Nope, still having problems. Firefox won't open. I've re-installed and rebooted with no luck. I have to launch IE through the start menu. When I click the desktop shortcut it only makes more copies of the shortcut. Overall speed is slow. AVG still finds/blocks the occasional virus.
Hi, actually this is odd. Last night before going to bed I went back to this kill box thing and it still kept doing that but then I noticed an option to force a reboot which I did choose. I then went back to HijackThis, clicked on fixing that problem, rebooted and this time it was not there.
I ran AVG last night and it showed 0 problems whatsoever. However, this morning it is currently running saying I have a Ao136654.dll that is a TrojanHorse downloadersmall.BVA
It isn't done scanning yet so I don't know as of this point if it is going to heal or not, but I will let you know today if it does. I assume I should still download the combo fix.
Oh, one other thing. For some reason for the last few days whenever I use Outlook Express and I open up my email, I get a little grey box that says AVG is scanning it (which it always did before) but now it says it over and over again, the computer is slower and then I always get popserver not responding, do you want to wait or stop. Yet, I am able to still read, and reply to emails successfully.
I think it is probably also good to give you a little recent background history. On Feb 27th late at night I received a horrible virus/malware/spyware program that opened up my cmd window and it kept saying access denied to whatever was trying to get in there (my assumption at least).
I then got trusted antivirus which I never allowed to open since I didn't trust it as it was foreign.
I also had gotten a cookingluck.com window opening on IE many times.
I therefore downloaded a free 15 day trial version of Symantec Norton 360 which seemed to at least stop any further damage and cleaned up a few things :) I don't know if Norton 360 is causing problems with AVG email scan?
Anyhow, I did all the following things as well:
ran Ad-Aware several times, Spybot several times. Ran CWShredder, downloaded AVG rootkit detector although it said it didn't find anything on Feb 29th when I ran it.
I also had this audio file running in which I could not detect where it was coming from so I unplugged my computer from my internet connection and just ran these programs and that seemed to get rid of it.
I found a site that said to run SpyHunter which I did, it found stuff, but then it said to fix it you have to pay (since I currently am broke, I don't want to pay for anything when there are so many free things you can do).
I also had attempted to download a free trial of McAfee but the process for this was so ridiculous that I chose against downloading it :(
I ran Panda software free online scan it found 25 viruses, 8 hack tools and rootkits and 1 unknown. I posted the log to a computer friend of mine and he was concerned about only one or 2 items which I successfully got rid of and then he said the Antivirus that you discussed here in this thread needed to be gotten rid of as well which it seems it is now gone. Anyway, I ran it again yesterday after successfully getting rid of many problems, even doing a java cache clean out etc. and it gave me the exact same numbers so I am not sure if they give you a small number of hack tools to make you think you need to spend $12 for it to clean up or if I really have something. Again, the computer guy saw my log it saved and only questioned 1 or 2 things which I got rid of the first time. I also ran Spyware Vanisher which fixed a few things but then removed the program since I probably had too many spywares running.
OH, the virus scan is done. AVG found 1 threat, and successfully deleted that file :)
I will go ahead and do combofix and paste its results for you.
ComboFix 08-03-05.3 - Mark Rutkowski 2008-03-06 9:46:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.339 [GMT -5:00]
Running from: C:\Documents and Settings\Mark Rutkowski\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.
and in the file to submit box, click Browse. Using Windows Explorer
(Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate the file
C:\WINDOWS\SYSTEM32\DRIVERS\xkqtffibldap.sys
In the comments tell them that I asked you to upload the file. Then Select Send File.
bamajim
March 3rd, 2008 13:00
1) Please download the Killbox.
2) Right click ->> Extract all ->> Extract it to your Desktop
3) Double click Killbox.exe to run it
4) Select "Delete on Reboot", and then select "All files".
5) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Program Files\antiviirus.exe
C:\Documents and settings\BRYON\Local Settings\Temp\tgoxO6Xq.exe
6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.
1. Rerun HijackThis (scan only) and place checks beside the following entries:
O21 - SSODL: AlrtMon - {4eb970d9-2ca8-4718-a285-d540e9b44078} - C:\WINDOWS\Installer\{4eb970d9-2ca8-4718-a285-d540e9b44078}\AlrtMon.dll (file missing)
O21 - SSODL: zip - {88a0dfb0-292c-44b8-9002-20b039a024a1} - C:\WINDOWS\Installer\{88a0dfb0-292c-44b8-9002-20b039a024a1}\zip.dll (file missing)
Close all other open windows except HijackThis and select "Fix checked".
Close HijackThis ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log.
"The world is what you make of it"
denverdoc
March 4th, 2008 01:00
bamajim,
Thanks for the reply. I did what you said. Here is the HJT file. Also, now I can't open FF. IE works ok.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:12 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yapta\YaptaClient.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Yapta Tracker] C:\Program Files\Yapta\YaptaClient.exe /onstartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139091103090
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
--
End of file - 12177 bytes
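A small triage pass over a HijackThis log like the one above, added here as an example; it is not code from the thread or from HijackThis. It splits the log into its O-entries, flags entries HJT marked "(file missing)" (dead hooks such as the two O21 SSODL lines bamajim asked to fix) and autostarts whose binary lives in a user-writable folder, and selects entries by CLSID. The sample log is a constructed excerpt of lines from the posted log plus one made-up O4 line (the "[example]" entry) pointing into a Temp folder.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the log posted above, plus one
# made-up O4 line (the "[example]" entry) that points into a Temp folder,
# the kind of location Killbox was used to clean in step 5 above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:12 PM, on 3/3/2008
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [example] C:\Documents and Settings\BRYON\Local Settings\Temp\tgoxO6Xq.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O21 - SSODL: AlrtMon - {4eb970d9-2ca8-4718-a285-d540e9b44078} - C:\WINDOWS\Installer\{4eb970d9-2ca8-4718-a285-d540e9b44078}\AlrtMon.dll (file missing)
O21 - SSODL: zip - {88a0dfb0-292c-44b8-9002-20b039a024a1} - C:\WINDOWS\Installer\{88a0dfb0-292c-44b8-9002-20b039a024a1}\zip.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
--
End of file - 12177 bytes
"""

# One HJT entry per line: a section code (R0, O2, O4, O21, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# A Windows path up to the first executable-style extension; spaces allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|cpl|ocx)\b", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Folders a limited user can write to: an autostart living here gets a
# second look (cf. the antiviirus.exe / tgoxO6Xq.exe paths in this thread).
USER_WRITABLE = ("\\local settings\\temp\\", "\\windows\\temp\\",
                 "\\desktop\\", "\\application data\\")


@dataclass
class Entry:
    section: str            # "O4", "O21", ...
    body: str               # text after "Oxx - "
    path: Optional[str]     # first Windows path on the line, if any
    clsid: Optional[str]    # first {GUID} on the line, lower-cased, if any
    file_missing: bool      # HJT's own "(file missing)" marker


def parse_hjt(text: str) -> list[Entry]:
    """Turn the O/R lines of an HJT log into Entry records; the header,
    the running-process list and the trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             p.group(0) if p else None,
                             c.group(0).lower() if c else None,
                             "(file missing)" in body))
    return entries


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage(entries: list[Entry]) -> dict[str, list[Entry]]:
    """The two things a helper scans for first: hooks whose file is gone
    (harmless but worth fixing, like the O21 entries above) and autostarts
    launched from a user-writable folder."""
    return {
        "file_missing": [e for e in entries if e.file_missing],
        "user_writable": [e for e in entries
                          if e.path and in_user_writable_dir(e.path)],
    }


def entries_for_clsids(entries: list[Entry], clsids) -> list[Entry]:
    """Select entries by CLSID, i.e. the 'place checks beside the
    following entries' step, without relying on an exact text match."""
    wanted = {c.lower() for c in clsids}
    return [e for e in entries if e.clsid in wanted]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for kind, items in triage(found).items():
        print(f"{kind}: {len(items)}")
        for e in items:
            print(f"  {e.section} - {e.body}")
```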
bamajim
March 4th, 2008 11:00
Odd, that shouldn't have affected Firefox.
1. Rerun Killbox
At the main window Select Tools ->> Delete Temp Files
At the next window uncheck XP Prefetch
Leave the other boxes checked
Select "Delete Selected Temp Files"
Allow the tool to run. When it is finished (you will know that it is finished because the checks will disappear from the location boxes)
Select "Exit"
Then Select "Exit" again to close Killbox
2. Run an online virus scan called Kaspersky from HERE.
1. Click on "Kaspersky Online Scanner"
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" ->> "Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
5. Then click on "My Computer". And the scan will start.
6. When the scan is complete Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan
denverdoc
March 5th, 2008 14:00
bamajim,
Thank you again for your help. I've run the Kaspersky scan 3 times now(1.5hrs per scan) and have not been presented with the option to save an error report. It is picking up 2 viruses and 6 infected items. I'm running a panda scan right now and will post the report(if I can).
denverdoc
March 5th, 2008 21:00
Panda didn't find anything. Any other ideas?
bamajim
March 6th, 2008 00:00
denverdoc
If the scans came up clean, how's your PC running now?
markrski
March 6th, 2008 03:00
Hi, I have a similar problem to this guy but I only have the Antivirus.exe file.
I tried following the instructions by loading Killbox, taking it to the desktop, but when I copy and paste the file name, and do everything else and hit the delete button, I get a pop up window that says
Pendingfilerename operations
Pendingfilerename operations registry data has been removed by external process.
Am I doing something wrong?
I tried deleting it in HijackThis earlier before I found this site but when I ran it again after a reboot, it was there again.
I figured this would work and I can't since Killbox won't reboot :(
Help.
denverdoc
March 6th, 2008 03:00
I'm running a Trend Micro online scan right now.
Have any other ideas or recommendations?
bamajim
March 6th, 2008 11:00
Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
@markrski
Follow the instructions at this LINK and we will help you as well.
denverdoc
March 6th, 2008 12:00
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-03-03 20:58 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724D43A0-0D85-11D4-9908-00400523E39A}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-03-03 20:58 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-12 03:10 1266936]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 12:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 10:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 10:52 339968]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"Dell Photo AIO Printer 942"="C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 07:18 294912]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 03:48 579072]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"Yapta Tracker"="C:\Program Files\Yapta\YaptaClient.exe" [2007-11-13 15:11 316720]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 02:48 219136]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-06 22:06 5181440]
C:\Documents and Settings\BRYON\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-07-11 23:22:04 256000]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\BRYON\\Desktop\\utorrent.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
S3 TMPassthruMP;TMPassthruMP;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7377fce-5f50-11dc-90dc-0013202cff68}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 16:05:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 07:37:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-06 7:39:06
ComboFix-quarantined-files.txt 2008-03-06 14:39:01
.
2008-03-03 10:02:43 --- E O F ---
denverdoc
9 Posts
0
March 6th, 2008 12:00
ComboFix 08-03-05.3 - BRYON 2008-03-06 7:31:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.131 [GMT -7:00]
Running from: C:\Documents and Settings\BRYON\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bszip.dll
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.
2008-03-06 00:16 . 2008-03-06 00:16
2008-03-05 23:55 . 2008-03-05 23:55
2008-03-04 06:59 . 2008-03-04 06:59
2008-03-04 06:59 . 2008-03-04 06:59
2008-03-03 21:00 . 2008-03-06 07:36 11,391,008 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-03-03 21:00 . 2008-03-05 10:55 97,988 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-03-03 20:58 . 2008-03-03 20:58
2008-03-03 20:57 . 2008-03-03 20:57
2008-03-03 20:57 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-03 20:57 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-03-03 20:57 . 2008-03-03 20:58 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-03-03 20:56 . 2008-03-03 20:56
2008-03-03 20:42 . 2008-03-03 20:51
2008-03-02 21:26 . 2007-12-06 19:21 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-03-02 21:26 . 2007-06-30 20:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-03-02 21:26 . 2007-06-30 20:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-03-02 21:26 . 2007-12-06 19:21 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-03-02 21:26 . 2007-12-06 19:21 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-03-02 21:26 . 2007-12-06 19:21 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-03-02 21:26 . 2007-12-06 19:21 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-03-02 21:26 . 2007-12-06 19:21 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-03-02 21:26 . 2007-12-06 04:00 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-03-02 21:21 . 2007-01-18 05:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2008-03-02 21:17 . 2008-03-02 21:17
2008-03-02 21:17 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-03-02 20:52 . 2008-03-02 20:52
2008-03-02 20:51 . 2008-03-02 20:55
2008-03-02 20:51 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\SYSTEM32\MSINET.OCX
2008-03-02 20:18 . 2008-03-05 23:44
2008-03-02 19:58 . 2008-03-04 06:54
2008-03-02 17:30 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-03-02 17:28 . 2008-03-02 17:28
2008-03-02 17:28 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\xkqtffibldap.sys
2008-03-02 17:13 . 2008-03-05 23:35
2008-03-02 17:13 . 2008-03-05 23:31 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-02 17:13 . 2008-03-05 23:31 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-02 17:13 . 2008-03-05 23:31 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-02 16:03 . 2008-03-02 16:02 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 16:03 . 2008-03-02 16:03 2,544 --a------ C:\WINDOWS\unins000.dat
2008-02-27 12:50 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-16 22:01 . 2008-02-16 22:01
2008-02-16 09:58 . 2008-02-16 09:58
2008-02-16 09:58 . 2008-02-16 09:58
2008-02-16 09:57 . 2008-02-16 09:58
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-06 06:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-06 06:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-06 06:35 --------- d-----w C:\Program Files\Yapta
2008-03-06 06:35 --------- d-----w C:\Program Files\QuickTime
2008-03-06 06:35 --------- d-----w C:\Program Files\iTunes
2008-03-06 06:35 --------- d-----w C:\Program Files\Google
2008-03-06 06:35 --------- d-----w C:\Program Files\DellSupport
2008-03-06 06:35 --------- d-----w C:\Program Files\Dell Photo AIO Printer 942
2008-03-06 06:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-05 17:57 --------- d-----w C:\Program Files\Steam
2008-03-04 13:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-02 23:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-29 02:04 --------- d-----w C:\Program Files\PokerStars
2008-02-27 19:50 --------- d-----w C:\Program Files\Java
2008-02-16 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-31 12:50 --------- d-----w C:\Documents and Settings\BRYON\Application Data\AVG7
2008-01-19 17:27 --------- d-----w C:\Program Files\iPod
2008-01-11 05:53 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2008-01-09 22:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-19 23:01 347,136 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-08 17:51 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-12-07 01:07 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-12-07 01:07 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-12-07 01:07 1,494,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-12-07 01:07 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-12-07 01:07 1,023,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.
markrski
32 Posts
0
March 6th, 2008 12:00
Hi, actually this is odd. Last night before going to bed I went back to this Killbox thing and it still kept doing that, but then I noticed an option to force a reboot, which I did choose. I then went back to HijackThis, clicked on fixing that problem, rebooted, and this time it was not there.
I ran AVG last night and it showed 0 problems whatsoever. However, this morning it is currently running, saying I have an
Ao136654.dll that is a TrojanHorse downloadersmall.BVA
It isn't done scanning yet so I don't know as of this point if it is going to heal or not, but I will let you know today if it does.
I assume I should still download ComboFix.
Oh, one other thing. For some reason, for the last few days, whenever I use Outlook Express and I open up my email, I get a little grey box that says AVG is scanning it (which it always did before), but now it says it over and over again, the computer is slower, and then I always get "pop server not responding, do you want to wait or stop". Yet I am still able to read and reply to emails successfully.
I think it is probably also good to give you a little recent background history. On Feb 27th, late at night, I received a horrible virus/malware/spyware program that opened up my cmd window and it kept saying access denied to whatever was trying to get in there (my assumption at least).
I then got trusted antivirus, which I never allowed to open since I didn't trust it, as it was foreign.
I also had a cookingluck.com window opening on IE many times.
I therefore downloaded a free 15-day trial version of Symantec Norton 360, which seemed to at least stop any further damage and cleaned up a few things :) I don't know if Norton 360 is causing problems with the AVG email scan?
anyhow, I did all the following things as well:
Ran Ad-Aware several times, Spybot several times. Ran CWShredder, downloaded the AVG rootkit detector, although it said it didn't find anything on Feb 29th when I ran it.
I also had this audio file running which I could not detect where it was coming from, so I unplugged my computer from my internet connection and just ran these programs, and that seemed to get rid of it.
I found a site that said to run SpyHunter, which I did; it found stuff, but then it said to fix it you have to pay (since I currently am broke, I don't want to pay for anything when there are so many free things you can do).
I also had attempted to download a free trial of McAfee, but the process for this was so ridiculous that I chose against downloading it :(
I ran the Panda software free online scan; it found 25 viruses, 8 hack tools and rootkits, and 1 unknown. I posted the log to a computer friend of mine and he was concerned about only one or 2 items, which I successfully got rid of, and then he said the antivirus that you discussed here in this thread needed to be gotten rid of as well, which it seems is now gone. Anyway, I ran it again yesterday after successfully getting rid of many problems, even doing a Java cache clean out etc., and it gave me the exact same numbers, so I am not sure if they give you a small number of hack tools to make you think you need to spend $12 for it to clean up or if I really have something. Again, the computer guy saw the log it saved and only questioned 1 or 2 things, which I got rid of the first time. I also ran Spyware Vanisher, which fixed a few things, but then removed the program since I probably had too many spyware tools running.
OH, the virus scan is done. AVG found 1 threat, and successfully deleted that file :)
I will go ahead and do combofix and paste its results for you.
Mark :)
markrski
32 Posts
0
March 6th, 2008 13:00
Ok, here is my combofix log:
ComboFix 08-03-05.3 - Mark Rutkowski 2008-03-06 9:46:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.339 [GMT -5:00]
Running from: C:\Documents and Settings\Mark Rutkowski\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.
2008-03-06 00:53 . 2008-03-06 00:53 13,001 --a------ C:\hijackthis3og
2008-03-05 13:46 . 2008-03-05 13:46
2008-03-05 13:40 . 2008-03-05 13:59
2008-03-05 12:09 . 2008-03-05 12:10
2008-03-05 00:50 . 2008-03-05 21:42
2008-03-05 00:50 . 2008-03-05 00:49 724,992 --a------ C:\WINDOWS\iun6002.exe
2008-03-05 00:30 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-04 11:32 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\ifvuailfreun.sys
2008-03-04 11:18 . 2008-03-05 11:43
2008-03-04 11:18 . 2008-03-05 08:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-04 11:18 . 2008-03-05 08:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-04 11:18 . 2008-03-05 08:51 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-03 11:52 . 2008-03-03 11:58
2008-03-02 13:48 . 2008-03-02 13:48
2008-03-02 10:46 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-02 10:46 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-02 10:46 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-01 14:03 . 2008-03-05 10:25
2008-03-01 14:01 . 2008-03-02 01:23 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-01 14:01 . 2008-03-02 01:23 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-01 14:01 . 2008-03-02 01:23 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-01 14:01 . 2008-03-02 01:23 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-01 13:59 . 2008-03-02 01:23
2008-03-01 13:59 . 2008-03-06 09:12
2008-03-01 13:58 . 2008-03-05 09:50
2008-03-01 13:37 . 2008-03-01 13:37
2008-02-29 18:51 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-29 01:09 . 2008-02-29 01:09 77,824 --a------ C:\TaskManagerFix.exe
2008-02-27 11:41 . 2008-02-27 11:41 31,744 --a------ C:\Musts for 2-27-2008.doc
2008-02-26 11:35 . 2008-02-26 11:35 151,943 --a------ C:\Robbins profile 1.pdf
2008-02-25 13:57 . 2008-02-25 13:59 79,975 --a------ C:\hairloss.lit
2008-02-17 12:39 . 2008-02-17 12:39 33,792 --a------ C:\The Secret, I am grateful for.doc
2008-02-17 12:00 . 2008-02-17 12:00 32,768 --a------ C:\Certified Reports agreement.doc
2008-02-13 12:33 . 2008-02-13 12:33 162 --ah----- C:\~$sume 01-09-2008.doc
2008-02-12 14:21 . 2008-02-12 14:21 71,680 --a------ C:\Application for Progressive.doc
2008-02-10 11:59 . 2008-02-10 11:59 72,717 --a------ C:\deathstar.JPG
2008-02-08 20:30 . 2008-03-03 22:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-08 20:30 . 2008-02-08 20:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-08 19:29 . 2008-02-08 19:30
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 14:37 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-06 03:20 --------- d-----w C:\Documents and Settings\Mark Rutkowski\Application Data\AVG7
2008-03-05 20:12 --------- d-----w C:\Program Files\Active Data Recovery Software
2008-03-05 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-05 15:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 14:54 --------- d-----w C:\Program Files\iTunes
2008-03-05 14:32 --------- d-----w C:\Program Files\2Wire
2008-03-05 03:59 --------- d-----w C:\Program Files\Java
2008-03-04 19:45 --------- d-----w C:\Program Files\ICQLite
2008-03-04 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 00:40 --------- d-----w C:\Program Files\Enigma Software Group
2008-02-27 14:42 --------- d-----w C:\Program Files\Street Atlas USA 9.0
2008-01-25 15:25 --------- d-----w C:\Program Files\Kinnexus
2007-06-04 13:56 46,352 ----a-w C:\Documents and Settings\Mark Rutkowski\Application Data\GDIPFONTCACHEV1.DAT
2006-02-13 18:27 13,824 ----a-w C:\Documents and Settings\Mark Rutkowski\atwbxdet.dll
2001-07-17 11:08 65,536 ------w C:\WINDOWS\inf\copyinf.exe
2004-12-22 00:21 3,547 --sha-w C:\WINDOWS\poheg.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-03 19:22 579072]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 13:51 57344]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 14:30 98304]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-09-15 03:52 393216]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-21 07:06 180269]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-08-16 13:08 36864]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-05-31 14:32 22528]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 07:28 219136]
C:\Documents and Settings\Mark Rutkowski\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2006-03-03 09:56:34 43520]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckVolume"= {9c410ca7-7a74-4a24-b4b4-6ddde9da9334} - C:\WINDOWS\Installer\{9c410ca7-7a74-4a24-b4b4-6ddde9da9334}\CheckVolume.dll [ ]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pagis Schedule Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pagis Schedule Monitor.lnk
backup=C:\WINDOWS\pss\Pagis Schedule Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mark Rutkowski^Start Menu^Programs^Startup^BOINC Manager.lnk]
path=C:\Documents and Settings\Mark Rutkowski\Start Menu\Programs\Startup\BOINC Manager.lnk
backup=C:\WINDOWS\pss\BOINC Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
--a------ 2002-12-06 16:07 617984 C:\Program Files\ASUS\Probe\AsusProb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BookmarkCentral]
--a------ 2000-05-25 16:04 40960 C:\PROGRA~1\BMCENT~1\BMLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-08-02 14:33 159832 C:\Program Files\Common Files\AOL\1124230064\ee\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2002-11-05 05:11 1473111 C:\Program Files\ICQLite\ICQLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
--a------ 2000-05-31 14:27 31744 C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 14:45 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
--a------ 2000-05-31 14:32 22528 C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-03-21 07:06 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
--a------ 2003-10-20 11:27 172032 C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Boinc-IRC\\mirc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Kinnexus\\Kinnexus.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
R2 PPPoEService;PPPoE Service;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe [2000-07-11 10:48]
S3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;C:\WINDOWS\system32\DRIVERS\ntspppoe.sys [2001-08-03 11:32]
S3 pmxscan;PrimaScan USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\RAWESR.SYS [2001-08-06 10:43]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\TAPBIND1.SYS [2001-08-07 12:07]
*Newly Created Service* - COMHOST
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 09:54:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-06 10:01:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 15:01:08
.
2008-02-13 05:24:16 --- E O F ---
bamajim
10.4K Posts
0
March 6th, 2008 18:00
@markrski
Posting your logs in someone else's thread makes it confusing for everyone involved, as removing some of these infections can be difficult.
We will be glad to help you with your log, but you need to start your own thread.
Go to the front page of the HijackThis board and select "New Message"; post your logs there.
Thanks
"The world is what you make of it"
bamajim
10.4K Posts
0
March 6th, 2008 18:00
You have a suspicious file I would like to have a look at.
Please go HERE
Put your name, and Dell HJT forum,
and in the "File to submit" box, click Browse. Using Windows Explorer
- (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate the file. In the comments, tell them that I asked you to upload the file.
Then Select Send File.
"The world is what you make of it"