YIKES, Please help!

[Mr_JAk3]

That means that the other files are not there anymore.

You could try to see if you can locate the files manually via My Computer.
If you can't find them, they're gone

 

[nacra]

Not done???

I found all files but the first one.

 

[nacra]

MRJak3 still need help please

I went to my computer like you said and the following files are still on the computer
C:\WINNT\system32\dxvwtdop.exe
C:\guxpw.exe
C:\hcjvnlu.exe
C:\WINNT\system32\rm2.exe

I also get some netbios warnings from zona alarm so I am still reluctant to use the machine Thanks for the help

 

[Mr_JAk3]

Hi again

Delete those files manually. Let me know if you got problems with the deletions.

The ZoneAlarm warnings are a good thing, you know that it is protecting you from the attacks. If they annoy you, you can turn the notifications off. Please read the following ZoneAlarm tutorial

 

[nacra]

Wanted to check with you first. I'll let you know. Thanks again for all of your help. It is greatly appreciated. Have a Merry Christmas and a Happy New Year.

 

[Mr_JAk3]

You're very welcome and Merry Christmas and a Happy New Year to you too :

Let me know how it went and if I can archive this topic :bigthumb:

 

[nacra]

still finding things

I ran scans this morning with all avg,and spybot. Spybot found smitfraud. Avg anti spyware =nothing, avg antivirus= dr3.exe , if1.exe, desktop.exe, and if2 should I still be worried??? some are kind of gray when they show up on the scan instead of blue.

 

[Mr_JAk3]

Hi

What did you do to the found files ?

Did you disinfect or remove those with AVG ?

 

[nacra]

files

with spybotsd/smitfraud I used fix tool, avg antivirus tries to automatic heal, but when I scan again they show up

 

[Mr_JAk3]

Ok could you please post the exact locations of the infected files to here.

We can remove those with a stronger tool

What is the Spybot finding ? A reg key ? Could you please post the Spybot log to here.

 

[nacra]

files list and spybot log

OBJECT RESULT

C:WINNT\system32\drivers\etc\hosts Changed (blue "i")

C:\WINDOWS\Destop.exe:\dr3.exe trojanhorsedownloader.Generic2.WDW
C:\WINDOWS\Desktop.exe:if1.exe VirusfoundWin32/PEPatch
Both of the above are grey excamation points
both status=Infected,embedded object

C:\WINDOWS\Desktop.exe Trojan horse downloader.Generic2.WDW
Red, yellow and blue looks like the winzip icon
status=Infected archive


C:\WINDOWS\if2.exe Virus found Win32/PEPatch
RED exclamation point status + infected

--- Report generated: 2006-12-06 10:23 ---

Smitfraud-C.: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
securityresponse.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
downloads1.kaspersky-labs.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
downloads2.kaspersky-labs.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
downloads3.kaspersky-labs.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
downloads4.kaspersky-labs.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.trendmicro.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
rads.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
customer.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
liveupdate.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
us.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
updates.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.nai.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
secure.nai.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
dispatch.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
download.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.my-etrust.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
mast.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
ca.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.ca.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
networkassociates.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.networkassociates.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
avp.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.kaspersky.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.avp.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.f-secure.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
viruslist.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.viruslist.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
liveupdate.symantecliveupdate.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
sophos.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.sophos.com=127.0.0.1

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-07 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-01 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-12-01 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-01 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-01 Includes\KeyloggersC.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-12-01 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-01 Includes\PUPSC.sbi (*)
2006-12-01 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-12-01 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-01 Includes\Trojans.sbi (*)
2006-12-01 Includes\TrojansC.sbi (*)

 

[Mr_JAk3]

Hi again, let's get all those nasties removed.

Download free! Hoster v3.5 from here: http://www.funkytoad.com/content/view/13/
When you have it click on the button to "Restore Microsoft's Hosts File", follow any prompts.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download the Killbox.
Unzip it to the desktop.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

==================

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Desktop.exe
C:\WINDOWS\if2.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:

• Restart your computer
• Start tapping the F8 key when the computer restarts.
• When the start menu opens, choose Safe mode
• Press Enter. The computer then begins to start in Safe mode.

Use the Windows search

• Start
• Search
• All files and folders
• More advanced options

Checkmark these options:

• "Search system folders"
• "Search hidden files and folders"
• "Search subfolders"
• Search for this and delete if found: dr3.exe

Run ATF Cleaner

• Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, you should now mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can click next icon next to the files found
  
• If so, click it and then click the next icon right below and select Move incurable
• After the scan, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot the computer in Normal Mode,
• Post the Cure-it report and a fresh HijackThis log

 

[nacra]

HJT and cure-it report

Logfile of HijackThis v1.99.1
Scan saved at 08:29:02 PM, on 12/08/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9335EF-D408-4405-9E81-7CF61F390B4A}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


DR.WEB CUREIT:

cfd.exe;c:\program files\broadjump\client foundation;Adware.Cfd;Incurable.Deleted.;
dxvwgagn.exe;C:\!KillBox;BackDoor.Pva;Deleted.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\SDFix\apps;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
if1.exe;C:\WINNT\system32;Trojan.DownLoader.14617;Deleted.;
rm2.exe;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

 

[Mr_JAk3]

Hi

Looks like Killbox & CureIt did the job.

How is the computer running ? Is AVG still finding something ?

 

[nacra]

avg scan results

C:\!KillBox\Desktop.exe:\dr3.exe Trojan horse Downloader.Generic2.WDW Infected, Embedded object
C:\!KillBox\Desktop.exe:\if1.exe Virus found Win32/PEPatch Infected, Embedded object
C:\!KillBox\Desktop.exe Trojan horse Downloader.Generic2.WDW Infected, Archive

 

[Mr_JAk3]

Ok go ahead and delete Killbox backup folder, C:\!KillBox

Everything is running fine ?

 

[nacra]

Yippee!

Mr.Jak3,
I think that finally did it. What a nightmare. Thank you again for your help. It is greatly appreciated. Computer seems to be fine. zone alarm complains about net bios and two programs Services.exe and IPclient.exe. I don't know what these are so I haven't allowed the connection. Any Ideas? CFD.exe was trying to connect but I think that the last cureit and atf cleaner, kill box took care of this. :angel:

 

[Mr_JAk3]

You're very welcome

You may be informed about the attacks made from the outside. You can turn these notifications off if you want.

The IPclient.exe belongs to your "Visual IP InSight" program. Allow if use this.

You can allow services.exe connect if the file is located in C:\WINNT\system32\services.exe, it is the legitimate windows file.

:bigthumb:

 

[Mr_JAk3]

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: