PDA

View Full Version : Win32.Agent.icb user.dll help



burgeymon
2009-05-09, 16:15
ok, hp computer, amd phenom 1.8 quad, 8 gb ram, vista home premium. was having trouble with my ram maxing out so i downloaded spybot. dont know if this is the cause or not, but i want rid of it anyways :) says i have 2 entries of this trojan. here is what it said about it.

Company:
Product: Win32.Agent.icb
Threat: Trojan


Description
The trojan installs itself as a library file into the system directory and creates some encrypted files in the help directory. It adds some registry entries and changes the user32.dll. This file has to be restored manually (a copy of it exists under random name in the system directory). It connects to the internet and loads the installed library file in the system directory via the changed user32.dll and winlogon.exe. It is able to send e-mails and terminate processes.


ok, i can rename a file, if i knew the random name for the dll, but i dont. i could save a copy to my desktop and cut and paste into the system 32 folder no prob, if i had a clean copy to save. is there one floating around here somewhere? new computer, had vista on it when i bought it, no disk. no recovery disk, nothing. great job hp! it has a hard drive labled recovery but wont show any files for me to copy it.

so, what to do? if the file has to be replaced manually that means spybot doesn't do it for you right? want to fix it but it sounds like i need that file to do it. any suggestions??

sorry, had problems with hijack this, here is the report, registry is backed up and ready.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:37 AM, on 5/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Users\Roy Amburgey\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files (x86)\Hewlett-Packard\KBD\kbd.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Roy Amburgey\Desktop\New Folder\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sublimedirectory.com/pod
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files (x86)\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SansaDispatch] C:\Users\Roy Amburgey\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MzRamBooster] C:\Program Files (x86)\MzRam\MzRamBooster.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
O4 - Global Startup: PictureMover.lnk = C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: E-MU Audio Service (emaudsv) - Unknown owner - C:\Windows\system32\emaudsv.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10601 bytes

shelf life
2009-05-10, 15:59
hi,


trouble with my ram maxing out
in order to take advantage of 8GB of RAM, several things must happen.
There is a good article here;

http://www.tomshardware.com/reviews/vista-workshop,1775.html

for the trojan i would install MBAM. Link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

burgeymon
2009-05-10, 18:34
and the file spybot says need to be replaced manually? user.dll? do i still need to do something about that or does it find the proper file on the net? hard drive? or is it a not important?

burgeymon
2009-05-10, 18:52
oh, and i forgot, i already have 64 bit vista and my bios does recognize it. read the article and other than a couple of downloads for drivers and more virtual memory i didnt see anything. did i miss something??

anyway, the program i use to monitor my system says cpu and virtual memory are WAY fine. just my ram maxing from 85-91% id dunno. hopefully after the trojan fix everything will go back to normal.

burgeymon
2009-05-11, 00:24
ok, did the malware bytes thing, found 7 infections, did the log, fixed it, did another log, restarted. ran spybot, trojan is still there. exact same thing. here is the before log then after log from malware bytes.


Malwarebytes' Anti-Malware 1.36
Database version: 2104
Windows 6.0.6001 Service Pack 1

5/10/2009 2:54:41 PM
mbam-log-2009-05-10 (14-53-38).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 258287
Time elapsed: 55 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ferryl.cbv (Malware.Trace) -> No action taken.
C:\Windows\System32\inqby.sr (Malware.Trace) -> No action taken.
C:\Windows\System32\fairy.an (Malware.Trace) -> No action taken.
C:\Windows\System32\dolman.zt (Malware.Trace) -> No action taken.
C:\Windows\System32\ashl.nq (Malware.Trace) -> No action taken.
C:\Windows\mqcd.dbt (Malware.Trace) -> No action taken.




