trying to find the password to killbox


3 replies to this topic

#1 desperado (Members, 3 posts)

Posted 23 June 2005 - 06:58 PM

I have a bad virus and I've been trying to get rid of it. Its apparently new and is a mean thing to get rid of. I saw somewhere that killbox may help me get rid of it. I have a csadc.exe and an rdsndin.exe that do not show in search that are running on my comp.

I loaded killbox but it asks for a password for extracting the files.


#2 TEB (Banned, 449 posts)

Posted 24 June 2005 - 01:14 AM

Make sure you download killbox from a good site...(Bleeping Computer)

Then usually when your antivirus detects the virus it will list the full path to the file.

After the file path is entered, make sure you select the Delete on reboot option.

#3 desperado (Topic Starter, Members, 3 posts)

Posted 25 June 2005 - 08:52 AM

Hi. Thank you for responding. I have deleted and re-installed killbox and it no longer asks for a password. So I created a folder for the download file, extracted all files (it creates a killbox folder that is empty; this is for logfiles I suppose),
and then I go back and double click killbox.exe. But nothing ever happens.
For a second I see the hourglass, then nothing.

I am having trouble getting rid of a very recent trojan virus that every day loads adware for sexandpoker.

My Spysweeper catches it and deletes it, but it is always back the next day. While browsing I get popups that my computer has a virus and asks if I want to get rid of it. Clicking yes leads me to a site that I'm almost sure belongs to the derelicts who put this on my pc to begin with, so I'm surely not going to pay them to take it off.

What I know about this virus is that it is constantly changing names and running programs in system32 folder that look like legitimate MS programs. I watch my EZ firewall alerts, so I know I have it isolated in my pc. I'm blocking its attempts to "phone home", but even though I have it isolated, I can't destroy it.

I'm running win XP SP2 with CA EZ trust, and EZ Firewall, I have Webroot Spysweeper, SE AD-aware, Spybot S&D, HJT, CWS Shredder, About:Buster,
and Silent Runners. So far, the combo of these hasn't been able to get rid of it,
although I can use them until they are all clean except Silent runners.

Silent runners right now shows this: (I see the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! "System" = "cssdv.exe" [null data], but I can find it with a search. This is what led me to killbox to see if I could get rid of it, but alas, I can't get killbox to work.)
"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"OfotoNow USB Detection" = "C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"fpx" = "C:\WINDOWS\System32\fpx.exe" [file not found]
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Lexmark X73 Button Monitor" = "C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe" ["Silitek Corp."]
"Lexmark X73 Button Manager" = "C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe" ["Jetsoft Development Company"]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"VetTray" = "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe" ["Computer Associates International, Inc."]
"CookieWall" = "C:\Program Files\AnalogX\CookieWall\cookie.exe" [null data]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cssdv.exe" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\WebshotsForGreg.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\WEBSHOTS.SCR" ["Auralis, Inc."]


Startup items in "Greg" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Greg\Start Menu\Programs\Startup
"Webshots" -> shortcut to: "C:\Program Files\Webshots\WebshotsTray.exe" ["The Webshots Corporation"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"EZ Firewall" -> shortcut to: "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe -nopopup" ["Zone Labs Inc."]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\KEM.exe" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"wrSpySweeper20050611221116" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /ScheduleSweep=wrSpySweeper20050611221116" ["Webroot Software, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZONELABS\vsmon.exe -service" ["Zone Labs Inc."]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
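The two locations doing the work in the Silent Runners output above are the Winlogon "System" value and the Policies\Explorer\Run key, both places where a non-default entry is rarely legitimate. The script below is an added example (not Silent Runners code and not from anyone in this thread) showing how a defender can parse that report format and list the entries worth a second look: lines the report itself marks INFECTION WARNING!, entries tagged [file not found] or [null data], values under sensitive keys, and bare filenames with no directory, which Windows locates through the search path at logon. The sample report embedded in the script is a constructed excerpt modelled on the log above, and the sensitive-key list and heuristics are this example's own assumptions.

```python
"""Flag suspicious autostart entries in Silent Runners-style output.

Added example; not part of the Silent Runners script or of this thread.
The sample report below is a constructed excerpt modelled on the log posted
above, and the key list and heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the thread's Silent Runners output.
SAMPLE_REPORT = r"""
Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"fpx" = "C:\WINDOWS\System32\fpx.exe" [file not found]
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CookieWall" = "C:\Program Files\AnalogX\CookieWall\cookie.exe" [null data]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cssdv.exe" [null data]
"""

# A registry key line: "HKLM\...\Run\" optionally followed by " {++}".
KEY_RE = re.compile(r"^(HK[A-Z]+\\.*?)\\?(?: \{\+\+\})?$")
# A value line: optional warning prefix, "name" = "value" [tag].
ENTRY_RE = re.compile(
    r'^(?P<warn>INFECTION WARNING! )?"(?P<name>[^"]+)" = "(?P<value>.*)" \[(?P<tag>[^\]]*)\]\s*$'
)

# Locations (matched case-insensitively) where a non-default value is rarely
# legitimate.  Assumed list for this example.
SENSITIVE_KEYS = {
    r"\winlogon": "Winlogon: the 'System' value is normally empty",
    r"policies\explorer\run": "Policies\\Explorer\\Run: rarely used by legitimate installers",
}


@dataclass
class Entry:
    key: str
    name: str
    value: str
    tag: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(entry: Entry, warned: bool) -> list:
    """Return the reasons this entry deserves a second look (empty = none)."""
    reasons = []
    if warned:
        reasons.append("flagged by the report itself (INFECTION WARNING!)")
    if entry.tag == "file not found":
        reasons.append("referenced file is missing or hidden from the scan")
    elif entry.tag == "null data":
        reasons.append("binary carries no version/publisher information")
    low = entry.key.lower()
    for fragment, why in SENSITIVE_KEYS.items():
        if fragment in low:
            reasons.append(why)
    # A bare filename (no directory) is located through the search path at
    # logon, so the registry alone does not say which file actually runs.
    if "\\" not in entry.value:
        reasons.append("bare filename, resolved via search path rather than a fixed location")
    return reasons


def parse_report(text: str) -> list:
    """Parse the report into Entry objects, each tagged with its reasons."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entry = Entry(key, m["name"], m["value"], m["tag"].strip('"'))
            entry.reasons = assess(entry, bool(m["warn"]))
            entries.append(entry)
    return entries


def suspicious_names(text: str) -> list:
    """Names of the entries worth a second look, in report order."""
    return [e.name for e in parse_report(text) if e.suspicious]


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        if e.suspicious:
            print(f"{e.key}\n  {e.name!r} = {e.value!r}")
            for r in e.reasons:
                print(f"    - {r}")
```

Run against the constructed sample, the script lists fpx, wmplayer, CookieWall and System and leaves SpySweeper alone; the Winlogon entry collects every heuristic at once, which is what makes the cssdv.exe line in the thread stand out even before anyone looks at the file itself. Feed it a real Silent Runners report by replacing SAMPLE_REPORT with the file contents, and treat the output as a triage list, not a verdict.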

#4 tg1911, Lord Spam Magnet (Members, 19,274 posts, SW Louisiana)

Posted 25 June 2005 - 12:21 PM

I suggest you post a HijackThis log for examination.

Read the pinned post in the HijackThis forum, here
Please read, and follow, all directions carefully.

Then, run a log, and post it in the HJT forum, at this link. Do not fix anything yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response, because the HJT Team are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.