
PSGuard, Proxy-Spamlay and mcls.exe problems [RESOLVED]


  • This topic is locked

#16
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again Graeme

OK, if it exists, it can be deleted.

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\SYSTEM32\mscls.exe
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

I would be even more interested in the result of this fix.
  • 0

#17
GraemeJ
  • Topic Starter
  • Member
  • 16 posts
Hi Crusty

Same thing happened as last time.
I tried to paste by Ctrl-C but it didn't work, so I right-clicked the file, copied and pasted it into Killbox.
Does this make any difference?

Anyway it said it couldn't find the file.
Have ticked the delete on reboot box in Killbox. Does it matter what goes in the drop-down box on the right? It says system process.

Have noticed the CPU usage going very high today, up to 100% - when I look at Task Manager a file called scan32.exe was using a lot of the processor. When I clicked end process it went back to normal. Also had screen go blue for no reason today.

Thought I had this one solved, but am lost now.
Do you want an HJT log?

Thanks
Graeme
  • 0

#18
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello Graeme

The copying process makes no difference.

scan32.exe belongs to McAfee so nothing unusual there. The drop down is for killing the process whilst deleting. By all means have a look in there for the process, but my guess is you won't find it.

Let's try an online scan. Since you use Firefox, we have a very limited choice of places to go.

Please follow this link for an online scan which supports the Firefox browser: Housecall Firefox. Please post the result of the scan in this thread.
  • 0

#19
GraemeJ
  • Topic Starter
  • Member
  • 16 posts
Hello again

I did as you suggested - and had the 'Show all files' option on - hope this was right. Should this always be on when doing scans?
Anyway, after about an hour it found
Grayware/Spyware
BHO_SE.75767 and
BHO_SE.75768

and Vulnerabilities
MS04-027 and
MS04-028

It cleaned the first two and gave further info on the second two, and the chance of them being a problem seemed so remote I didn't download anything.

Sorry but it seemed not to want to provide a report on what it had done.

Have just lost the bottom toolbar as I'm writing (it's gone blue!), so going to go now, and worry!

Thanks again for your persistence with this

Graeme
  • 0

#20
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello Graeme

That sounds just like Smitfraud:

Download NoahDfear's smitRem.exe© and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem.exe© folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.
  • 0

#21
GraemeJ
  • Topic Starter
  • Member
  • 16 posts
Hello again

Did as you suggested.
Log is below.

One other thing - in between postings I looked at the C:\WINNT\SYSTEM32 folder and mscls.exe was there!
I did what you had said before with Killbox.
Hope this didn't invalidate the smitRem thing.

Anyway log is:


smitRem © log file
version 2.7

by noahdfear

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Thu 10/11/2005
The current time is: 20:41:11.33

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :tazz:
  • 0

#22
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again Graeme

Well I'm glad that we have eliminated Smitfraud, PSGuard and SpySheriff.

My understanding is that you keep deleting the said file and it just returns, which means another file is keeping it alive.

Let's give it 48 hours or until it shows up again, whichever is the sooner.
  • 0
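Added worked example (not part of the thread, and not any of the tools named in it): when a deleted file keeps coming back, the practical next step is to find the autostart entry that re-creates it. The script below enumerates the classic Run/RunOnce keys and the Winlogon Shell and Userinit values, then flags any entry that references the suspect file name or deviates from the Winlogon defaults. On Windows it reads the live registry with winreg; elsewhere it falls back to SAMPLE_ENTRIES, which are constructed to resemble this thread's situation and are not a real export. The value name "mscls" in the sample and the suspect list are assumptions for illustration.

```python
r"""Find what keeps re-creating a deleted file: enumerate the classic autostart
locations and flag entries that reference the suspect file or change the
Winlogon defaults. Added example, not from the thread; SAMPLE_ENTRIES below
are constructed, not a real registry export.
"""
import sys
from typing import Iterable, List, Tuple

Entry = Tuple[str, str, str]               # (registry location, value name, command)
Finding = Tuple[str, str, str, List[str]]  # entry plus the reasons it was flagged

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOSTART_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    WINLOGON,
]


def _basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()


def triage(entries: Iterable[Entry], suspects: Iterable[str]) -> List[Finding]:
    """Flag autostart entries worth a look. `suspects` are file names (for
    example the file that keeps returning); matching is case-insensitive."""
    suspects = [s.lower() for s in suspects]
    findings: List[Finding] = []
    for location, name, command in entries:
        reasons: List[str] = []
        low = command.lower()
        for s in suspects:
            if s in low:
                reasons.append("references suspect file " + s)
        if location == WINLOGON and name.lower() == "shell" and low.strip() != "explorer.exe":
            reasons.append("non-default Shell (expected explorer.exe)")
        if location == WINLOGON and name.lower() == "userinit":
            # Default is "<systemroot>\system32\userinit.exe," - anything appended
            # after the comma is started at every logon, a classic reviver slot.
            extras = [p.strip() for p in command.split(",")
                      if p.strip() and _basename(p) != "userinit.exe"]
            if extras:
                reasons.append("extra Userinit program(s): " + ", ".join(extras))
        if reasons:
            findings.append((location, name, command, reasons))
    return findings


def collect_windows() -> List[Entry]:
    """Read the keys above with winreg (Windows only; [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out: List[Entry] = []
    for location in AUTOSTART_KEYS:
        hive, _, subkey = location.partition("\\")
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:
            continue                      # key absent on this system
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break                 # no more values
                if isinstance(value, str):
                    out.append((location, name, value))
                index += 1
    return out


# Constructed sample resembling this thread's situation (not a real export).
SAMPLE_ENTRIES: List[Entry] = [
    (AUTOSTART_KEYS[0], "Synchronization Manager", "mobsync.exe /logon"),
    (AUTOSTART_KEYS[0], "mscls", r"C:\WINNT\SYSTEM32\mscls.exe"),
    (WINLOGON, "Shell", "explorer.exe"),
    (WINLOGON, "Userinit", r"C:\WINNT\system32\userinit.exe,C:\WINNT\SYSTEM32\mscls.exe"),
    (WINLOGON, "DefaultUserName", "user"),
]


if __name__ == "__main__":
    entries = collect_windows() or SAMPLE_ENTRIES
    for location, name, command, reasons in triage(entries, ["mscls.exe", "run.dll"]):
        print(f"{location}\\{name} = {command}\n    {'; '.join(reasons)}")
```

Run it as administrator on the affected machine so HKLM is readable; a hit in Userinit or a non-default Shell is exactly the kind of entry that survives deleting the file itself. Services, scheduled tasks and BHOs are further autostart locations not covered here.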

#23
GraemeJ
  • Topic Starter
  • Member
  • 16 posts
Hi Crusty

Afraid the Viruscan message keeps coming up, which wouldn't be a problem, I guess, if other problems didn't keep coming back too.
Main issue is that the screen goes blue and loses the screensaver and the bottom toolbar..
As the mscls.exe was in explorer.exe, as far as I understand it, a problem in explorer would explain the bluescreen and the toolbar problem? Suggests to me that there is a problem somewhere that keeps getting renewed.

Grateful for any clues.

Graeme
  • 0

#24
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello Graeme

Let's just check for a rootkit.

Download:
RKFiles.zip

Create a new folder called C:\Antispyware\RKFiles

Extract the contents of RKFiles.zip into this new RKFiles folder.

Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

  • Open the C:\Antispyware\RKFiles folder.
  • Locate and double-click the RKFILES.BAT to run this tool.
  • Sit back and wait until it has finished.
  • When it is finally finished a text file will open.
  • Save the contents of that text file.

N.B.: It should save by default to C:\Log.txt

Reboot back to Normal Mode and post the log.
  • 0

#25
GraemeJ
  • Topic Starter
  • Member
  • 16 posts
Hi again!

At least this gives me something to do on a Sunday night...

The logfile you asked for is below.
UPX sounds bad!

Thanks
G

C:\Antispyware\RKFiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\SYSTEM32\mscls.exe: UPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\RMAgentOutput.dll: UPX!
C:\WINNT\tsc.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
Finished
bye
  • 0

#26
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello Graeme

Those are false positives, nothing showing up there either.

There is, I fear, only one place to go.

Please be very careful with this one. Make sure you follow the instructions to the letter as I hate burdening people with this.

Please download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
Please run MWav by double-clicking on mwav.exe.
Put a check next to the following items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
  • 0

#27
GraemeJ
  • Topic Starter
  • Member
  • 16 posts
Should I have 'show all files' on?
G
  • 0

#28
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again Graeme

Should I have 'show all files' on?

No, only the ones that I mentioned. For example if you tick or check REGISTRY, you'll have a log big enough to swamp this board.

But before you do that, just try this, slightly different, and wait a short while to see if we get it.

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Replace on Reboot and use Dummy option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\SYSTEM32\mscls.exe
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Replace on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.
  • 0
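Added worked example (not Killbox's own code, and not from the thread): both Killbox procedures used in this thread, "Delete on Reboot" (post #16) and "Replace on Reboot, use Dummy" (post #28), rely on the same Windows mechanism. The operation is queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is what MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT writes, and the session manager carries it out early in the next boot, before the file can be locked or re-created by a running process. The code below builds those entries in that documented format, decodes what is already queued, and, on Windows only and as administrator, queues the operation through the real API. The dummy path C:\dummy.tmp is an assumption for illustration.

```python
r"""Delete- or replace-on-reboot via PendingFileRenameOperations.

Added example, not Killbox's code. Format (documented for MoveFileExW with
MOVEFILE_DELAY_UNTIL_REBOOT): a REG_MULTI_SZ under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager holding (source,
destination) pairs in NT form "\??\C:\...". An empty destination means
delete; a leading "!" on the destination means overwrite the existing file
(MOVEFILE_REPLACE_EXISTING).
"""
import sys
from typing import List, Optional, Tuple

SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def to_nt_path(win_path: str) -> str:
    """Win32 path -> NT object-manager path, as stored in the registry."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_delete(target: str) -> List[str]:
    """Entry pair that deletes `target` at the next boot (Killbox 'Delete on Reboot')."""
    return [to_nt_path(target), ""]


def encode_replace_with_dummy(target: str, dummy: str) -> List[str]:
    """Entry pair that moves `dummy` onto `target` at the next boot
    (Killbox 'Replace on Reboot, use Dummy'). If something re-creates the
    target before the operation runs it is overwritten anyway, and what
    survives under that name is the harmless zero-byte dummy."""
    return [to_nt_path(dummy), "!" + to_nt_path(target)]


def decode(multi_sz: List[str]) -> List[Tuple[str, str, str]]:
    """Turn a PendingFileRenameOperations value into (op, source, destination)."""
    ops: List[Tuple[str, str, str]] = []
    for i in range(0, len(multi_sz) - 1, 2):   # a trailing unpaired string is ignored
        src, dst = multi_sz[i], multi_sz[i + 1]
        if dst == "":
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops


def read_pending_windows() -> List[Tuple[str, str, str]]:
    """What is already queued (Windows only; [] elsewhere or if the value is unset)."""
    if sys.platform != "win32":
        return []
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except OSError:
        return []
    return decode(list(value)) if kind == winreg.REG_MULTI_SZ else []


def queue_windows(target: str, dummy: Optional[str] = None) -> bool:
    """Queue the operation through the real API (Windows only, needs admin).
    With `dummy` set this is replace-with-dummy, otherwise delete. Returns success."""
    if sys.platform != "win32":
        return False
    import ctypes
    flags = MOVEFILE_DELAY_UNTIL_REBOOT
    if dummy is not None:
        open(dummy, "wb").close()              # create the zero-byte placeholder
        flags |= MOVEFILE_REPLACE_EXISTING
        src, dst = dummy, target
    else:
        src, dst = target, None                 # NULL destination = delete
    return bool(ctypes.windll.kernel32.MoveFileExW(src, dst, flags))


if __name__ == "__main__":
    target = r"C:\WINNT\SYSTEM32\mscls.exe"
    print("delete entries: ", encode_delete(target))
    print("replace entries:", encode_replace_with_dummy(target, r"C:\dummy.tmp"))  # assumed dummy path
    for op in read_pending_windows():
        print("already queued:", op)
```

A useful check before and after using Killbox is read_pending_windows(): if the delete was queued but the file is back after the reboot, the entry was consumed and something re-created the file, which points back at a loader rather than at the file itself.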

#29
GraemeJ
  • Topic Starter
  • Member
  • 16 posts
Crusty,

sorry, afraid we've got out of sequence. I did the Mwav scan and have the infected items list.

I haven't done what you suggested with Killbox yet.

I'll wait to hear back from you before doing anything further.

It came up with 72 viruses and 8 errors - infected items below

Thanks
Graeme


File C:\WINNT\System32\run.dll infected by "Trojan-Downloader.Win32.Small.btm" Virus! Action Taken: No Action Taken.
Object "searchexe Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "unknown toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "fastwebfinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "fastwebfinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imiserver ieplugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINNT\system32\run.dll infected by "Trojan-Downloader.Win32.Small.btm" Virus! Action Taken: No Action Taken.
File C:\WINNT\SYSTEM32\run.dll infected by "Trojan-Downloader.Win32.Small.btm" Virus! Action Taken: No Action Taken.
File C:\WINNT\SYSTEM32\run.dll infected by "Trojan-Downloader.Win32.Small.btm" Virus! Action Taken: No Action Taken.
  • 0

#30
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again Graeme

I would think that MWAV is highlighting old bad files that are in your quarantine folder or restore points since it is not giving a path. The only one there is run.dll which is presumably meant to look like rundll. I don't know the file, I don't have it on my system and there is too much confusion on google sites to be sure of it, although in fairness, Bleeping Computer say definitely bad, so let's give it to the experts to analyse.

Please visit Kaspersky for an online file scan.

Browse to: C:\WINNT\system32\run.dll submit it and wait for their verdict.

If it's bad, and I think it is, please Killbox it using the Delete on Reboot option.

Let's see if it behaves itself afterwards.
  • 0
