Pacisoft Virus
Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: Pacisoft Virus

  1. #1
    Senior Member isle_of_infamy's Avatar
    Join Date
    Dec 2003
    Posts
    136

    Pacisoft Virus

    windows 2000 pro user here:

    I visited a music video webpage and the pacisoft virus unloaded on me. it gave me two different spyware problems Apropos & SurfsideKick. I managed to clean everything pretty much, but then I ran into a problem.

    I booted in safe mode so I could delete an empty folder at this directory C:\Program Files\Unismith , but that was a no no because after I deleted the empty folder entitled Unismith I was unable to boot up in regular normal mode and I got a KMODE EXCEPTION NOT HANDLED error with the following details.

    0xC0000005: STATUS_ACCESS_VIOLATION
    A memory access violation occurred.
    Parameter 4 of the Stop error
    (which is Parameter 1 of the exception)
    is the address that the driver attempted
    to access.

    0x0000001E
    0xC0000005 (memory access violation)
    0x8133F19D
    0x00000001
    0x00000008

    so I went back into safe mode and recreated the Unismith folder in the C:\Program Files\ directory and guess what ? I was able to boot up in normal mode again.

    How can I fix this problem so that I can boot up normal without that specific folder ?

    please any help is welcome.

    by the way the malicious webpage I went to was HotCodez.com
    I would love to report them for having malware on their site. Any suggestions ?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    What did you use to clean your system?
    There may still be some things left running..
    Have a look with HijackThis.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    I suggest you give us the the crash dump file. It is located in windows directory
    just serach for files named *.dmp. This seems like a rootkit case

  4. #4
    Senior Member isle_of_infamy's Avatar
    Join Date
    Dec 2003
    Posts
    136

    what I used

    Primarily I used webroot spysweeper which found about 70 or so traces of stuff, then I used ad-aware SE pro 1.06r and then I used Spybot 1.4 , and then i used xoftspy each program has latest definition files. i ran hi-jack this and no suspicious items show up as of now.

    I searched for *.dmp in c drive but could not find any files of that nature.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Sounds like a stealthy bastard.... a rootkit is also a possibility

    Did you scan in safe mode? You might want to try that too..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Senior Member isle_of_infamy's Avatar
    Join Date
    Dec 2003
    Posts
    136

    hmm I'm not sure

    well i searched for *.dmp files in c drive but found none of that nature. I am not sure what a rootkit is. although I can tell you that when i did scan with webroot spyweeper it located 2 of the problems in the memory scan.

    I did scan in safe mode, but the results were the same as when I scanned in normal mode.

    thanks for helping me you guys.

    ok I did a rootkit scan using RK Detector and I took a screen shot of the results here http://www.boredinnc.net/ftp/Webpage/1.gif

    yes there was a service installed on my system, but I managed to disable it however it still exists in the services list.

  7. #7
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    hmmm.....
    try to clean the registry file

    Click on Rar250K
    and then follow link to fownload

    Registry Corrector
    http://getsoft.ru/?author=161&page=2
    // too far away outside of limit

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Did you also check Add/Remove Software? I've removed a lot of adware just by uninstalling it..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Senior Member isle_of_infamy's Avatar
    Join Date
    Dec 2003
    Posts
    136

    scan results

    yes Sir Dice I sure did. I try not to have too many programs installed so I pay close attention as to what is on my system. How can I delete that 1 service from my services list ? any suggestions ? here is an animated gif of my add/remove programs listed. http://www.boredinnc.net/ftp/Webpage/addremove.gif

    here is the registry corrector log file Sir Babis: thanks again:

    Program started 9/28/2005 at 9:05:09 AM

    Check registry integrity ...
    Integrity ok ...

    Scan system folder ...
    22563 files read ...

    Check software locations...
    HijackThis.exe ... Delete
    0 entries cure, 1 deleted, 0 added, 0 skipped.

