Here is some additional information from Ron Kinner (previous post):
I believe the reason AntiSpy can't get rid of it is that
it is attached to Explorer.exe (your desktop) which is
usually running when you run AntiSpy. The program also
saves copies of itself in the Temporary files. So try the
following:
First get ccleaner from ccleaner.com and install it.
Don't run it yet.
Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
Save it to C:\hjt (new folder) but don't run it yet either.
Finally get Pocket Killbox.
http://www.bleepingcomputer.com/files/killbox.php
Download it and extract it to C:\hjt
Boot into Safe Mode (F8) without networking.
Run ccleaner but on the first page uncheck the cookies and
the log files then press Run Cleaner. This guy hides
copies of himself in the temp files with .txt extensions
so we want to get rid of them first.
Start AntiSpy but don't tell it to do anything yet.
Start HijackThis but don't tell it to do anything yet.
Start Killbox the same way.
Right click on the clock and select Task Manager. Select
Processes tab.
Find and highlight explorer.exe and press End Process
(ignore the warning). This will make your desktop
disappear, but don't panic.
Check the other processes to see if any of the known bad
guys are running:
winstall.exe
on-line.exe
dropper.exe
In Task Manager, select Applications, highlight Killbox
and Switch To.
IF you saw any of the bad processes running: In the
killbox screen at the bottom right you will see a dropdown
list with a yellow triangle next to it. Press on the down
arrow to the left of the triangle to open the list. Find
and highlight any of the bad processes that are still
running and press the yellow triangle. It will tell you
that it is just stopped and not deleted. OK. Recheck to
make sure it is stopped.
Now copy and paste the following into the box below
Full Path of File To Delete:
c:\Windows\System32\winstall.exe
then press the red circle with the white x. It will try
to delete the file. IF it can, good, if it says it can't
then select the Delete on Reboot option and try again.
Repeat for
c:\Windows\System32\wininet32.dll
Go Back To Task Manager and Switch To HijackThis. Select
Scan Only and examine the output closely to see if any
entries mention
winstall.exe
on-line.exe
dropper.exe
wininet32.dll
Check any you find and then when all the bad guys are
checked, press Fix Checked.
Now Switch To AntiSpy:
Open Advanced Tools, System Explorers, Internet Explorer,
IE BHOs highlight and BLOCK anything you find there.
Repeat for System, Shell Extensions except leave anything
with a pretty yellow star. (Especially do not block
Shell32.dll).
Now under Scan Option make sure you have all three options
checked. Do a full Scan. If it finds anything on the
first pass, run ccleaner again with the same options as
before and then let it run a second time.
Go back to Task Manager and restore the desktop by File,
New Task (Run), explorer.exe, OK.
Reboot and run HijackThis, Scan and Save Log, and send me
the log. Put Hijack in the subject so I will know it's
not Spam.
Ron Kinner
(e-mail address removed)
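Added example, not part of Ron's post: the Task Manager / Killbox / HijackThis steps above, done from an elevated PowerShell prompt in Safe Mode. It only uses the process and file names Ron lists (winstall.exe, on-line.exe, dropper.exe, wininet32.dll). The System32 paths, the Run/RunOnce and Browser Helper Objects registry keys, and the use of MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT for "delete on reboot" are my assumptions about how to do the same job in script; Killbox may do it differently. The registry part only reports matches so you can review them the way you would a HijackThis log before fixing anything.

```powershell
# Added example (not from Ron Kinner's post). Run as Administrator in Safe Mode.
# Indicators are the names from the post; paths and registry keys are assumptions.

$BadProcesses = 'winstall', 'on-line', 'dropper'      # Get-Process names omit .exe
$BadFiles     = "$env:SystemRoot\System32\winstall.exe",
                "$env:SystemRoot\System32\wininet32.dll"
$Indicators   = 'winstall.exe', 'on-line.exe', 'dropper.exe', 'wininet32.dll'

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (0x4) is the documented Win32 way
# to have a locked file removed at the next boot (the "Delete on Reboot" idea).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

# Step 1: the Task Manager check. Kill any of the named processes still running.
function Stop-BadProcesses {
    foreach ($name in $BadProcesses) {
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "Stopping $($_.ProcessName) (PID $($_.Id)) from $($_.Path)"
            Stop-Process -Id $_.Id -Force
        }
    }
}

# Step 2: the Killbox step. Delete now; if the file is locked, schedule it for reboot.
function Remove-OrScheduleDelete([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { Write-Host "Not present: $Path"; return }
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        Write-Host "Deleted: $Path"
    } catch {
        if ([Win32.Native]::MoveFileEx($Path, $null, 0x4)) {
            Write-Host "Scheduled for deletion at next reboot: $Path"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "Could not delete or schedule $Path (Win32 error $err)"
        }
    }
}

# Step 3: the HijackThis review. List autostart entries and IE BHOs that
# mention the indicators. Report only; decide yourself what to remove.
function Find-IndicatorReferences {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata
            foreach ($ind in $Indicators) {
                if ("$($p.Value)" -like "*$ind*") {
                    Write-Host "Run entry: $key\$($p.Name) = $($p.Value)"
                }
            }
        }
    }
    # BHOs are registered by CLSID; resolve each to the DLL it loads into Explorer/IE.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        Get-ChildItem $bhoKey | ForEach-Object {
            $clsid = $_.PSChildName
            $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InProcServer32>' }
            $flag  = if ($Indicators | Where-Object { "$dll" -like "*$_*" }) { '  <-- matches indicator' } else { '' }
            Write-Host "BHO $clsid -> $dll$flag"
        }
    }
}

Stop-BadProcesses
foreach ($f in $BadFiles) { Remove-OrScheduleDelete $f }
Find-IndicatorReferences
```

Run it, then reboot so any scheduled deletions happen before Explorer comes back up. The BHO listing prints every registered BHO, not just suspicious ones, for the same reason Ron says to look at the whole HijackThis output: a hostile DLL can be registered under a CLSID with a harmless-looking name.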