read & run me first procedure

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by triplenelson, Oct 29, 2006.

  1. triplenelson

    triplenelson Private E-2

    Hi, in the last few days I've been attacked by this "Trojan horse dialer.28.a", as AVG detected it. It was constantly sending information over the internet. I sent it to quarantine several times but it kept reappearing, so I decided to follow this procedure "READ & RUN ME FIRST before..." and I am sure I haven't missed any steps. When I ran Spybot, it was unable to delete some Altnet file from the registry and it appears as a potential damage. Then I had to run CounterSpy twice because I realized that I had not updated the first time, but anyway I'll be attaching both logs if it's OK.
    I think it stopped transferring information by itself when I connect to the internet, which can be a good sign. However, I noticed that my printer has been uninstalled, and the last time I restarted my PC an error appeared (winlogon.exe) because it couldn't find a file called sfc_os.dll; I believe they might have been deleted when fixing files in these previous steps.
    I don't understand how the attachments work; should I add them to other posts or what? I have 7 to send, but only 3 are allowed, so what am I supposed to do?
    I would appreciate it if someone could help me out with all these problems.
     
  2. triplenelson

    triplenelson Private E-2

    I'm attaching the files anyway, in case someone would like to help me.
     

    Attached Files:

  3. triplenelson

    triplenelson Private E-2

    Here are some more...
     

    Attached Files:

  4. triplenelson

    triplenelson Private E-2

    And the last one...
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Well you did forget to attach your HijackThis log, but I don't think it will show us anything.

    Try the below:

    Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    I doubt this is related to anything done while running the READ ME, but malware can cause any number of problems.

    The sfc_os.dll file was detected as being infected by Panda ActiveScan; however, it said that it disinfected the file. It did not say that it deleted the file. Check in your G:\Windows\System32 folder to see if the file is there.

    Did you recently (on October 28th) update or change files in your Windows OS? I see the below new versions of ftp.exe and tftp.exe in your system32 folder.
    Code:
    G:\WINDOWS\system32\
    ftp.exe       28 Oct 2006       43520  "ftp.exe"
    tftp.exe      28 Oct 2006       17920  "tftp.exe"
    
     
    Last edited: Nov 1, 2006
  6. triplenelson

    triplenelson Private E-2

    Hi! Thanks for writing back.
    You're right, I forgot to attach the HJT log, I see I've made a mistake :eek: I'm sorry for that, I'm attaching it now.
    I copied the bold text and followed the instructions, that's done, but what's that for exactly?
    About the printer, should I install it again? I suppose it's the only solution...
    I checked in G:\Windows\System32, but there was no sfc_os.dll, whereas ftp.exe and tftp.exe both appeared in the folder, modified on 28 Oct 2006, but I don't remember having updated or anything. What can I do about that?
    Finally, I forgot to tell you that my PC is running rather slower than before, especially when Windows starts; it takes ages to finish opening all the programs.
    Well, I think that's all. I'm waiting for your reply.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you did not give exactly what Spybot found, I took a guess at what it may have seen. This is a typical item it may find for Altnet in the registry. What I gave you is a registry patch that attempts to delete the registry key if it exists.


    Yes you should try that.

    You can get a copy here: free dll files - download sfc_os.dll


    Paste the below file list into the program given in this procedure: Using GetDetails
    Then attach the log that is created back here as an attachment.


    I'm not sure it is malware. Let's try another scan.

    Please run the below procedure and attach the requested log:

    Using Sophos Anti-Rootkit


    I will be away for 9 days! Hopefully one of the other helpers here can continue to help you! Or you will have to wait until I get back!
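    The two checks chaslang asks for above, the dated listing of ftp.exe and tftp.exe in system32 (post 5) and the GetDetails-style file list (post 7), come down to one triage step: enumerate the executables in a folder that changed after a given date and record their size and a hash so they can be compared or looked up. The script below is an added, portable example of that step; it is not the GetDetails or ShowNew tool from the READ & RUN ME, and the folder it scans in the demo is a constructed temporary directory containing a file named ftp.exe, not the real system32. The extension list and the date format are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Extensions worth listing in a triage of a Windows system folder (assumed list).
TRIAGE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr")


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def recent_files(root, since, ext=TRIAGE_EXT):
    """Return (relative path, mtime as 'DD Mon YYYY' UTC, size, sha256) for every
    file under `root` with a matching extension modified at or after `since`
    (an aware datetime). Sorted by path so two runs can be diffed."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:  # file vanished or unreadable: skip it, do not abort the scan
                continue
            if st.st_mtime >= cutoff:
                when = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                hits.append((os.path.relpath(full, root),
                             when.strftime("%d %b %Y"),
                             st.st_size,
                             sha256_of(full)))
    return sorted(hits)


def format_report(root, hits):
    """Render hits in the same shape as the listing quoted in the thread."""
    lines = [root + os.sep]
    for rel, when, size, digest in hits:
        lines.append(f"{rel:<14}{when:<14}{size:>8}  sha256={digest}")
    return "\n".join(lines)


def demo_tempdir(days=7):
    """Constructed input: a temp folder with one fresh file named ftp.exe and one
    30-day-old DLL. Returns (folder, hits for the last `days` days)."""
    root = tempfile.mkdtemp(prefix="triage_")
    new = os.path.join(root, "ftp.exe")
    old = os.path.join(root, "old.dll")
    with open(new, "wb") as f:
        f.write(b"MZ constructed new binary")
    with open(old, "wb") as f:
        f.write(b"MZ constructed old binary")
    past = (datetime.now(timezone.utc) - timedelta(days=30)).timestamp()
    os.utime(old, (past, past))  # back-date the DLL so it falls outside the window
    since = datetime.now(timezone.utc) - timedelta(days=days)
    return root, recent_files(root, since)


if __name__ == "__main__":
    root, hits = demo_tempdir()
    print(format_report(root, hits))
```

Run it against a real folder with `recent_files(r"G:\WINDOWS\system32", datetime(2006, 10, 27, tzinfo=timezone.utc))`; a modification date alone does not prove tampering (Windows Update rewrites system32 binaries too), which is why the hash is recorded so the file can be checked against a known-good copy.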
     
  8. triplenelson

    triplenelson Private E-2

    Well, what a coincidence! I'll be away too, but only for the weekend; on Monday I'm back again.

    Returning to our business, I have a few items to comment on:

    1. I've scanned the computer again with Spybot and CounterSpy, just to check if everything was normal, and while Spybot concluded there were no problems, CounterSpy keeps finding that dialer that's driving me mad (I've attached the log if you want to take a look); I don't know where it comes from. When AVG detected "Trojan Horse Dialer.28.a", they were the same kind of files reappearing.

    2. I tried to reinstall the printer (remember I said that it was working normally but suddenly, while I was doing the scans for my first post, I realized it had disappeared) but the computer doesn't recognize it as new hardware. Any ideas?

    3. I've attached both logs you requested.

    4. With regard to the speed, I just wanted to let you know that it also started after all these scans, so I guess something must have been deleted...

    5. If you need more information, please just ask.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a problem! It is just in system restore which will be cleaned by our final steps that I will give below following some additional steps to help speed things up and to fix one more malware item.

    Since I will not be around and this is not really a malware problem, you would be better off working this in the Hardware Forum.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to LSA Shel
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Export Version into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [QuickTime Task] "G:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "G:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "G:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = H:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm

    After clicking Fix, exit HJT.

    Now reboot in normal mode.

    Delete the below files if found:
    G:\WINDOWS\lsass.exe
    G:\WINDOWS\system32\ftp.exe
    G:\WINDOWS\system32\tftp.exe


    Attach a new HJT log so we can double check that everything was removed.

    Final steps given below (since I will be gone) assuming you are not having anymore problems!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
    Last edited: Nov 4, 2006
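    The file chaslang has deleted above, G:\WINDOWS\lsass.exe, illustrates a pattern worth checking for automatically: a binary that borrows the name of a core Windows process (lsass.exe, svchost.exe, winlogon.exe and so on) but sits somewhere other than %SystemRoot%\system32, where the real one lives. The check below is an added example written for this page, not a tool from the thread; the list of core process names is an assumed, non-exhaustive set, and the sample paths are constructed (the stray lsass.exe path is the one named in the post, the others are legitimate entries that must not be flagged). It uses `ntpath` so it runs on any platform against a pasted list of paths.

```python
import ntpath

# Core Windows processes that legitimately run only from %SystemRoot%\system32.
# Assumed, non-exhaustive list for this example.
CORE_SYSTEM32 = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe",
                 "smss.exe", "svchost.exe", "spoolsv.exe"}


def flag_masquerades(paths, system_root):
    """Return the paths whose file name is a core system process but whose
    folder is not <system_root>\\system32. Comparison follows Windows rules:
    case-insensitive, and '/' is treated the same as '\\'."""
    legit_dir = ntpath.normcase(ntpath.join(system_root, "system32"))
    flagged = []
    for p in paths:
        folder, base = ntpath.split(p)
        if ntpath.normcase(base) in CORE_SYSTEM32 and ntpath.normcase(folder) != legit_dir:
            flagged.append(p)
    return flagged


# Constructed sample: the stray G:\WINDOWS\lsass.exe from the thread, a
# deliberately planted svchost.exe in a subfolder, and legitimate files.
SAMPLE_PATHS = [
    r"G:\WINDOWS\lsass.exe",
    r"G:\WINDOWS\system32\lsass.exe",
    r"G:\WINDOWS\System32\svchost.exe",
    r"G:\WINDOWS\system32\ftp.exe",
    r"G:\Archivos de programa\QuickTime\qttask.exe",
    r"G:\WINDOWS\system32\drivers\svchost.exe",
]


if __name__ == "__main__":
    for p in flag_masquerades(SAMPLE_PATHS, r"G:\WINDOWS"):
        print("SUSPECT (core process name outside system32):", p)
```

Feed it the full-path column of a process or file listing (for example every `O4` entry from a HijackThis log) and the `system_root` for the machine in question, which here is G:\WINDOWS rather than the usual C:\WINDOWS. A hit is a reason to inspect the file, not proof on its own, but a second lsass.exe outside system32 has no legitimate explanation.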
  10. triplenelson

    triplenelson Private E-2

    The HJT logs attached at the bottom correspond to the steps mentioned above: before fixing and after deleting the last files, respectively. I am waiting for a response before moving on to the final items also mentioned in the message above. I would like to know whether everything is OK or there's something missing.
    Finally, I wanted to know if it is necessary for me to keep CounterSpy installed on my PC. I can notice how much it is slowing things down, so I was considering removing it (it will expire in a few days anyway) and instead using only Spybot, AVG and some firewall.
     

    Attached Files:

    Last edited: Nov 7, 2006
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean now, so you need to complete the other steps!

    Yes, you can uninstall CounterSpy since it is of no use after the trial period. However, you do need to have a full realtime spyware blocking tool installed, which will have an impact on performance. This is a necessary price to pay for your security. It is the same thing that happens when an antivirus program or firewall is installed. They each have an impact. If you do not want to buy a realtime blocker, you can try the TeaTimer function of Spybot, but it has been troublesome for many people. Another alternative (but it is not as up to date or comprehensive as new programs) is to use SpywareGuard, which is mentioned in the "How to protect" link I gave you.
     
  12. triplenelson

    triplenelson Private E-2

    Well, I'm back.
    First of all, thanks for all your help, I really appreciate it.
    Secondly, I wanted to know if SpywareGuard is actually useful since the last updates are about 3 years old. I was thinking about using only Spybot, activating the Immunizer but not TeaTimer; do you think it'll be enough? How about SpywareBlaster?
    In addition to this, I activated Windows Updates and everything was working normally, but today when I connected to the internet it started downloading things and my disk (where Windows is installed) is full, and it wasn't a couple of days ago. I ran Spybot and AVG and they found no problem, so I disabled the updates; however, it continues downloading every time I connect. I looked in ZoneAlarm and there appears "Generic Host Process for Win32 Services Listening to port(s): TCP: 1025,3002,3003 UDP: 1026 (Trusted Zone Only)" flashing, and next to it "Generic Host Process for Win32 Services". I'm rather worried about this, and I wanted to know if there's anything I can do about it.
    Now, after writing all this, I looked at my disk to tell you the numbers, but now it's not as full as the previous time; I now have 650MB left while there were less than a hundred the time before. All I did was disable the updates. This machine is crazy!! It's still downloading...
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not the same kind of program as other antispyware programs and does not require updates as often however as I said in my previous message, it is also not as comprehensive a checker/blocker since so much has changed in the malware world.

    Inadequate!!! YOU MUST HAVE a realtime blocker. You must buy one or you must use one of the free ones. Even when you do add a realtime blocker, you should still use BOTH SpywareBlaster and Spybot with its SDHelper and Immunizer.

    You could give one of the below free tools a try for realtime blocking and see how you like them:

    Arovax Shield

    Spyware Terminator


    This is svchost.exe which is part of your Windows OS. If you block it from having access to the internet there will be a whole load of things that will not work. ZoneAlarm will block any non-required ports by default. Like TCP Port 1025 which is commonly used for Microsoft Remote Procedure Call (RPC) service.



    If you are running in the area of only having 1000 Mb or less diskspace free then you need to cleanup and get more diskspace. Windows requires lots of free space for temporary files and caching. Many programs require temp space too. Not having enough will just slow everything you do down.
     
    Last edited: Nov 25, 2006
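    The ZoneAlarm alert quoted two posts up ("Generic Host Process for Win32 Services listening on TCP 1025, 3002, 3003 and UDP 1026") and chaslang's reply that this is svchost.exe and that 1025 is a common RPC port point to the right triage question: not "which ports are open" but "which process image owns each network-reachable listener, and is that image one you expect". The script below is an added example, not something from the thread or from ZoneAlarm: it parses the output format of `netstat -ano` on Windows XP (constructed sample lines, including the ports from the alert), joins each socket to its process image through a constructed PID-to-path map (which on a real machine would come from `tasklist`), and reports listeners that are exposed beyond loopback and not owned by an expected system host. The expected-host set and the extra entries for PID 2000 are assumptions made for the demo; the thread does not say the stray lsass.exe owned any socket.

```python
# Constructed sample in the shape of `netstat -ano` on Windows XP.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1000
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1000
  TCP    127.0.0.1:3002         0.0.0.0:0              LISTENING       1000
  TCP    0.0.0.0:3003           0.0.0.0:0              LISTENING       1000
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2000
  TCP    192.168.1.5:1031       10.0.0.9:80            ESTABLISHED     1500
  UDP    0.0.0.0:1026           *:*                                    1000
"""

# Constructed PID -> image map (from `tasklist` on a real machine). The entry
# for PID 2000 is an assumption for the demo, not a fact from the thread.
PID_TO_IMAGE = {
    1000: r"G:\WINDOWS\system32\svchost.exe",
    1500: r"G:\Archivos de programa\Internet Explorer\iexplore.exe",
    2000: r"G:\WINDOWS\lsass.exe",
}

# Images that are expected to own listening sockets on this box (assumed set,
# lower-cased full paths; note the real lsass.exe lives in system32).
EXPECTED_HOSTS = {
    r"g:\windows\system32\svchost.exe",
    r"g:\windows\system32\lsass.exe",
    r"g:\windows\system32\services.exe",
}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts. TCP rows carry a state column;
    UDP rows do not, so the two shapes are handled separately."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, _foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, _foreign, pid = parts
            state = "UDP"  # connectionless: no state column
        else:
            continue  # malformed row: skip rather than guess
        addr, _, port = local.rpartition(":")  # rpartition also copes with [::]:135
        records.append({"proto": proto, "addr": addr, "port": int(port),
                        "state": state, "pid": int(pid)})
    return records


def flag_listeners(records, pid_to_image, expected_hosts):
    """Return (proto, addr, port, pid, image) for sockets that are listening,
    reachable from off-host, and owned by an image outside `expected_hosts`."""
    flagged = []
    for r in records:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue  # outbound/established connections are a different question
        if r["addr"] in LOOPBACK:
            continue  # only this machine can reach it
        image = pid_to_image.get(r["pid"], "<unknown pid>")
        if image.lower() not in expected_hosts:
            flagged.append((r["proto"], r["addr"], r["port"], r["pid"], image))
    return flagged


if __name__ == "__main__":
    recs = parse_netstat(NETSTAT_SAMPLE)
    for hit in flag_listeners(recs, PID_TO_IMAGE, EXPECTED_HOSTS):
        print("REVIEW:", hit)
```

Against the sample, the four sockets owned by the legitimate svchost.exe (135, 1025, 3003 and UDP 1026) are accepted because the image is expected, the loopback-only 3002 is ignored, and only the listener owned by the out-of-place lsass.exe is reported. That is the same conclusion chaslang reaches by hand: the port numbers ZoneAlarm shows are ordinary RPC endpoints, and blocking svchost.exe wholesale breaks Windows, so the process image is what decides.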
