Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

4 typical instances of High Risk REG.SecDrop Trojan

Started by ifyoufly , Jul 11 2006 02:56 AM

Please log in to reply

#1
ifyoufly

Posted 11 July 2006 - 02:56 AM

New Member

Member
9 posts

Allo. I've been treating this virus that I received about a week ago for hours at a time each day and have tried the many suggestions in these forums. Using Ewido, ZoneAlarm Suite, Spyware Doctor, and a-squared, to name a few (but separately, of course), I've managed to rid myself of the most troublesome pests that all resulted from contracting the SpyQuake virus (or SmitFraud I think). Now, as far as I know, I'm left w/ this annoying Trojan that only ZoneAlarm picks up on called REG.SecureDrop (listed as Active 4 times), and though I've updated everything before its use, it says that there is no treatment available to fix it yet. I've searched Google for steps on its removal but w/ little luck and it seems that the other virus detectors that I've used besides ZoneAlarm only detect and remove the low-risk malware that the Trojan releases.

I hope I've provided enough info. and if someone could provide me w/ the steps I need to take I'd REALLY appreciate it. I'll provide my HijackThis log below and Thanks so much in advance.

Logfile of HijackThis v1.99.1
Scan saved at 4:52:47 AM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\swdoktor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chuck Rh\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoktor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite guard - Unknown owner - C:\Program Files\ewido anti-malware\ewidoguard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#2
Flrman1

Posted 15 July 2006 - 07:15 PM

Malware Assassin

Retired Staff
6,596 posts

Hi ifyoufly

Welcome to GTG! :whistling:

Sorry for the long wait.

I don't see anything in your HJT log, but a benign, leftover BHO with no file. Please tell me exactly what ZA is finding and where.

In the meantime, please do the following:

* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: (no name) - AutorunsDisabled - (no file)

Restart your computer.

* Go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Go here and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and attach it to your next reply along with a new Hijack This log..

Note: You have to use Internet Explorer to do the online scan.

#3
ifyoufly

Posted 16 July 2006 - 01:05 PM

New Member

Topic Starter
Member
9 posts

Hi. First off, thank you a billion for the response, and the wait was no problem. I've followed all of your instructions and hope that I've come up w/ the sufficient info. It is as follows:

ZONEALARM:

Virus Name: Secdrop.D
Pervasiveness: 1 of 5
Destructiveness: 2 of 5
Wildness: 2 of 5

Type: Trojan
Aliases: [Win32.]Secdrop.D; [Win32/]ChangeSecure.Trojan; [REG.]Secdrop.D;

Date Modified: 19-Sep-2004
Date Published: 30-Aug-2004

Description:

#1

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/16 12:10:46-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\WINDOWS\system32\de.exe>kansup.reg
Action File repair failed
Mode Manual
E-mail

#2

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/16 12:10:46-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\WINDOWS\system32\de.exe>kans.reg
Action File repair failed
Mode Manual
E-mail

#3

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/16 11:49:14-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP416\A0104187.exe>kansup.reg
Action File repair failed
Mode Manual
E-mail

#4

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/16 11:49:14-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP416\A0104187.exe>kans.reg
Action File repair failed
Mode Manual
E-mail

NEW HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 2:49:45 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\swdoktor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chuck Rh\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoktor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite guard - Unknown owner - C:\Program Files\ewido anti-malware\ewidoguard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks again and I hope this is helpful info. Look forward to hearing from you again!

Attached Files

bitdefenderscanreport.html 38.53KB 20 downloads

#4
Flrman1

Posted 16 July 2006 - 06:40 PM

Malware Assassin

Retired Staff
6,596 posts

It looks like the Bitdefender scan deleted the files ZA was finding. Now let's run another scan.

