UNBELIEVABLE PROBLEM..(with Trojan Ribdew)

Unbelievable...

Hello,
I downloaded the last program and did the last procedure several times, and after that I scanned with BitDefender. I am sending the last report that I got from BitDefender...

UNFORTUNATELY, I still have the same problem.. Unbelievable but it is true.

Help me!!!! HELP....HELP..:sad: :sad: :sad:



//-----------------------------------------------------------------
//
// ProductBitDefender Internet Security v10
// Product10.0
//
// Created on: 16/10/2006 18:36:55
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 2882
Files : 475234
Memory processes scanned : 18
Archives : 2535
Runtime packers : 66798
Identified viruses : 1
Infected files : 1
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 1
Moved files : 0
I/O errors : 47
Scan time : 01:32:41
Scan speed (files/sec) : 85

Spyware Statistics

Registry keys scanned : 1613
Registry keys infected : 0
Cookies scanned : 84
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0


Virus definitions : 509266
Scan plugins : 15
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[ ] Disinfect
[X] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[X] Delete
[ ] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1161013015.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o)=>lzma_solid_nsis0005 Infected: Trojan.Ribdew.C.DLL
C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o)=>lzma_solid_nsis0005 Deleted
C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o) Update failed
 
Hello,

Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
Code:
@echo off
cd\
del "C:\Docume~1\VATAN\LocalS~1\Tempor~1\Content.IE5\T8QKP5DL\AVICod~1.exe"
del "C:\Docume~1\VATAN\LocalS~1\Tempor~1\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe"
dir "C:\Docume~1\VATAN\LocalS~1\Tempor~1\Content.IE5\T8QKP5DL\AVICod~1.exe" >report.txt
start notepad report.txt
Run check.bat and post back with the text that will open.
 
Failed again..

Hello,
I made the check.bat file and ran it. One report page opened. There is nothing inside this report. It was one clean page. After that I checked my computer hopefully, but BitDefender found the same problem.

I have never met this type of problem.

Really I don't understand this problem... What do I do?

Thank you..



//-----------------------------------------------------------------
//
// ProductBitDefender Internet Security v10
// Product10.0
//
// Created on: 17/10/2006 10:44:02
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 805
Files : 133629
Memory processes scanned : 19
Archives : 1207
Runtime packers : 13893
Identified viruses : 1
Infected files : 1
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 1
Moved files : 0
I/O errors : 35
Scan time : 00:34:13
Scan speed (files/sec) : 65

Spyware Statistics

Registry keys scanned : 1613
Registry keys infected : 0
Cookies scanned : 88
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0


Virus definitions : 509568
Scan plugins : 15
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[ ] Disinfect
[X] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[X] Delete
[ ] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1161071042.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o)=>lzma_solid_nsis0005 Infected: Trojan.Ribdew.C.DLL
C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o)=>lzma_solid_nsis0005 Deleted
C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o) Update failed
 
Hello,

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe


Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
 
Still...

Hello,
I did, and got the report below the first time. After that I closed my firewall and also Windows Firewall and I tried several times, but I get this report..

What do you think? Also, when I uploaded the file I saw this file and I tried to delete it, but it was not deleted.

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file."
 
Hi Numlocke,

teacup61 asked me to look at your problem.

I wanted to know if there is another user account active on that computer and if the one you are using has administrator rights?

Let me know,
 
Hope...

Hi,
I am using only one user account, but I am using this computer at the university. Our university has a T-Lan System. They gave me one IP and DNS number. I am connecting from this number.
"if the one you are using has administrator rights?" Actually I don't understand this sentence. I can only say that one user account is active on my computer and it belongs to me.
I hope we can remove this problem from my computer.
Thank you..
Numlocke..
 
I will attach a file to this post. Right-click that file and save it into the same folder as the file BFU.exe that teacup61 told you to get.

Then double-click BFU.exe and on the BFU program screen use the explorer button to find the emptycache.txt

Then click the Execute button.
Your desktop and taskbar will disappear for a brief period.
When all is back click the Exit button.

That should take care of it.
Let us know.
 
Hello,

I did. But failed again. I am sending log file...What is the problem, I don't understand it..

Thanks,
Numlocke

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 18:44:02, on 20.10.2006

Option Unload Explorer: Yes
Failed: FolderDelete C:\DOCUME~1\VATAN~1\LOCALS~1\Temp\a2archive (operation failed)
Failed: FolderDelete C:\DOCUME~1\VATAN~1\LOCALS~1\Temp\AAWTMP (operation failed)
Failed: FileDelete C:\DOCUME~1\VATAN~1\LOCALS~1\Temp\~DF71EA.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\VATAN~1\LOCALS~1\Temp\~DF828.tmp (operation failed)
Failed: FolderDelete C:\WINDOWS\Temp\tmp000013c2 (operation failed)
Failed: FolderDelete C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL (operation failed)
Script completed.

After that I scanned again:

//-----------------------------------------------------------------
//
// ProductBitDefender Internet Security v10
// Product10.0
//
// Created on: 20/10/2006 18:48:18
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 759
Files : 99021
Memory processes scanned : 18
Archives : 709
Runtime packers : 11931
Identified viruses : 1
Infected files : 1
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 1
Moved files : 0
I/O errors : 34
Scan time : 00:17:25
Scan speed (files/sec) : 94

Spyware Statistics

Registry keys scanned : 1615
Registry keys infected : 0
Cookies scanned : 150
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0


Virus definitions : 510613
Scan plugins : 15
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[ ] Disinfect
[X] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[X] Delete
[ ] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1161359298.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o)=>lzma_solid_nsis0005 Infected: Trojan.Ribdew.C.DLL
C:\Documents and Settings\VATAND\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o)=>lzma_solid_nsis0005 Deleted
C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe=>(NSIS o) Update failed
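
The three scan summaries posted so far all read the same way, and a short parser makes the pattern explicit. This is an added example, not part of the original posts and not a BitDefender tool; the sample input is constructed by reusing the three summary lines of the first scan for each scan date, and the reading that "Deleted" refers to the object unpacked from the NSIS installer while "Update failed" means the installer file on disk was not rewritten is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the summary lines from this thread, reused for each scan date.
OBJ = (r"C:\Documents and Settings\VATAN\Local Settings\Temporary Internet Files"
       r"\Content.IE5\T8QKP5DL\AVICodecPackLite3[1].exe")
SUMMARY = "\n".join([
    OBJ + "=>(NSIS o)=>lzma_solid_nsis0005 Infected: Trojan.Ribdew.C.DLL",
    OBJ + "=>(NSIS o)=>lzma_solid_nsis0005 Deleted",
    OBJ + "=>(NSIS o) Update failed",
])
SCANS = {"16/10/2006": SUMMARY, "17/10/2006": SUMMARY, "20/10/2006": SUMMARY}

# "<file>=>(container)=>member <status>"; only statuses seen in this thread.
LINE = re.compile(r"^(?P<chain>.+?) (?P<status>Infected: \S+|Deleted|Update failed)$")

def parse_summary(text):
    """Return {on-disk file: [(nested layers, status), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        disk_file, *inner = m.group("chain").split("=>")
        events[disk_file].append((tuple(inner), m.group("status")))
    return dict(events)

def container_not_rewritten(events):
    """Files where an inner object was 'Deleted' but an enclosing layer says 'Update failed'."""
    stuck = []
    for disk_file, evs in events.items():
        deleted = [inner for inner, st in evs if st == "Deleted" and inner]
        failed = [inner for inner, st in evs if st == "Update failed"]
        if any(d[:len(f)] == f for d in deleted for f in failed):
            stuck.append(disk_file)
    return stuck

def recurring(scans):
    """Map each stuck file to the scan dates that reported it, if more than one."""
    seen = defaultdict(list)
    for date, text in scans.items():
        for f in container_not_rewritten(parse_summary(text)):
            seen[f].append(date)
    return {f: dates for f, dates in seen.items() if len(dates) > 1}

if __name__ == "__main__":
    for f, dates in recurring(SCANS).items():
        print(f"{len(dates)} scans say 'Deleted' but the container was not rewritten:\n  {f}")
```
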
 
Too bad the BFU log doesn't show why it failed. :sad:

Let's see if Unlocker can get rid of it.
Download the program here:
http://ccollomb.free.fr/unlocker/
and install it.

Check if your hidden files and folders are set to "show themselves"
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now to find the undeletable file, double-click "My Computer"
double-click the C: drive icon
double-click Documents and Settings
double-click the folder with the username (VATAN)
double-click the Local Settings folder
double-click the Temporary Internet Files folder
double-click the Content.IE5 folder
double-click the T8QKP5DL folder
now find the file called AVICodecPackLite3[1].exe and right-click it.
Unlocker should be in the right-click menu. Use it.
Delete the file and go back one step and right-click the T8QKP5DL folder
Use Unlocker again and delete the entire folder.

Let me know if this works or where it goes wrong.
 
Failed...

Hello,
I did, but unfolder did not show this file and these folders. Before using it, I selected show hidden files and folders. I think this folder was hidden by the trojan. I saw all hidden folders and files except the Content.IE5 folder and T8QKP5DL. I also used the find section to find this folder. It did not find this folder either. Really interesting..

What will we do? I am waiting for your recommendation.
Thanks.
Numlocke
 
So you could follow the path until the Temporary Internet Files folder?

Can you find the file in there?
If you toggle the A you should get to see all the files whose names start with an A
The [1] part may not show up in the filename.
 
Unfolder failed

First I uninstalled Internet Explorer 7 and after that I found this file. I have no idea about this. I used Unlocker. It did not delete it and asked me whether I wanted to delete it at the next reboot; I clicked OK. I restarted my computer but unfortunately it did not delete it.. I tried it several times but the results were the same..

Thanks..
Numlocke
 
Hi Numlocke,

We will probably have to delete the entire Temp Internet Folder for that user account. To do so we will need one of the following:
- Another user account with Administrator rights
- A set of startup floppies
- A Windows XP CD

Let me know what you have and we will take it from there.
 
Problem Finished

I started my computer in safe mode and logged in as administrator. I found this folder and these files. I deleted them with Unlocker. After that I checked my computer with BitDefender. There was no problem.
So I am happy. Thank you and teacup very much for the very kind and useful information and help.
Thank you...
 
And a thank you to Mosaic1, who gave me the solution on a silver platter. :heart:

Glad we could help. :cool:
 
As the problem appears to be resolved this topic has been archived. :bigthumb:

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter. Cheers. :)
 