Still have stuff and don't know what else to do


9 replies to this topic

#1 bstevenson (New Member, 11 posts)

Posted 04 April 2006 - 02:59 PM

TrendMicro says there is one infection that it cannot remove. It does not give a name. Defrag says there is a file, kbdhf.dll, in system32 that it cannot move, but I can't find it. The HijackThis log shows entries for programs that have been removed. I cannot uninstall SeaWorld Tycoon (irritating). Norton scan is clean. CWShredder is clean. Originally the computer had 2 viruses, 2 worms, 6 trojans, 286 spyware/adware. I have now installed Norton AntiVirus 2005, SpyBot, Ad-Aware SE and all WinXP updates. Here is the HijackThis log. Please tell me what to do. Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:57:02 AM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DF3FCC7F-7EB4-483F-B0BD-45FD7EF89554} - C:\WINDOWS\System32\gmmbfaa.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: winlogin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros....?1144097343877
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A3C8CBC-34C6-49D0-99CA-52D4D6B4F24F}: NameServer = 63.238.52.1,63.238.52.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A3C8CBC-34C6-49D0-99CA-52D4D6B4F24F}: NameServer = 63.238.52.1,63.238.52.2
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



#2 Piatan (SuperMember, 1,825 posts)

Posted 08 April 2006 - 12:45 PM

Hi bstevenson:

Please print, or copy and paste this text into a Notepad file and place it on your desktop, to review as you work.

Before you look for files to delete be sure you are seeing hidden files and are in Safe Mode. This will usually reveal them.

Be sure to first close all open Windows and browsers.
Next, make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode and delete them.

Failing that, use Killbox. (Directions below; see the example given.)

Next:
(Try Safe Mode, if Normal Mode does not do the job for you.)
If you are having difficulty uninstalling a program, first look for it in Task Manager (use ctrl/alt/del), highlight the program, then click on "END PROCESS".

Then, go to Control Panel-->Add/Remove Programs and Uninstall/Remove it.

Remember to reboot into Normal Mode and enable hidden files, afterward.

Hope that helps and if not, let me know.

Next:
If you already have CWShredder, be sure to update, every time before using.

Please download CWShredder, from one of the following sites.
http://www.trendmicr.../cwshredder.exe
http://www.majorgeek...dder_d3019.html
http://intermute.com...r_download.html

First, be sure to update CWShredder.
Then close every window, disconnect from Internet and doubleclick the CWShredder icon on your Desktop.
Click Fix and then Next, let it fix everything it asks about.

Then, please reboot.

There are signs of Trojan activity, so let's run Ewido.

Please download, install, update and scan your system with the free version of the Ewido trojan scanner:

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
6. When the scan finishes, click on "Save Report". This will create a text file.

Please save the Ewido report, to be posted here later.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

The trial version of Ewido works like a full featured version for 14 days, after that the only features that will not work are, autoupdate and realtime protection. It will still be able to be updated with the link above and be used to scan and remove undesirables.

Next, we need to Stop and Disable a Service.

First, Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

To stop a service and set to 'disabled'
WXP ONLY

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service. Security Agent (scagent)

Click once on the service to highlight it.

Click Stop

Right-Click on the service. Security Agent (scagent)

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

Then, reboot into NORMAL MODE.

Next:

1. Please set your system to show all files; please see here if you're unsure how to do this.

Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following, if still present.


R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {DF3FCC7F-7EB4-483F-B0BD-45FD7EF89554} - C:\WINDOWS\System32\gmmbfaa.dll (file missing)
O4 - Global Startup: winlogin.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)


Click on Fix Checked when finished and exit HijackThis.

2. Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them, if still present:

C:\WINDOWS\System32\gmmbfaa.dll

C:\WINDOWS\system32\scagent.exe" start

For the following, do an ALL FILES SEARCH and delete it.

winlogin.exe

Exit Explorer, enable hidden files and reboot as normal.

If you were unable to find, or delete any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Example: The entire line (file path) would be placed into Killbox.
C:\WINDOWS\System32\kbdhf.dll

Then, please run Hijack This again. Scan and copy the log and post it into this topic, along with the Ewido report.

Please advise if any problems remain.

To post, please use the Add Reply feature, so I will be notified.

Edited by Piatan, 08 April 2006 - 12:52 PM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

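The helper's list above is built by hand from the log. As an added example (not code from the thread or from HijackThis), the parser below applies the same rules to HijackThis 1.99 lines: IE search and start page values set to about:blank or blanked, a BHO with no name or a missing file, a bare executable in Global Startup, an ActiveX (DPF) entry fetched from a local file:// cab, and a service whose binary is missing. The sample log is constructed from lines in the first post; the severity labels "fix" and "review" are this example's own.

```python
"""Triage a HijackThis 1.99 log for the entry types this thread acts on."""
import re

# Constructed sample: a subset of the lines from the first post, plus two clean
# entries (Norton BHO, ccApp Run key, SAVScan service) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DF3FCC7F-7EB4-483F-B0BD-45FD7EF89554} - C:\WINDOWS\System32\gmmbfaa.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: winlogin.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros....?1144097343877
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Every HijackThis entry starts with its section code (R0..R3, O1..O23) and " - ".
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def classify(line):
    """Return (severity, reason) for one log line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()

    if kind in ("R0", "R1"):
        # Registry value: "<key>,<name> = <value>"; an empty value or about:blank
        # means the search/start page was blanked by a hijacker, as in this thread.
        key, _, value = body.partition("=")
        key, value = key.strip(), value.strip()
        if value in ("", "about:blank"):
            return ("fix", "IE search/start page blanked or hijacked: %s" % key)
        if key.endswith("ProxyOverride"):
            return ("review", "ProxyOverride set; confirm it was configured deliberately")
        return None

    if kind == "O2":
        # Browser Helper Object registered with no name or pointing at a missing DLL.
        if "(file missing)" in body or body.startswith("BHO: (no name)"):
            return ("fix", "BHO with no name or missing file (orphaned registration)")
        return None

    if kind == "O4":
        # Global Startup normally holds .lnk shortcuts; a bare .exe dropped there
        # (winlogin.exe, mimicking winlogon.exe) is the pattern from this log.
        if body.startswith("Global Startup: "):
            target = body[len("Global Startup: "):]
            if "\\" not in target and ".lnk" not in target.lower():
                return ("fix", "bare executable in Global Startup: %s" % target)
        return None

    if kind == "O16":
        # Downloaded Program Files normally come from http(s); a local file:// cab
        # is an installer left behind by whatever dropped it.
        if "file://" in body.lower():
            return ("fix", "ActiveX (DPF) entry pointing at a local file:// cab")
        return None

    if kind == "O23":
        if "(file missing)" in body:
            return ("fix", "service registered but its binary is missing")
        if "Unknown owner" in body:
            return ("review", "service with unknown owner; verify the binary")
        return None
    return None


def triage(log_text):
    """Run classify() over a whole log and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            findings.append({"severity": verdict[0], "reason": verdict[1], "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["reason"], f["line"]))
```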

#3 bstevenson (New Member, 11 posts)

Posted 13 April 2006 - 11:49 AM

Piatan,

Thank you for the reply. Sorry for the lengthy delay on my part....a situation beyond my control. Here are the logs you requested. The only thing that did not work as described was the removal of winlogin.exe. HijackThis would not delete it because it said the file was in use. It did not show up in my Task Manager, so I rebooted into Safe Mode, searched for the file and deleted it. I then rebooted into Normal Mode and ran HijackThis again and the entry was gone. Please let me know what else I need to do to this thing. I still cannot get rid of the SeaWorld thing.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:57:35 AM, 4/13/2006
+ Report-Checksum: 3088F57A

+ Scan result:

HKLM\SOFTWARE\Classes\Int.MyObj -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Int.MyObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Int.MyObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Int.MyObj.1 -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 12:33:59 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144097343877
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A3C8CBC-34C6-49D0-99CA-52D4D6B4F24F}: NameServer = 63.238.52.1,63.238.52.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A3C8CBC-34C6-49D0-99CA-52D4D6B4F24F}: NameServer = 63.238.52.1,63.238.52.2
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 bstevenson (New Member, 11 posts)

Posted 13 April 2006 - 12:10 PM

Piatan, thinking that I was cleaned, I installed my TrendMicro Internet Security Suite 2006 and it found TROJ_AGENT.AC in the file C:\WINDOWS\System32\kbdhf.dll. I shall boot into Safe Mode, run Killbox and attempt to delete the file unless I hear otherwise.

#5 bstevenson (New Member, 11 posts)

Posted 13 April 2006 - 01:13 PM

I went to Safe Mode and searched for kbdhf.dll and it did not exist. I used Killbox and entered the full path and it said it did not exist. I rebooted into Normal Mode and TrendMicro keeps giving me a Real Time alert. I searched for the file again and it is now there in C:\Windows\system32. I don't understand why it is not there in Safe Mode but is there in Normal Mode. What is the correct way to get rid of this thing?

#6 Piatan (SuperMember, 1,825 posts)

Posted 13 April 2006 - 01:15 PM

Hi bstevenson:

Reference your latest post. I searched for C:\WINDOWS\System32\kbdhf.dll and did not find anything on that file, which is usually an indication that it is bad. So yes, it should be removed.

Your Hijack This log looks to be clean.

Good job, on winlogin.exe.

About "SeaWorld Tycoon". I do not see it in your HijackThis log. Did you check in Task Manager? Use ctrl/alt/del to get into Task Manager.
If found there, highlight it, then click on END PROCESS.
Then exit Task Manager.

Then go to Control Panel-->Add/Remove Programs and Uninstall/Remove......
SeaWorld Tycoon

If not found in either place, go into Safe Mode, show hidden files and do an ALL FILES SEARCH for it and delete all files for SeaWorld Tycoon.

Be sure to first close all open Windows and browsers.
Next, make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode

Then, reboot and enable hidden files.

Please let me know if you were successful, in finding and removing Seaworld.

#7 bstevenson (New Member, 11 posts)

Posted 13 April 2006 - 01:39 PM

Simply cannot get rid of kbdhf.dll......I have found in my registry an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Windows AppInit_DLLs REG_SZ C:\WINDOWS\System32\kbdhf.dll. I looked for the file and now cannot find it in the system32 folder. What's your take on this?

#8 Piatan (SuperMember, 1,825 posts)

Posted 13 April 2006 - 02:21 PM

Sounds like it is moving around. Very odd. Usually bad files are more easily found while in Safe Mode and so the directions for this call for it, but if you can only find the file while in Normal Mode, try this anyway.

Right-click on the file and select Properties. Be sure it isn't a Microsoft file, or something useful.

Use the Security tab to take ownership. Change the 'everyone special' to 'you' with Admin rights -> FULL control. Then try to delete it.

If that fails, try to rename it first to a different name+ext. Example: sqlneee.dll > bleh.txt, bleh.txt > badfile.111

You may also want to make sure that the "read only" attribute is not checked, if you haven't already.

Once you have successfully deleted the file, restart into Regular Windows mode.

Hope that helps. It is a strange one.

#9 bstevenson (New Member, 11 posts)

Posted 13 April 2006 - 02:32 PM

OK....TrendMicro has a tool to remove this nasty thing they have dubbed TROJ_AGENT.AC. It will find it and get rid of it on a reboot. Then after the reboot TrendMicro IS 2006 will find it and quarantine it. They also have instructions for manually removing the file. I tried on my own but was unable to get rid of it....if you delete the file it will return on reboot. If you delete the registry entry it will return on a reboot.....must reside in RAM? Anyways...GONE GONE GONE YAY. Here is the link if you ever have this problem again. Annoying....time for a black russian!

TROJ_AGENT.AC Fix Tool: http://www.trendmicr...ENT.AC&VSect=Sn
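The registry value found in post #7 is the persistence mechanism behind the file that keeps coming back: anything listed in AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows is loaded into every process that loads user32.dll, so the DLL is always in use in Normal Mode and is re-dropped by whatever loader owns it. As an added example (not from the thread or from TrendMicro), the parser below reads a .reg export of that key and lists the DLLs it would load. The sample export is constructed around the poster's value; the other names in it are the key's usual default values and are not from the page. The .reg file is assumed to have been decoded to text already (reg export on XP writes UTF-16).

```python
"""List the DLLs an exported Windows\\AppInit_DLLs value would inject into every process."""
import re

# Constructed sample of a .reg export of the key named in post #7. The
# AppInit_DLLs line carries the value the poster reported; the rest are the
# usual defaults of that key and are included only so the parser has to skip them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\kbdhf.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
'''

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# One .reg value line: "name"=<data>. Names may contain escaped quotes/backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    REG_SZ data is unescaped to a plain string; dword:/hex: data is kept as its
    raw text, and the continuation lines of multi-line hex values are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or line.endswith("\\"):
            continue  # hex(...) continuation line; not a string value
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg doubles backslashes and escapes quotes inside REG_SZ data.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def appinit_dlls(text):
    """Return the DLL paths listed in AppInit_DLLs (comma- or space-separated).

    An empty list is the clean state: nothing is injected at process start.
    """
    values = parse_reg(text).get(APPINIT_KEY, {})
    return [p for p in re.split(r"[,\s]+", values.get("AppInit_DLLs", "")) if p]


if __name__ == "__main__":
    dlls = appinit_dlls(SAMPLE_REG)
    if not dlls:
        print("AppInit_DLLs is empty: nothing injected at process start")
    for dll in dlls:
        print("AppInit_DLLs loads %s into every user32-linked process" % dll)
```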

#10 Piatan (SuperMember, 1,825 posts)

Posted 13 April 2006 - 03:00 PM

Hi bstevenson:

That was interesting. Thanks for the link.

Now that your PC is clean, it's time for the finals, to keep the nasties from returning in the future.

One of the best features of Windows XP is the System Restore option; however, if malware infects a computer with this operating system, the malware can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.
  • SpywareGuard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150 Reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it too.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware; I strongly recommend both to catch most spyware.

To protect yourself further:
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.

I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the Recycle Bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice, "So how did I get infected in the first place?":
http://castlecops.co...tlite7736-.html

Safe surfing. :wavey: