PDA

View Full Version : it became a big problem.... help!!!!



Ransimch
2008-02-28, 16:37
hello,

i got a malware, at first it didnt do much harm. the only thing that was wrong is that the explorer windows were shutting down by themselves. and there was a message (on a balloon at the corner of the screen) that says that i was infected by spyware.

my norton didnt find anything

than i read and did what is written at "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

i reboot my computer to safe mode fixed some things with spybot and when i rebooted it again to windows i found out that i can not connect to the net.
(im writing from another computer)

please consider that when you're helping me.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:33, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mainconcept\PVR\PvrLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Mainconcept\PVR\mcavserv.exe
C:\Program Files\LevelOne\11g Wireless LAN\WLanUtility.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/remote.pac
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: 11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PVR Launcher.lnk = ?
O4 - Global Startup: UPnP AV Server.lnk = C:\Program Files\Mainconcept\PVR\mcavserv.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1BB8531-18CA-407E-99E6-6DDCC293D840}: NameServer = 192.168.123.254
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6962 bytes

KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 2:07:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/02/2008
Kaspersky Anti-Virus database records: 585247


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 58529
Number of viruses found 6
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 00:26:14

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Application Data\Babylon\log_file.txt Object is locked skipped

C:\Documents and Settings\ran simchas\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temp\uninst.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\WN7R6W5D\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\Documents and Settings\ran simchas\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\ran simchas\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton AntiVirus\Quarantine\55BB33B1.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cg skipped

C:\Program Files\Norton AntiVirus\Quarantine\571F1429.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\5BCB69DE.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\5F603114.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP104\A0010365.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010429.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\launcher.ocx Infected: not-a-virus:AdWare.Win32.I2ISolutions.b skipped

C:\WINDOWS\RTacDbg.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\WINDOWS\Temp\iottem.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\WINDOWS\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\change.log Object is locked skipped

Scan process completed.


i hope to hear from u fast....

thanks a lot

ransimch.

pskelley
2008-03-01, 13:33
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Not quite sure about this one, but I will do my best to help. Have you been able to get online yet? You may wish to ask your Internet Service Provider for help, this junk may have changed setting, here is information about at least one of the trojans I see:
http://www.bleepingcomputer.com/startups/braviax-21759.html
http://www.prevx.com/filenames/954251374095121964-0/BRAVIAX.EXE.html
among other problems it causes are this:

Can communicate with other computer systems using HTTP protocols

C:\Program Files\Norton AntiVirus\Quarantine\ <<< delete the contents of the NAV Quarantine folder
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506

I need to collect some information first, You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. If you can not get online, bring the tool to this computer from another computer.


1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

(if that link is still down, use this one)
http://www.scanwith.com/download/ATF_Cleaner.htm

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

(delete files in red)

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\Downloaded Program Files\launcher.ocx

C:\WINDOWS\system32\winivstr.exe

C:\WINDOWS\Temp\iottem.dll

C:\WINDOWS\trashicon.exe

C:\WINDOWS\wndsk.dll

C:\Documents and Settings\ran simchas\Local Settings\Temp\ <<< contents

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\ <<< contents

(ATF-Cleaner will clean those also, that is a double check for junk)

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the C:\rapport.txt and a new HJT log. Add any comments you think will help.

Thanks

Ransimch
2008-03-01, 15:37
Hello,

Thanks lot for the reply, it seems u all very busy.
While I waited I did some things that improved the situation.
I used Microsoft windows malicious software removal tool feb.2008 and it removed something called braviax as u mentioned.
I also used ad-aware removed things but I dont remember the names.

Anyhow I think im not cleaned yet,
Im still facing the problem of my explorer windows closing down by themselves.
Non of the following programs find anything: Norton, spybot s&d, ad-aware all updated.

(the net connection had nothing to do with the malware:)).

Im adding new reports of kaspersky and HJT

Again, thanks for the reply!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34:19, on 01/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LevelOne\11g Wireless LAN\WLanUtility.exe
C:\Program Files\Mainconcept\PVR\PvrLauncher.exe
C:\Program Files\Mainconcept\PVR\mcavserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/remote.pac
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: 11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PVR Launcher.lnk = ?
O4 - Global Startup: UPnP AV Server.lnk = C:\Program Files\Mainconcept\PVR\mcavserv.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1BB8531-18CA-407E-99E6-6DDCC293D840}: NameServer = 192.168.123.254
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7153 bytes



KASPERSKY ONLINE SCANNER REPORT
Saturday, March 01, 2008 2:58:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/03/2008
Kaspersky Anti-Virus database records: 591825


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 66592
Number of viruses found 6
Number of infected objects 21
Number of suspicious objects 0
Duration of the scan process 00:27:09

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-01_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Application Data\Babylon\log_file.txt Object is locked skipped

C:\Documents and Settings\ran simchas\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\MSHist012008030120080302\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temp\uninst.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\WN7R6W5D\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\Documents and Settings\ran simchas\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\ran simchas\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton AntiVirus\Quarantine\041D7EA4.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\09680ED1.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\31BA7C71.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\36A4210A.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\55BB33B1.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cg skipped

C:\Program Files\Norton AntiVirus\Quarantine\571F1429.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\5BCB69DE.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\5F603114.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\6FBD130F.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP104\A0010365.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010429.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010752.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0011750.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP108\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\launcher.ocx Infected: not-a-virus:AdWare.Win32.I2ISolutions.b skipped

C:\WINDOWS\RTacDbg.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\WINDOWS\Temp\iottem.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\WINDOWS\Temp\Perflib_Perfdata_640.dat Object is locked skipped

C:\WINDOWS\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

pskelley
2008-03-01, 15:47
Please follow the directions that I posted, if something is not there when you looks for it because you removed it with another tool, pass over that instruction. Let me also suggest that all forums are swamped and we manage to keep it at around four days here, if you do not have the time to wait for assistance, my suggestion would be not to post.

To recap, once the instructions I posted are completed, post only this:

Restart and post the C:\rapport.txt and a new HJT log. Add any comments you think will help.

and I will work from that point. Once I see you intend to continue with this post, I will remove the last posts you made to lessen the confusion.

Thanks...Phil

Ransimch
2008-03-02, 19:20
hello,

i tried to do everythimg you asked, but i had problems....
i couldn't delete the file: wndsk.dll. it says that it may be protected or in use...

another thing that happened is that after i deleted the other 'red' files i couldn't open any program including atf-cleaner, HJT or explorer, when i try to open a program i get window who asks me: "choose the program you want to use to open this file with" the name of the file (IEXPLORER.EXE, for exmple) and a list of the programs on my pc. but i cant open them.

other than that i have new file on my desktop called delself.bat the type file is MS-DOS Batch File, i dont know what it is....

here is the report file i did before i deleted the files:

SmitFraudFix v2.299

Scan done at 17:58:01.48, Sun 03/02/2008
Run from D:\\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process


hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\ran simchas


C:\Documents and Settings\ran simchas\Application Data


Start Menu





Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS



Scanning for wininet.dll infection


End

i hope i didnt deleted something too important....

thanks a lot

ransimch.

pskelley
2008-03-02, 19:29
I really don't know, it is not usual for folks who ask for help, to be running other tools in the middle of the fix as you were. I need to see a HJT log, please post one.

Thanks

pskelley
2008-03-02, 19:41
Here are the items I posted in RED for deletion:
winivstr.exe
http://fileinfo.prevx.com/adware/qq0e68105981239-WINI44344963/WINIVSTR.EXE.html

braviax.exe <<< appears you removed this one on your own
http://www.bleepingcomputer.com/startups/braviax-21759.html

launcher.ocx
C:\WINDOWS\Downloaded Program Files\launcher.ocx ------> AdWare.Win32.I2ISolutions.b skipped

winivstr.exe
http://fileinfo.prevx.com/adware/qq0e68105981239-WINI44344963/WINIVSTR.EXE.html

iottem.dll
http://www.fileresearchcenter.com/I/IOTTEM.DLL-12115.html

trashicon.exe
http://www.fileresearchcenter.com/T/TRASHICON.EXE-12118.html

wndsk.dll
http://fileinfo.prevx.com/adware/qq8bb8105764013-WNDS44308174/WNDSK.DLL.html

As you can see they are all malware. Now if you deleted something else I have no way of knowing. Look in the Recycle Bin on the Desktop, it may be there?

Thanks

Ransimch
2008-03-02, 23:50
hi,

first i must say that since you answered me i'm doing only what you'r asking me to, i know it is important to fallow the exact orders.
what i did during waiting for an answer was only because my computer was almost dead - i thought im going to format it. and i'm a student - i need my computer.
i hope we can start all over again.

so, i deleted only what you told me to and still couldnt open any program. i restored all the files at the recycle bin and and as i did it i managed to use programs.

so now all the bad files are back on my computer but i can add HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:14, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/remote.pac
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: 11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PVR Launcher.lnk = ?
O4 - Global Startup: UPnP AV Server.lnk = C:\Program Files\Mainconcept\PVR\mcavserv.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1BB8531-18CA-407E-99E6-6DDCC293D840}: NameServer = 192.168.123.254
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6370 bytes

waiting for further instructions...

thanks,

ransimch.

pskelley
2008-03-03, 00:09
OK, thanks for this HJT log, let me show you something. This log looks clean of malware and it was run at this time:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:14, on 02/03/2008
Could you tell me where you are located that the computer clock would show: 23:45:14? Is there an issue with your computer clock? I am at 04:56 EST in West Florida.

The HJT log you posted first showed this time:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:33, on 28/02/2008

The Kaspersky scan:
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 2:07:54 PM

The information you posted Yesterday, 08:37 in post #3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34:19, on 01/03/2008
is from more than a month ago?

Kaspersky:
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 01, 2008 2:58:39 PM

this HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:14, on 02/03/2008

Shows this item: O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
which is optional removal, see this: http://www.castlecops.com/startuplist-5306.html

and no other malware. Please post a new Kaspersky scan using these setting:
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. I need to know exactly what your malware issues are.

If you must store old HJT log, I suggest you store them where they will not get posted to your topic.

Thanks

Ransimch
2008-03-03, 17:46
Hello,
About your question, we do found very far from each other, im located far at the middle east, thats why our time is so different my clock is fine.
I didnt removed O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE for now

My only problem right now is that my explorer windows shuts down by themselves from time to time. There is no regularity in it, it can happened some times in a row, or happened once in a while. Anyhow it is really annoying.

Here is the kaspersky log

KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 4:19:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 546862


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 63558
Number of viruses found 2
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:27:19

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Application Data\Babylon\log_file.txt Object is locked skipped

C:\Documents and Settings\ran simchas\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\ran simchas\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP109\A0011984.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP111\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8DF8E9B5-59AD-4947-AFB4-26BABE2A0CF9}.crmlog Object is locked skipped

C:\WINDOWS\RTacDbg.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped

C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\iottem.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\WINDOWS\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP111\change.log Object is locked skipped

Scan process completed.

waiting for further instructions...

ransimch

pskelley
2008-03-03, 18:34
Thanks for returning your Scan Results, here is what KOS shows:

C:\WINDOWS\Temp\iottem.dll ------> Trojan-Clicker.Win32.Agent.ss

C:\WINDOWS\trashicon.exe ------> Trojan-Dropper.Win32.Agent.bno

C:\WINDOWS\wndsk.dll ------> Trojan-Clicker.Win32.Agent.ss

I understand you had an issue before when you removed some bad files, so here are tools that can scan these files which I will highlite in red, to assure you they are malware.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Use one or more until you are satisfied, it may be the infections have corrupted a valid Windows files, that being the case, this information will show you how to fix that:
http://dwightblackburn.com/winxp/

Once they have been deleted, empty the Recycle Bin on the Desktop and restart the computer. You have a few infected System Restore files, follow these directions to clean System Restore:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

For your issues with Internet Explorer, I suggest you update to the newest version which will also give you some additional security protection. You can download it at Windows Updates or you can find it here:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Thanks for explaining about the time difference, that covers all but this one:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34:19, on 01/03/2008
is from more than a month ago?

Let me know how it goes, I will post this information for you now so you can benefit from it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Ransimch
2008-03-04, 14:11
hello,

i'm having problems.....

i deleted iottem.dll - thats the good part

but after i deleted trashicon.exe i bumped again into the nonability of opening any programs like before - so i restored it. i know its a bad file, but i cant delete it unless i know how to solve the problem of opening progrms.

when i try to delete wndsk.dll i get a message:
access is denied. make sure the disc is not full or write-protected and tht the file is not currently in use.

i also tried to do the System File Check Utility but i couldnt make it run. i did the registry changes (both of them) as mentioned at Marc Liron's article - but it keeps askin me for the winXP CD.

about this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34:19, on 01/03/2008
maybe you r just reading it the wrong way - it means march 01, 2008.

summing all up i still have two malware files that we know about them and having problems with deleiting it.

thanks a lot for your efforts :bigthumb:

waiting for your response....

ransimch.

pskelley
2008-03-04, 17:58
OK Ransimch, I think you are right, I was looking at that date wrong:sad:

System File Checker first...what do you mean you could not make it run? That is a Windows tool, it may be the Program issue and not being able to run SFC are connected and a repair of the operating system my be needed?

When you click Start > Run > and then type "sfc /scannow" without the quotes and with a space after the c and the front slash, what happens? You understand if it does run, it take a while to scan all of your protected files and if it finds a problem it will look for a file to replace the missing or corrupt one with. If no file is available you will be asked for your Windows CD. This is normal, just insert the CD, the file that is needed is on that CD.

Let's look at this file: C:\WINDOWS\trashicon.exe
Here is the Google: http://www.google.com/search?hl=en&q=trashicon.exe+&btnG=Google+Search
I have not been able to find anything good about that file, but lets have it checked.
Click this link: http://www.bleepingcomputer.com/submit-malware.php
Put this information in the top information box:
http://forums.spybot.info/showthread.php?t=24945
Then "Browse" to that file: C:\WINDOWS\trashicon.exe
Submit this one also: C:\WINDOWS\wndsk.dll
Make sure you give them a contact to send the information to and share it with me in your topic when you receive it.

See this: http://www.google.com/search?hl=en&q=wndsk.dll+&btnG=Google+Search
Not much doubt the file is bad: C:\WINDOWS\wndsk.dll
Windows does not know a bad file from a good file (it probably should) it only knows if the file is in use or not. If it is in use, try looking in Task Manager and if it is there under "Processes", end process on it. You can also use this tool in HJT:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTProcessManager

Another possiblity is to use this tool:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
and see if the file can be deleted on reboot.

You can start looking here for answers to the problem:
http://www.google.com/search?hl=en&q=can%27t+open+Programs&btnG=Google+Search
or here: http://www.kellys-korner-xp.com/xp_tweaks.htm

Keep me posted on your progress.

Thanks...Phil

pskelley
2008-03-04, 18:38
Have a look at this website:
http://www.webtree.ca/windowsxp/repair_xp.htm
Here >>> SFC (System File Checker) has a problem running - SFC /SCANNOW keeps asking for the XP CD

Make sure you post any error message you receive from Windows "Word for Word"

Thanks

Ransimch
2008-03-05, 19:50
hello phil,
how do you do?

System File Checker first:
i dont have an original cd, and it looks like the cd I have (the cd wich i installed my win from) is not enough.
As I said I did what the article said including:
Copying the folder i386
And changing the registry (both of them)
l followed the exact orders.
and I still get the message to insert the cd as the pictures at the article shows.

I didnt get an answer about the trashicone.exe yet, Ill inform you when I will.

Wndsk.dll - I cant find it under Processes in task manager.
I failed deleting it with both HJT tools - it seems very stubborn.
The message I get (when I try to delete it just by clicking delete):
Cannot delete wndsk: access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.

thanks a LOT.

ransimch.

pskelley
2008-03-05, 20:51
Hard to do this without the tools that should be available in Windows?

C:\WINDOWS\wndsk.dll <<< try booting into safe mode and deleting that file there when it will not be running:
http://spyware-free.us/tutorials/safemode/

Ransimch
2008-03-06, 18:42
hello,

i went into safe mode and succeeded to delete wndsk.dll, i even deleted it from recycle bin. i rebooted it again to a regular mode and guess what ????
it came back, its still here.....

im getting desperate.....

add there is still, of course, the trshicon.exe problem.

in the mean time i must inform you that i am getting from time to time a messge from norton about viruses that r automatically deleted: kumm.exe, qkksf.exe, trayex.exe, ens.exe.

i still didnt get nswer about trasicon.exe, though i wrote my email

thanks

Ransimch
2008-03-06, 18:48
something really strange happened right now:
a notepaat opend up - file name: untitled.
and it starts writing to me:
helo' i'm keeping my eye on you:)



what the hell is it?????

pskelley
2008-03-06, 19:03
This is always an option for you:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm


what the hell is it????? <<< it does not take even a smart hacker to add a script like this to the infection.

If you wish to continue trying to clean the junk, let's start by checking for a rootkit infecxtion:

Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!

Let's have combofix take a look also, delete any old copies of combofix you may have onboard.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and the log from the BlackLight scan.

Thanks

Thanks

Ransimch
2008-03-06, 20:08
hello phil....

if you think there are still things to do, as you wrote, i'll try to do it and get cleaned.

so here is what you asked for:
(i'll just note that norton made it hard on me completing combofix check, but i managed )

03/06/08 19:21:52 [Info]: BlackLight Engine 1.0.67 initialized
03/06/08 19:21:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/06/08 19:21:52 [Note]: 7019 4
03/06/08 19:21:52 [Note]: 7005 0
03/06/08 19:22:08 [Note]: 7006 0
03/06/08 19:22:08 [Note]: 7022 0
03/06/08 19:22:08 [Note]: 7011 888
03/06/08 19:22:08 [Note]: 7026 0
03/06/08 19:22:08 [Note]: 7026 0
03/06/08 19:22:09 [Note]: FSRAW library version 1.7.1024
03/06/08 19:24:12 [Note]: 7007 0
___________________________________________________

ComboFix 08-03-05.3 - ran simchas 03/06/2008 19:47:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.646 [GMT 2:00]
Running from: C:\Documents and Settings\ran simchas\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\ran simchas\Application Data\macromedia\Flash Player\#SharedObjects\39VSC5N8\iforex.com
C:\Documents and Settings\ran simchas\Application Data\macromedia\Flash Player\#SharedObjects\39VSC5N8\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\ran simchas\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\ran simchas\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\system32\~.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm




