I have Trojan, virus, adware on here
and I don't know what or how I should rip them off my PC. None of my spyware/anti-virus
programs can find any problems, but there really is trouble here, I know I do. My IE is going crazy to all different websites and autodownloading more crap
and it won't stop till it crashes me right off the PC. It's like some1 else is controlling the pop-ups, but I don't know
what's happened, but I have only seen 1 odd file when searching manually
here: X:/Windows/libHide.dll
my protection software is:
webroots spysweeper [fully updated]
kaspersky antivirus [free trial]
outpost firewall with spystopper [fully updated]
pls if any1 can help me to fix this mess
thankx jiffy

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.
Once saved, double-click HijackThis.exe and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

hi thankx for help
Logfile of HijackThis v1.99.1
Scan saved at 11:54:29 AM, on 5/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\All Users\Documents\jack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.210.128.9:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

sorry a lil more info is whenever i do anything that uses internet access this
libHide.dll always attaches itself
an needs net access b4 it lets whatever i am using connect like msn IE or mediaplayer
i tried to delete it in safemode but it came back an this nifty app UNLOCKER
crashes when i kill the processes which it
does show it is attached to a lot of stuff

Please run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.

sorry about all this posting just i dont see
the edit my bad
neways the processes attached to the
libHide.dll file are
explorer.exe
zboard.exe
zboardtray.exe
rundll32.exe
spysweeper.exe
soundman.exe
ctfmon.exe
system.exe
iexplore.exe
wordpad.exe
hope this helps

i have just done a scan online there today
nothing found
it said in green typing that all was clean
but still im do another scan now 4 you ok

Download these tools.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Download Ewido Security Suite then set it up this way Ewido Setup Instructions We will need this later in safe mode
Be sure to update Ewido
Download killbox to your desktop from this link Killbox We will need it later in safe mode
Reboot into safe mode.
Run HT from safe mode, close all windows except HT, place a check to the left of the following items and press "fix checked":
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Run Ewido from safe mode and let it delete all that it finds.
Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Start Killbox, place a tick next to [x]Delete on reboot "Press the All Files button"
Copy this whole list into the windows clipboard, all the bolded file paths below. Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\WPDShServiceObj.dll
C:\WINDOWS\libHide.dll
Next in Killbox go to File > Paste from clipboard
"Click on the All Files button."
Next click on the button that has the red circle with the white X in the middle.
It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now.
Click Yes and let the computer reboot.
If the computer does not restart automatically just restart it manually.
Post a new HT log.

sorry it took so long to do full scan
ewido anti-malware - Scan report
+ Created on: 6:57:55 PM, 5/21/2006
+ Report-Checksum: 487FE3F7
+ Scan result:
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Ignored
L:\progs\Trojan.Remover.v6.3.5\lcd4000y.zip/LUCiD.part1.rar/Crack\RmvTrjan.exe -> Heuristic.Win32.HostFile : Cleaned with backup
L:\progs\UltraISO[1].Media.Edition.7.60.1081.zip/Patch/Patch 7.2x.exe -> Trojan.Agent.jh : Cleaned with backup
L:\progs\Digital Transforms Total Game Control v3.5\Digital.Transforms.Total.Game.Control.v3.5\patch01x.exe -> Downloader.VB.ts : Cleaned with backup
L:\progs\UltraISO Media Edition v7.6.5\Patch\patch.exe -> Trojan.Agent.jh : Cleaned with backup
::Report End
and here my hjt new log
Logfile of HijackThis v1.99.1
Scan saved at 7:15:37 PM, on 5/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Documents\jack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.210.128.9:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
an i still see this
C:\WINDOWS\libHide.dll
on my pc
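
Added example, not part of the original thread: a small Python sketch of the before/after comparison a helper makes when a new HijackThis log is posted, including a check of which "fix checked" items are still present. The sample lines are copied from the logs on this page; the function names (`parse_entries`, `diff_logs`, `unresolved_fixes`) are assumptions made for this example.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O23 - Service: ...".
# search() is used instead of match() because forum pastes sometimes run the
# last "Running processes" path straight into the first R0 entry.
CODE_RE = re.compile(r"([RFNO]\d{1,2}) - ")

# Lines copied from the two logs posted in this thread (shortened selection).
FUSED_R0 = (r"C:\Documents and Settings\All Users\Documents\jack\HijackThis.exe"
            r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/")
PROXY = (r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,"
         r"ProxyServer = 82.210.128.9:80")
SSODL = (r"O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - "
         r"C:\WINDOWS\system32\WPDShServiceObj.dll")
RPCAPD = (r"O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - "
          r'Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f '
          r'"%ProgramFiles%\WinPcap\rpcapd.ini (file missing)')
KAV_DPF = (r"O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - "
           r"http://kaspersky.com/kos/english/kavwebscan_unicode.cab")
EWIDO_SVC = (r"O23 - Service: ewido security suite control - ewido networks - "
             r"C:\Program Files\ewido anti-malware\ewidoctrl.exe")

LOG_BEFORE = "\n".join(["Running processes:", r"C:\WINDOWS\Explorer.exe",
                        FUSED_R0, PROXY, SSODL, RPCAPD])
LOG_AFTER = "\n".join(["Running processes:", r"C:\WINDOWS\Explorer.exe",
                       FUSED_R0, PROXY, KAV_DPF, EWIDO_SVC, RPCAPD])
# The two items the helper asked to tick before pressing "fix checked".
FIX_LIST = "\n".join([SSODL, RPCAPD])


def parse_entries(log_text):
    """Return [(section_code, detail), ...] for every entry line in a log."""
    entries = []
    for line in log_text.splitlines():
        m = CODE_RE.search(line)
        if m:  # header and running-process lines carry no section code
            entries.append((m.group(1), line[m.end():].strip()))
    return entries


def diff_logs(before_text, after_text):
    """Entries that disappeared from, or newly appeared in, the second log."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    before_set, after_set = set(before), set(after)
    return {
        "removed": [e for e in before if e not in after_set],
        "added": [e for e in after if e not in before_set],
    }


def unresolved_fixes(fix_list_text, after_text):
    """Items that were to be fixed but still show up in the follow-up log."""
    after = set(parse_entries(after_text))
    return [e for e in parse_entries(fix_list_text) if e in after]


if __name__ == "__main__":
    changes = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "added"):
        for code, detail in changes[label]:
            print(f"{label:8} {code:4} {detail}")
    # In this thread the rpcapd service entry is still listed after the fix.
    for code, detail in unresolved_fixes(FIX_LIST, LOG_AFTER):
        print(f"still present {code:4} {detail}")
```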

Could you post the results of the Kaspersky scan requested in response #4.
Go to start>control panel>add/remove programs and uninstall "SaveNow" if found.

"SaveNow" not found in add/remove
for this
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Ignored
i just rescan with ewido anti-malware
an removed it this time
the Ignored on first attempt was my mistake sorry
---------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, May 21, 2006 3:54:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/05/2006
Kaspersky Anti-Virus database records: 195461
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
Scan Statistics:
Total number of scanned objects: 56090
Number of viruses found: 11
Number of infected objects: 50
Number of suspicious objects: 0
Duration of the scan process: 01:26:10
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\My Documents\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Administrator\My Documents\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Administrator\My Documents\ccsetup128.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner\dopewars.exe/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner\dopewars.exe/cd_load.exe Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner\dopewars.exe/cd_swf.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner\dopewars.exe ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner.rar/Stoner/dopewars.exe/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner.rar/Stoner/dopewars.exe/cd_load.exe Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner.rar/Stoner/dopewars.exe/cd_swf.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner.rar/Stoner/dopewars.exe Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner.rar RAR: infected - 4 skipped
C:\Downloads\screensavers\New Folder (3)\snow2.exe/data0008 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped
C:\Downloads\screensavers\New Folder (3)\snow2.exe Inno: infected - 1 skipped
C:\Downloads\screensavers\New Folder (3)\waterfall.exe/data0008 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped
C:\Downloads\screensavers\New Folder (3)\waterfall.exe Inno: infected - 1 skipped
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
L:\progs\SAMInside.v2.3\d-3d2sa1.zip/d-000sa.rar/DVT.rar/Setup/SAMInside.exe Infected: not-a-virus:PSWTool.Win32.SAMInside.c skipped
L:\progs\SAMInside.v2.3\d-3d2sa1.zip/d-000sa.rar/DVT.rar Infected: not-a-virus:PSWTool.Win32.SAMInside.c skipped
L:\progs\SAMInside.v2.3\d-3d2sa1.zip/d-000sa.rar Infected: not-a-virus:PSWTool.Win32.SAMInside.c skipped
L:\progs\SAMInside.v2.3\d-3d2sa1.zip ZIP: infected - 3 skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0006/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0006/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0006/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0006/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0006/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0006/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.WebHancer skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe/stream Infected: not-a-virus:AdWare.Win32.WebHancer skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip/CEDP-msn.wink.stealerStealer-Setup.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip ZIP: infected - 11 skipped
L:\progs\scoops mirc\Scoop2004.mirc6.12.rar/Scoop2004/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
L:\progs\scoops mirc\Scoop2004.mirc6.12.rar RAR: infected - 1 skipped
L:\progs\scoops mirc\Setup.mirc612.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
L:\progs\scoops mirc\Setup.mirc612.exe mIRC: infected - 1 skipped
L:\progs\badcdrepairpro\badcdrepairpro.zip/badcdrepairpro/bad_cd_repair_pro_install.exe/data0002 Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
L:\progs\badcdrepairpro\badcdrepairpro.zip/badcdrepairpro/bad_cd_repair_pro_install.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
L:\progs\badcdrepairpro\badcdrepairpro.zip ZIP: infected - 2 skipped
L:\progs\badcdrepairpro\badcdrepairpro46.zip/badcdrepairpro/bad_cd_repair_pro_install.exe/data0002 Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
L:\progs\badcdrepairpro\badcdrepairpro46.zip/badcdrepairpro/bad_cd_repair_pro_install.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
L:\progs\badcdrepairpro\badcdrepairpro46.zip ZIP: infected - 2 skipped
L:\progs\badcdrepairpro\bad_cd_repair_pro_install.exe/data0002 Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
L:\progs\badcdrepairpro\bad_cd_repair_pro_install.exe NSIS: infected - 1 skipped
L:\progs\Bad CD Repair PRO v4.0\badcdrepairpro\bad_cd_repair_pro_install.exe/data0002 Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
L:\progs\Bad CD Repair PRO v4.0\badcdrepairpro\bad_cd_repair_pro_install.exe NSIS: infected - 1 skipped
L:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
L:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
L:\Scoop2004\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
Scan process completed.

Reboot into safe mode. Run Killbox. Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.
C:\Documents and Settings\Administrator\My Documents\ccsetup128.exe
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner.rar
C:\Downloads\screensavers\New Folder (3)\snow2.exe
C:\Downloads\screensavers\New Folder (3)\waterfall.exe
C:\Program Files\DAEMON Tools\SetupDTSB.exe
L:\progs\SAMInside.v2.3\d-3d2sa1.zip ZIP
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip
L:\progs\scoops mirc\Setup.mirc612.exe
L:\progs\scoops mirc\Scoop2004.mirc6.12.rar
L:\progs\badcdrepairpro\badcdrepairpro.zip
L:\Program Files\mIRC\backup\mirc.exe
Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
Navigate to and delete these folders if found:
L:\progs\CEDP-msn.wink.stealerStealer-Setup.zip
L:\progs\badcdrepairpro\badcdrepairpro.zip
L:\Program Files\mIRC
Reboot to normal mode, do another Kaspersky scan and post the results.

hi ok well i have deleted all the files
from the L:/progs/ now empty folder
an
deleted this folder L:\Program Files\mIRC
then deleted
C:\Documents and Settings\Administrator\My Documents\ccsetup128.exe
C:\Documents and Settings\All Users\Documents\00.mixd\stoner\Stoner.rar
C:\Downloads\screensavers\New Folder (3)\snow2.exe
C:\Downloads\screensavers\New Folder (3)\waterfall.exe
C:\Program Files\DAEMON Tools\SetupDTSB.exe
they were not needed anyways
all from safe mode but without the
killbox.exe i did not use this
but none the less i have deleted the files above an now i am scaning with kaspersky online will post when complete

also i removed this folder
L:\Scoop2004\
man sorry i really need an edit post button
where do i find it on here?

---------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, May 22, 2006 12:37:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/05/2006
Kaspersky Anti-Virus database records: 195675
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
Scan Statistics:
Total number of scanned objects: 47835
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:26:47
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{B56A80FD-38AA-4B00-9D26-F1A56A7E2AEB}\RP159\A0423048.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{B56A80FD-38AA-4B00-9D26-F1A56A7E2AEB}\RP159\A0423048.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{B56A80FD-38AA-4B00-9D26-F1A56A7E2AEB}\RP159\A0423048.exe NSIS: infected - 2 skipped
Scan process completed.

You need to clean out the system restore folder. Go to start>control panel>system>system restore tab>put a check in the box to the left of "turn off system restore">apply (takes a minute or two)>ok. Once you get through go back, remove the check>apply>ok.
Create a new restore point. To create a new restore point go Start>Run>type "msconfig" without the quotes>ok>Launch System Restore>Tick the circle beside "create a restore point">next>name it anything you wish>Create>home>restart the computer.
If libHide.dll is still there, reboot into safe mode. Run Killbox again. Start Killbox, place a tick next to [x]Delete on reboot "Press the All Files button"
Copy this whole list into the windows clipboard, all the bolded file paths below. Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\libHide.dll
C:\WINDOWS\system.exe
C:\WINDOWS\bot.exe
C:\WINDOWS\down.exe
C:\WINDOWS\system16.exe
C:\WINDOWS\vbstub.exe
C:\WINDOWS\awnfcandidateform.exe
C:\WINDOWS\keygen.exe
Next in Killbox go to File > Paste from clipboard
"Click on the All Files button."
Next click on the button that has the red circle with the white X in the middle.
It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now.
Reboot into normal mode.
Click Yes and let the computer reboot. If the computer does not restart automatically then just restart it manually.

hi thankx i'll do this right away
an i just have 1 problem with the whole
safemode F8 i can't do it i have usb gaming keyboard an the buttons don't work until
windows starts
so i have to use the
msconfig then boot.ini tab
an pick safeboot
so next reboot it either back to safemode
or normal start if i msconfig in safemode
but then the msconfig pops up right at the start so is this still ok to enter safemode like that ???

hi wow i thank you so very much for all this help
an now the weird files are gone an IE is working and the pc seems a lot faster now
but i did have to add 3 more lines
to Killbox
C:\WINDOWS\vb.ini
C:\WINDOWS\vbfile.exe
C:\WINDOWS\vbaddin.ini
=====
C:\WINDOWS\libHide.dll
C:\WINDOWS\system.exe
C:\WINDOWS\bot.exe
C:\WINDOWS\down.exe
C:\WINDOWS\system16.exe
C:\WINDOWS\vbstub.exe
C:\WINDOWS\awnfcandidateform.exe
C:\WINDOWS\keygen.exe
i put all that into Killbox
now they don't come back that i can see
anything else i have to do??

Sounds like you are clean. If you run into any more baddies let us know.
You might consider installing "SpywareBlaster" to your computer as a spyware preventer. Just do a Google search for it, download, install and update. The free version has to be updated manually every two to three weeks.