    Check shared programs...
    0 entries cure, 0 deleted, 0 added, 0 skipped.

    Check help section...
    0 entries cure, 0 deleted, 0 added, 0 skipped.

    Check fonts ...
    0 entries cure, 0 deleted, 0 added, 0 skipped.

    Check device drivers ...
    0 entries cure, 0 deleted, 0 added, 0 skipped.

    Check extensions assotiations ...
    .acl ... Delete
    .aprj ... Delete
    .aw ... Delete
    .col ... Delete
    .conf ... Delete
    .det ... Delete
    .dos ... Delete
    .elm ... Delete
    .eta ... Delete
    .ffa ... Delete
    .ffl ... Delete
    .fft ... Delete
    .ffx ... Delete
    .frg ... Delete
    .gst ... Delete
    .idc ... Delete
    .jar ... Delete
    .kml ... Delete
    .kmz ... Delete
    .ldb ... Delete
    .lex ... Delete
    .nls ... Delete
    .opc ... Delete
    .pbk ... Delete
    .pbr ... Delete
    .pcb ... Delete
    .pip ... Delete
    .sll ... Delete
    .stf ... Delete
    .tuw ... Delete
    .VOC ... Delete
    .wll ... Delete
    .xmd ... Delete
    0 entries cure, 33 deleted, 0 added, 0 skipped.

    Check COM entries ...
    MSTTSSYN.DLL found : C:\WINDOWS\SYSTEM32\DLLCACHE\MSTTSSYN.DLL
    WTTSS22.DLL found : C:\WINDOWS\SYSTEM32\DLLCACHE\WTTSS22.DLL
    2 entries cure, 0 deleted, 0 added, 0 skipped.

    Check ActiveX entries ...
    AcroIEHelper.AcroIEHlprObj ... Delete
    AcroIEHelper.AcroIEHlprObj.1 ... Delete
    ActMsg.Session ... Delete
    ADCS ... Delete
    ComPlusMetaData.MsCorHost ... Delete
    ComPlusMetaData.MsCorHost.2 ... Delete
    Context.test ... Delete
    Context.test.1 ... Delete
    DXImageTransform.Microsoft.CrRadialWipe ... Delete
    DXImageTransform.Microsoft.CrRadialWipe.1 ... Delete
    HeaderFooter.HeaderFooter.1 ... Delete
    MailFileAtt ... Delete
    mapifvbx.object ... Delete
    mapifvbx.object.1 ... Delete
    Overview.Document ... Delete
    SymWriter.pdb ... Delete
    TimeStamp ... Delete
    WBEMComLocator ... Delete
    0 entries cure, 18 deleted, 0 added, 0 skipped.

    Check startup list ...
    0 entries cure, 0 deleted, 0 added, 0 skipped.

    Check unisnstall section ...
    HijackThis ... Delete
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} ... Delete
    {3877C2CD-F137-4144-BDB2-0A811492F920} ... Delete
    {5B239A98-4222-4D8C-AF38-1A8EC07F956B} ... Delete
    {5D0930A0-1033-433A-8BB9-602665550DD0} ... Delete
    0 entries cure, 5 deleted, 0 added, 0 skipped.

    Delete temporary registry values ...
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList ... Delete
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a ... Delete
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\b ... Delete
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\c ... Delete
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\d ... Delete
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\e ... Delete
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList ... Delete
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\MRUList ... Delete
    HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 ... Delete
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey ... Delete
    0 entries cure, 10 deleted, 0 added, 0 skipped.

    Program finished 9/28/2005 at 9:06:03 AM
    12 test(s) passed, 16864 entries scanned, 2 entries cure, 67 entries deleted, 0 entries added, 0 skipped.
    Created undo file C:\Documents and Settings\greg\Desktop\RC 28-09-05-01.reg.

  10. #10
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    I would suggest looking for "unismith" in the registry and see if its attached to any keys.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •