[thomo79]

PC seems to be running well, however nortons just bought up another dll file that was a virus. I used killbot to delete it. The log of killbot is below and my pc is currently doing another kaspersky online scan. Will post the results when done.


Pocket Killbox version 2.0.0.648
Running on Windows XP as Nikolai(Administrator)
was started @ Monday, March 13, 2006, 3:15 PM

# 1 [Files to Delete]
Path = C:\Program Files\Norton Antivirus\Quarantine\Portal\479C4537.dll
*File Was Deleted

# 2 [Files to Delete]
Path = C:\Program Files\Norton Antivirus\Quarantine\Portal\6B9156CF.dll
*File Was Deleted

Killbox Closed(Exit) @ 3:17:11 PM

[Advertisements]

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 13, 2006 4:33:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/03/2006
Kaspersky Anti-Virus database records: 182084
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\
Q:\

Scan Statistics:
Total number of scanned objects: 75043
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:10:32

Infected Object Name / Virus Name / Last Action
C:\Program Files\Norton Antivirus\Quarantine\477B215B.dll Infected: Trojan-Downloader.Win32.Small.cml skipped
C:\Program Files\Norton Antivirus\Quarantine\47924741.dll Infected: Trojan-Downloader.Win32.Small.cml skipped
C:\Program Files\Norton Antivirus\Quarantine\479C4537.dll Infected: Trojan-Downloader.Win32.Small.cml skipped

Scan process completed.




I've emptied this folder a couple of times now and these dlls files keep reappearing.

[thomo79]

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 13, 2006 4:33:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/03/2006
Kaspersky Anti-Virus database records: 182084
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\
Q:\

Scan Statistics:
Total number of scanned objects: 75043
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:10:32

Infected Object Name / Virus Name / Last Action
C:\Program Files\Norton Antivirus\Quarantine\477B215B.dll Infected: Trojan-Downloader.Win32.Small.cml skipped
C:\Program Files\Norton Antivirus\Quarantine\47924741.dll Infected: Trojan-Downloader.Win32.Small.cml skipped
C:\Program Files\Norton Antivirus\Quarantine\479C4537.dll Infected: Trojan-Downloader.Win32.Small.cml skipped

Scan process completed.




I've emptied this folder a couple of times now and these dlls files keep reappearing.

[thomo79]

I've also completed a scan with jotti and here are the results. Also nortons has been deactivated again and it wont re-enable. And when nortons detects this virus it keeps popping up after the ok button is clicked.

Service
Service load: 0% 100%

File: 477B215B.dll
Status: INFECTED/MALWARE
MD5 7998b77acf64691b57dee5ea21037e69
Packers detected: CRYPT.QUARANTINE
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.cml
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Service
Service load: 0% 100%

File: 479C4537.dll
Status: INFECTED/MALWARE
MD5 a710d575e37c1e6ddcc5de51194d08be
Packers detected: CRYPT.QUARANTINE
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.cml
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Service
Service load: 0% 100%

File: 47924741.dll
Status: INFECTED/MALWARE
MD5 063d6144382aa4d875edd16b87d63c06
Packers detected: CRYPT.QUARANTINE
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.cml
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

[loophole]

Strange...

Please download ATF Cleaner by Atribune.Save it to the desktop
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.




Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

[thomo79]

03/14/06 04:35:03 [Info]: BlackLight Engine 1.0.33 initialized
03/14/06 04:35:03 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/14/06 04:35:03 [Note]: 7019 4
03/14/06 04:35:03 [Note]: 7005 0
03/14/06 04:35:06 [Note]: 7006 0
03/14/06 04:35:06 [Note]: 7011 1400
03/14/06 04:35:07 [Note]: FSRAW library version 1.7.1015
03/14/06 04:35:47 [Note]: 7007 0


There was no check box for the scan through windows explorer for the version of blacklight that was available for download

Edited by thomo79, 13 March 2006 - 01:01 PM.

[loophole]

Blacklight is negative as you probably know this.

Does norton give you the location of where it is finding these files originally before it moves them into quarantine. I'm guessing a Temp directory.

Download.trojan is a generic name given to a host of trojans therefore its hard to see what it is exactly.

Have you ran ewido in safemode? Does it find any threats.

Edited by loophole, 13 March 2006 - 01:21 PM.

[thomo79]

If nortons did give the location i missed it but it moved the files to the quaratine directory. I'll perform the ewido scan in safe mode and see if it picks anything up.

[thomo79]

Latest kaspersky scan showed this after using killbot to remove and deregister the dll files.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, March 14, 2006 6:26:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/03/2006
Kaspersky Anti-Virus database records: 182283
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\
Q:\

Scan Statistics:
Total number of scanned objects: 72192
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:17:53

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{C7BBD38F-92F5-4784-BF1C-3FF7567EB199}\RP2\A0000192.dll Infected: Trojan-Downloader.Win32.Small.cml skipped
C:\System Volume Information\_restore{C7BBD38F-92F5-4784-BF1C-3FF7567EB199}\RP2\A0000193.dll Infected: Trojan-Downloader.Win32.Small.cml skipped
C:\System Volume Information\_restore{C7BBD38F-92F5-4784-BF1C-3FF7567EB199}\RP2\A0000194.dll Infected: Trojan-Downloader.Win32.Small.cml skipped

Scan process completed.

how do i remove the system volume information files, then hopefully i'll be trojan free.