((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 17:18 916,072 ----a-w C:\fsbl.exe
2008-03-06 16:18 32,256 ----a-w C:\WINDOWS\wndsk.dll
2008-03-06 09:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-01 21:12 86,016 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-02-29 21:48 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-02-28 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 21:07 --------- d-----w C:\Program Files\Lavasoft
2008-02-28 21:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 12:39 --------- d-----w C:\Program Files\Trend Micro
2008-02-28 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-28 10:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 10:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 09:32 --------- d-----w C:\Program Files\SnapStream Media
2008-02-28 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SnapStream
2008-02-27 00:33 --------- d-----w C:\Program Files\ATI Multimedia
2008-02-26 22:20 19,789 ----a-w C:\WINDOWS\tumopyhyg.bat
2008-02-26 22:20 18,255 ----a-w C:\WINDOWS\zekogu.com
2008-02-26 22:20 17,660 ----a-w C:\WINDOWS\system32\azoxyvozam.scr
2008-02-26 22:20 15,963 ----a-w C:\WINDOWS\ronifuq.bat
2008-02-26 22:20 14,509 ----a-w C:\Program Files\Common Files\wekadakiba.inf
2008-02-26 22:20 13,612 ----a-w C:\Documents and Settings\All Users\Application Data\cibiky.dll
2008-02-26 22:20 11,982 ----a-w C:\Program Files\Common Files\esicurox.db
2008-02-26 22:20 11,788 ----a-w C:\WINDOWS\tyqyxix.sys
2008-02-26 22:20 10,545 ----a-w C:\Program Files\Common Files\ezoroqowut.inf
2008-02-26 20:55 68,096 ----a-w C:\WINDOWS\trashicon.exe
2008-02-26 09:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-26 08:33 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-26 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-02-23 14:22 --------- d-----w C:\Program Files\NewSoft
2008-02-23 14:22 --------- d-----w C:\Program Files\EMUSB2.0
2008-02-23 14:22 --------- d-----w C:\Program Files\eMPIA
2008-02-23 14:22 --------- d-----w C:\Program Files\Common Files\newsoft
2008-02-23 14:14 --------- d-----w C:\Program Files\Mainconcept
2008-02-23 14:12 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-02-23 14:12 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\AVSMedia
2008-02-23 14:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-02-23 14:11 --------- d-----w C:\Program Files\AVSMedia
2008-02-17 17:10 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\Audacity
2008-02-17 17:00 --------- d-----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-02-13 14:55 --------- d-----w C:\Program Files\Mv2Player
2008-01-28 10:03 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\SecondLife
2008-01-26 22:04 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\Babylon
2008-01-25 21:45 46,288 ----a-w C:\Documents and Settings\ran simchas\Application Data\GDIPFONTCACHEV1.DAT
2008-01-16 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-16 22:18 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\Apple Computer
2008-01-16 22:14 --------- d-----w C:\Program Files\QuickTime
2008-01-16 21:48 --------- d-----w C:\Program Files\iTunes
2008-01-16 20:40 --------- d-----w C:\Program Files\iPod
2008-01-16 20:39 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-16 20:39 --------- d-----w C:\Program Files\Apple Software Update
2008-01-16 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-16 17:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-15 20:33 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-13 22:45 --------- d-----w C:\Program Files\i2i Internet Solutions
2007-12-14 09:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 19:24 558,142 ----a-w C:\WINDOWS\java\Packages\A1JPBBBX.ZIP
2007-12-11 19:24 155,995 ----a-w C:\WINDOWS\java\Packages\YX39FR17.ZIP
2007-12-11 16:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:07 AM 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 10:37 AM 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/17/2008 11:42 AM 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [12/11/2007 05:25 PM 100056]
"Gainward"="C:\Program Files\XpertVision\TBPanel.exe" [10/02/2007 12:18 PM 2165256]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/05/2007 07:59 AM 8491008]
"nwiz"="nwiz.exe" [10/05/2007 07:59 AM 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/05/2007 07:59 AM 81920]
"RTHDCPL"="RTHDCPL.EXE" [06/13/2007 08:49 AM 16377344 C:\WINDOWS\RTHDCPL.exe]
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [03/31/2004 03:23 PM 823296]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 10:56 AM 286720]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [05/24/2006 05:39 PM 2655272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:07 AM 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
11g Wireless LAN Utility.lnk - C:\Program Files\LevelOne\11g Wireless LAN\WLanUtility.exe [2007-12-11 23:10:35 712704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
PVR Launcher.lnk - C:\Program Files\Mainconcept\PVR\PvrLauncher.exe [2008-02-23 16:14:02 69632]
UPnP AV Server.lnk - C:\Program Files\Mainconcept\PVR\mcavserv.exe [2008-02-23 16:14:01 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 Achernar;Achernar - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Achernar.sys [05/13/2005 03:07 PM]
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [02/01/2005 05:30 PM]
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [02/01/2005 05:30 PM]
R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Aldebaran.sys [05/13/2005 03:07 PM]
R3 RTLWUSB;11g Wireless USB Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [07/04/2006 02:10 AM]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys []
S3 XDva032;XDva032;C:\WINDOWS\system32\XDva032.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-29 20:30:34 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - ran simchas.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 19:48:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\NetLimiter\nl_lsp.dll
-> C:\WINDOWS\system32\nl_msgc.dll
.
Completion time: 03/06/2008 19:48:37
ComboFix-quarantined-files.txt 2008-03-06 17:48:35

