How to get rid of Trojans and Malware that just won’t go away

Situation:
I have been using Avast to cross-check on 2 partitions run on Windows XP for the past few months. The pagefile.sys and hiberfile.sys in both partitions had been clean until recently. Even after numerous deletions of these files, the Trojans and Malware just won’t go away. I have also googled for other means of deletion without much luck, so I am hoping to get some good advice here and to get rid of these problem-makers once and for all.

Some people on the forums suggested ignoring the pagefile. However, when I was notified that I had win32.Horst-EY in my pagefile, it turned out to be true. Therefore, I’d rather be careful than sorry.

What I have been having in my pagefile are Win32.VB-BMA, Win32.Dialer-1382, Win32.Dialer-DW, and Win32.Exchanger-M. I don’t know if all of them reside in the pagefile at the same time or one at a time. They seem to take turns and reappear in the Avast! warning windows after it regenerates from the previously deleted pagefile. FYI, the Trojans that I had in the pagefile shortly before the saga were Win32.SdBit-gen28, Win32.RPCexploit, and Win32.Horst-EY.

As for hiberfile.sys, Zipper-2778 is what I have in hand. I read the instruction posted in this forum but couldn’t quite understand how to remove the worm.

What has been done:

  • all the software and anti-virus software are up to date
  • used Spyware Terminator and SuperAntiSpyware to scan both partitions without finding anything
  • used SDFix to remove Trojans, but it didn’t catch any
  • did Disk Cleanup
  • disabled hibernation in the Display settings and turned it back on after reboot to reset hiberfile.sys
  • turned off System Restore and unplugged the internet connection before deleting the infected files (many times)
  • created a HijackThis log, attached here

Any suggestions?

Er, yeah: ignore pagefile.sys and hiberfile.sys.

If you have an active infection, the file will be detected elsewhere.

Firstly, I am not formally trained in these logs.
However, the entry

O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://F:\components\hidinputmonitorx.ocx
is suspicious, and I have seen at least 3 posts by helpers on other forums to get rid of it.
(It’s an ActiveX control, in the Downloaded Program Files folder of your browser.)

To get rid of it, either delete it from its folder, or scan again with HijackThis - without the log this time - and on completion place a tick in the checkbox beside it (and only that one) and select “fix selected”.

SuperAntiSpyware has an excellent reputation. Another with a similar reputation is Malwarebytes Anti-Malware (MBAM): http://www.malwarebytes.org/mbam.php. Recommended.

There is a simple registry modification that will cause Windows to delete the page file at every shutdown, if you want that. Makes shutdown take a minute or two longer. But as said above, it probably isn’t necessary; it is the file on your computer that is infecting the swap (page) file, unlikely to be the other way around.

As an observation, you have a lot of processes starting with Windows that probably don’t need to. It’s your choice, but having that number will be making startup and general program opening speed a little slower.

I’m not a big fan of toolbars, but if you are happy with Crawlers’ offering, might as well hang on to it. It indicates you have Web Security Guard - a component of SpywareTerminator (once again, not a fan) active. You also have SiteAdvisor active. Personally I think that’s heading into overkill territory.

Hope that helps a bit. Or even a lot.
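The registry change Tarq 57 alludes to, as an added example that is not part of the thread: the value is ClearPageFileAtShutdown under the Memory Management key, shown here as a batch file to be run from an administrator command prompt.

```batch
@echo off
rem Added example, not from the thread. Shows the current setting and then
rem enables wiping of pagefile.sys at shutdown. Run as an administrator.
set KEY=HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

echo Current setting (missing or 0 = pagefile kept; 1 = wiped at shutdown):
reg query "%KEY%" /v ClearPageFileAtShutdown

rem Enable wiping. Takes effect at the next shutdown and, as noted above,
rem makes every shutdown take noticeably longer on a large pagefile.
reg add "%KEY%" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f

echo New setting:
reg query "%KEY%" /v ClearPageFileAtShutdown
```

To revert, run the same reg add with /d 0; it does nothing about whatever file is writing the detected content into the pagefile, which is the point Tarq 57 makes.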

Thanks for the reply.

I just find it odd that if my pagefile.sys and hiberfile.sys were clean before, what may have caused them to be detected with Trojans and malware, and how can these files be returned to a bug-free state?

Also, anti-virus and anti-spyware may not screen some parts of the computer where the Trojans and malware reside, because the anti-malware software does not cover these areas, because of the preference settings on the anti-malware software, or because the files/programs are in use/being protected.

it is the file on your computer that is infecting the swap (page) file
I agree with what Tarq 57 said. Therefore, I am still interested in getting more feedback from the experts here in this forum.

BTW, I used CleanST for Zipper-2778 but it couldn’t detect anything. I have also cleaned my Java cache just in case.

O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://F:\components\hidinputmonitorx.ocx
F:\ is a DVD drive, so do I still need to delete it?