
Help....weird windows error message....


  • This topic is locked
20 replies to this topic

#1 greenandgold
New Member, Authentic Member, 10 posts

Posted 06 March 2006 - 06:48 AM

OK, help!!
Using my computer today and Internet Explorer just dies on me... then this bubble comes up: (image)

Has anyone had this happen before? Short of reinstalling Windows, is there anything I can do? I've bought (yes, bought! It pisses me off as much as you, don't worry) a brand new spyware program and run it, and cleaned all the spyware stuff off my comp; found a couple of trojans too at the same time, which I cleaned...

Umm, here's my log. Please someone help, this is driving me nuts:

Logfile of HijackThis v1.99.1
Scan saved at 11:37:24 PM, on 6/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\winstall.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Evan James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toxicrabbit.com/phpBB2
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Mtoakcnp] C:\Program Files\Popwih\Egxsk.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\Evan James\order_vsnl.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\EVANJA~1\LOCALS~1\Temp\21.tmp
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E965EFEE-7B24-45BA-B0B4-858BF04C8D11}: NameServer = 203.2.75.132,198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: ubtlbr - {74BE0751-36B5-4318-8BF9-6F0F5A4C9BE3} - ubtlbr.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe (file missing)
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe (file missing)
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 Susan528
SuperMember, Authentic Member, 3,194 posts

Posted 06 March 2006 - 02:15 PM

Hello and Welcome Greenandgold to Tom Coyote,

Please do the following:

STEP 1.
======
Cleanmgr
To clean temporary files:
  • Go > start > run and type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.
Smitfraud Fix

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [Mtoakcnp] C:\Program Files\Popwih\Egxsk.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\Evan James\order_vsnl.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\EVANJA~1\LOCALS~1\Temp\21.tmp
O21 - SSODL: ubtlbr - {74BE0751-36B5-4318-8BF9-6F0F5A4C9BE3} - ubtlbr.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\winstall.exe<==file
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe<==file
C:\Program Files\Popwih\Egxsk.exe<==file
C:\Documents and Settings\Evan James\order_vsnl.exe<==file
Exit Explorer.
Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis log, the contents of smitfiles.txt and the Ewido log, by using Add Reply.
Let us know if any problems persist.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.
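A log-triage heuristic in Python, added here as an example and not part of the thread or of HijackThis: it reads F2/O4/O21 lines like the ones in the log above and flags the autostart patterns the helper picked out (Shell= launching a second program, Run entries in the drive root, a Temp directory or the profile root, and an SSODL DLL that is missing). The sample lines are copied from this thread's log; the extension list, the imitation-name list and the reason wording are my own assumptions.

```python
"""HijackThis F2/O4/O21 triage heuristics (added example, not a HijackThis feature).
Sample lines below are copied from the log posted earlier in this thread."""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Mtoakcnp] C:\Program Files\Popwih\Egxsk.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\Evan James\order_vsnl.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\EVANJA~1\LOCALS~1\Temp\21.tmp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O21 - SSODL: ubtlbr - {74BE0751-36B5-4318-8BF9-6F0F5A4C9BE3} - ubtlbr.dll (file missing)
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<value>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: .*\(file missing\)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|tmp|bat|com|scr|pif))\b", re.IGNORECASE)
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)
PROFILE_ROOT_RE = re.compile(
    r"^[a-z]:\\(?:documents and settings|docume~1)\\[^\\]+\\[^\\]+$", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Assumed (constructed) lists: extensions normal for an autostart entry, and
# Run value names that imitate Windows components.
NORMAL_EXT = {".exe", ".com", ".scr"}
MIMIC_NAMES = {"shell", "windows installer"}


def run_target(value: str) -> str:
    """Program path from the text after '[name] ' in an O4 line."""
    value = value.strip()
    if value.startswith('"'):                  # quoted path, arguments may follow
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = EXE_RE.match(value)                    # unquoted path, possibly with spaces
    return m.group(1) if m else value.split(" ")[0]


def shell_extras(value: str) -> List[str]:
    """Programs the Winlogon Shell value launches besides explorer.exe."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(value)]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def judge_o4(name: str, path: str) -> List[str]:
    """Location and naming heuristics for one Run entry; [] means nothing odd."""
    low = path.lower()
    reasons = []
    if ROOT_RE.match(path):
        reasons.append("program sits in the root of the drive")
    if "\\temp\\" in low:
        reasons.append("program runs from a Temp directory")
    if PROFILE_ROOT_RE.match(path):
        reasons.append("program sits directly in the user profile root")
    ext = low[low.rfind("."):] if "." in low else ""
    if ext not in NORMAL_EXT:
        reasons.append(f"unusual extension {ext!r} for an autostart entry")
    if name.lower() in MIMIC_NAMES:
        reasons.append(f"value name {name!r} imitates a Windows component")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Flag F2/O4/O21 lines worth a closer look, with the reasons for each."""
    findings: List[Dict[str, object]] = []
    hijacked = set()                           # programs wired into Shell=
    run_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := F2_RE.match(line)):
            extras = shell_extras(m.group("value"))
            if extras:                         # Shell= should be exactly explorer.exe
                hijacked.update(p.lower() for p in extras)
                findings.append({"line": line, "reasons": [
                    "Winlogon Shell launches extra program(s): " + ", ".join(extras)]})
        elif (m := O4_RE.match(line)):
            run_entries.append((line, m.group("name"), run_target(m.group("value"))))
        elif O21_RE.match(line):
            findings.append({"line": line, "reasons": [
                "SSODL entry whose DLL is not on disk: leftover, or a file hidden from the scanner"]})
    # Second pass so every Run entry can be cross-checked against Shell=.
    for line, name, path in run_entries:
        reasons = judge_o4(name, path)
        if path.lower() in hijacked:
            reasons.append("same program is also wired into the Winlogon Shell value")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Note what is NOT flagged: [Mtoakcnp] C:\Program Files\Popwih\Egxsk.exe passes these
    # rules; only a reputation lookup or an experienced eye catches its random name.
    for f in triage(SAMPLE_LOG):
        print(f["line"] + "".join("\n   -> " + r for r in f["reasons"]))
```

The heuristics assist a reviewer rather than replace one: the Egxsk.exe entry the helper asked to remove passes every rule here because it lives under Program Files with a plausible extension.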

#3 greenandgold
New Member, Authentic Member, 10 posts

Posted 06 March 2006 - 11:41 PM

Wow! Thanks SO much! That weird thing has gone!!

I'm thinking there might be a few problems left because of the results from Panda, but I'm not the most computer-literate person ever.
Here are the results, and thanks again!

Panda:

Incident Status Location

Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Evan James\Application Data\tvmknwrd.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Evan James\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Evan James\Desktop\smitRem.exe[Process.exe]
Adware:adware/secure32 Not disinfected C:\WINDOWS\country.exe
Adware:adware/wupd Not disinfected C:\WINDOWS\system32\ap9h4qmo.ini
Adware:adware/sahagent Not disinfected C:\WINDOWS\system32\bqrufs5f.dat
Virus:Trj/Goldun.HF Disinfected C:\WINDOWS\system32\nclabydll.dll
Adware:Adware/nCase Not disinfected C:\WINDOWS\system32\saie322.dll
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\scmt16.exe
Virus:Trj/Downloader.AZI Disinfected C:\WINDOWS\system32\TdABS273.dll
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
Spyware:spyware/adclicker Not disinfected C:\WINDOWS\usta32.ini


Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:16 PM, on 7/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Evan James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toxicrabbit.com/phpBB2
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Mtoakcnp] C:\Program Files\Popwih\Egxsk.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\Evan James\order_vsnl.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\EVANJA~1\LOCALS~1\Temp\21.tmp
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E965EFEE-7B24-45BA-B0B4-858BF04C8D11}: NameServer = 203.2.75.132,198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: ubtlbr - {74BE0751-36B5-4318-8BF9-6F0F5A4C9BE3} - ubtlbr.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe (file missing)
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe (file missing)
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


smitfiles.txt:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:57:01 PM, 7/03/2006
+ Report-Checksum: C5CAFB18

+ Scan result:

:mozilla.7:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Evan James\Application Data\Mozilla\Firefox\Profiles\nxlhnfo5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Evan James\Desktop\New Folder (2)\pics\funny pics\eppasses.zip/eppasses/SeaPheonix_tvmk46Om3ICM.exe -> Dropper.Agent.pd : Cleaned with backup
C:\Documents and Settings\Evan James\Desktop\New Folder (2)\shortcuts\Unused Desktop Shortcuts\WorldPokerChampionship-dm.exe -> Adware.Trymedia : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Logger.Small.dg : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
C:\Program Files\ISTbar -> Adware.ISTBar : Cleaned with backup
C:\Program Files\ISTbar\imagemap_normal.bmp -> Adware.ISTBar : Cleaned with backup
C:\Program Files\ISTbar\imagemap_over.bmp -> Adware.ISTBar : Cleaned with backup
C:\Program Files\ISTbar\version.txt -> Adware.ISTBar : Cleaned with backup
C:\Program Files\ISTbar\xml_istbar.xml -> Adware.ISTBar : Cleaned with backup
C:\unzipped\eppasses\eppasses\SeaPheonix_tvmk46Om3ICM.exe -> Dropper.Agent.pd : Cleaned with backup
C:\WINDOWS\kl1.exe -> Dropper.Small.amd : Cleaned with backup
C:\WINDOWS\system32\drivers\sysbus32.sys -> Not-A-Virus.SpamTool.Win32.Mailbot.as : Cleaned with backup
C:\WINDOWS\system32\PreInstaller_p1.exe -> Downloader.Keenval.o : Cleaned with backup


::Report End

#4 Susan528
SuperMember, Authentic Member, 3,194 posts

Posted 07 March 2006 - 08:32 AM

Hello greenandgold,

I am sorry. You have some very nasty things on your computer. I am very interested in the results from the Blacklight beta. Please do the following:

STEP 1
======
Blacklight

Download Blacklight Beta from here:
http://www.f-secure....light/try.shtml
  • Hit I accept. It will take you to download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number
Please post contents of log.

STEP 2
======
Delete Files with Killbox

Download Pocket Killbox from http://www.downloads...org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\Documents and Settings\Evan James\Application Data\tvmknwrd.dll
C:\Documents and Settings\Evan James\Desktop\smitRem\Process.exe
C:\Documents and Settings\Evan James\Desktop\smitRem.exe
C:\WINDOWS\country.exe
C:\WINDOWS\system32\ap9h4qmo.ini
C:\WINDOWS\system32\bqrufs5f.dat
C:\WINDOWS\system32\nclabydll.dll
C:\WINDOWS\system32\saie322.dll
C:\WINDOWS\system32\scmt16.exe
C:\WINDOWS\system32\TdABS273.dll
C:\WINDOWS\uniq
C:\WINDOWS\usta32.ini
C:\winstall.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Popwih\Egxsk.exe


In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.

#5 greenandgold
New Member, Authentic Member, 10 posts

Posted 09 March 2006 - 02:32 AM

I am sorry. You have some very nasty things on your computer.


Hehehe, always a good sign when you read this.....
OK, done and done...
Hopefully this is a good result!
Here are the results from Blacklight:


03/09/06 18:37:01 [Info]: BlackLight Engine 1.0.33 initialized
03/09/06 18:37:01 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/09/06 18:37:01 [Note]: 7019 4
03/09/06 18:37:01 [Note]: 7005 0
03/09/06 18:37:07 [Note]: 7006 0
03/09/06 18:37:10 [Note]: 7011 832
03/09/06 18:37:10 [Note]: FSRAW library version 1.7.1015
03/09/06 19:14:26 [Note]: 7007 0

#6 Susan528
SuperMember, Authentic Member, 3,194 posts

Posted 09 March 2006 - 09:14 AM

Hello greenandgold,

Let’s continue the clean-up. I am relieved to see you have no rootkits from the Blacklight beta. Please do the following:

To clean temporary files:
  • Go > start > run and type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.
Scan with HijackThis running. Place a check against each of the following:
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\EVANJA~1\LOCALS~1\Temp\21.tmp
O21 - SSODL: ubtlbr - {74BE0751-36B5-4318-8BF9-6F0F5A4C9BE3} - ubtlbr.dll (file missing)

Close all windows and browsers except Hijackthis. Click on Fix Checked and exit HijackThis.

Delete Files with Killbox

Download Pocket Killbox from http://www.downloads...org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\Documents and Settings\Evan James\Application Data\tvmknwrd.dll
C:\WINDOWS\country.exe
C:\WINDOWS\system32\ap9h4qmo.ini
C:\WINDOWS\system32\bqrufs5f.dat
C:\WINDOWS\system32\saie322.dll
C:\WINDOWS\system32\scmt16.exe
C:\WINDOWS\uniq
C:\WINDOWS\usta32.ini
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\winstall.exe


In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.

Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.

Please post the results from Kaspersky and a new HijackThis log.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#7 greenandgold (New Member, Authentic Member, 10 posts)
Posted 10 March 2006 - 08:00 AM

Ok, here's the new stuff... I think we're getting better... I hope!
Umm, the HijackThis files you told me to fix weren't there and neither were the files from Killbox...
But here's the stuff you asked for... I owe you big time for this!! Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 12:54:58 AM, on 11/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Razer\razertra.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Evan James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toxicrabbit.com/phpBB2
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E965EFEE-7B24-45BA-B0B4-858BF04C8D11}: NameServer = 203.2.75.132,198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe (file missing)
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe (file missing)
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 11, 2006 12:54:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 10/03/2006
Kaspersky Anti-Virus database records: 170184
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 77017
Number of viruses found: 14
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 00:58:35

Infected Object Name / Virus Name / Last Action
C:\!KillBox\scmt16.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\Documents and Settings\Evan James\Local Settings\Application Data\Identities\{195D870C-CF44-4FA4-A51D-BE786622577A}\Microsoft\Outlook Express\ebaypaypal.dbx/[From eBay Inc <custservice_id_2320687356@ebay.com>][Date Fri, 21 Oct 2005 16:37:23 -0700]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Evan James\Local Settings\Application Data\Identities\{195D870C-CF44-4FA4-A51D-BE786622577A}\Microsoft\Outlook Express\ebaypaypal.dbx Mail MS Outlook 5: infected - 1 skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP441\A0051304.exe Infected: Backdoor.Win32.Haxdoor.fq skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP442\A0051587.exe Infected: Trojan-Downloader.Win32.Tiny.al skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054514.exe Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054760.exe Infected: not-virus:Hoax.Win32.Renos.bp skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054761.EXE Infected: Trojan-Downloader.Win32.Small.wk skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054763.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054764.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054765.exe Infected: Trojan-Dropper.Win32.Mudrop.o skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054766.exe Infected: Trojan-Dropper.Win32.Small.amd skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054767.sys Infected: SpamTool.Win32.Mailbot.as skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054768.exe/data0001 Infected: Trojan-Downloader.Win32.Keenval.o skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054768.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054777.dll Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP445\A0055878.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\unzipped\eppasses\eppasses\Hit rear.exe Infected: Trojan.Win32.VB.sq skipped
C:\WINDOWS\system32\ubtlbr.dll Infected: Backdoor.Win32.Small.jg skipped

Scan process completed.


Grrrr bloody viruses!! You'd think ZoneAlarm would pick them up!

#8 Susan528 (SuperMember, Authentic Member, 3,194 posts)
Posted 10 March 2006 - 08:30 AM

Hello greenandgold,

You are making progress. I will study and prepare but I need to warn you.

Trj/Goldun.HF Disinfected C:\WINDOWS\system32\nclabydll.dll
http://www.xblock.co...how.php?id=1964

Trojan, aka Trojan Horse: A Trojan is a software program that enables an attacker to get nearly complete control over an infected PC. Frequently used as a tool by malicious hackers. When this program executes, it performs a specific set of actions, usually working toward the goal of allowing the trojan to survive on a system and open up a backdoor.


C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Logger.Small.dg
http://www.sophos.co...trojdelflj.html

Steals information
Downloads code from the internet
Records keystrokes
Installs itself in the Registry


I urge you to protect your personal information. If you use this system for any financial transactions, go to your bank or credit card company etc. and alert them to your situation. Change all that information so that others do not have access to your accounts, and do not use this system for any transactions until you are clean. To change passwords, etc. you need to do it from another computer.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

#9 Susan528 (SuperMember, Authentic Member, 3,194 posts)
Posted 10 March 2006 - 11:57 AM

Hello again,

You probably still have Killbox so skip the download part.

STEP 1.
======
Delete Files with Killbox

Download Pocket Killbox from http://www.downloads...org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\unzipped\eppasses\eppasses\Hit rear.exe
C:\WINDOWS\system32\ubtlbr.dll


In Killbox click on the File menu and then the Paste from Clipboard item
In the Full Path of File to Delete field, drop down the arrow and make sure that all of the files are listed.
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method, you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X and, for the confirmation message that will appear, click Yes. A second message will ask "Reboot now?"; click No until the last one, at which time click Yes to allow the reboot.

==========
C:\Documents and Settings\Evan James\Local Settings\Application Data\Identities\{195D870C-CF44-4FA4-A51D-BE786622577A}\Microsoft\Outlook Express\ebaypaypal.dbx/[From eBay Inc custservice_id_2320687356@ebay.com][Date Fri, 21 Oct 2005 16:37:23 -0700]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Evan James\Local Settings\Application Data\Identities\{195D870C-CF44-4FA4-A51D-BE786622577A}\Microsoft\Outlook Express\ebaypaypal.dbx Mail MS Outlook 5: infected - 1 skipped

You need to go to your Outlook Express and delete the infected files. You may need to go to the top and use File => Folder => Compact first in order to delete the infected files. It looks to me that the infected email is from custservice_id_2320687356@ebay.com

STEP 2.
======
A2 Free

You will have to register a name and email address, but this is free too.
Download A2
and run. Post the results please.

Empty your recycle bin.

Reboot and please post another hijackthis log please.
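The "Delete on Reboot" option used in the Killbox steps above (and in the same procedure earlier in this thread) works through the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager: the session manager carries out the queued moves and deletes early in the next boot, before the shell and services are running, which is why a file that is locked or re-created while Windows is up can still be removed this way. The warning quoted in the note ("PendingFileRenameOperations Registry Data has been Removed by External Process!") refers to that value. As an added example, not Killbox's own code and not from this thread, the Python below builds and decodes that REG_MULTI_SZ value so a responder can see, or inspect from an offline SYSTEM hive, exactly what is queued. It assumes the layout written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (source/destination string pairs, sources with the "\??\" NT path prefix, an empty destination meaning delete, a leading "!" on a destination meaning replace-existing); the sample paths are the two files from the post above.

```python
"""Build and decode the PendingFileRenameOperations REG_MULTI_SZ value.

Added example for this thread, not Killbox's own code. Assumed layout (as
written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT): the value is a list
of (source, destination) string pairs; sources carry the NT object prefix
"\\??\\"; an empty destination means "delete source at next boot"; a
destination starting with "!" means "replace an existing file".
"""
from typing import List, Tuple

NT_PREFIX = "\\??\\"
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# Constructed sample: the two files Killbox was asked to remove in the post above.
SAMPLE_OPS: List[Tuple[str, str]] = [
    ("C:\\unzipped\\eppasses\\eppasses\\Hit rear.exe", ""),
    ("C:\\WINDOWS\\system32\\ubtlbr.dll", ""),
]


def encode_pending_renames(ops: List[Tuple[str, str]]) -> bytes:
    """Serialise (source, destination) pairs as REG_MULTI_SZ bytes:
    UTF-16LE, every string NUL-terminated, list closed by one more NUL."""
    strings: List[str] = []
    for src, dst in ops:
        strings.append(NT_PREFIX + src)
        strings.append(NT_PREFIX + dst if dst else "")
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"


def _strip_nt(path: str) -> str:
    """Drop the optional replace marker and the \\??\\ prefix."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path


def decode_pending_renames(raw: bytes) -> List[Tuple[str, str]]:
    """Parse the value the way the session manager does: read strings in
    pairs, so an empty *destination* is data while an empty *source* ends
    the list (a plain split on NUL would confuse the two)."""
    text = raw.decode("utf-16-le")
    ops: List[Tuple[str, str]] = []
    pos = 0

    def next_string() -> str:
        nonlocal pos
        end = text.index("\x00", pos)
        s = text[pos:end]
        pos = end + 1
        return s

    while pos < len(text):
        src = next_string()
        if src == "":
            break  # list terminator
        dst = next_string()
        ops.append((_strip_nt(src), _strip_nt(dst)))
    return ops


def queued_deletions(raw: bytes) -> List[str]:
    """Paths that will be deleted, not renamed, at the next boot."""
    return [src for src, dst in decode_pending_renames(raw) if dst == ""]


if __name__ == "__main__":
    blob = encode_pending_renames(SAMPLE_OPS)
    print(f"{PENDING_KEY}\\{PENDING_VALUE} = {len(blob)} bytes")
    for path in queued_deletions(blob):
        print("delete at reboot:", path)
```

The pairwise read in decode_pending_renames is the point worth noting: because an empty destination is a legitimate entry, a naive split on NUL and "drop the empties" loses exactly the deletions a responder is looking for. Malware that wants to survive a reboot has the same leverage in reverse, so an unexpected entry in this value on a machine you are cleaning deserves a look.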

#10 greenandgold (New Member, Authentic Member, 10 posts)
Posted 12 March 2006 - 04:19 AM

Hey, yep, still got Killbox, not going to delete any prog you've asked me to download till I'm squeaky clean! ;)

Ok, killed the files with Killbox. I think I found the message in Outlook Express, deleted all the eBay mail from 2005 just to make sure anyway.

Here's the A2 Free results:

a-squared Report
Scan started: 12/03/2006 8:40:52 PM
Scan finished: 12/03/2006 9:08:20 PM
Scan duration: 0h 27min 28sec
Scanned files: 106060
Infected files: 1



No Malware objects found


****The Infected File was a tracking cookie which i removed****


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:15:22 PM, on 12/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Razer\razertra.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Evan James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toxicrabbit.com/phpBB2
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E965EFEE-7B24-45BA-B0B4-858BF04C8D11}: NameServer = 203.2.75.132,198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe (file missing)
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe (file missing)
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Hoping it's getting better Doc Susan, I've stopped picking at it.... ;)



#11 Susan528 (SuperMember, Authentic Member, 3,194 posts)
Posted 12 March 2006 - 05:42 AM

Hello greenandgold, things are looking up! Please run the Kaspersky scan again and post the results. A2 Free looked good. Your HijackThis log appears to be clean.

#12 greenandgold (New Member, Authentic Member, 10 posts)
Posted 12 March 2006 - 07:31 AM

Ok, was feeling real good till I did the Kaspersky scan.... results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 13, 2006 12:27:10 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 12/03/2006
Kaspersky Anti-Virus database records: 170980
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 78548
Number of viruses found: 14
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 01:13:47

Infected Object Name / Virus Name / Last Action
C:\!KillBox\Hit rear.exe Infected: Trojan.Win32.VB.sq skipped
C:\!KillBox\scmt16.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\!KillBox\ubtlbr.dll Infected: Backdoor.Win32.Small.jg skipped
C:\Documents and Settings\Evan James\Local Settings\Temporary Internet Files\Content.IE5\SH41ERK9\wbk8.tmp Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP441\A0051304.exe Infected: Backdoor.Win32.Haxdoor.fq skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP442\A0051587.exe Infected: Trojan-Downloader.Win32.Tiny.al skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054514.exe Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054760.exe Infected: not-virus:Hoax.Win32.Renos.bp skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054761.EXE Infected: Trojan-Downloader.Win32.Small.wk skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054763.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054764.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054765.exe Infected: Trojan-Dropper.Win32.Mudrop.o skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054766.exe Infected: Trojan-Dropper.Win32.Small.amd skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054767.sys Infected: SpamTool.Win32.Mailbot.as skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054768.exe/data0001 Infected: Trojan-Downloader.Win32.Keenval.o skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054768.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054777.dll Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP445\A0055878.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP446\A0055913.exe Infected: Trojan.Win32.VB.sq skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP446\A0055914.dll Infected: Backdoor.Win32.Small.jg skipped

Scan process completed.

#13 Susan528 (SuperMember, Authentic Member, 3,194 posts)
Posted 12 March 2006 - 08:14 AM

Hello greenandgold,

Don't worry! You are doing fine. Please do the following and let’s see the results.

STEP 1.
======
Cleanmgr
To clean temporary files:
  • Go to Start > Run, type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.
STEP 2.
======
Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.


Delete Files and Folders
Please delete the following files/folders:
C:\!KillBox  <== folder containing the infected files
If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.

STEP 3.
======
Reset and re-enable your System Restore to remove the infected files that Windows has backed up. The files in System Restore are protected so that no program can change them; this is the only way to clean them. (You will lose all previous restore points, which are likely to be infected.)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
Empty your recycle bin.
Reboot and run Kaspersky and post the report along with a fresh HijackThis log.
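The distinction the post above draws is the first thing to settle when reading a report like the ones in this thread: most of the twenty hits in the last scan were not reinfections but copies that were already out of play, the files Killbox had moved into C:\!KillBox, the System Restore snapshots that System Restore protects from cleaning tools, and a phishing page in the IE cache, with only the earlier ubtlbr.dll having been a live file in system32. As an added example (not code from this thread or from Kaspersky), the Python below parses the Kaspersky On-line Scanner report format shown here and buckets each finding by where it lives, so that the live hits stand out from the dormant copies. It assumes the layout seen in the posted reports (a "Infected Object Name / Virus Name / Last Action" header, one finding per line, a closing "Scan process completed." line); the sample report is constructed from a handful of the lines posted in this thread and is not a complete report.

```python
"""Triage a Kaspersky On-line Scanner report by where each hit lives.

Added example, not code from this thread or from Kaspersky. It assumes the
report layout shown in the thread: a header line
"Infected Object Name / Virus Name / Last Action", one finding per line as
"<object> Infected: <name> <action>" or "<object> <container>: infected - N
<action>", closed by "Scan process completed.".
"""
import re
from typing import Dict, List, NamedTuple

FINDING_RE = re.compile(
    r"^(?P<obj>.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)|(?P<container>[\w ]+?): infected - \d+)"
    r"\s+(?P<action>\w+)$"
)

# Constructed sample: a handful of lines taken from the reports in this thread,
# not a complete report.
SAMPLE_REPORT = r"""
Scan Statistics:
Number of infected objects: 7

Infected Object Name / Virus Name / Last Action
C:\!KillBox\Hit rear.exe Infected: Trojan.Win32.VB.sq skipped
C:\!KillBox\ubtlbr.dll Infected: Backdoor.Win32.Small.jg skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP441\A0051304.exe Infected: Backdoor.Win32.Haxdoor.fq skipped
C:\System Volume Information\_restore{7F83C005-B536-43DD-B998-C8AF7726B8EA}\RP443\A0054768.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Evan James\Local Settings\Temporary Internet Files\Content.IE5\SH41ERK9\wbk8.tmp Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Evan James\Local Settings\Application Data\Identities\{195D870C-CF44-4FA4-A51D-BE786622577A}\Microsoft\Outlook Express\ebaypaypal.dbx Mail MS Outlook 5: infected - 1 skipped
C:\WINDOWS\system32\ubtlbr.dll Infected: Backdoor.Win32.Small.jg skipped

Scan process completed.
"""


class Finding(NamedTuple):
    path: str
    name: str
    category: str


def classify(path: str) -> str:
    """Bucket a hit by location; only "live" needs removal work."""
    p = path.lower()
    if p.startswith("c:\\!killbox\\"):
        return "quarantine"      # copy kept by Killbox; delete the folder
    if "\\system volume information\\_restore" in p:
        return "system_restore"  # snapshot; purge by resetting System Restore
    if "\\temporary internet files\\" in p:
        return "browser_cache"   # IE cache; cleanmgr removes it
    if ".dbx" in p:
        return "mail_store"      # Outlook Express folder; delete mail, compact
    return "live"


def parse_findings(report: str) -> List[Finding]:
    """Read the findings table only; statistics and settings are ignored."""
    findings: List[Finding] = []
    in_table = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if line.startswith("Scan process completed"):
            break
        if not in_table:
            continue
        m = FINDING_RE.match(line)
        if m is None:
            continue
        name = m.group("name") or f"{m.group('container')} container"
        findings.append(Finding(m.group("obj"), name, classify(m.group("obj"))))
    return findings


def summarize(report: str) -> Dict[str, int]:
    """Count findings per category."""
    counts: Dict[str, int] = {}
    for f in parse_findings(report):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def live_hits(report: str) -> List[Finding]:
    """The findings that are still active files on the system."""
    return [f for f in parse_findings(report) if f.category == "live"]


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{category:15s} {n}")
    for f in live_hits(SAMPLE_REPORT):
        print("still live:", f.path, "->", f.name)
```

Run against the sample, summarize() reports two quarantine copies, two System Restore copies, one cache file, one mail store and a single live file, which is the one that would have needed Killbox. The check order in classify() matters: the quarantine and restore-point tests come first because those paths are the ones a scanner keeps reporting after the live file is gone, and a responder who treats them as fresh infections ends up chasing copies instead of looking for whatever dropped them.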

#14 greenandgold (New Member, Authentic Member, 10 posts)
Posted 13 March 2006 - 05:23 AM

Ok, done to 1 :lol: ....


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 13, 2006 10:17:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/03/2006
Kaspersky Anti-Virus database records: 171110
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 74082
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:55:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Evan James\Local Settings\Temporary Internet Files\Content.IE5\SH41ERK9\wbk8.tmp Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

Scan process completed.



Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:58 PM, on 13/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Razer\razertra.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Evan James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toxicrabbit.com/phpBB2
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E965EFEE-7B24-45BA-B0B4-858BF04C8D11}: NameServer = 203.2.75.132,198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe (file missing)
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe (file missing)
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
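The two reports above are plain text in fixed formats, so the triage a helper does by eye can be written down. The following is an added example, not code from this thread, from Kaspersky or from the HijackThis project: it pulls the "Infected:" lines out of an On-line Scanner report, cross-checks them against the report's own "Number of infected objects" figure, notes whether every hit sits under a Temporary Internet Files folder (in which case clearing the browser cache, as the next reply advises, removes it), and lists HijackThis entries whose target is reported as "(no file)" or "(file missing)", i.e. leftover registrations with nothing behind them. The sample strings are constructed from lines in this post; the function names and the `Detection` class are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: an excerpt in the format of the Kaspersky On-line Scanner
# report posted above (the single hit line is the one from the thread).
KASPERSKY_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 74082
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Evan James\Local Settings\Temporary Internet Files\Content.IE5\SH41ERK9\wbk8.tmp Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

Scan process completed.
"""

# Constructed sample: a few lines in HijackThis v1.99.1 format from the log above.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toxicrabbit.com/phpBB2
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Unknown owner - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe (file missing)
"""


@dataclass
class Detection:
    path: str    # object the scanner flagged
    name: str    # scanner's detection name
    action: str  # last action, e.g. "skipped" (on-line scanner only reports)


@dataclass
class HjtEntry:
    section: str  # e.g. "R3", "O4", "O23"
    body: str     # everything after "Rn - " / "On - "


# "<path> Infected: <name> <action>"; the path may contain spaces, so it is
# matched non-greedily up to the literal " Infected:" marker.
KAV_HIT = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)\s*$")
KAV_COUNT = re.compile(r"^Number of infected objects:\s*(\d+)")
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
DANGLING_MARKERS = ("(no file)", "(file missing)")


def parse_kaspersky(report: str) -> List[Detection]:
    """Extract infected objects and verify the count the report itself states."""
    hits, counts = [], []
    for line in report.splitlines():
        m = KAV_HIT.match(line)
        if m:
            hits.append(Detection(**m.groupdict()))
            continue
        c = KAV_COUNT.match(line)
        if c:
            counts.append(int(c.group(1)))
    if counts and counts[0] != len(hits):
        # A truncated paste is the usual cause; refuse to triage half a report.
        raise ValueError(f"report says {counts[0]} infected objects, found {len(hits)} hit lines")
    return hits


def in_browser_cache(path: str) -> bool:
    """True when the object lives in IE's cache, which the cache cleanup removes."""
    return "\\temporary internet files\\" in path.lower()


def parse_hjt(log: str) -> List[HjtEntry]:
    """Split a HijackThis log into (section, body) entries, ignoring other lines."""
    return [HjtEntry(**m.groupdict()) for line in log.splitlines() if (m := HJT_LINE.match(line))]


def dangling_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose target HijackThis reports as absent: leftover registrations."""
    return [e for e in entries if any(marker in e.body for marker in DANGLING_MARKERS)]


def triage(report: str, log: str) -> dict:
    """Summarise both documents the way a helper reads them."""
    hits = parse_kaspersky(report)
    entries = parse_hjt(log)
    return {
        "detections": hits,
        "cache_only": bool(hits) and all(in_browser_cache(h.path) for h in hits),
        "dangling": dangling_entries(entries),
    }


if __name__ == "__main__":
    summary = triage(KASPERSKY_REPORT, HJT_LOG)
    for d in summary["detections"]:
        print(f"{d.name} in {'browser cache' if in_browser_cache(d.path) else d.path} ({d.action})")
    print("all hits are in the IE cache:", summary["cache_only"])
    for e in summary["dangling"]:
        print(f"dangling {e.section}: {e.body}")
```

On the sample above this reports the one detection as a browser-cache object and flags the R3, O18 and O23 entries as dangling. A "(no file)" search hook or a "(file missing)" service is not an active threat by itself, but it is a registration pointing at nothing, usually left by an incomplete uninstall or an earlier removal, and is the kind of entry a helper asks to have fixed so the log reads clean.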

#15 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 13 March 2006 - 07:02 AM

Let's get that last one!

To delete the files in the Temporary Internet Files folder, follow these steps:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • Click OK.
Empty your Recycle Bin, then reboot.
Run Kaspersky and post the results please.