___________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:43, on 06/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LevelOne\11g Wireless LAN\WLanUtility.exe
C:\Program Files\Mainconcept\PVR\PvrLauncher.exe
C:\Program Files\Mainconcept\PVR\mcavserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/remote.pac
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: 11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PVR Launcher.lnk = ?
O4 - Global Startup: UPnP AV Server.lnk = C:\Program Files\Mainconcept\PVR\mcavserv.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1BB8531-18CA-407E-99E6-6DDCC293D840}: NameServer = 192.168.123.254
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7286 bytes
___________________________________________________


thank you

ransimch.

pskelley
2008-03-06, 21:03
BlackLight is clean, remove it from yoru computer. Remove combofix from the computer also.

if you think there are still things to do, as you wrote, i'll try to do it and get cleaned.The one item that most confuses me is C:\WINDOWS\trashicon.exe
I can not understand why removing that file causes you not to be able to open programs?

Would you use one or more of these scans to find out what that is and post the information:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

C:\WINDOWS\wndsk.dll <<< scan this one also and post the results.

Along with the results from those two files scan, please post the results of a Kaspersaky Online Scan using these settings.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Ransimch
2008-03-06, 22:36
i dont now if everything is relevant, i copied what i found....


Service load: 0% 100%

File: trashicon.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 7c5f5260f51db2d2a17ce93d6165ade8
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 06 Mar 2008 20:19:08 (GMT)
A-Squared Found Trojan-PSW.Win32.LdPinch.fxi
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found Heur.W32
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Dropper.W32.Agent.bno
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan:W32/Renos.BA, Trojan-Dropper.Win32.Agent.bno
Fortinet Found nothing
Ikarus Found Trojan.Crypt.XPACK
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.bno
NOD32 Found nothing
Norman Virus Control Found W32/Smalltroj.CWBU
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found Trojan-Dropper.Win32.Agent.bno

______________________________________________________________________________________________________
kaspersky:
Scanned file: trashicon.exe - Infected

trashicon.exe - infected by Trojan-Dropper.Win32.Agent.bno


Statistics:
Known viruses: 605235 Updated: 06-03-2008
File size (Kb): 67 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

Trojan-Dropper.Win32.Agent.bno
Detection added Aug 02 2007 16:16 GMT
Update released Aug 03 2007 18:55 GMT
Behavior TrojanDropper


Currently there is no description available for this program.

As many viruses and worms are modifications of earlier versions, it may help you to check the descriptions of similar programs. If such descriptions are available, they will be listed at the top of the page.

Our virus analysts work hard to ensure that descriptions of the commonest and most potentially dangerous software are available to users. The Virus Encyclopedia is updated on a regular basis.

If you cannot find the description you need, please check back later, or contact us on webmaster@viruslist.com.



Home / Viruses / Virus Encyclopedia / Malware Descriptions / Trojan Programs
Trojan Programs
Trojans can be classified according to the actions which they carry out on victim machines.

Backdoors
General Trojans
PSW Trojans
Trojan Clickers
Trojan Downloaders
Trojan Droppers
Trojan Proxies
Trojan Spies
Trojan Notifiers
ArcBombs
Rootkits
Backdoors
Today backdoors are the most dangerous type of Trojans and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legal remote administration programs used by system administrators. This makes them difficult to detect.

The only difference between a legal administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine. Once the backdoor is launched, it monitors the local system without the user's knowledge; often the backdoor will not be visible in the log of active programs.

Once a remote administration utilitiy has been successfully installed and launched, the victim machine is wide open. Backdoor functions can include:

Sending/ receiving files
Launching/ deleting files
Executing files
Displaying notification
Deleting data
Rebooting the machine
In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package.

Backdoors have one especially dangerous sub-class: variants that can propagate like worms. The only difference is that worms are programmed to propagate constantly, whereas these 'mobile' backdoors spread only after a specific command from the 'master'.

General Trojans
This loose category includes a variety of Trojans that damage victim machines or threaten data integrity, or impair the functioning of the victim machine.

Multi-purpose Trojans are also included in this group, as some virus writers create multi-functional Trojans rather than Trojan packs.

PSW Trojans
This family of Trojans steals passwords, normally system passwords from victim machines. They search for system files which contain confidential information such as passwords and Internet access telephone numbers and then send this information to an email address coded into the body of the Trojan. It will then be retrieved by the 'master' or user of the illegal program.

Some PSW Trojans steal other types of information such as:

System details (memory, disk space, operating system details)
Local email client
IP-address
Registration details
Passwords for on-line games
Trojan-AOL are PSW Trojans that steal passwords for aol (American Online) They are contained in a sub-groups because they are so numerous.

Trojan Clickers
This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows).

