-
September 28th, 2005, 03:53 PM
#1
Pacisoft Virus
windows 2000 pro user here:
I visited a music video webpage and the Pacisoft virus unloaded on me. It gave me two different spyware problems, Apropos & SurfsideKick. I managed to clean everything pretty much, but then I ran into a problem.
I booted in safe mode so I could delete an empty folder at this directory, C:\Program Files\Unismith, but that was a no-no: after I deleted the empty folder entitled Unismith I was unable to boot up in regular normal mode and I got a KMODE EXCEPTION NOT HANDLED error with the following details.
0xC0000005: STATUS_ACCESS_VIOLATION
A memory access violation occurred.
Parameter 4 of the Stop error (which is Parameter 1 of the exception) is the address that the driver attempted to access.
0x0000001E
0xC0000005 (memory access violation)
0x8133F19D
0x00000001
0x00000008
So I went back into safe mode and recreated the Unismith folder in the C:\Program Files\ directory and guess what? I was able to boot up in normal mode again.
How can I fix this problem so that I can boot up normally without that specific folder?
Please, any help is welcome.
By the way, the malicious webpage I went to was HotCodez.com.
I would love to report them for having malware on their site. Any suggestions?
-
September 28th, 2005, 04:08 PM
#2
What did you use to clean your system?
There may still be some things left running.
Have a look with HijackThis.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
September 28th, 2005, 04:23 PM
#3
I suggest you give us the crash dump file. It is located in the Windows directory;
just search for files named *.dmp. This seems like a rootkit case.
-
September 28th, 2005, 04:24 PM
#4
what I used
Primarily I used Webroot Spy Sweeper, which found about 70 or so traces of stuff. Then I used Ad-Aware SE Pro 1.06r, then Spybot 1.4, and then XoftSpy; each program has the latest definition files. I ran HijackThis and no suspicious items show up as of now.
I searched for *.dmp in the C drive but could not find any files of that nature.
-
September 28th, 2005, 04:29 PM
#5
Sounds like a stealthy bastard.... a rootkit is also a possibility.
Did you scan in safe mode? You might want to try that too.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
September 28th, 2005, 04:35 PM
#6
hmm I'm not sure
Well, I searched for *.dmp files in the C drive but found none of that nature. I am not sure what a rootkit is, although I can tell you that when I did scan with Webroot Spy Sweeper it located 2 of the problems in the memory scan.
I did scan in safe mode, but the results were the same as when I scanned in normal mode.
Thanks for helping me, you guys.
OK, I did a rootkit scan using RK Detector and I took a screen shot of the results here: http://www.boredinnc.net/ftp/Webpage/1.gif
Yes, there was a service installed on my system, but I managed to disable it; however, it still exists in the services list.
-
September 28th, 2005, 04:48 PM
#7
hmmm.....
Try to clean the registry file.
Click on Rar250K
and then follow the link to download
Registry Corrector
http://getsoft.ru/?author=161&page=2
// too far away outside of limit
-
September 28th, 2005, 04:57 PM
#8
Did you also check Add/Remove Software? I've removed a lot of adware just by uninstalling it.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
September 28th, 2005, 05:08 PM
#9
scan results
Yes, Sir Dice, I sure did. I try not to have too many programs installed, so I pay close attention as to what is on my system. How can I delete that 1 service from my services list? Any suggestions? Here is an animated gif of my Add/Remove Programs list: http://www.boredinnc.net/ftp/Webpage/addremove.gif
Here is the Registry Corrector log file, Sir Babis. Thanks again:
Program started 9/28/2005 at 9:05:09 AM
Check registry integrity ...
Integrity ok ...
Scan system folder ...
22563 files read ...
Check software locations...
HijackThis.exe ... Delete
0 entries cure, 1 deleted, 0 added, 0 skipped.
Check shared programs...
0 entries cure, 0 deleted, 0 added, 0 skipped.
Check help section...
0 entries cure, 0 deleted, 0 added, 0 skipped.
Check fonts ...
0 entries cure, 0 deleted, 0 added, 0 skipped.
Check device drivers ...
0 entries cure, 0 deleted, 0 added, 0 skipped.
Check extensions assotiations ...
.acl ... Delete
.aprj ... Delete
.aw ... Delete
.col ... Delete
.conf ... Delete
.det ... Delete
.dos ... Delete
.elm ... Delete
.eta ... Delete
.ffa ... Delete
.ffl ... Delete
.fft ... Delete
.ffx ... Delete
.frg ... Delete
.gst ... Delete
.idc ... Delete
.jar ... Delete
.kml ... Delete
.kmz ... Delete
.ldb ... Delete
.lex ... Delete
.nls ... Delete
.opc ... Delete
.pbk ... Delete
.pbr ... Delete
.pcb ... Delete
.pip ... Delete
.sll ... Delete
.stf ... Delete
.tuw ... Delete
.VOC ... Delete
.wll ... Delete
.xmd ... Delete
0 entries cure, 33 deleted, 0 added, 0 skipped.
Check COM entries ...
MSTTSSYN.DLL found : C:\WINDOWS\SYSTEM32\DLLCACHE\MSTTSSYN.DLL
WTTSS22.DLL found : C:\WINDOWS\SYSTEM32\DLLCACHE\WTTSS22.DLL
2 entries cure, 0 deleted, 0 added, 0 skipped.
Check ActiveX entries ...
AcroIEHelper.AcroIEHlprObj ... Delete
AcroIEHelper.AcroIEHlprObj.1 ... Delete
ActMsg.Session ... Delete
ADCS ... Delete
ComPlusMetaData.MsCorHost ... Delete
ComPlusMetaData.MsCorHost.2 ... Delete
Context.test ... Delete
Context.test.1 ... Delete
DXImageTransform.Microsoft.CrRadialWipe ... Delete
DXImageTransform.Microsoft.CrRadialWipe.1 ... Delete
HeaderFooter.HeaderFooter.1 ... Delete
MailFileAtt ... Delete
mapifvbx.object ... Delete
mapifvbx.object.1 ... Delete
Overview.Document ... Delete
SymWriter.pdb ... Delete
TimeStamp ... Delete
WBEMComLocator ... Delete
0 entries cure, 18 deleted, 0 added, 0 skipped.
Check startup list ...
0 entries cure, 0 deleted, 0 added, 0 skipped.
Check unisnstall section ...
HijackThis ... Delete
{2318C2B1-4965-11d4-9B18-009027A5CD4F} ... Delete
{3877C2CD-F137-4144-BDB2-0A811492F920} ... Delete
{5B239A98-4222-4D8C-AF38-1A8EC07F956B} ... Delete
{5D0930A0-1033-433A-8BB9-602665550DD0} ... Delete
0 entries cure, 5 deleted, 0 added, 0 skipped.
Delete temporary registry values ...
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList ... Delete
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a ... Delete
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\b ... Delete
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\c ... Delete
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\d ... Delete
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\e ... Delete
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList ... Delete
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\MRUList ... Delete
HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 ... Delete
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey ... Delete
0 entries cure, 10 deleted, 0 added, 0 skipped.
Program finished 9/28/2005 at 9:06:03 AM
12 test(s) passed, 16864 entries scanned, 2 entries cure, 67 entries deleted, 0 entries added, 0 skipped.
Created undo file C:\Documents and Settings\greg\Desktop\RC 28-09-05-01.reg.
-
September 28th, 2005, 05:35 PM
#10
I would suggest looking for "unismith" in the registry and seeing if it's attached to any keys.
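An added example, not from this thread or any of its posters, of the kind of check reply #10 suggests: export the registry from safe mode with `regedit /e hive.reg`, then list every key whose path, value names or value data mention the folder name, and flag Services entries by their Start type, since a boot- or system-start driver whose ImagePath points into a folder that no longer exists is exactly the sort of hit to look at first. It also decodes the bug check 0x1E parameters quoted in the first post (parameter 3 = 1 means a write, parameter 4 = 0x8 is the address touched). The .reg text below is constructed; the service name unisvc, its ImagePath and the Run value are invented to show what a hit looks like.

```python
"""Added example (not from the thread): find registry keys that reference a
folder name in a `regedit /e` export, and decode bug check 0x1E parameters.
The .reg text is constructed; unisvc, its paths and the Run value are invented."""
import re

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\unisvc]
"Type"=dword:00000001
"Start"=dword:00000001
"DisplayName"="Unismith Service"
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,55,00,6e,00,69,00,73,00,6d,00,69,00,\
  74,00,68,00,5c,00,75,00,6e,00,69,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Loader"="\"C:\\Program Files\\Unismith\\loader.exe\" /q"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
SERVICE_START = {0: 'BOOT_START', 1: 'SYSTEM_START', 2: 'AUTO_START',
                 3: 'DEMAND_START', 4: 'DISABLED'}
EXCEPTION_NAMES = {0xC0000005: 'STATUS_ACCESS_VIOLATION'}


def decode_value(raw):
    """Turn the right-hand side of a .reg line into searchable text."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):       # REG_SZ with \" and \\ escapes
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('dword:'):                         # REG_DWORD as hex digits
        return str(int(raw[6:], 16))
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)        # hex(N): comma-separated bytes
    if m:
        data = bytes(int(b, 16) for b in re.findall(r'[0-9a-fA-F]{2}', m.group(2)))
        if m.group(1) in ('2', '7'):                     # REG_EXPAND_SZ / REG_MULTI_SZ, UTF-16LE
            return data.decode('utf-16-le', 'replace').replace('\x00', ' ').strip()
        return data.hex()
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value_text}} for a regedit export."""
    joined = re.sub(r'\\\r?\n\s*', '', text)             # rejoin backslash-continued lines
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = m.group(1) if m.group(1) is not None else '(Default)'
                keys[current][name] = decode_value(m.group(3))
    return keys


def find_references(text, needle):
    """List keys whose path, value names or data mention `needle`; tag Services hits."""
    needle = needle.lower()
    hits = []
    for key, values in parse_reg_export(text).items():
        matched = [n for n, v in values.items()
                   if needle in n.lower() or needle in v.lower()]
        if needle not in key.lower() and not matched:
            continue
        note = 'other'
        if '\\currentcontrolset\\services\\' in key.lower():
            note = 'service/driver'
            start = values.get('Start')
            if start is not None:                        # Start <= 2 is loaded without user action
                note += ', Start=' + SERVICE_START.get(int(start), start)
        hits.append({'key': key, 'values': matched, 'note': note})
    return hits


def decode_kmode_exception(stop_code, p1, p2, p3, p4):
    """Bug check 0x1E: p1 = exception code, p2 = address where it was raised,
    p3/p4 = the exception's own parameters 0 and 1. For STATUS_ACCESS_VIOLATION
    p3 is 0 for a read and 1 for a write, and p4 is the address touched."""
    if stop_code != 0x1E:
        raise ValueError('not KMODE_EXCEPTION_NOT_HANDLED (0x1E)')
    info = {'exception': EXCEPTION_NAMES.get(p1, hex(p1)), 'faulting_ip': p2}
    if p1 == 0xC0000005:
        info['access'] = 'write' if p3 == 1 else 'read'
        info['target'] = p4
        info['null_pointer_like'] = p4 < 0x10000         # heuristic: small address = field off a null pointer
    return info


if __name__ == '__main__':
    for h in find_references(REG_EXPORT, 'Unismith'):
        print(h['key'], h['values'], h['note'])
    print(decode_kmode_exception(0x1E, 0xC0000005, 0x8133F19D, 0x1, 0x8))
```

Run it against a real export by replacing REG_EXPORT with the file's contents (Windows 2000's regedit writes the 5.00 format as UTF-16, so open it with that encoding). A Services hit with Start=0, 1 or 2 pointing at a path that has been deleted is the thing to remove or disable before the folder is; the Run key hit only fires at logon and explains a popup, not a boot crash.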