* Run Kaspersky online virus scan here.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from Kaspersky scan

#5
ifyoufly

Posted 17 July 2006 - 12:08 PM

New Member

Topic Starter
Member
9 posts

Hello again! I ran the scan that you told me to (BTW, both these are pretty kick [bleep] online scanners) and many results appeared though I found no option in the end to fix or repair them. The results were pretty surprising as you will see in the log. The results from ZA were the same as before so I won't include that info...and as a small footnote, ZA is the last scan that I run before replying to GTG. K, here's my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:06:21 PM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\swdoktor.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Chuck Rh\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoktor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite guard - Unknown owner - C:\Program Files\ewido anti-malware\ewidoguard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks again for the great advice and I look forward to your reply.

Attached Files

kaspersky.html 71.94KB 8 downloads

#6
Flrman1

Posted 17 July 2006 - 08:03 PM

Malware Assassin

Retired Staff
6,596 posts

* Click here to download ATF Cleaner by Atribune and save it to your desktop.

* Click Here and download Killbox and save it to your desktop.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it.

Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\WINDOWS\system32\de.exe

C:\WINDOWS\system32\dacx\cheat_plugin.exe

C:\WINDOWS\Downloaded Program Files\rdgCA2405.exe

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgCA2405.exe
Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Exit the Killbox.

* Run ATF Cleaner:

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

[*]Click Exit on the Main menu to close the program.
[/list]
* Restart back into Windows normally now.

* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button an save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

#7
ifyoufly

Posted 19 July 2006 - 11:56 AM

New Member

Topic Starter
Member
9 posts

Hi. I apologize for my delay but we had a three day blackout where I live. Anyway, after running ZA this time it came up w/ two more REG.Secdrop occurances. :whistling:

I'll post the results from this scan along w/ the others that you've requested. Each path that I was to delete through KillBox were present; I didn't need to skip any.

ACTIVESCAN:

Incident Status Location

Dialer:dialer.xd Not disinfected c:\windows\switchagreement.txt
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Virus:Trj/LowZones.BB Disinfected C:\WINDOWS\system32\dacx\x.bat
Adware:Adware/Redswoosh Not disinfected C:\WINDOWS\RSEDNClientUninstaller.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Chuck Rh\Cookies\chuck [email protected][2].txt
Potentially unwanted tool:Application/Zango Not disinfected C:\Program Files\Mozilla Firefox\plugins\npclntax.dll

UNINSTALL LIST:

µTorrent
Adobe Reader 7.0.8
Alone in the Dark - The New Nightmare
Amazon DVD Shrinker 2.5.2
a-squared Free 1.6.5
Digital Camera Drivers
Efficient Networks SpeedStream DSL
ewido anti-spyware 4.0
Fallout
Fallout2
GTA San Andreas
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Intel® Extreme Graphics 2 Driver
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
K-Lite Mega Codec Pack 1.51
Lexmark 2200 Series
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Mozilla Firefox (1.5.0.4)
MSN Messenger 7.5
Nero 7 Demo
Panda ActiveScan
PowerDVD
PowerISO
QuickTime
realMYST Interactive 3D Edition
RealPlayer
Realtek AC'97 Audio
Security Task Manager 1.6f
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Shogo
Sony ACID Pro 6.0
Sony Media Manager 2.1
SoulSeek Client 156b
Spyware Doctor 3.8
Tom Clancy's Splinter Cell
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
VIA Platform Device Manager
VideoLAN VLC media player 0.8.5
VobSub v2.22 (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm Security Suite

HIJACK THIS:

Logfile of HijackThis v1.99.1
Scan saved at 1:14:49 PM, on 7/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\swdoktor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chuck Rh\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoktor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite guard - Unknown owner - C:\Program Files\ewido anti-malware\ewidoguard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

and finally...ZONEALARM:

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 12:10:56-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\!KillBox\de.exe>kansup.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 12:10:56-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\!KillBox\de.exe>kans.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 11:50:34-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP416\A0104187.exe>kansup.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 11:50:34-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP416\A0104187.exe>kans.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 11:49:20-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP429\A0111427.exe>kansup.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 11:49:20-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP429\A0111427.exe>kans.reg
Action File repair failed
Mode Manual
E-mail

I appreciate your patience...Thanks again!

