Trojan-Clicker.HTML.Agent.a problem



#1
morog

  • Member
  • 19 posts
For some time now, my KAV 6.0 has been reporting after each restart or reboot of my PC that it found and "NEUTRALIZED" two of the above-mentioned trojan programs. The files are in C:\Documents and Settings\User name\Local Settings\Temporary Internet Files\Content.IE5\UDQRMNC1\popup[1].htm and
C:\Documents and Settings\User name\Local Settings\Temporary Internet Files\Content.IE5\C11Z0U6L\popup[1].htm
If I do a Full Scan after the start-up cleaning, KAV cannot find any Trojan or virus.
I searched for a removal tool - nothing found.
I tried to remove it with all the recommended programs now in use - no success.
So the trojan is only "neutralized" but not removed or deleted, as shown by the trojan appearing at each new restart or reboot.
This is my HijackThis log file to be examined, please:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:01 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Documents and Settings\momo\Desktop\Programi XP\Hijack this 199.1\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
O4 - Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: Spellin&g - C:\WINDOWS\web\Spell_It.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134761366352
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120398838933
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE659785-D27D-4EC5-BDFB-CCEF96D8FDF4}: NameServer = 195.66.160.1 195.66.160.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Regards,
morog

#2
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hi morog,

Found you. :whistling:

As we have tried several ways to empty your cache I asked you to post your HijackThis log.

I can't find anything wrong in it, so I'd like to ask you to run another tool.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

In your next post, please post the combofix log.

Regards,

#3
morog
Hi,
This is the ComboFix log:
momo - 06-09-22 22:51:31.56 Service Pack 2
ComboFix 06.09.23 - Running from: "C:\Documents and Settings\momo\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-22 to 2006-09-22 ))))))))))))))))))))))))))))))))))


2006-09-20 12:22 73,728 --a------ C:\WINDOWS\system32\nms32.dll
2006-09-20 12:22 40,960 --a------ C:\WINDOWS\system32\nod32m2.exe
2006-09-20 12:22 234,496 --a------ C:\WINDOWS\system32\nod32cc.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-20 12:17 -------- d-------- C:\Program Files\Eset
2006-09-18 20:03 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-15 15:19 -------- d-------- C:\Program Files\TuneUp Utilities 2006
2006-09-14 17:45 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-09-14 15:36 -------- d-------- C:\Documents and Settings\momo\Application Data\Talkback
2006-09-14 13:42 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-09 16:16 -------- d-------- C:\Program Files\Kaspersky Lab
2006-09-07 13:25 -------- d-------- C:\Program Files\Registry Mechanic
2006-09-03 13:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-03 13:16 -------- d-------- C:\Program Files\D-Link
2006-08-23 15:02 -------- d-------- C:\Program Files\RegSupreme Pro
2006-08-22 01:46 -------- d-------- C:\Program Files\Ashampoo
2006-08-21 14:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-19 14:36 -------- d-------- C:\Program Files\Yahoo!
2006-08-14 13:31 37888 --a------ C:\WINDOWS\system32\setupnt.dll
2006-08-13 21:24 -------- d-------- C:\Program Files\JAM Software
2006-08-08 16:00 5 --ahs---- C:\WINDOWS\system32\ffdddfefb_g.dll
2006-08-05 15:24 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-07-27 15:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-23 15:08 -------- d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2006-07-21 10:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-07 15:11 39424 --a------ C:\WINDOWS\zipinst.exe
2006-06-22 07:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-22 07:06 1435648 --a------ C:\WINDOWS\system32\query.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"UIWatcher"="C:\\Program Files\\Ashampoo\\Ashampoo UnInstaller Platinum 2\\UIWatcher.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="\"C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\""
@=""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Setup]
"Registrando Panda ActiveX"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\as.dll"
"Registrando Panda Almacen"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\pavpz.dll"
"Registering ActiveScan controles"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\ascontrol.dll"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Fri 09/22/2006 22:56:25.82
ComboFix.txt
>>>>>>>>>>>>>>>>>>>>>>>>>
Please don't forget that everything we are doing is after Trojan-Clicker.HTML.Agent.a has already been "neutralized" by KAV.
Regards
morog

#4
Metallica
I hope you are not wasting our time on purpose. :whistling:

You have been asked before to submit this file:
C:\WINDOWS\system32\ffdddfefb_g.dll

Follow the instructions here:
http://www.thespykil...x.php?topic=5.0
to do so.

I will offer no further help until you have done so.

Thanks for understanding.

#5
morog
Hello Metallica,
I also hope that we are doing right and useful things. I feel that you have become nervous. Until now, I believe I have followed your advice strictly and replied promptly.
If you think that you are wasting your time helping me to solve this inconvenience, then please forget it.
I followed your instructions and sent the file I could find on my system -
the other one, C:\WINDOWS\system32\ffdddfefb_g.dll, I cannot find any more.
Thanks again for your time and patience.
Regards,
horn alias morog

Edited by morog, 23 September 2006 - 06:28 AM.

#6
morog
Hi,
I am adding to the already submitted data the report of the F-Secure Online Scan done yesterday:
F-Secure Online Scanner 3.0.19 - Scanning Report - Friday, September 22, 2006 22:39:20Scanning
Report
Friday, September 22, 2006 18:41:54 - 22:39:08
Computer name: MOMOR
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ G:\



Result: 13 malware found
SDBot.CQL (virus)
D:\DATOTEKA\INSTALL1-2-3-4-5\INSTALL-7\DRIVER GENIUS PRO 2005
4[1].0.0.845\CRACK.EXE
Tracking Cookie (spyware)
System (Disinfected)
W32/Botol.O (virus)
D:\DATOTEKA\INSTALL1-2-3-4-5\INSTALL-16\SPY EMERGENCY 2005 BUILD 2[1].0.300
FULL\SE2005-KEYGEN.EXE
D:\DATOTEKA\INSTALL1-2-3-4-5\INSTALL-13\SPY EMERGENCY 2005 BUILD 2[1].0.300
FULL\SE2005-KEYGEN.EXE
W32/Delf.BHI (virus)
D:\DATOTEKA\INSTALL1-2-3-4-5\INSTALL-15\ALL ADOBE ALL NERO AND MUCH MORE\NSW
2005 KEYGEN.EXE
D:\DATOTEKA\PODACI\CRAKS\NORTON 2005 -5IN
1\SYMANTEC.NORTON.SYSTEMWORKS.2005.KEYGEN-SSG.EXE
W32/Dialer (virus)
D:\DATOTEKA\INSTALL1-2-3-4-5\INSTALL\MASTERA\-NEWSECA2\NEWSECA2.EXE
(Submitted)
W32/Smalldrp.FBW (virus)
D:\DATOTEKA\PODACI\CRAKS\DR WEB CRACKS\DRWEBUNI\DRWEBUNI_CRK.EXE (Submitted)
D:\DATOTEKA\PODACI\CRAKS\DR WEB CRACKS\DRWEBUNI_CRK\DRWEBUNI_CRK.EXE
Zlob.IGF (virus)
D:\DATOTEKA\INSTALL1-2-3-4-5\INSTALL\PC FILES\WINDOWS XP
ACTIVAT\WINDOWS_XP_ALL_EDITIONS_ACTIVATION_CRACK_BY_HARPARTAP_SINGH_CHHINA\WINDOWS
XP HOME(OR ALL) EDITION ACTIVATION CRACK BY HARPARTAP SINGH CHHINA.EXE
D:\DATOTEKA\PODACI\PC FILES\WINDOWS XP
ACTIVAT\WINDOWS_XP_ALL_EDITIONS_ACTIVATION_CRACK_BY_HARPARTAP_SINGH_CHHINA\WINDOWS
XP HOME(OR ALL) EDITION ACTIVATION CRACK BY HARPARTAP SINGH CHHINA.EXE
Zlob.IRH (virus)
D:\DATOTEKA\INSTALL1-2-3-4-5\INSTALL\WINXP-2K3-ANTI-PRODUCT ACTIVATION-PATCH
1[1].2\WPA_KILL.EXE
D:\DATOTEKA\PODACI\WINXP-2K3-ANTI-PRODUCT ACTIVATION-PATCH 1[1].2\WPA_KILL.EXE




Statistics
Scanned:
Files: 32881
System: 4240
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 12
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT



Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-09-22
F-Secure Libra: 2.4.1, 2006-09-22
F-Secure Orion: 1.2.37, 2006-09-21
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-14
F-Secure Draco: 1.0.35, 2006-09-19
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics



#7
Metallica
Well, you should definitely delete those cracks, as you have been told at Wilders.
And I have to wonder why you never continued the thread at Bleeping.

But to continue with the problem at hand. The file is definitely there. It is just hidden.

Please download the Killbox by Option^Explicit.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ffdddfefb_g.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot look for the folder C:\!KillBox
That is where Killbox will have moved the file.
Then upload the file at TheSpykiller as I indicated.
You can use the same thread as for pcboot.exe

Regards,
  • 0
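
The hidden-file point in the post above can be checked against the ComboFix listing posted earlier in the thread. This Python sketch is an added example, not part of any post and not ComboFix's own code; it assumes the 9-character attribute column uses the letters d, h and s for directory, hidden and system, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the ComboFix listings posted earlier in this thread.
SAMPLE_LOG = r"""
2006-09-20 12:22 73,728 --a------ C:\WINDOWS\system32\nms32.dll
2006-09-20 12:17 -------- d-------- C:\Program Files\Eset
2006-09-18 20:03 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-14 13:42 -------- d--h----- C:\Program Files\Uninstall Information
2006-08-21 14:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-08 16:00 5 --ahs---- C:\WINDOWS\system32\ffdddfefb_g.dll
"""

# date, time, size (digits with optional commas, or dashes for a directory),
# a 9-character attribute column, then the full path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[a-z-]{9})\s+(?P<path>[A-Za-z]:\\.+)$"
)


@dataclass
class Entry:
    date: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_and_system(self) -> bool:
        # Assumption: 'h' = hidden, 's' = system in the attribute column.
        return "h" in self.attrs and "s" in self.attrs


def parse_listing(text: str) -> List[Entry]:
    """Parse file-listing lines; banners, blanks and registry output are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = m["size"]
        entries.append(Entry(
            date=m["date"],
            size=None if size.startswith("-") else int(size.replace(",", "")),
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def hidden_system_files(entries, root=r"C:\WINDOWS\system32"):
    """Files (not directories) under root that carry both hidden and system
    attributes, so a default Explorer view or plain search will not show them."""
    prefix = root.lower().rstrip("\\") + "\\"
    return [e for e in entries
            if not e.is_dir and e.hidden_and_system
            and e.path.lower().startswith(prefix)]


if __name__ == "__main__":
    for e in hidden_system_files(parse_listing(SAMPLE_LOG)):
        print(f"{e.date}  {e.size:>8} bytes  {e.attrs}  {e.path}")
```

On the sample lines this reports only the 5-byte `ffdddfefb_g.dll`; the hidden `Uninstall Information` directory is skipped because it is a directory outside system32 and lacks the system attribute.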

#8
morog
Hi,
Just to inform you as follows:
Instead of the above-mentioned requested .dll file, I submitted another one I found, which looks to be the same as the requested one, only renamed.
The one I submitted now is present in the System 32 folder.
Regards,
morog

#9
Metallica
Where did you submit that?

Can you please follow the instructions in my previous post?

#10
morog
Sorry for my inattention, please.
Done as you asked, and submitted the file at TheSpykiller as you indicated.
After restart, KAV is showing the same - two threats "neutralized" on start-up cleaning -
deleted: Trojan program Trojan-Clicker.HTML.Agent.a File: C:\Documents and Settings\momo\Local Settings\Temporary Internet Files\Content.IE5\UDQRMNC1\popup[1].htm
and
deleted: Trojan program Trojan-Clicker.HTML.Agent.a File: C:\Documents and Settings\momo\Local Settings\Temporary Internet Files\Content.IE5\C11Z0U6L\popup[1].htm

In my previous post I told you I had found another file like the one we deleted, but with another name (in the System 32 folder), and I submitted it in the same way.
Shall we try to kill this one also?

Edited by morog, 23 September 2006 - 09:26 AM.

#11
Metallica
Let me have a look at the file you uploaded.

In the meantime tell me the full name of that file you found please.

Regards,

#12
Metallica
That file is either not complete or just a helpfile for something.

Let me know about the other file you found.

#13
morog
Hi
The file name is: C:\WINDOWS\system32\fcaabbaffdda_g.ocx
I am going to upload it again.
Please confirm if you have found the Kill files I uploaded and submitted at TheSpykiller.
Regards,
NB. Please confirm if you find the file that I uploaded just now at the Spykiller site.

Edited by morog, 23 September 2006 - 11:27 AM.

#14
Metallica
So far I have seen two threads by you at TheSpyKiller and downloaded the files.

The .ocx is next?

#15
morog
Should be already there.
Please confirm if you find it.
Thanks,
regards,