Clickers are used:

To raise the hit-count of a specific site for advertising purposes
To organize a DoS attack on a specified server or site
To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)
Trojan Downloaders
This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.

The names and locations of malware to be downloaded are either coded into the Trojan or downloaded from a specified website or other Internet location.

Trojan Droppers
These Trojans are used to install other malware on victim machines without the knowledge of the user. Droppers install their payload either without displaying any notification, or displaying a false message about an error in an archived file or in the operating system. The new malware is dropped to a specified location on a local disk and then launched.

Droppers are normally structured in the following way:

Main file
contains the dropper payload
File 1
first payload
File 2
second payload
...
as many files as the coder chooses to include

The dropper functionality contains code to install and execute all of the payload files.

In most cases, the payload contains other Trojans and at least one hoax: jokes, games, graphics and so forth. The hoax is meant to distract the user or to prove that the activity caused by the dropper is harmless, whereas it actually serves to mask the installation of the dangerous payload.

Hackers using such programs achieve two objectives:

Hidden or masked installation of other Trojans or viruses
Tricking antivirus solutions which are unable to analyse all components

_______________________________________________________________________________________________________

File trashicon.exe received on 03.06.2008 21:15:25 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 12/32 (37.5%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 -
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.06 TrojanDropper.Agent.bno
ClamAV 0.92.1 2008.03.06 -
DrWeb 4.44.0.09170 2008.03.06 -
eSafe 7.0.15.0 2008.03.06 Suspicious File
eTrust-Vet 31.3.5591 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 -
F-Secure 6.70.13260.0 2008.03.06 W32/Smalltroj.CWBU
Ikarus T3.1.1.20 2008.03.06 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.03.06 Trojan-Dropper.Win32.Agent.bno
McAfee 5245 2008.03.05 -
Microsoft 1.3301 2008.03.06 -
NOD32v2 2927 2008.03.06 -
Norman 5.80.02 2008.03.06 W32/Smalltroj.CWBU
Panda 9.0.0.4 2008.03.06 Suspicious file
Prevx1 V2 2008.03.06 Trojan.Dropper
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 Mal/Generic-A
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 Trojan-Dropper.Win32.Agent.bno
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 Trojan.Crypt.XPACK.Gen
Additional information
File size: 68096 bytes
MD5: 7c5f5260f51db2d2a17ce93d6165ade8
SHA1: c1b576baf656cf57c86d9740ae1806548d244874
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FD7D30E00044BE3A0A3B013B3C2E070059D0DF23







the rest of the things you asked will be posted soon.....

Ransimch
2008-03-06, 22:45
Service load: 0% 100%

File: wndsk.dll
Status: INFECTED/MALWARE
MD5: da7e8336e1073304c60ed0a4344263a9
Packers detected: PE_PATCH.UPX, UPX
Bit9 reports: File not found

Scanner results
Scan taken on 06 Mar 2008 20:35:36 (GMT)
A-Squared Found nothing
AntiVir Found TR/Spy.Gen
ArcaVir Found Trojan.Clicker.Agent.Ss
Avast Found nothing
AVG Antivirus Found Downloader.Small.60.BJ
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Click.17304
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan:W32/Renos.BA, Trojan-Clicker.Win32.Agent.ss
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Clicker.Win32.Agent.ss
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Trj/Downloader.SRZ
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Behav-119
VirusBuster Found nothing
VBA32 Found Trojan-Clicker.Win32.Agent.ss

______________________________________________________________________________________________________

File wndsk.dll received on 03.06.2008 21:36:48 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 13/32 (40.63%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 TR/Spy.Gen
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 Downloader.Small.60.BJ
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.06 TrojanClicker.Agent.ss
ClamAV 0.92.1 2008.03.06 -
DrWeb 4.44.0.09170 2008.03.06 Trojan.Click.17304
eSafe 7.0.15.0 2008.03.06 -
eTrust-Vet 31.3.5591 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 W32/Injector.A.gen!Eldorado
F-Secure 6.70.13260.0 2008.03.06 Trojan-Clicker.Win32.Agent.ss
Ikarus T3.1.1.20 2008.03.06 Trojan-Clicker.Win32.Agent.ss
Kaspersky 7.0.0.125 2008.03.06 Trojan-Clicker.Win32.Agent.ss
McAfee 5245 2008.03.05 -
Microsoft 1.3301 2008.03.06 -
NOD32v2 2927 2008.03.06 -
Norman 5.80.02 2008.03.06 -
Panda 9.0.0.4 2008.03.06 Trj/Downloader.SRZ
Prevx1 V2 2008.03.06 Trojan.Gorhax
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 Mal/Emogen-G
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 Trojan-Clicker.Win32.Agent.ss
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 Trojan.Spy.Gen
Additional information
File size: 32256 bytes
MD5: da7e8336e1073304c60ed0a4344263a9
SHA1: f207006a4734183893e5ff87d79afe3aca67ce8b
PEiD: -
packers: PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=919CF7EC00A790BC7E7600EABCCD9A009E6BCF30
______________________________________________________________________________________________________

