0

Hi
I tried this on usenet but no replies yet so I thought I'd try here...a couple of weeks ago I had an infection with Freshbar, I changed from Avast to Kaspersky which I thought removed everything but it has now found this Freshbar related trojan:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS%5FPSYME%2EK&VSect=P
it will also find items in the Temporary Internet Files folder which it has
trouble deleting. I looked at the folder and its size on the disk is 840
MB!! I have it restricted to 240 in my internet options, even if I empty
it it still has a folder Content.IE5. Under the command prompt it contains a file index.dat, 32,768 bytes,
and 3 folders, named . (a dot), .. (two dots) (which I cannot access using
dir) and G1HCGLI which contains 2 directories named . and .. and 3 files:
file1.: O(with a squiggly line above), 2,744,320 bytes
file 2: e(with acute accent)and a symbol that looks like a little devil
face! 865, 329, 152 bytes
file 3: = 6, 512, 640 bytes

I have tried deleting these files in the command prompt using the remove hidden/system/read only attrib, but it still doesn't work, I think because they are file names which DOS and windows do not recognise. :eek: Using Fprot command line scanner and a DOS floppy it reports an error when
scanning these files. Can someone tell me what these are and how to get rid
of them, also any advice on how to remove Freshbar? I am willing to do a full reinstall, but I am worried that a format will not be successful if these files cannot be deleted normally.

Thanks

Will

5
Contributors
12
Replies
13
Views
12 Years
Discussion Span
Last Post by Ander
0

A reinstall will fix it if you Format before the install because a format will remove all files from your hardrive !
Have you tried booting into safe mode and deleting the temp files .
hit f8 on reboot to get to safe mode

0

OMG!!!! I just tried running Stinger and the computer just switched off and wont turn on again!!!!!! What on earth is this thing??? I took a screenshot of the files that I think maybe were suspect, the large one has a smiley face :evil:
http://uk.geocities.com/will64637/commanpic.jpg

ARGHHHHHHHHHHHHHH PLEEASE HELP MEEEEEEEEEEEE

0

The strange characters in the filenames in your screenshot indicate file/folder corruption, as does the fact that one of the files is listed as being more than 865MB in size (which I highly doubt to be true).

When you say that the computer "won't turn on again", what exactly do you mean? Does it even power up/start to boot? If so, where in that process does it "die"?

0

Thanks for quick reply. The first time I tried a couple of hours ago about 10 times only the fan started. I just tried again to (its a Toshiba Satellite 3000x4 laptop) the 1st time the light just came on, the 2nd the fan started a bit, the 3rd time it started OK now Im in Safe mode, I definitely had the Freshbar and About Blank viruses- I think there is still something in here as trojans associated with Freshbar keep reappearing even though I have Kaspersky and ZA Spysweeper Spyblaster Spybot running .... there were definitely viruses in the Temp Internet Files folder have these corrupted the disk or BIOS?? :(

0

I forgot to add a couple more symptoms, it takes about 4 minutes to shut down in normal mode but its ok in Safe Mode, + the Windows XP blue Start menu and windows with a red cross has disappeared so it looks like old Windows 2000/98.... :?:

0

You may have more than one issue going on here. While spyware and viruses can do some pretty severe things to your system, the low-level startup problems you describe (combined with the apparent disk/filesystem corruption) could be indicative of other problems such as a failing hard drive or bad RAM. :(

Since you seem to able to at least get in to Safe Mode now, please try the following (assuming you are using Win 2K or XP; let us know if otherwise):

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed (the same is true of the Local Settings\Temporary Internet Files\Content.IE5 folders).. Windows will allow you to delete the versions of hte desktop.ini and index.dat files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist directly in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot.

Let us know the results.

0

I forgot to add a couple more symptoms, it takes about 4 minutes to shut down in normal mode but its ok in Safe Mode, + the Windows XP blue Start menu and windows with a red cross has disappeared so it looks like old Windows 2000/98.... :?:

Ok- in light of that additional info, please do the following:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:

Create a new separate folder on your drive for HijackThis, move the program into thids folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.) Do not have HJT fix anything yet, only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HiajckThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

0

Thanks for your help!!! I tried to delete all the Temp/Cookie/Temp Internet folders before, that is when I found out I couldn't delete these files:
http://uk.geocities.com/will64637/commanpic.jpg
I also ran Hijackthis before it showed a few things I didnt recognise (about blank etc.) so I cleared them, now I think my log is clean so that doesn't really help :-| in fact I did so many scans since I got the Freshbar/about blank I think maybe this is what has exhausted the computers components!!! :( I installed many Anti Spy/Virus programs Microsoft Anti spy Beta, Spysweeper, Spywareblaster, Spybot browser protect, Kaspersky, Zone Alarm so maybe these programs exhausted the RAM as I only have 256- is it possible to damage RAM by running too many programs at the same time??

here is the Hijackthis log done in safemode (the 018 was something I did by mistake I think following instructions from Trend Micro to remove all Freshbar associated trojans I deleted a key in regedit :cool: :

Logfile of HijackThis v1.99.0
Scan saved at 15:19:36, on 26/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\WINDOWS\Explorer.EXE
C:\Hthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to spywareblaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: KLBLMain - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

0

Have you tried the remv3 utility yet (link in post #3)? That should clean up the freshbar files.

Did you try emptying your Temp folders from Safe Mode?

0

Have you tried the remv3 utility yet (link in post #3)? That should clean up the freshbar files.

Did you try emptying your Temp folders from Safe Mode?

Hi
I tried deleting all the Temp and Temporary Internet Files in safe mode but I still couldn't delete the files with illegal file names even in command prompt, this was definitely the location of the About Blank and Freshbar files so it looks like they corrupted the file system somehow :evil: anyway I couldn't wait any longer so I did a reinstall . I thought Id mention that Spysweeper was the only prog to detect one of these Freshbar related trojans after running Spybot, Adaware SE, MS AntiSpyware, and Kaspersky Personal Pro, maybe this was because I couldn't run Kaspersky in Safe Mode though. Im trying to decide to get Spysweeper or one of the new Security Suites that claim to have spyware scanning i.e. F-Secure, Trend Micro PC-Cillin ..

Will

0

Did you try emptying your Temp folders from Safe Mode?

I've just been cleaning FreshBar from a friend's system. I found that it had created more than a dozen folders here:

c:\Documents and Settings\[the user's log-on name]\Local Settings\Temp\Temporary Internet Files\Content.IE5

...which I could not delete, even in Safe Mode.

On a moderator's advice here:

http://www.techsupportforum.com/showthread.php?p=159213

...I downloaded a utility called Killbox.exe, copied it to the infected computer, and ran it (still in Safe Mode). I ran its "Delete Temp Files" command (on the Tools menu), and it wiped all of those "undeletable" folders clean. Yay!

Apparently, Killbox can be used to delete any stubborn files or folders, even if they require rebooting to do so. Give it a try.

Cheers, Ander

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.