and create a data/file backup of the affected PC.
The image can then restored to the impacted PC and the user's data/file is
subsequently restored to the operating system.

An experienced and properly prepared user can do that in substantial less
time than scanning with complex and sophisticated AV applications.

Alas, since many users are less prepared and/or lacking the experience,
scanning with an AV apps. is the only option, unless the user consults a
computer technician.
If you're one of the many less-experienced users, try to go through the
succeeding steps 1-4:

1.Clear the (IE) temporary Internet files and the history cache.
Click 'Start' and then click 'Run'... then type (or copy/paste)
"inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK'
button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
all...' button then place a checkmark into the box beside 'Also delete
files and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2.Clean HDD
Click 'Start' and then click 'Run...' then type (or copy/paste) "cleanmgr"
(w/out quotation marks into the box, then click the 'OK' button. Select
your drive (presumably WinXP (C:) and click OK.
--or--
2a.Delete files using Disk Cleanup (if on Vista)
http://windowshelp.microsoft.com/Windows/en-US/help/1264bc24-72a8-48aa-84e3-a355327139d91033.mspx

3.Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
--or--
http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
--direct--
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
--direct--
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Both free versions of MBAM and SAS are on-demand scanners and offer no
'real-time' protection. Keep them installed and use them as
'second-opinion' scanner which is purposely (by design) recommended by
their respective authors.

*--And/Optional--*
Kaspersky® Virus Removal Tool
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.kaspersky.com/support/viruses/avptool?level=2

--and/optional--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/

--and/optional--
a-squared (a²) Free or a-squared (a²) Command Line Scanner
http://www.emsisoft.com/en/software/download/

--and/optional--
BitDefender10 Free Edition (*NOT FOR VISTA*)
http://www.bitdefender.com/site/Downloads/browseEvaluationVersion/1/42/

--and/optional
Sophos Anti-Virus (SAV32CLI), is a 32 bit free command line scanner used in
an emergency as a disinfection utility for Windows NT, Windows 2000,
Windows XP and Windows 2003.
To use the Sophos command line software follow the steps below:
a) Download SAV32CLI
http://downloads.sophos.com/tools/sav32sfx.exe
--and--
extract the contents by double clicking the file.
b) Add the latest virus identity files (IDE) to the folder; These can be
downloaded here:
http://www.sophos.com/downloads/ide/
c) Read Scanning Options with SAV32CLI.
http://www.sophos.com/support/knowledgebase/article/13252.html
See removing malicious files with SAV32CLI for basic information on virus,
spyware, Trojan and worm removal with SAV32CLI.
http://www.sophos.com/support/knowledgebase/article/13251.html

--and/optional--
David H. Lipman's MULTI_AV.EXE from the URL:
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

NOTE:
The above mentioned applications are not capable for real-time protection
of your computer; They are on-demand scanners.

Kaspersky® Virus Removal Tool, Dr.Web CureIt!® have no update feature (so
they don't turn into full blown scanners). As soon as your computer is
cleaned you are supposed to remove these tools from your operating system
and revert back to your (updated) resident (real-time) AV application.
Re: Kaspersky® Virus Removal Tool; To uninstall/move this program 'enable
self-defense' must be unchecked!

To scan your computer with the most up-to-date Kaspersky® AVPTool and
Dr.Web CureIT!® virus databases next time you should download new
Kaspersky® AVPTool and Dr.Web CureIt!® packages.

BitDefender10 Free Edition, a-squared Free or a-squared Command Line
Scanner, Sophos Anti-Virus (SAV32CLI) and the free version of Malwarebytes©
and SuperAntispyware have an update feature; You may wish to keep a couple
of them installed in addtion to your resident AV/A-S applications and scan
frequently.

After the software is updated, it is suggested scanning the system in Safe
Mode (this does not apply to MBAM).

"Malwarebytes actually performs better in Normal Mode" says Dustin Cook,
Malwarebytes Researcher of MBAM.

How do you boot to Safe Mode?
By pressing/tabbing F8 (or F5 on some keyboards) continually during
re-boot.

A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222
Alternatively:
Click Start==>Run... then type (or copy/paste) "msconfig" (without
quotation marks), click OK. Then click onto BOOT.INI tab and 'check'
/SAFEBOOT then OK and click Restart. To go back to Normal Mode, you must
access the System Configuration utility again and click the General tab
then click/check the radio button 'Normal Startup'- load all device drivers
and services'.

Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx
http://www.bleepingcomputer.com/tutorials/tutorial61.html

4.Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Additional references:
How to optimize or reset Internet Explorer 7
http://support.microsoft.com/kb/936213
Applies to: Windows Internet Explorer 7 in Windows Vista

How to use Reset Internet Explorer Settings (RIES)
http://support.microsoft.com/kb/923737
Read: "What you must know"
Applies to: Windows Internet Explorer 7 for Windows XP and
Windows Internet Explorer 7 in Windows Vista

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php

For additional assistance in relation GMER scan results consult either:
http://www.thespykiller.co.uk/index.php?board=3.0
--or--
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17

CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application
MRUs, etc. ...(*Tune out the registry scanning/fixing option!*)
http://www.ccleaner.com/download/builds/downloading-slim

If Windows Defender is utilized go to Applications, under Utilities
uncheck "Windows Defender" (so it won't delete the history of WD).
If you wish, click 'Options' button the 'Settings' [check] 'Run CCleaner
when the computer starts'.
--or--
Setup CCleaner to Automatically Run Each Night in Vista or XP
http://www.howtogeek.com/howto/windows-vista/setup-ccleaner-to-automatically-run-each-night-in-vista-or-xp/

Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Good luck :)
Also ensure that your OS is updated/patched!
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads


Top