#8
Flrman1

Posted 19 July 2006 - 07:23 PM

Malware Assassin

Retired Staff
6,596 posts

* 2 of the REG.Secdrop files that ZA found are nothing more than the backups that Killbox creates in the C:\!killbox folder. It store backups of any file you delete with it in case you inadvertanntly delete the wrong file. There was another in System Restore. Those are all harmless for now. We will delete the C:\!Killbox folder and clear System Restore when everything else has been done.

* There have been several infected files found in the C:\WINDOWS\system32\dacx folder. I'm thinking this entire folder was put there by some malware. Check that folder please and let me know what is there. I'm fairly certain we can go ahead and delete it, but I want to be sure.

* Go to Add/Remove programs and uninstall this old version of Java:

J2SE Runtime Environment 5.0 Update 6

* Now go here and install the latest version of Java.

* I am attaching a fix.zip file to this post. Download it and save it to your desktop. Unzip it to extract the fix.reg file it contains.

Doubleclick on the fix.reg file to add it to the registry. Answer yes to confirm the merge.

* Double-click on Killbox.exe to run it.

Put a tick by Delete on Reboot.
Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
```
c:\windows\switchagreement.txt 
C:\WINDOWS\RSEDNClientUninstaller.exe 
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
```
Next in Killbox go to File > Paste from clipboard
Click on the All Files button.
Next click on the button that has the red circle with the white X in the middle.
It will ask for confimation to delete the files on next reboot and ask you if you want to reboot now.
Click Yes and let the computer reboot.

* After it reboots, come back here and let me know if there are any remaining issues to deal with

Attached Files

fix.zip 220bytes 125 downloads

Edited by Flrman1, 19 July 2006 - 07:24 PM.

#9
ifyoufly

Posted 20 July 2006 - 01:39 AM

New Member

Topic Starter
Member
9 posts

Ok....the folder that was suspect was empty so I went ahead and deleted it. I've followed everything precisely as you've said so far and it's all gone w/o a hitch...unfortunately the trojan is still there. It's definately an annoying little pest! The ZA info. is the same so I'll leave it out. I'll post another HiJackThis log below and I was just wondering, now that I've used the fix file and merged it is it safe to toss the file from my desktop?

Logfile of HijackThis v1.99.1
Scan saved at 3:37:45 AM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoktor.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Chuck Rh\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoktor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite guard - Unknown owner - C:\Program Files\ewido anti-malware\ewidoguard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks again! You've been extremely helpful so far.

#10
Flrman1

Posted 20 July 2006 - 05:48 PM

Malware Assassin

Retired Staff
6,596 posts

I've followed everything precisely as you've said so far and it's all gone w/o a hitch...unfortunately the trojan is still there. It's definately an annoying little pest! The ZA info. is the same so I'll leave it out.

Did you not read this?

* 2 of the REG.Secdrop files that ZA found are nothing more than the backups that Killbox creates in the C:\!killbox folder. It store backups of any file you delete with it in case you inadvertanntly delete the wrong file. There was another in System Restore. Those are all harmless for now. We will delete the C:\!Killbox folder and clear System Restore when everything else has been done.

Those are the only infected files in the last ZA report you posted. As I said they are harmless where they are for now. Unless ZA has found new files elsewhere, we are ready to finish this up with those final procedures that I mentioned ie ...clearing System Restore etc...

I was just wondering, now that I've used the fix file and merged it is it safe to toss the file from my desktop?

Yes.

#11
ifyoufly

Posted 21 July 2006 - 02:00 AM

New Member

Topic Starter
Member
9 posts

#12
ifyoufly

Posted 21 July 2006 - 02:09 AM

New Member

Topic Starter
Member
9 posts

: bland blank:

Edited by ifyoufly, 21 July 2006 - 02:12 AM.