Scanned file: wndsk.dll - Infected

wndsk.dll - infected by Trojan-Clicker.Win32.Agent.ss


Statistics:
Known viruses: 605235 Updated: 06-03-2008
File size (Kb): 32 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

Ransimch
2008-03-06, 23:38
here is the kasparsky report:

KASPERSKY ONLINE SCANNER REPORT
Thursday, March 06, 2008 11:31:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/03/2008
Kaspersky Anti-Virus database records: 554803


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 64130
Number of viruses found 2
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 00:29:37

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-06_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Application Data\Babylon\log_file.txt Object is locked skipped

C:\Documents and Settings\ran simchas\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Desktop\New Folder (2)\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temp\~DF1DCE.tmp Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\ran simchas\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\RECYCLER\S-1-5-21-789336058-1935655697-725345543-500\Dc1.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP109\A0011984.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP112\A0013026.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP113\A0013100.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP113\A0013101.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP114\A0014194.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP114\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\RTacDbg.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP114\change.log Object is locked skipped

Scan process completed.


thanks

ransimch.

pskelley
2008-03-07, 00:38
Hello Ransimch, here is the results of the Kaspersky Online Scan done at: Thursday, March 06, 2008 11:31:50 PM

Number of infected objects 10 <<< 6 of these items are infected System Restore files that I would like to clean last so we only have to do it once. The items in System Restore can not get back on your system unless you do a restore with the infected restore point. I will post the information so you can see it:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Understand that it can be done now but might have to be done again and the files can not harm us where they are.

These are the other four items:

(I do not know why wndsk.dll is in a folder on your Desktop? Delete it)
C:\Documents and Settings\ran simchas\Desktop\New Folder (2)\wndsk.dll ------> Trojan-Clicker.Win32.Agent.ss

(This item is in the Recycle Bin on your Desktop, delete it)
C:\RECYCLER\S-1-5-21-789336058-1935655697-725345543-500\Dc1.dll ------> Trojan-Clicker.Win32.Agent.ss


I believe you have looked at enough information about these two files to understand that they have to go no matter what.
C:\WINDOWS\trashicon.exe ------> Trojan-Dropper.Win32.Agent.bno
C:\WINDOWS\wndsk.dll ------> Trojan-Clicker.Win32.Agent.ss

Before we delete them, could you describe in detail exactly what happens when you remove trashicon.exe. I need all of the information you can provide, if there are error message or any messages at all, please post them word for word. I am trying to find some why to fix the problem without repairing or reinstalling Windows.

Thanks

Ransimch
2008-03-07, 13:09
hello,

while i was writing reply to you i deleted trashicone.exe so i could tell you exactly whats goin on, i tried to open something and i was surprised to see that it did open. all programs runing ok...
i tried deleting wndsk.dll and succeeded it too :D:
both of them in my recycle bin now....
when i ran combofix it rebooted my computer once, maybe thats what caused the positive change.

till now my explorer didnt closed down but i hope it wont happened in the future. i hope the problem solved (though it didnt happened often so i'll guess i only need to wait and see).

now we can finish cleaning up...
i'll just inform you that i wasn't able to find dc1 in the recycle bin.

waiting for further instractions...

thanks a lot

ransimch.

pskelley
2008-03-07, 13:34
Good morning Ransimch, (6:23 AM EST on the West Coast of Florida) that is good news to hear. I was surely uncertain as to why that malware file was causing that issue with your programs.
I just looked back over your post and I see I did not offer you the opportunity to install Recovery Console which may come in handy during a major emergency one day. Read about it here:
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
I remember issues with the Windows CD so if you do not have the CD needed to install RC, combofix will do it for you as you have read. If you removed combofix, you may download it again to do the installation.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

If you do not wish to install RC, then I suggest you empty your Recycle Bin to clean that junk from it.

Thanks...Phil

Ransimch
2008-03-07, 14:24
hi phil and good morning,
(you r getting up real early....)

about the recovery console i think i'll take your advice, do you think i should install it?

i deleted my recycle bin.

and what about the other things, you mentioned something about restore files, should i do something with it?

do you want to take a final check to see that everything is ok?

thank you

ransimch.

pskelley
2008-03-07, 14:39
I can say I have two Dells and I installed Recovery Console on both. I am surprised this program, which is on the Windows CD, is not installed by default by Microsoft. May be they don't think the average user could use the tool?

If you start reading here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, then you can follow the instructions found in the tutorial listed below. Read and follow the directions carefully, once you have RC install, post the .txt file you are presented with.

http://img.photobucket.com/albums/v666/sUBs/rc1.gif


Here are the instructions again for cleaning infected System Restore files:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Thanks