Malwarebytes' Anti-Malware 1.36
Database version: 2104
Windows 6.0.6001 Service Pack 1

5/10/2009 2:58:47 PM
mbam-log-2009-05-10 (14-58-47).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 258287
Time elapsed: 55 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ferryl.cbv (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\inqby.sr (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\fairy.an (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\dolman.zt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\ashl.nq (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\mqcd.dbt (Malware.Trace) -> Quarantined and deleted successfully.




so now what? any ideas? still havent tried fixing the problem with spybot, it makes it sound like i need the user.dll file to replace the one its going to delete. and, why didnt malware bytes find that trojan?

shelf life
2009-05-11, 01:40
hi,


i didnt see anything. did i miss something??
i was just pointing the article out as a possible solution to your RAM woes.Actually i missed Mzrambooster the first time. Windows can manage memory on its own. see below.

for the trojan
Navigate to the system32 dir and look for user32.dll

you can go to the website below, browse for the file again and upload it using the SEND button. When the scan is complete you can copy/paste the URL in your reply.
http://www.virustotal.com/


RE:MzRamBooster.exe

http://www.bitsum.com/winmemboost.asp

http://windowsitpro.com/article/articleid/41095/the-memory-optimization-hoax.html

burgeymon
2009-05-11, 03:49
here is the url http://www.virustotal.com/analisis/39baa2e8c9e3aa46acb9da2d5053fb46

lol @ the one article. the bitsum article was informative and made sense. the windowsitpro was downing ram boosters, and advertising them on the same page woo ha ha!!

so anyway, it came back as 0 of 40 result, so not infected. think spybot is getting a false positive?? i have avg, it didnt find anything, well, it found something a week or so ago but didnt tell me. first thing i did when i started seeing my ram red line was check the avg event logs and it found 8 removed 4. so i removed the other 4. none of it was the trojan spybot is finding though.

as far as the article mentioned in your first reply, i did check to see if there was a memory remapping option in my bios and there wasnt. one downfall to this new pc over my old is i can hardly do anything at all in bios. my last was a frankenstien's monster so to speak, a part off this pc a piece off that one. no name brand really. had an asus board with an amd athlon 1 gb cpu, but would let me overclock it and everything else in it. had that thing flyin. only reason i bought this one was some of the things i wanted to do needed more headroom, more ram, wouldnt install without a so and so cpu, etc... so i bought this one. but, wont let me do much of anything in bios. but, it does recognize 8 gb ram so i guess thats ok.

just cant understand what in the world is taking up so much of it. didnt install mz ram booster until all this started.

here is the search results from spybot.


--- Search result list ---
Win32.Agent.icb: [SBI $A0EF69BD] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\mid

Win32.Agent.icb: [SBI $9C8AB327] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\st


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-05-09 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-03-25 Includes\Adware.sbi (*)
2009-05-05 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-03-31 Includes\Dialer.sbi (*)
2009-05-05 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-04-21 Includes\Hijackers.sbi (*)
2009-05-05 Includes\HijackersC.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-05-06 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-05 Includes\Malware.sbi (*)
2009-05-05 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-05 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-05-05 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-05 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-04-29 Includes\Trojans.sbi (*)
2009-05-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


i dunno. false positives? and, by the way, just curious, this is a spybot forum, so, why arent we using spybot to fix the problem? the read this before posting said to not fix the problem untill a helper looks at the hijack this report and replies, so you havent said to try spybot, so i havent. just the programs you have told me about. just wondering.

shelf life
2009-05-11, 05:07
wont let me do much of anything in bios.
Commercially purchased computers are really lacking in functionality. simply tinkering in the BIOS can be very limited as you know, not to mention plenty of other things.

You might be interested in this;
http://www.pcdecrapifier.com/home

the trojan. Could be a false positive.

why arent we using spybot to fix the problem?
You have tried 'fixing' it with spybot?
Not all malware scanners are the same. In order to cover all bases i would have at least two on a machine, for most people anyway. If you really practice "safe hex" then one would be ok.