#13
ifyoufly

Posted 21 July 2006 - 02:23 AM

New Member

Topic Starter
Member
9 posts

Yes, I've read that. It applies to the two extra viruses as opposed to the four that I had originally and I completely understand that KillBox keeps these as backups. That accounts for two out of six viruses. I'd still love to get rid of the original four viruses that were present as well as the backups that KillBox keeps.

"Those are all harmless for now. We will delete the C:\!Killbox folder and clear System Restore when everything else has been done."

How? And what's everything else?

"Unless ZA has found new files elsewhere, we are ready to finish this up with those final procedures that I mentioned..." < I beg to differ...the original four are present along w/ another two.

P.S. ZA is exactly the same. Surprised? Have you seen and fixed this type of virus before and does it anger you?

#14
Flrman1

Posted 21 July 2006 - 01:15 PM

Malware Assassin

Retired Staff
6,596 posts

Yes, I've read that. It applies to the two extra viruses as opposed to the four that I had originally and I completely understand that KillBox keeps these as backups. That accounts for two out of six viruses. I'd still love to get rid of the original four viruses that were present as well as the backups that KillBox keeps.

This is exactly what you last posted that ZA found:

and finally...ZONEALARM:

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 12:10:56-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\!KillBox\de.exe>kansup.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 12:10:56-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\!KillBox\de.exe>kans.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 11:50:34-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP416\A0104187.exe>kansup.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 11:50:34-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP416\A0104187.exe>kans.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 11:49:20-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP429\A0111427.exe>kansup.reg
Action File repair failed
Mode Manual
E-mail

Decription Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2006/07/19 11:49:20-4:00 GMT
Type Treat
Virus name REG.Secdrop
Filename C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP429\A0111427.exe>kans.reg
Action File repair failed
Mode Manual
E-mail

I appreciate your patience...Thanks again!

I have highlighted in red the files it found. The first 2 are actually only one file ie... C:\!KillBox\de.exe. The others are as follows:

C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP416\A0104187.exe>kansup.reg

C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP416\A0104187.exe>kans.reg[/color]

C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP429\A0111427.exe>kansup.reg

C:\System Volume Information\_restore{D2C50C7B-4C2B-403B-AADB-10542EAD427E}\RP429\A0111427.exe>kans.reg

These are all in C:\System Volume Information\_restore ......... That is the System Restore archives so according to what you posted there were no other files found.

"Those are all harmless for now. We will delete the C:\!Killbox folder and clear System Restore when everything else has been done."

How? And what's everything else?

By deleting the C:\!Killbox folder, emptying the Recycle Bin and turning off System Restore. We clear System Restore by turning it off. This clears all restore points and any files stored there. After which we turn it back on and create a restore point. I always do that last when I'm sure we are finished cleaning everything else. The reason I do that is in case a problem occurs and we need to use System Restore to recover from that problem, we have restore points to restore to. If it has been turned off prior to that, there are no restore points.

Everything else simply means anything else that needs to be done to clean the computer other than what is in the C:\Killbox folder or System Restore. It is pointless to deal with those before I am sure everything else is clean. If we clear those before everything else is clean and there are other files to delete with Killbox etc.., we would have to do those steps twice.

P.S. ZA is exactly the same. Surprised? Have you seen and fixed this type of virus before and does it anger you?

Yes I have dealt with this type of infection before. I'm not sure exactly what you mean by,"does it anger you?". If you mean, does malware and what it does to innocent victims anger me, The answer is, yes it angers me. That is why I volunteer my time as I do to help innocent victims like yourself. I despise malware and those who write it. I get a lot of satisfaction from helping people win each and every battle against the bad guys.

Now, back to your problem. As I said before, unless you have other info to provide me as to other locations of infected files we need to clean or problems to address, I am ready to post final directions for deleting the Killbox folder, clearing System Restore as well as some tips and tools to help you prevent this in the future.

Edited by Flrman1, 21 July 2006 - 01:19 PM.