WiredWX Christian Hobby Weather Tools

Re: Win32/Cryptor problem

Hi again

I removed the Adobe and McAfee programs, but the Adobe Reader 8.1.2 Security Update 1 (KB403742) was not on the add/remove list?

OTMoveIt3 results below:

========== FILES ==========
c:\windows\popcinfo.dat moved successfully.
c:\windows\system32\UACpabbpiktpjboyee.dat moved successfully.
c:\program files\AskSearch\bin moved successfully.
c:\program files\AskSearch moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05042009_174735

Re: Win32/Cryptor problem

Hello.
Good work, but not done yet.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)


  • Press "Fix Checked"
  • Close HijackThis.

I want to track down that suspicious looking file and have it scanned.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    *ziswin*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Win32/Cryptor problem

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 18:04 on 04/05/2009 by exs149 (Administrator - Elevation successful)

========== filefind ==========

Searching for "*ziswin*"
C:\Documents and Settings\Default User\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [22:37 03/06/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\isdprofiler\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [22:25 03/06/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\uis403\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [13:09 22/07/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\uis595\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [13:45 04/08/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\WINDOWS\system32\nls\ENGLISH\ziswinr.dll --a--- 73728 bytes [05:14 08/06/2004] [05:14 08/06/2004] 10AA3E0FBC6305E87626D07496C8C0CC
C:\WINDOWS\system32\ziswin.chm --a--- 51973 bytes [16:14 06/04/2004] [16:14 06/04/2004] 5D9BFF40785BABB33D1A8E184991DA1A
C:\WINDOWS\system32\ZISWIN.EXE --a--- 184320 bytes [05:14 08/06/2004] [05:14 08/06/2004] 5A56E542B4E98E6196C9DAE02376550D
C:\ziswin.hst --a--- 1280 bytes [22:07 03/06/2008] [22:22 03/06/2008] C8B1C9F3E46DC2D06BC9320CC2CB903B

-=End Of File=-
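
Added example, not part of the original thread or of SystemLook: a small Python parser for the filefind log format shown above, which groups entries by MD5 and lists the binaries that are candidates for a multi-engine scan. The function names and the `RUNNABLE` extension set are assumptions; the sample is six of the eight result lines from the log.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Six of the eight result lines from the SystemLook log posted above.
SAMPLE_LOG = r"""
Searching for "*ziswin*"
C:\Documents and Settings\Default User\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [22:37 03/06/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\uis403\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [13:09 22/07/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\WINDOWS\system32\nls\ENGLISH\ziswinr.dll --a--- 73728 bytes [05:14 08/06/2004] [05:14 08/06/2004] 10AA3E0FBC6305E87626D07496C8C0CC
C:\WINDOWS\system32\ziswin.chm --a--- 51973 bytes [16:14 06/04/2004] [16:14 06/04/2004] 5D9BFF40785BABB33D1A8E184991DA1A
C:\WINDOWS\system32\ZISWIN.EXE --a--- 184320 bytes [05:14 08/06/2004] [05:14 08/06/2004] 5A56E542B4E98E6196C9DAE02376550D
C:\ziswin.hst --a--- 1280 bytes [22:07 03/06/2008] [22:22 03/06/2008] C8B1C9F3E46DC2D06BC9320CC2CB903B
-=End Of File=-
"""

# path, 6-char attribute field, size, two bracketed timestamps (the log does
# not label them, so they are kept as opaque strings), then an MD5.
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Assumption: which extensions count as directly runnable for triage purposes.
RUNNABLE = {".exe", ".dll", ".sys", ".scr", ".com"}

def parse_filefind(log_text):
    """Return one dict per file entry; headers and unparsable lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries

def triage(entries):
    """Group paths by MD5 and list binaries worth sending to a multi-engine scanner."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["md5"]].append(e["path"])
    duplicates = {h: p for h, p in by_hash.items() if len(p) > 1}
    to_scan = [e["path"] for e in entries
               if PureWindowsPath(e["path"]).suffix.lower() in RUNNABLE]
    return duplicates, to_scan

if __name__ == "__main__":
    print(triage(parse_filefind(SAMPLE_LOG)))
```

A shared MD5 only shows that the files have identical content; it says nothing about whether that content is benign.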

Re: Win32/Cryptor problem

Hello.
Please visit this website: Jotti online scanner

Press the browse button and locate this file in bold: C:\WINDOWS\system32\ZISWIN.EXE
Double click it for it to be selected.
Now hit the "Submit" button on the website.

Please wait for the scanners to do their job and the file will be tested by each scanner. Copy and paste the results back here.


Re: Win32/Cryptor problem

Hi again

Seems to think it is ok -

Scan taken on 04 May 2009 17:31:48 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Re: Win32/Cryptor problem

Yep, that looks fine. How is the machine running now?

You can delete all the tools we used.


Re: Win32/Cryptor problem

Hi Belahzur

Thanks for all your time and patience on this.

It seems to be running OK. Websites are opening with no problem again (that was the main problem originally) and I'm not having any trouble logging on. The only thing I have found is that when I run AVG it is finding loads of new cookies and tracking things each time (177 of them the last time) even though the only web pages I have been to are this one, the sites for downloads and google.

Dare I hope it is pretty much fixed and what do I need to do next?

Grom

Re: Win32/Cryptor problem

AVG really go over the top sometimes.

Tracking cookies are harmless, everyone has them.


Re: Win32/Cryptor problem

So is that me done then? Is there anything else I could/should be doing to avoid picking up anything similar?

Grom

Re: Win32/Cryptor problem

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.


Re: Win32/Cryptor problem

Hi Belahzur

Thank you SO much - you are an absolute STAR. I was anticipating having to save all my files onto flash drives and have the whole of Windows re-ghosted, but now I don't need to.

Still can't quite believe how good this site is, but I will definitely be recommending it to everyone from now on. The help has been clearly explained, quick and thorough. I know you must do this every day but believe me - it is such a great help and relief to non-technical types like myself to find this sort of support.

I have already downloaded Mozilla and the extra Anti-Spyware you recommend and will look into getting a firewall so hopefully I won't need to bother you again!

A huge thank you.

Grombags
