Information on trashicon.exe.
I don't know if everything is relevant, I copied what I found....
File: trashicon.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 7c5f5260f51db2d2a17ce93d6165ade8
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 06 Mar 2008 20:19:08 (GMT)
A-Squared Found Trojan-PSW.Win32.LdPinch.fxi
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found Heur.W32
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Dropper.W32.Agent.bno
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan:W32/Renos.BA, Trojan-Dropper.Win32.Agent.bno
Fortinet Found nothing
Ikarus Found Trojan.Crypt.XPACK
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.bno
NOD32 Found nothing
Norman Virus Control Found W32/Smalltroj.CWBU
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found Trojan-Dropper.Win32.Agent.bno
______________________________________________________________________________________________________
kaspersky:
Scanned file: trashicon.exe - Infected
trashicon.exe - infected by
Trojan-Dropper.Win32.Agent.bno
Statistics:
Known viruses: 605235 Updated: 06-03-2008
File size (Kb): 67 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0
Trojan-Dropper.Win32.Agent.bno
Detection added Aug 02 2007 16:16 GMT
Update released Aug 03 2007 18:55 GMT
Behavior TrojanDropper
Currently there is no description available for this program.
Trojan Programs
Trojans can be classified according to the actions which they carry out on victim machines.
Backdoors
General Trojans
PSW Trojans
Trojan Clickers
Trojan Downloaders
Trojan Droppers
Trojan Proxies
Trojan Spies
Trojan Notifiers
ArcBombs
Rootkits
Backdoors
Today backdoors are the most dangerous type of Trojans and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legal remote administration programs used by system administrators. This makes them difficult to detect.
The only difference between a legal administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine. Once the backdoor is launched, it monitors the local system without the user's knowledge; often the backdoor will not be visible in the log of active programs.
Once a remote administration utility has been successfully installed and launched, the victim machine is wide open. Backdoor functions can include:
Sending/ receiving files
Launching/ deleting files
Executing files
Displaying notification
Deleting data
Rebooting the machine
In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package.
Backdoors have one especially dangerous sub-class: variants that can propagate like worms. The only difference is that worms are programmed to propagate constantly, whereas these 'mobile' backdoors spread only after a specific command from the 'master'.
General Trojans
This loose category includes a variety of Trojans that damage victim machines or threaten data integrity, or impair the functioning of the victim machine.
Multi-purpose Trojans are also included in this group, as some virus writers create multi-functional Trojans rather than Trojan packs.
PSW Trojans
This family of Trojans steals passwords, normally system passwords from victim machines. They search for system files which contain confidential information such as passwords and Internet access telephone numbers and then send this information to an email address coded into the body of the Trojan. It will then be retrieved by the 'master' or user of the illegal program.
Some PSW Trojans steal other types of information such as:
System details (memory, disk space, operating system details)
Local email client
IP-address
Registration details
Passwords for on-line games
Trojan-AOL are PSW Trojans that steal passwords for AOL (America Online). They are contained in a sub-group because they are so numerous.
Trojan Clickers
This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet URLs are stored (e.g. the 'hosts' file in MS Windows).
Clickers are used:
To raise the hit-count of a specific site for advertising purposes
To organize a DoS attack on a specified server or site
To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)
Trojan Downloaders
This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.
The names and locations of malware to be downloaded are either coded into the Trojan or downloaded from a specified website or other Internet location.
Trojan Droppers
These Trojans are used to install other malware on victim machines without the knowledge of the user. Droppers install their payload either without displaying any notification, or displaying a false message about an error in an archived file or in the operating system. The new malware is dropped to a specified location on a local disk and then launched.
Droppers are normally structured in the following way:
Main file: contains the dropper payload
File 1: first payload
File 2: second payload
...: as many files as the coder chooses to include
The dropper functionality contains code to install and execute all of the payload files.
In most cases, the payload contains other Trojans and at least one hoax: jokes, games, graphics and so forth. The hoax is meant to distract the user or to prove that the activity caused by the dropper is harmless, whereas it actually serves to mask the installation of the dangerous payload.
Hackers using such programs achieve two objectives:
Hidden or masked installation of other Trojans or viruses
Tricking antivirus solutions which are unable to analyse all components
_______________________________________________________________________________________________________
File trashicon.exe received on 03.06.2008 21:15:25 (CET)
Result: 12/32 (37.5%)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 -
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.06 TrojanDropper.Agent.bno
ClamAV 0.92.1 2008.03.06 -
DrWeb 4.44.0.09170 2008.03.06 -
eSafe 7.0.15.0 2008.03.06 Suspicious File
eTrust-Vet 31.3.5591 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 -
F-Secure 6.70.13260.0 2008.03.06 W32/Smalltroj.CWBU
Ikarus T3.1.1.20 2008.03.06 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.03.06 Trojan-Dropper.Win32.Agent.bno
McAfee 5245 2008.03.05 -
Microsoft 1.3301 2008.03.06 -
NOD32v2 2927 2008.03.06 -
Norman 5.80.02 2008.03.06 W32/Smalltroj.CWBU
Panda 9.0.0.4 2008.03.06 Suspicious file
Prevx1 V2 2008.03.06 Trojan.Dropper
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 Mal/Generic-A
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 Trojan-Dropper.Win32.Agent.bno
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 Trojan.Crypt.XPACK.Gen
Additional information
File size: 68096 bytes
MD5: 7c5f5260f51db2d2a17ce93d6165ade8
SHA1: c1b576baf656cf57c86d9740ae1806548d244874
PEiD: -
Prevx info:
http://info.prevx.com/aboutprogramtext.asp?PX5=FD7D30E00044BE3A0A3B013B3C2E070059D0DF23
the rest of the things you asked will be posted soon.....