You could get another opinion about the trojan in a online scan;

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

Had MBAM flagged it we wouldnt be going through all this. Want to be sure it is a false positive and not really malware patched.

burgeymon
2009-05-11, 22:33
it said alls well. found nothing. here is the log.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4063 (20090508)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d7344cb6fa3745418c4649af2803a1f3
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-11 05:01:08
# local_time=2009-05-11 01:01:08 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=730933
# found=0
# scan_time=8105




that one must have been a VERY detailed search. i have 1.5 TB so im used to em taking a while, but wow. i gave up and went to bed it took so long. is nod32 that way too? in depth i mean? been looking for a "good" virus and firewall software. preferably free, but if its good enough....maybe.

so it looks like a false positive, nothing but spybot is finding it, and no, i never tried to fix it with spybot because of the file it said i would have to replace manually. hp didnt send a windows disc and i dont know anyone who has a vista disc for me to grab a clean copy from. so i came here.

so, do i ignore it and set spybot to ignore it as well, or do a backup and try to fix it and see what happens?

shelf life
2009-05-12, 01:26
You had the file checked out at virustotal, MBAM looks ok, the online scan was good. AVG dosnt find anything. I would say its a false positive and have spybot ignore it.
You could run sfc /scannow from the run menu. its system file checker and will scan for windows files that have been over written or corrupt.
I have only done it in XP, you may also be asked to install the windows install CD/DVD which you dont have. there is a way to get around it if you feel like researching it. May not be worth the troubles.

Some free AV:
AVG, AVAST ANTIVIR, CLAMWIN

free Firewalls:

Zone alarm
Outpost free
Online Armor
Jetico
PCtools

burgeymon
2009-05-12, 15:27
ok thanks for the help. about the firewalls. webroot haas a free one as well but it will get on your last nerve askin for permission for everything, giving the file name only and not telling you what program its connected to so you have no idea if you should let it through:)

i found a copy of outpost on cnet but its not 64 bit, and doesnt the free version of zone alarm kinda suck? had zone alarm pro back in the day and it was awesome, i remember there was a link on the msnbc website to a site that would test your firewall. i tried a bunch and with za pro they could tell "someone" was there but couldnt tell who or where or anything. it kept you locked up tight. but thats some bucks nowadayz.

will check into the others though and try em out. wish i could remember that site that tested em.

thanks again for the help.

c-ya!

shelf life
2009-05-12, 23:41
ok your welcome. Outpost Pro 2009 is 64 bit, not free though. they have a new free version out, make sure its not version 1.0 that you got (its real old) It will work on your machine unless your just trying to keep everything 64bit.
I havent used ZA in years. It was one of the first software FW solutions.

There are many sites that will ping your FW. If you have a router in your set up, its the router thats getting scanned not your machine.

A few port scanners:

http://www.securitymetrics.com/portscan.adp
http://www.canyouseeme.org/
https://www.grc.com/ Shields Up
http://www.derkeiler.com/Service/PortScan
http://www.pcflank.com/
http://linux-sec.net/Audit/nmap.test.gwif.html
http://www.hackerwatch.org/probe/

heres some tips to help reduce your risk:

Reducing Your Risk To Malware:
The Short Version:

1) It is essential to Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. This is now also true for web based application like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software or codecs to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) If your habits include: warez, cracks etc or you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

burgeymon
2009-05-13, 00:33
cool, thanks for the links. some 32 bit stuff vista wont even install, even as admin. and the outpost i tried was such a program. vista has its good parts i guess, looks nice lol. but i SOOOOOOOOO miss xp. been thinking about giving vista the ol boot. with the harware on here xp would be a speed demon. and id have a lot less problems finding the right program. i dunno.

maybe windows 7 will be better than both. waiting on someone i know to have it so i can see with my own eyes, just not willing to put the free demo copy on here at the moment. sit back and wait, see what others say i guess.

thanks again for the links, will check into it all on my next days off.
c-ya.