
help



#1 keymaker


Posted 23 February 2005 - 01:25 AM

Ivan
PLEASE HELP ANYONE!!!!!!!!!!!!

Kaspersky has detected some viruses on my system and it's unable to remove them.

There's a vbsys2.dll (infected by trojan-clicker.win32.agent.ac), tftp1668 tftp1776 (infected by worm.win32.lovesan.a) and a usbn.exe file (infected by trojan-downloader.win32.small.agx) that are assigned as a risk by Kaspersky.

The problem is that my username changes every time I reconnect with the internet.

I've launched a HijackThis scan and this was the log file I got:
Logfile of HijackThis v1.99.1
Scan saved at 9:24:11, on 22.2.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\AntiViral Toolkit Pro\avpcc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\usbn.exe
C:\Program Files\Kaspersky Lab\AntiViral Toolkit Pro\avpcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\Program Files\Kaspersky Lab\AntiViral Toolkit Pro\avpm.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\wincmd\WINCMD32.EXE
D:\ivan\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\elektroerozija\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c7 -w
O4 - HKLM\..\Run: [AVPCC] C:\Program Files\Kaspersky Lab\AntiViral Toolkit Pro\avpcc.exe /wait
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://C:\Program Files\proeWildfire\i486_nt\obj\pvx_install.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\AntiViral Toolkit Pro\avpcc.exe" /Service (file missing)
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya5.0\docs/Wrapper.conf (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



#2 SirJon

  • Malware Response Team

Posted 23 February 2005 - 02:54 PM

Hello, keymaker, and welcome!
Sorry you're having malware trouble.

SpyKiller is a rogue program. It is listed here. Once you install Windows XP Service Pack 2, you won't need BestPopupKiller either. Please go to Start, Settings, Control Panel, Add/Remove Programs, and uninstall SpyKiller and BestPopupKiller.

Please disable Windows System Restore. For instructions click here
NOTE: After the cleaning process has completed, please enable System Restore and create a new restore point, name the restore point "After Malware Cleaning."

Please enable all hidden files and folders in Windows. For instructions click here

Download and install the latest version of Ad-Aware SE here

NOTE: If you are still using Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE. Please configure the program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file.

Please do not run a scan with Ad-Aware yet.

Please reboot into Safe Mode. For instructions click here

From Safe Mode, please close ALL open windows AND browsers and open HijackThis, click on "Do a system scan only" and put checks next to all the following, then click "Fix Checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c7 -w
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://C:\Program Files\proeWildfire\i486_nt\obj\pvx_install.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll


From Safe Mode, please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.

C:\WINDOWS\system32\usbn.exe <----Delete this file.
C:\WINDOWS\System32\vbsys2.dll <----Delete this file.
C:\Program Files\SpyKiller <----Delete this folder.

From Safe Mode, please run your Kaspersky antivirus program again. Scan the entire C:\ drive.

From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds.
Run the program again a second time.

Now reboot back into Normal Mode (Windows) and open HijackThis, click on "Do a system scan and save a logfile", copy and paste the entire contents of the logfile here for review.

Edited by SirJon, 23 February 2005 - 03:03 PM.
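
Added example, not part of either post and not HijackThis or BleepingComputer code: a small Python triage script that parses HijackThis log lines and cross-references them with the file names the antivirus reported, showing how the running process and the O4 and O21 autostart entries tie back to usbn.exe and vbsys2.dll. The "(no file)" and O16 `file://` checks are illustrative assumptions about what deserves a manual look, not verdicts; the sample input is a handful of lines copied from the log above.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""C:\WINDOWS\system32\usbn.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c7 -w
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# File names the poster's antivirus reported as infected (taken from the first post).
AV_DETECTED = {"usbn.exe", "vbsys2.dll"}

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # e.g. "O4 - ..."
FILE_NAME = re.compile(r"([^\\/\s\"]+\.(?:exe|dll|ocx|cab))", re.IGNORECASE)

def parse(log_text):
    """Split a log into (section, detail) entries and bare running-process paths."""
    entries, processes = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return entries, processes

def triage(log_text, detected=AV_DETECTED):
    """Return (section, reason) pairs for lines that warrant review."""
    entries, processes = parse(log_text)
    detected = {name.lower() for name in detected}
    findings = []
    for path in processes:
        if path.rsplit("\\", 1)[-1].lower() in detected:
            findings.append(("running", path))
    for section, detail in entries:
        names = {n.lower() for n in FILE_NAME.findall(detail)}
        if names & detected:
            findings.append((section, "loads AV-detected file"))
        elif detail.endswith("(no file)"):        # assumption: leftover entry
            findings.append((section, "orphaned entry"))
        elif section == "O16" and "file://" in detail.lower():  # assumption
            findings.append((section, "ActiveX installed from local file"))
    return findings
```

Lines the script does not flag, such as the SoundMan and NVIDIA entries, are simply ones that match none of these three checks; that is not a statement that they are clean.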




