PC sends spam after infection with Smitfraud-C, Torpig and Virtumonde

hi tverhoog,

ok good. thanks for all the info. i see you got rid of the .dll, only guessing really at it being malware. the online scan found some files also.

still sending out those e-mails? if so then:

let's try another rootkit tool.

please download Rootkit unhooker from here:

http://rku.nm.ru/

it will add a folder to root drive C:\
double click the skull icon in the folder
click the report tab, then the scan button.
after the scan: File > save report
post file in next reply.

shelf life
 
Hi shelf life,

We have done something right because Avast Mail Scanner tells me that since the reboot which deleted xnosixr.dll and the F-secure scan no spam has been sent. :)

Here is the unhooker scan report anyway:

>SSDT State
NtAllocateVirtualMemory
Actual Address 0xB54B4B30
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtCreateKey
Actual Address 0xF74EF0D0
Hooked by: sptd.sys

NtCreateThread
Actual Address 0xB54B46F0
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtEnumerateKey
Actual Address 0xF74F4E2C
Hooked by: sptd.sys

NtEnumerateValueKey
Actual Address 0xF74F51BA
Hooked by: sptd.sys

NtMapViewOfSection
Actual Address 0xB54B4470
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtOpenKey
Actual Address 0xF74EF0B0
Hooked by: sptd.sys

NtOpenProcess
Actual Address 0xF7A688AC
Hooked by: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtProtectVirtualMemory
Actual Address 0xB54B4C50
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtQueryKey
Actual Address 0xF74F5292
Hooked by: sptd.sys

NtQueryValueKey
Actual Address 0xF74F5112
Hooked by: sptd.sys

NtSetValueKey
Actual Address 0xF74F5324
Hooked by: sptd.sys

NtShutdownSystem
Actual Address 0xB54B4990
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtTerminateProcess
Actual Address 0xF7A68812
Hooked by: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtWriteVirtualMemory
Actual Address 0xB54B4D60
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

>Shadow
>Processes
>Drivers
>Stealth
>Files
Suspect File: C:\Documents and Settings\Tobias Verhoog\Local Settings\Application Data\Microsoft\Messenger\tverhoog@hotmail.com\SharingMetadata\Working\database_3ED0_1915_D018_D4CD\fsr00371.log Status: Hidden
Suspect File: C:\Documents and Settings\Tobias Verhoog\Local Settings\Temp\hsperfdata_Tobias Verhoog\2456::$DATA Status: Hidden
>Hooks
tcpip.sys+0x00003CFA, Type: Inline - RelativeCall at address 0xB3F41CFA hook handler located in [Teefer.sys]
tcpip.sys+0x0000544E, Type: Inline - RelativeCall at address 0xB3F4344E hook handler located in [Teefer.sys]
tcpip.sys+0x0000A4E0, Type: Inline - RelativeCall at address 0xB3F484E0 hook handler located in [Teefer.sys]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xB3F7CF28 hook handler located in [Teefer.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xB3F7CF54 hook handler located in [Teefer.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xB3F7CF60 hook handler located in [Teefer.sys]
wanarp.sys+0x000053FD, Type: Inline - RelativeCall at address 0xBA73D3FD hook handler located in [Teefer.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xBA73DB4C hook handler located in [Teefer.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xBA73DB1C hook handler located in [Teefer.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xBA73DB3C hook handler located in [Teefer.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xBA73DB28 hook handler located in [Teefer.sys]
[1296]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[1424]ashMaiSv.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0042D170 hook handler located in [wblind.dll]
[1424]ashMaiSv.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0042D098 hook handler located in [wblind.dll]
[1448]vmware-tray.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0040A0C0 hook handler located in [wblind.dll]
[1448]vmware-tray.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0040A1E8 hook handler located in [wbhelp.dll]
[1448]vmware-tray.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0040A230 hook handler located in [wblind.dll]
[1528]nvsvc32.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0041D244 hook handler located in [wblind.dll]
[1528]nvsvc32.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0041D21C hook handler located in [wblind.dll]
[1528]nvsvc32.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x0041D274 hook handler located in [wbhelp.dll]
[1528]nvsvc32.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x0041D26C hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->gdi32.dll-->GetPixel, Type: IAT modification at address 0x00401660 hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->gdi32.dll-->SetPixel, Type: IAT modification at address 0x00401624 hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004014BC hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x004015FC hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0040146C hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - RelativeJump at address 0x7C84467D hook handler located in [msnmsgr.exe]
[1532]msnmsgr.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x004017F8 hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x00401830 hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x0040174C hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->SetWindowLongW, Type: IAT modification at address 0x004018BC hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x004017DC hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x0040182C hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x00401734 hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->user32.dll-->TrackPopupMenuEx, Type: IAT modification at address 0x00401848 hook handler located in [wblind.dll]
[1788]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[1940]xfire.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0045E258 hook handler located in [wblind.dll]
[1940]xfire.exe-->user32.dll-->CallWindowProcA, Type: IAT modification at address 0x0045E5EC hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->DeferWindowPos, Type: IAT modification at address 0x0045E424 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x0045E498 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x0045E584 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x0045E3F8 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0045E4C4 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x0045E470 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0045E454 hook handler located in [wblind.dll]
[1944]Smc.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x005E65B4 hook handler located in [wblind.dll]
[1944]Smc.exe-->user32.dll-->DeferWindowPos, Type: IAT modification at address 0x005E67FC hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x005E68CC hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x005E6A04 hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x005E69C8 hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x005E69F8 hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x005E6818 hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x005E684C hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x005E6814 hook handler located in [wblind.dll]
[1964]rundll32.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001034 hook handler located in [wblind.dll]
[2008]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[2128]vmware-authd.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0040E128 hook handler located in [wblind.dll]
[248]gnotify.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0045E250 hook handler located in [wblind.dll]
[248]gnotify.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0045E124 hook handler located in [wblind.dll]
[248]gnotify.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x0045E2F4 hook handler located in [wbhelp.dll]
[248]gnotify.exe-->user32.dll-->SetLayeredWindowAttributes, Type: IAT modification at address 0x0045E2E4 hook handler located in [wblind.dll]
[248]gnotify.exe-->user32.dll-->SetWindowLongW, Type: IAT modification at address 0x0045E32C hook handler located in [wbhelp.dll]
[248]gnotify.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x0045E2E8 hook handler located in [wbhelp.dll]
[248]gnotify.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0045E33C hook handler located in [wblind.dll]
[268]ashDisp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004070A0 hook handler located in [wblind.dll]
[268]ashDisp.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0040708C hook handler located in [wblind.dll]
[268]ashDisp.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x004071C8 hook handler located in [wblind.dll]
[2864]vmount2.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004261C4 hook handler located in [wblind.dll]
[2864]vmount2.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x004261F8 hook handler located in [wblind.dll]
[3020]LVComSer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0041E0B8 hook handler located in [wblind.dll]
[3020]LVComSer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0041E0AC hook handler located in [wblind.dll]
[3020]LVComSer.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0041E264 hook handler located in [wbhelp.dll]
[320]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[340]LClock.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0040A030 hook handler located in [wblind.dll]
[340]LClock.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0040A1B4 hook handler located in [wblind.dll]
[348]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[3680]cmd.exe-->gdi32.dll-->GetPixel, Type: IAT modification at address 0x0044F024 hook handler located in [wblind.dll]
[3680]cmd.exe-->gdi32.dll-->SetPixel, Type: IAT modification at address 0x0044F020 hook handler located in [wblind.dll]
[3680]cmd.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0044F058 hook handler located in [wblind.dll]
[3680]cmd.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x0044F19C hook handler located in [wbhelp.dll]
[3680]cmd.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x0044F21C hook handler located in [wbhelp.dll]
[3680]cmd.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x0044F1BC hook handler located in [wbhelp.dll]
[3680]cmd.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0044F170 hook handler located in [wbhelp.dll]
[3680]cmd.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x0044F1EC hook handler located in [wbhelp.dll]
[488]LVComSer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0041E0B8 hook handler located in [wblind.dll]
[488]LVComSer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0041E0AC hook handler located in [wblind.dll]
[488]LVComSer.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0041E264 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0051812C hook handler located in [wblind.dll]
[5284]vmware.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x005180F8 hook handler located in [wblind.dll]
[5284]vmware.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x00518560 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x00518478 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x005184A8 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x00518364 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x0051855C hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x00518424 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x00518584 hook handler located in [wblind.dll]
[5284]vmware.exe-->user32.dll-->TrackPopupMenuEx, Type: IAT modification at address 0x00518520 hook handler located in [wblind.dll]
[544]ashServ.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00413104 hook handler located in [wblind.dll]
[544]ashServ.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x00413120 hook handler located in [wblind.dll]
[544]ashServ.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0041339C hook handler located in [wblind.dll]
[5508]firefox.exe-->gdi32.dll-->SetPixel, Type: IAT modification at address 0x00968144 hook handler located in [wblind.dll]
[5508]firefox.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x009682A4 hook handler located in [wblind.dll]
[5508]firefox.exe-->user32.dll-->DeferWindowPos, Type: IAT modification at address 0x009685B8 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x009686E4 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x00968644 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->SendMessageW, Type: IAT modification at address 0x00968788 hook handler located in [wblind.dll]
[5508]firefox.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x00968628 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->SetWindowLongW, Type: IAT modification at address 0x00968780 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x009685C0 hook handler located in [wbhelp.dll]
[5936]vmware-vmx.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x006542B0 hook handler located in [wblind.dll]
[5936]vmware-vmx.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x00654194 hook handler located in [wblind.dll]
[5936]vmware-vmx.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x006547FC hook handler located in [wbhelp.dll]
[5936]vmware-vmx.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x00654710 hook handler located in [wbhelp.dll]
[5936]vmware-vmx.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x00654800 hook handler located in [wbhelp.dll]
[704]avgas.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004A32C4 hook handler located in [wblind.dll]
[704]avgas.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004A3324 hook handler located in [wblind.dll]
[704]avgas.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x004A34D4 hook handler located in [wbhelp.dll]
[704]avgas.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x004A3464 hook handler located in [wbhelp.dll]
[704]avgas.exe-->user32.dll-->SetWindowLongW, Type: IAT modification at address 0x004A34E8 hook handler located in [wbhelp.dll]
[704]avgas.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x004A34EC hook handler located in [wbhelp.dll]
[704]avgas.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x004A3428 hook handler located in [wblind.dll]
[860]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x01001150 hook handler located in [wblind.dll]
[860]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x010010A8 hook handler located in [wblind.dll]
[860]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x010011D0 hook handler located in [wblind.dll]
[860]explorer.exe-->user32.dll-->CallWindowProcW, Type: IAT modification at address 0x010013A4 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->DeferWindowPos, Type: IAT modification at address 0x010014D8 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x01001378 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x010015A8 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->LoadImageW, Type: IAT modification at address 0x0100137C hook handler located in [wblind.dll]
[860]explorer.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x01001348 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->SendMessageW, Type: IAT modification at address 0x010013D8 hook handler located in [wblind.dll]
[860]explorer.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x0100132C hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x010015AC hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x01001478 hook handler located in [wblind.dll]
[860]explorer.exe-->user32.dll-->TrackPopupMenuEx, Type: IAT modification at address 0x01001450 hook handler located in [wblind.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
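
Added example (not part of the original posts, and not Rootkit Unhooker's own code): a report this long is easier to review once the hooks are grouped by the module that installed them. The Python below parses the report layout shown above, using a few lines excerpted from it; the function names and the `reviewed` allowlist are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines excerpted from the report posted above, kept in the tool's layout.
SAMPLE_REPORT = r"""
>SSDT State
NtAllocateVirtualMemory
Actual Address 0xB54B4B30
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtCreateKey
Actual Address 0xF74EF0D0
Hooked by: sptd.sys

>Hooks
tcpip.sys+0x00003CFA, Type: Inline - RelativeCall at address 0xB3F41CFA hook handler located in [Teefer.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xB3F7CF54 hook handler located in [Teefer.sys]
[1296]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x0040174C hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - RelativeJump at address 0x7C84467D hook handler located in [msnmsgr.exe]
"""

# One entry of the ">Hooks" section; the "[pid]" prefix is present only for
# hooks found inside a user-mode process.
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<target>.+?), Type: (?P<type>.+?) at address "
    r"(?P<addr>0x[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]$"
)

def parse_report(text):
    """Return one dict per hook found in the SSDT State and Hooks sections."""
    hooks, section, name = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(">"):            # section marker such as ">Hooks"
            section, name = line[1:], None
        elif section == "SSDT State":
            if line.startswith("Hooked by:") and name:
                path = line[len("Hooked by:"):].strip()
                # The handler is given as a full path or as a bare file name.
                hooks.append({"layer": "kernel", "pid": None, "target": name,
                              "type": "SSDT",
                              "handler": path.rsplit("\\", 1)[-1].lower()})
            elif not line.startswith("Actual Address"):
                name = line                 # service name precedes its address
        elif section == "Hooks":
            m = HOOK_RE.match(line)
            if m:
                pid = int(m["pid"]) if m["pid"] else None
                hooks.append({"layer": "user" if pid is not None else "kernel",
                              "pid": pid, "target": m["target"],
                              "type": m["type"], "handler": m["handler"].lower()})
    return hooks

def summarise_by_handler(hooks):
    """Group hooks by handler module: count, layers touched, hooked PIDs."""
    summary = defaultdict(lambda: {"count": 0, "layers": set(), "pids": set()})
    for h in hooks:
        entry = summary[h["handler"]]
        entry["count"] += 1
        entry["layers"].add(h["layer"])
        if h["pid"] is not None:
            entry["pids"].add(h["pid"])
    return dict(summary)

def unreviewed_handlers(summary, reviewed):
    """Handlers not on the reviewer's own allowlist (hypothetical input)."""
    reviewed = {r.lower() for r in reviewed}
    return sorted(h for h in summary if h not in reviewed)
```

Run over the full saved report, the summary reduces the hook list to a short set of handler modules, each of which can then be checked against the software installed on the machine.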
 
hi tverhoog,

ok good. i was getting worried, much longer and your isp may have been contacting you about being a spam bot

i guess that dll and the f-secure scan (which also scans for rootkits) took care of it. first time i've seen a problem like that and a clean hjt log and malware scanners not finding anything. it had to be a rootkit. had to be more than just that .dll, nothing i saw though.

and now for the bad news:

don't know how long you had it on your computer and not all rootkits have backdoors or capture traffic like passwords etc. it would be a good idea to at least change all your passwords you use online. also i would repeat that online scan at f-secure. some even recommend a reformat of the computer after rootkit activity. malware is getting much more invasive these days.
-------------------------
if you don't reformat, last thing to do is to make new restore points. it's possible for malware to get archived. making a new one will clean out anything. like this:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

shelf life
 
Hi Shelf Life,

Great! My PC hasn't behaved suspiciously anymore. I was getting worried about my ISP as well. I have deleted the system restore files and will change all of my passwords. I will keep track of any strange behavior of my computer and will reformat if the symptoms return. I will also keep my security programs up-to-date.

Many, many thanks to you Shelf Life for helping me get rid of this malware. I think it's great work you guys are doing here and I will absolutely donate to the spybot forum because you and Spybot S&D have saved me a lot of trouble.

Thanks Again! :bigthumb:
 
hi tverhoog,

good. glad to help. see my prevention page for avoiding malware, link below.
happy safe surfing.

shelf life
 