[Crustyoldbloke]

Hello again David

Looking at the Ewido log, there is just one item live on your system that has not been killed off:

C:\DOCUME~1\ADMINI~1.TUC\LOCALS~1\Temp\t1158754910.dll -> Downloader.Agent.asl : Error during cleaning.

The last part Error during cleaning usually means that the file was in use at the time and could not be killed immediately. You can get round this by either running Ewido in safe mode or deleting the file in safe mode.

Why not Killbox it using "delete on reboot"? Killbox will delete it before Windows loads it.

Please install Killbox by Option^Explicit.

• Please double-click Killbox.exe to run it.
• Select Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\DOCUME~1\ADMINI~1.TUC\LOCALS~1\Temp\t1158754910.dll

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please physically check that the file has disappeared from the temp folder. Do this by going to START > RUN and typing in %temp% and hitting ENTER.

Afterwards, you can delete the content of the C:\!KillBox\ folder which are backups.

Please confirm and I will give you final instructions and some advice for the future.

Edited by Crustyoldbloke, 20 September 2006 - 08:26 AM.

[Advertisements]

Hi again,

So I killboxed the files and when i rebooted into safe mode the temp folder was empty, but when i rebooted normally 2 new dll files apeared in the temp folder and there was a .exe as well and ewido gave me a warning again.

here is the contents of that folder:

t1158894431.dll
t1158894431.exe
t115589432.dll
_delete_on_reboot_t_1_1_5_5_8_9_4_3_2_._d_l_l

I'm a little confused now where it is coming from.

Thank you,
David

[david_macrae]

Hi again,

So I killboxed the files and when i rebooted into safe mode the temp folder was empty, but when i rebooted normally 2 new dll files apeared in the temp folder and there was a .exe as well and ewido gave me a warning again.

here is the contents of that folder:

t1158894431.dll
t1158894431.exe
t115589432.dll
_delete_on_reboot_t_1_1_5_5_8_9_4_3_2_._d_l_l

I'm a little confused now where it is coming from.

Thank you,
David

[Crustyoldbloke]

Hello again David

Looking at what you wrote and applying some logic to it, I come up with this explanation.

If the Temp folder is empty in safe mode but has malware in normal mode, then you can conclude from that the malware is in one of two startup areas since they are not loaded in safe mode. They are NT services and StartUp programmes.

Unfortunately, Win2000 did not have MSCONFIG included in it since it was an update of WinNT and not Win98. You can download MSconfig for XP and it will work OK with Win2000, but that is your call.

I would recommend to you, Mike Lin's StartUp: http://www.mlin.net/.../StartupCPL.zip It will give you a simple list of StartUp programmes, and an easy way of disabling/deleting them.

I have just checked the last HJT I saw and the 04 entries (StartUps) look OK as do the 023 (Services) entries. The only programme listed that I have had problems similar to this in the past is BlackIce, but I am far from pointing a finger in that direction.

Post a fresh HJT log from normal mode and I'll take a look.

[david_macrae]

well my newest update to my avast antivirus seems to have found it. It found something in my startup which it never found before and i quarantened it. and now on start up there are no warnings and the temp folder seems to be o.k.

but here is a fresh copy of my hijack this log. please take a look one more time.


and thank you again,
Dave

Logfile of HijackThis v1.99.1
Scan saved at 2:50:54 AM, on 9/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator.TUCO\My Documents\My Programs\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

[Crustyoldbloke]

Congratulations! your new log is clean. Just a little bit more to do to prevent further infection.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

MVPS Hosts file This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

SiteAdvisor download this plug-in for your browser and it will alert you of a known bad site for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
WINDOWS DEFENDER - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated.

It just remains for me to wish you happy safe surfing; I hope you found my advice helpful.

[Crustyoldbloke]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.