
Thread: Win32.Agent.icb user.dll help

  1. #1
    Junior Member
    Join Date
    May 2009
    Posts
    8


    ok, hp computer, amd phenom 1.8 quad, 8 gb ram, vista home premium. was having trouble with my ram maxing out so i downloaded spybot. don't know if this is the cause or not, but i want to be rid of it anyway. it says i have 2 entries of this trojan. here is what it said about it.

    Company:
    Product: Win32.Agent.icb
    Threat: Trojan


    Description
    The trojan installs itself as a library file into the system directory and creates some encrypted files in the help directory. It adds some registry entries and changes the user32.dll. This file has to be restored manually (a copy of it exists under a random name in the system directory). It connects to the internet and loads the installed library file in the system directory via the changed user32.dll and winlogon.exe. It is able to send e-mails and terminate processes.


    ok, i can rename a file, if i knew the random name for the dll, but i don't. i could save a copy to my desktop and cut and paste it into the system32 folder no prob, if i had a clean copy to save. is there one floating around here somewhere? new computer, had vista on it when i bought it, no disk. no recovery disk, nothing. great job hp! it has a hard drive labeled recovery but won't show any files for me to copy it.

    so, what to do? if the file has to be replaced manually that means spybot doesn't do it for you right? want to fix it but it sounds like i need that file to do it. any suggestions??

    sorry, had problems with HijackThis, here is the report, registry is backed up and ready.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:32:37 AM, on 5/9/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe
    C:\Users\Roy Amburgey\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    C:\Program Files (x86)\AVG\AVG8\avgtray.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files (x86)\Hewlett-Packard\KBD\kbd.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Users\Roy Amburgey\Desktop\New Folder\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cndt
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sublimedirectory.com/pod
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cndt
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cndt
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    O4 - HKLM\..\Run: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
    O4 - HKLM\..\Run: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files (x86)\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [SansaDispatch] C:\Users\Roy Amburgey\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [MzRamBooster] C:\Program Files (x86)\MzRam\MzRamBooster.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: PictureMover.lnk = C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: E-MU Audio Service (emaudsv) - Unknown owner - C:\Windows\system32\emaudsv.exe (file missing)
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 10601 bytes

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi,

    > trouble with my ram maxing out

    in order to take advantage of 8GB of RAM, several things must happen.
    There is a good article here;

    http://www.tomshardware.com/reviews/...shop,1775.html

    for the trojan i would install MBAM. Link and directions:

    Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

    http://www.malwarebytes.org/mbam.php

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click **Remove Selected.**

    **A restart of your computer most likely will be required to remove some items.**

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    May 2009
    Posts
    8

    thank you!

    and the file spybot says needs to be replaced manually? user.dll? do i still need to do something about that, or does it find the proper file on the net? hard drive? or is it not important?

  4. #4
    Junior Member
    Join Date
    May 2009
    Posts
    8


    oh, and i forgot, i already have 64-bit vista and my bios does recognize it. read the article and other than a couple of downloads for drivers and more virtual memory i didn't see anything. did i miss something??

    anyway, the program i use to monitor my system says cpu and virtual memory are WAY fine. just my ram maxing from 85-91%. i dunno. hopefully after the trojan fix everything will go back to normal.

  5. #5
    Junior Member
    Join Date
    May 2009
    Posts
    8


    ok, did the Malwarebytes thing, found 7 infections, did the log, fixed it, did another log, restarted. ran spybot, trojan is still there. exact same thing. here is the before log, then the after log, from Malwarebytes.


    Malwarebytes' Anti-Malware 1.36
    Database version: 2104
    Windows 6.0.6001 Service Pack 1

    5/10/2009 2:54:41 PM
    mbam-log-2009-05-10 (14-53-38).txt

    Scan type: Full Scan (C:\|D:\|J:\|)
    Objects scanned: 258287
    Time elapsed: 55 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\ferryl.cbv (Malware.Trace) -> No action taken.
    C:\Windows\System32\inqby.sr (Malware.Trace) -> No action taken.
    C:\Windows\System32\fairy.an (Malware.Trace) -> No action taken.
    C:\Windows\System32\dolman.zt (Malware.Trace) -> No action taken.
    C:\Windows\System32\ashl.nq (Malware.Trace) -> No action taken.
    C:\Windows\mqcd.dbt (Malware.Trace) -> No action taken.




    Malwarebytes' Anti-Malware 1.36
    Database version: 2104
    Windows 6.0.6001 Service Pack 1

    5/10/2009 2:58:47 PM
    mbam-log-2009-05-10 (14-58-47).txt

    Scan type: Full Scan (C:\|D:\|J:\|)
    Objects scanned: 258287
    Time elapsed: 55 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\ferryl.cbv (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\System32\inqby.sr (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\System32\fairy.an (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\System32\dolman.zt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\System32\ashl.nq (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\mqcd.dbt (Malware.Trace) -> Quarantined and deleted successfully.




    so now what? any ideas? still haven't tried fixing the problem with spybot, it makes it sound like i need the user.dll file to replace the one it's going to delete. and, why didn't Malwarebytes find that trojan?

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi,

    > i didnt see anything. did i miss something??

    i was just pointing the article out as a possible solution to your RAM woes. Actually i missed MzRamBooster the first time. Windows can manage memory on its own. see below.

    for the trojan:
    Navigate to the system32 dir and look for user32.dll

    you can go to the website below, browse for the file again and upload it using the SEND button. When the scan is complete you can copy/paste the URL in your reply.
    http://www.virustotal.com/


    RE: MzRamBooster.exe

    http://www.bitsum.com/winmemboost.asp

    http://windowsitpro.com/article/arti...tion-hoax.html

  7. #7
    Junior Member
    Join Date
    May 2009
    Posts
    8


    here is the url http://www.virustotal.com/analisis/3...b9da2d5053fb46

    lol @ the one article. the bitsum article was informative and made sense. the windowsitpro one was downing ram boosters, and advertising them on the same page woo ha ha!!

    so anyway, it came back as 0 of 40 results, so not infected. think spybot is getting a false positive?? i have avg, it didn't find anything, well, it found something a week or so ago but didn't tell me. first thing i did when i started seeing my ram red line was check the avg event logs and it found 8, removed 4. so i removed the other 4. none of it was the trojan spybot is finding though.

    as far as the article mentioned in your first reply, i did check to see if there was a memory remapping option in my bios and there wasn't. one downfall to this new pc over my old is i can hardly do anything at all in bios. my last was a Frankenstein's monster so to speak, a part off this pc, a piece off that one. no name brand really. had an asus board with an amd athlon 1 gb cpu, but would let me overclock it and everything else in it. had that thing flyin'. only reason i bought this one was some of the things i wanted to do needed more headroom, more ram, wouldn't install without a so-and-so cpu, etc... so i bought this one. but, won't let me do much of anything in bios. but, it does recognize 8 gb ram so i guess that's ok.

    just can't understand what in the world is taking up so much of it. didn't install mz ram booster until all this started.

    here are the search results from spybot.


    --- Search result list ---
    Win32.Agent.icb: [SBI $A0EF69BD] Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\mid

    Win32.Agent.icb: [SBI $9C8AB327] Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\st


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-05-09 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-01-26 advcheck.dll (1.6.2.15)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2009-03-25 Includes\Adware.sbi (*)
    2009-05-05 Includes\AdwareC.sbi (*)
    2009-01-22 Includes\Cookies.sbi (*)
    2009-03-31 Includes\Dialer.sbi (*)
    2009-05-05 Includes\DialerC.sbi (*)
    2009-01-22 Includes\HeavyDuty.sbi (*)
    2009-04-21 Includes\Hijackers.sbi (*)
    2009-05-05 Includes\HijackersC.sbi (*)
    2009-05-06 Includes\Keyloggers.sbi (*)
    2009-05-06 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2009-05-05 Includes\Malware.sbi (*)
    2009-05-05 Includes\MalwareC.sbi (*)
    2009-03-25 Includes\PUPS.sbi (*)
    2009-05-05 Includes\PUPSC.sbi (*)
    2009-01-22 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2009-05-05 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2009-04-07 Includes\Spyware.sbi (*)
    2009-05-05 Includes\SpywareC.sbi (*)
    2009-04-07 Includes\Tracks.uti
    2009-04-29 Includes\Trojans.sbi (*)
    2009-05-06 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll


    i dunno. false positives? and, by the way, just curious, this is a spybot forum, so, why aren't we using spybot to fix the problem? the "read this before posting" said not to fix the problem until a helper looks at the HijackThis report and replies, so you haven't said to try spybot, so i haven't. just the programs you have told me about. just wondering.

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    > wont let me do much of anything in bios.

    Commercially purchased computers are really lacking in functionality. Simply tinkering in the BIOS can be very limited, as you know, not to mention plenty of other things.

    You might be interested in this;
    http://www.pcdecrapifier.com/home

    The trojan: could be a false positive.

    > why arent we using spybot to fix the problem?

    You have tried 'fixing' it with spybot?
    Not all malware scanners are the same. In order to cover all bases i would have at least two on a machine, for most people anyway. If you really practice "safe hex" then one would be ok.

    You could get another opinion about the trojan in a online scan;

    ESET online scanner:

    http://www.eset.com/onlinescan/

    uses Internet Explorer only
    check "YES" to accept terms
    click start button
    allow the ActiveX component to install
    click the start button. the Scanner will update.
    check both "Remove found threats" and "Scan unwanted applications"
    click scan
    when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
    please copy/paste that log in next reply.

    Had MBAM flagged it we wouldn't be going through all this. Want to be sure it is a false positive and not really malware-patched.

  9. #9
    Junior Member
    Join Date
    May 2009
    Posts
    8


    it said all's well. found nothing. here is the log.

    # version=4
    # OnlineScanner.ocx=1.0.0.635
    # OnlineScannerDLLA.dll=1, 0, 0, 79
    # OnlineScannerDLLW.dll=1, 0, 0, 78
    # OnlineScannerUninstaller.exe=1, 0, 0, 49
    # vers_standard_module=4063 (20090508)
    # vers_arch_module=1.064 (20080214)
    # vers_adv_heur_module=1.066 (20070917)
    # EOSSerial=d7344cb6fa3745418c4649af2803a1f3
    # end=finished
    # remove_checked=true
    # unwanted_checked=true
    # utc_time=2009-05-11 05:01:08
    # local_time=2009-05-11 01:01:08 (-0500, Eastern Daylight Time)
    # country="United States"
    # osver=6.0.6001 NT Service Pack 1
    # scanned=730933
    # found=0
    # scan_time=8105




    that one must have been a VERY detailed search. i have 1.5 TB so i'm used to them taking a while, but wow. i gave up and went to bed, it took so long. is nod32 that way too? in depth i mean? been looking for a "good" virus and firewall software. preferably free, but if it's good enough....maybe.

    so it looks like a false positive, nothing but spybot is finding it, and no, i never tried to fix it with spybot because of the file it said i would have to replace manually. hp didn't send a windows disc and i don't know anyone who has a vista disc for me to grab a clean copy from. so i came here.

    so, do i ignore it and set spybot to ignore it as well, or do a backup and try to fix it and see what happens?

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    You had the file checked out at virustotal, MBAM looks ok, the online scan was good. AVG doesn't find anything. I would say it's a false positive and have spybot ignore it.
    You could run sfc /scannow from the run menu. It's the system file checker and will scan for windows files that have been overwritten or corrupted.
    I have only done it in XP; you may also be asked to insert the windows install CD/DVD, which you don't have. There is a way to get around it if you feel like researching it. May not be worth the trouble.

    Some free AV:
    AVG, Avast, AntiVir, ClamWin

    free Firewalls:

    Zone alarm
    Outpost free
    Online Armor
    Jetico
    PCtools
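As an added example (not from this thread, and not Spybot's, Malwarebytes' or ESET's code), a PowerShell script that gathers what the helper asks for in posts #6 and #10 in one go: a SHA-256 of user32.dll to look up on VirusTotal, the signature status of both copies on 64-bit Windows, a search of System32 for a renamed copy like the one Spybot's description mentions, and the two registry values Spybot listed. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the function names are this example's own.

```powershell
# Added example, not code from the thread or from any scanner it names.
# Collects the evidence a helper wants before calling a "user32.dll modified"
# report a false positive. Written for Windows PowerShell 2.0+ so it also runs
# on Vista-era systems that lack Get-FileHash; run from an elevated prompt.

function Get-Sha256Hex {
    # SHA-256 of a file via .NET; the hex string is what you paste into
    # VirusTotal's search box instead of uploading the file.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-User32Evidence {
    # 64-bit Windows keeps two copies: System32 (64-bit) and SysWOW64 (32-bit).
    $paths = @("$env:SystemRoot\System32\user32.dll",
               "$env:SystemRoot\SysWOW64\user32.dll")
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -FilePath $p
        # SigStatus is 'Valid' on PowerShell 5.1+, which checks catalog signatures.
        # Older PowerShell reports catalog-signed system DLLs as 'NotSigned', so
        # there it means "unknown", not "tampered"; let sfc /scannow decide.
        New-Object PSObject -Property @{
            Path        = $p
            FileVersion = $item.VersionInfo.FileVersion
            SizeBytes   = $item.Length
            LastWrite   = $item.LastWriteTimeUtc
            SHA256      = Get-Sha256Hex -Path $p
            SigStatus   = $sig.Status
            Signer      = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
        }
    }
}

function Find-RenamedUser32 {
    # Spybot's description says the original user32.dll is kept under a random
    # name in the system directory: look for files in System32 that carry
    # user32's own version-resource InternalName under a different file name.
    $ref = Get-Item -LiteralPath "$env:SystemRoot\System32\user32.dll"
    $internal = $ref.VersionInfo.InternalName
    if (-not $internal) { return }
    Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.PSIsContainer) -and ($_.Name -ne 'user32.dll') -and
                       ($_.VersionInfo.InternalName -eq $internal) } |
        Select-Object FullName, Length, LastWriteTimeUtc
}

function Get-FlaggedRegistryValues {
    # The two values Spybot listed (mid, st) under CurrentVersion, read from both
    # the native key and the WOW64 view a 32-bit scanner sees on 64-bit Windows.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion')
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        $names = @($props.PSObject.Properties | ForEach-Object { $_.Name })
        foreach ($n in 'mid', 'st') {
            New-Object PSObject -Property @{
                Key     = $k
                Value   = $n
                Present = ($names -contains $n)
                Data    = $props.$n
            }
        }
    }
}

Get-User32Evidence | Format-List Path, FileVersion, SizeBytes, LastWrite, SHA256, SigStatus, Signer
Find-RenamedUser32 | Format-Table -AutoSize
Get-FlaggedRegistryValues | Format-Table Key, Value, Present, Data -AutoSize
Write-Host 'Then run  sfc /scannow  (elevated) to verify protected system files.'
```

A valid signature on both copies, no renamed twin, and absent or harmless data in the two values is the picture that supports the "false positive" call; a twin with user32's InternalName or a recently modified, unsigned copy is the picture that does not.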
