
I got a virus a while ago (months ago), and ever since my Freedom Telus antivirus helped remove the virus I keep getting rb4.tmp files in my recycle bin: rb26.tmp, rb4f.tmp and many more different types. I think there might also be more hidden viruses on my computer, but I can't find a way to find and delete them. I have been told not to use System Restore or there may be a chance of letting the virus run loose again. The one thing I used after I got the virus was SDFix.exe in safe mode to delete some part of the virus; I totally forgot what, though. Please help me, I really don't want to reformat everything. Every time I delete the rb4.tmp files and other rb.tmp files they keep reappearing in the recycle bin where I first deleted them, and ever since the virus my graphics card seems to be working extremely slow.

2 contributors, 64 replies, 65 views, 9-year discussion span, last post by cynikal.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:13 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\RPS.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\mom.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\gcc.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: tcpsvcs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 5332 bytes


Hi, you need to remove this:
C:\WINDOWS\system32\tcpsvcs.dll
It is already running, started at boot by this key: O20 - AppInit_DLLs: tcpsvcs.dll ... If you cannot manually delete the file in normal mode you will not be able to do it in safe mode either, because it is loaded and running before you get to log on, so you will need to unlock it first. This tool should do the job...
==This one is a general-purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Double-click the exe to install it, unchecking the updater and assistant boxes. It runs from the right-click context menu, and that is cool.
So try it and post another log.
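A small triage script for a HijackThis log, added here as an example and not part of the original thread or of HijackThis itself. It pulls out the entry types that carry persistence (F2 UserInit, O2/O3 browser objects with no backing file, O20 AppInit_DLLs, O23 services with no identified vendor) and groups them by the reason they deserve a look. The sample lines are copied from the log posted above; the rules are my own heuristics. It will also flag the second path on the UserInit line, which the thread never discusses: a flag here means "check it", not "it is malicious".

```python
"""Triage a HijackThis v2 log by entry type.

Added example, not code from the original thread or from HijackThis.
The sample lines are copied from the log posted in the thread; the
rules below are the reviewer's own heuristics about which entry types
carry persistence.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log above.
SAMPLE_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\gcc.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O20 - AppInit_DLLs: tcpsvcs.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

# The stock XP value. Anything listed after it in UserInit is started at
# every interactive logon, so it is worth identifying (not necessarily bad).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

REASONS = {
    "userinit_extra": "extra program in the UserInit logon chain",
    "orphan_clsid": "browser object registered but its file is gone (safe to fix)",
    "appinit_dll": "DLL loaded into every process that loads user32.dll",
    "unsigned_service": "service whose vendor HijackThis could not identify",
}


def triage(log_text):
    """Return {reason: [items]} for the entries that warrant a closer look."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "F2" and body.startswith("REG:system.ini: UserInit="):
            values = [v.strip() for v in body.split("=", 1)[1].split(",") if v.strip()]
            findings["userinit_extra"].extend(v for v in values if v.lower() != DEFAULT_USERINIT)
        elif kind in ("O2", "O3") and body.endswith("(no file)"):
            clsid = re.search(r"\{[0-9A-Fa-f-]{36}\}", body)
            findings["orphan_clsid"].append(clsid.group(0) if clsid else body)
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings["appinit_dll"].append(dlls)
        elif kind == "O23" and " - Unknown owner - " in body:
            findings["unsigned_service"].append(body.rsplit(" - ", 1)[1])
    return {reason: items for reason, items in findings.items() if items}


def report(findings):
    """Human-readable lines, one per flagged item."""
    out = []
    for reason, items in findings.items():
        for item in items:
            out.append(f"{reason:17} {item}   # {REASONS[reason]}")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

On the sample this reports the tcpsvcs.dll AppInit entry the reply above asks to remove, the two orphaned CLSIDs that later turn up in the thread, the ATI service with no identified owner, and the extra UserInit path. Everything else in the log (the O4 Run entries, the O23 services with a named vendor) is left alone.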


I can't find a tcpsvcs.dll file; I can only find a tcpsvcs.exe file in my C:\WINDOWS\system32\.


Okay, that one [tcpsvcs.exe] is legitimate, so leave it there. Let's remove that key though...
Start HijackThis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O20 - AppInit_DLLs: tcpsvcs.dll
..and that is all. Those rb.tmp and rb4.tmp I think may be associated with your AV/AS service, Telus. If you wish to test that, go offline, disable TELUS and then delete them. If they stay gone then that is the reason: they are files used by Telus..... Don't forget to reactivate Telus before you connect again. It will regenerate them.
AVG should have saved a report if it found something.. check under the Reports tab...?


I found that file in HijackThis and clicked Fix after I ticked it. It's not in the report anymore, or I don't think it is. For AVG there is nothing under the Reports tab, but it says 4 files are currently quarantined. I see them under the Infections tab but I can't get a report of them to show you.


Do you recognise the entries in the quarantine? You could list them here.. but if they are merely cookies you could just empty the bin safely.


These are basically copy-pasted, and one or two of them are in the System Volume folder. When I clicked on Apply All to quarantine and delete everything, a popup came up and asked me if I wanted to quarantine the entire System Volume folder or file, and I clicked yes. So this is what shows up in my Quarantine tab (I had to manually type them all from the tab); the *** are what I'm typing in for what the file is infected with:
C:\System Volume Information\_restore{EBCB510F-B2E2-4905-9575-7F04221D52A4}\RP403\A0131478.exe ***This one is infected with Adware.180Solutions***

HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} ***This one is infected with Adware.Generic***

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave ***This one is infected with Adware.SaveNow***

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BKR0LWOQ\m2_18_09_07_1[1].exe ***This one is infected with Trojan.Inject.fm***


Also, I think almost all the cookies were deleted when I clicked Apply Now after setting elements to Quarantine. Only those 4 were quarantined.


That's okay... this will clear all of them... BTW, did you check out Telus and those rb.tmp files like I mentioned?
==You SHOULD clear all your System Restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go Control Panel > System > System Restore tab, check Turn off System Restore on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > Run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > Programs > Accessories > System Tools > System Restore and create a restore point now!!
[[the quick way to System Restore is Start > Run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]


So I shouldn't click on "Remove Finally" in AVG Anti-Spyware; I should just delete all restore points first? I haven't restarted my computer, so I don't know about the rb4.tmp files yet.


I restarted my computer and the rb4.tmp files keep appearing in the recycle bin. I'm having trouble disabling my Telus antivirus program, because when I disable it in the msconfig Startup tab I end up disabling my internet connection as well, but the rb4.tmp files seem to stop coming when I disabled all of that. Should I just reinstall my Telus antivirus program, or should I first find a way to disable the antivirus program without disabling my internet connection, to see if it's the internet connectivity that is causing the problem of the rb4.tmp files appearing in my recycle bin?


In AVG you can click on "Remove Finally"; then, to ensure that no other points are infected but undiscovered, you clear all your restore points and make a fresh one by the method I detailed.
Telus, I think, makes those rb/rb4.tmp files for its own purposes.... I proposed testing that by your disconnecting from the net and then disabling Telus [usually this is possible from a service's control panel - there should be no need to uninstall it]. With Telus temporarily disabled you should be able to delete those files in the recycle bin, but Telus will recreate them once restarted. [this is my ... what..? best guess... yeah... test it, they are no harm in the bin].


I screwed up the title; I meant that I "can" delete the rb4.tmp files but they keep coming back in the recycle bin every time I restart my computer. What can I do to stop them from coming back to the recycle bin? This is a quote I found on another website about this; it seems to inquire that there is still something infected that needs to be moved around to prevent further infection: "The temporary files are created by the Anti-Virus in the Sympatico Security Manager. At start-up, the Anti-Virus engine scans the Recycle Bin for Viruses. The Recycle Bin is difficult to clean-up when it contains infected files. The temporary files are used to help move the files around and prevent an infected file from being restored by accident. You will notice that the original location of the temporary file is the Recycle Bin itself and that the file size is zero." That's from the www.misec.net website; it might be the response from "their" antivirus program but I have no clue. Does this mean that I still have a virus somewhere, and that if I remove the virus the rb4.tmp files will stop appearing in the recycle bin?


For the restore point method, yes, I deleted all the previous ones as you instructed and I created a new one.

Also, will any of these files affect my sound or sound files if I remove them:

C:\System Volume Information\_restore{EBCB510F-B2E2-4905-9575-7F04221D52A4}\RP403\A0131478.exe ***This one is infected with Adware.180Solutions***

HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} ***This one is infected with Adware.Generic***


Ha! For a moment there I missed your point completely.... Sys Vol Inf is the directory which holds the restore points in each volume. A volume is commonly referred to as a drive such as, in this case, C:. You are safe....
Yes, I understood that you could delete those files but that they would be recreated. I know nothing about Sympatico, but I can assure you that your Virgin Telus will create those rb.tmp files... they are for its own use and are not dangerous. You know, if you DID have malware files in your bin and you then emptied it there would be no more malware in there for Telus to rename, would there? But there are normally no actual files in the recycle bin... This may help you understand: when you delete a file all that is added into the recycle bin is the pathname of the file; the file itself remains exactly where it was on disk but is renamed using a simple algorithm. The file will remain where it was until you empty the recycle bin; then the space it occupies will be listed as available for overwriting and in the fullness of time may actually be overwritten. Until that time your file still exists and can be retrieved with software. Malware fights like crazy to prevent its files being deleted because of that renaming: it can no longer find elements of itself because it won't know the new names. So no malware files in the bin are being renamed by your Telus; it is creating files for its own use in there.
If you wish to check your sys further for malware, do this:
Clean:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select All, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Scan:
==Please use IE to do an online scan at Panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.


Ok, I downloaded ATF Cleaner and deleted all the temp files.

I also ran the scan from Panda and this is the log:


Incident Status Location

Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/myglobalsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Adware:adware/abox Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/SaveNow Not disinfected C:\Downloads\BSINSTALL.exe
Virus:Bck/MIRCBased.BI Disinfected C:\Program Files\mIRC\mirc.exe


It looks like Panda broke your mIRC - you may have to reinstall that.
Is that the BearShare installer in C:\Downloads? C:\Downloads\BSINSTALL.exe - if so, it is okay.
If MyGlobalSearch is listed in Add/Remove Programs, uninstall it.
=I see that you have MyWay Search Assistant. You can get rid of it... first see if it is listed in the Add/Remove Programs list - remove it if able, then..
Go Start > Run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click Yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
This next will clean up the bad entries that Panda found in your registry:
==Please copy the text between the lines to a Notepad [Format/Word Wrap unchecked] and save as fixkey.reg, as type "All Files", to your desktop; double-click it to run... agree; if it opens in Notepad instead, right-click the icon [file], choose Open With, Registry Editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]
[-HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]
[-HKCR\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
__________________________________________________________

Please say how things are after a restart.


Alright, so far I searched "myway" under "All files and folders" when I right-click 'My Computer' and go to Search. It found nothing under myway. I also did not find MyWay Search Assistant in my Add/Remove Programs list, nor did I find MyGlobalSearch. If you're sure that I have them on my computer then maybe you could find another way for me to find them and get rid of them.

I also pasted exactly: MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} in my Run box and I got this message: "This action is only valid for products that are currently installed."

I also deleted the BSinstall. It was BearShare that I removed a while ago, but I forgot to remove the installer.

I also copied the text between the lines as you instructed and ran the fixkey.reg from my desktop. I'm also curious to know what that one does.

Thank you so much so far. You're really helping me out a lot.


__________________________________________________________
Windows Registry Editor Version 5.00

[-HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]
[-HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]
[-HKCR\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
__________________________________________________________

Ok, noted that re MyWay and MyGlobalSearch - you only had remnants in your directory, as shown by the Panda scan.
What the above does is invoke the Registry Editor; more specifically, running it has removed those keys listed. If you check back, three of them were from the Panda scan [MyWay and MyGlobalSearch entries, plus a dialer]; the other two you put in from the AVG scan. If they were still there they are gone now.
I think you might be clean. How are things now?


I just restarted my computer. It seems fine and now I can relax without worrying about any viruses, rootkits, dialers etc. !!!!THANK YOU SOOO MUCH!!!! Do you know what I can do to make sure that all the dialers, rootkits, and spyware are gone now? Should I do another Panda scan?

Also, the tmp files still appear in my recycle bin. I know now, after you told me, that they are harmless, but if I reinstalled my Telus anti-virus would they go away?


Also, I'm running the Panda scan again and so far it's found 12 spyware, 3 rootkits and 1 dialer. I'll post the log after it's complete.


WAK!! 3 rootkits?
Yes, delete fixkey.reg. Reinstalling Telus will not stop it making those files - it is just how it works. Ignore them.


Ok, I think maybe some of the spyware might be from me being on the internet (mainly this website), so I cleared the temp folders with ATF Cleaner again, but I don't know which ones it removed, if it even removed any. It also looks like I didn't remove the global search bar and the dialer; it all seems to be the same stuff and some new spyware, I think. Anyway, here's the new log:

Incident Status Location

Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/myglobalsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Adware:adware/abox Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Cookies\user@advertising[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Cookies\user@advertising[3].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Cookies\user@atdmt[3].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Cookies\user@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[3].txt
Potentially unwanted tool:Application/Processor
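The two Panda reports are compared by eye in the thread ("it all seems to be the same stuff and some new spyware"). Below is an added example, not part of the original thread or of Panda's tooling, that does that comparison mechanically: it parses both reports as posted, keys each incident on name plus location, and splits the result into what persisted, what is new, what disappeared, and tracking cookies (which are noise that any browsing regenerates). The parsing rule is my own reading of the report format; the truncated last line of the second report is reported as unparsed rather than guessed at.

```python
"""Diff two Panda ActiveScan reports.

Added example, not from the original thread or from Panda. The two
reports are the ones posted in the thread; the line format below is the
reviewer's own reading of them: "<kind>:<name> <status> <location>".
"""
import re

SCAN_1 = r"""Incident Status Location

Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/myglobalsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Adware:adware/abox Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/SaveNow Not disinfected C:\Downloads\BSINSTALL.exe
Virus:Bck/MIRCBased.BI Disinfected C:\Program Files\mIRC\mirc.exe
"""

SCAN_2 = r"""Incident Status Location

Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/myglobalsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Adware:adware/abox Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Cookies\user@advertising[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Cookies\user@advertising[3].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Cookies\user@atdmt[3].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Cookies\user@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[3].txt
Potentially unwanted tool:Application/Processor
"""

# Name is matched lazily because some names contain spaces ("Cookie/Atlas DMT").
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)


def parse(text):
    """Return ({(name, location): record}, [unparsed lines])."""
    records, unparsed = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Incident Status Location":
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)      # truncated or unknown format: do not guess
            continue
        records[(m["name"].lower(), m["location"].lower())] = m.groupdict()
    return records, unparsed


def is_cookie(rec):
    return rec["name"].lower().startswith("cookie/")


def diff_scans(old_text, new_text):
    """Bucket the new report against the old one."""
    old, _ = parse(old_text)
    new, unparsed = parse(new_text)
    out = {"persistent": [], "new": [], "gone": [],
           "cookies_persistent": [], "cookies_new": [], "unparsed": unparsed}
    for key, rec in new.items():
        bucket = "persistent" if key in old else "new"
        if is_cookie(rec):
            bucket = "cookies_" + bucket
        out[bucket].append(rec)
    out["gone"] = [rec for key, rec in old.items() if key not in new]
    return out


if __name__ == "__main__":
    result = diff_scans(SCAN_1, SCAN_2)
    for bucket, recs in result.items():
        print(f"{bucket}: {len(recs)}")
        for rec in recs:
            print("   ", rec if isinstance(rec, str) else f'{rec["name"]}  {rec["location"]}')
```

On the two reports above the non-cookie findings split cleanly: the five registry remnants (MyWay, SaveNow, MyGlobalSearch, Abox, the dialer) are in both scans, nothing non-cookie is new, and the three items that vanished are the SDFix component, the deleted BSINSTALL.exe and the mIRC file Panda disinfected; the eight new entries are all cookies.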


This is a new HijackThis log. From what I've seen you point out so far, do these 2 look suspicious, or any others?
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
I'm just guessing; I have no expertise in these things lol.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:35 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\TELUS\TELUS eProtect\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\gcc.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 5490 bytes


Ah. No rootkits after all. The first O2 entry is benign, it is to do with Windows Live Messenger...? The second O2 is MyGlobalSearch toolbar... and should have been removed by running fixkey.reg.
I do not understand why that fix did not work.... you did only copy the text and not the lines, and you did not have Notepad Format > Word Wrap checked? You could run it again, it does no harm.
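Before importing a .reg fix it is worth checking it mechanically, because regedit reports "added successfully" for a [-key] deletion line whether or not that key exists, so a typo in a key path fails silently. Below is an added example, not part of the original thread or of any Microsoft tool; the sample input is the fixkey.reg posted above, reproduced exactly as posted. Run against it, the checker reports that the third key line is missing the closing } of its CLSID. A second function checks whether a fix names a given CLSID at all: the O3 toolbar line in the log begins 37B85A29 while the key in the fix begins 37B85A21, so even with the brace repaired this fix would not touch that toolbar entry.

```python
"""Mechanically check a .reg fix before importing it with regedit.

Added example, not code from the original thread. The sample below is
the fixkey.reg posted in the thread, reproduced as posted; the header
and hive rules are the ones regedit applies to import files.
"""
import re

FIXKEY_REG = r"""Windows Registry Editor Version 5.00

[-HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]
[-HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]
[-HKCR\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
"""

# The orphaned toolbar CLSID from the O3 line of the HijackThis log above.
O3_TOOLBAR_CLSID = "{37B85A29-692B-4205-9CAD-2626E4993404}"

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG",
         "HKLM", "HKCU", "HKCR", "HKU", "HKCC"}
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_LINE = re.compile(r'^(@|"[^"]*")=')


def check_reg(text):
    """Return a list of 'line N: problem' strings; empty means it looks sound."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("line 1: missing or unknown header")
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            if not line.endswith("]"):
                problems.append(f"line {n}: key line not closed with ']'")
                continue
            path = line[1:-1].lstrip("-")          # leading '-' means delete
            hive = path.split("\\", 1)[0].upper()
            if hive not in HIVES:
                problems.append(f"line {n}: unknown hive {hive!r}")
            if path.count("{") != path.count("}"):
                problems.append(f"line {n}: unbalanced braces in key path")
                continue
            for frag in re.findall(r"\{[^}]*\}", path):
                if not GUID.fullmatch(frag):
                    problems.append(f"line {n}: malformed GUID {frag}")
        elif not VALUE_LINE.match(line):
            problems.append(f"line {n}: not a key or value line")
    return problems


def covers(text, clsid):
    """True if some key line in the fix names this CLSID (case-insensitive)."""
    want = clsid.upper()
    return any(want in line.upper() for line in text.splitlines() if line.startswith("["))


if __name__ == "__main__":
    for p in check_reg(FIXKEY_REG) or ["no problems found"]:
        print(p)
    print("fix names the O3 toolbar CLSID:", covers(FIXKEY_REG, O3_TOOLBAR_CLSID))
```

The checks are deliberately narrow: header, hive name, bracket and brace balance, GUID shape, and value-line syntax. They cannot tell you whether a key exists on the target machine; for that you would export the key with regedit first and keep the export as a rollback.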


==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run

You said unchecked. So is it checked or unchecked? lol


I ran it again with Word Wrap checked this time, and I just did it again without. Every time I do it, it says "Are you sure you want to add the information in C:\Documents and Settings\user\Desktop\fixkey.reg to the registry?" and I click yes. Then it says added successfully. So I run another HijackThis and the toolbar thing is still there.

Also, did you read my other post before I posted the HijackThis log, the one that showed the Panda log (the second one)?
