2 issues: tt1.tmp.vbs missing / "Spyware detected" desktop

@ Zoneblitz,

1.) The joke bluescreen is NOT a virus. It is a legitimate program that you can get from Microsoft. This one, however, was installed on your computer, without your permission, by a malicious Trojan, which we got rid of.

Blue Screen Of Death is now available from Microsoft's own Web site.
But antivirus vendors are not impressed with the spoof screensaver software, which is named BlueScreen v3.2.

2.) Don’t pay money for an AntiVirus. There are many Free AV’s that do as well or better than the paid versions. - This is the order they are ranked by independent testers according to their ability to remove viruses: No.1 Avira Antivir , No.2 Avast, No.3 AVG.


3.) No, you did not pass it to your friends. It is not a virus..



Back to your other problem; I can see where you became confused, if you are a novice to computer problems, so let’s take a little different approach.

First, were you able to delete this line from your HJT Log? ->
O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe

And is it missing from a scan now??

Let me know.
2OG

 

@Oukeef,

Yes, send MONEY! The pay here is below poverty level! ….. Just kidding. LMAO

Most of what I know came from over 45 years of programming and being involved with computers in various ways. A lot of reading, research, trial/error and overcoming a lot of mistakes. Good judgment comes from Experience and Experience comes from a Lot of Poor Judgment… Blood, Sweat and Bits. So to speak.

If you have an interest in malware removal and wish to help others, consider joining Malware Removal University – Click Here to read about it.

What keeps me going, is just a kind word, occasionally, from some poor malware victim that I was able to help.


2OG and you are welcome

 

Thanks for answering the questions.Thanks for helping me again.Let me do a scan and ill be right back with the results.Im pretty sure its still on there because I couldnt figure out how to delete it.

 

Yeah its still there

C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 3059 bytes

 

@ Zoneblitz,


I am having trouble because I don’t think you understand the Basic commands and terms like: Navigate to, Copy, Paste, press Ctl+C, Select, and others.

We’ll try again but please if you cannot understand, please find someone more knowledgeable to assist you with these instructions. I just really don’t have the time to teach you…


1.) Run Pocket Killbox
• Download Pocket Killbox from here
• Double-click on Killbox.exe to start Pocket Killbox
• Select the Delete on reboot option
• Click on All Files
• Select the text in the below codebox and press Ctrl+C to copy it to the clipboard

Code:

 C:\WINDOWS\system32\octblido.exe 

• Go back to Pocket Killbox and click File > Paste from clipboard
• Click on the button in Pocket Killbox that looks like this
• You will now get the prompt Files will be removed on reboot, Do you want reboot now?
• Click Yes, this will restart your pc
• Note: If your PC does not restart automatically, please restart it manually



2. ) Run HijackThis

Click on do a system scan only
Place a checkmark next to these lines(if still present)

O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe

Then close all windows except HijackThis and click Fix Checked


Now post a fresh HijackThis Log so I can see the results.


2OG

 

I downloaded pocket killbox to my destop but when I go to run it I get this error.Ive tried 2 times already

"Component 'MSCOMCTL.OCX' or one of its dependencies not currently registered: A file is missing or invalid."

Any ideas why this is happening?

 

Yes, I know what the problem is, but I can't hold your hand through this so get someone to help you..........

Sometime certain Microsoft Libraries can become unregistered when installing and uninstalling a lot of software. One very common problem is the MSCOMCTL.OCX.

To correct the error, first search your drive for MSCOMCTL.OCX to see if you have it. If not you can download it from HERE

The file should be placed in C:\WINDOWS\SYSTEM32 if you are using WinXP.

Once it is there click START--> RUN and type "REGSVR32 MSCOMCTL.OCX" (No quotes) in the box.

That should fix the problem.

 

@ 2oldGeek
HERE ARE THE LOG FILES FOR MALWARE & HIJACKTHIS

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 1

10/1/2008 2:26:49 AM
mbam-log-2008-10-01 (02-26-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 120014
Time elapsed: 44 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 6
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\http://91.203.92.13/files/41/0/file.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcp9ej0et8e (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdmjq.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\asad\Local Settings\Application Data\Mozilla\Firefox\Profiles\hzaspvpm.default\Cache\40095895d01 (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{E7D4B289-DA21-4822-9EAE-D7C4D54CD65F}\RP158\A0598424.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wscmp.dll (Rogue.Multiple) -> No action taken.
D:\Downloads\CBO_Setup_4.27.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\phcp9ej0et8e.bmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\sex1.ico.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\sex2.ico.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\sex3.ico.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\mmdmm.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\lcsass.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system\run.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\lphcp9ej0et8e.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\asad\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\asad\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> No action taken.

******************************************

HERE IS THE LOG FILE FOR HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:55 AM, on 10/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\nod\nod32krn.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
D:\Program Files\nod\nod32kui.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\ul\CalCheck.exe
C:\Program Files\Comodo\CBOClean\BOC427.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - d:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - d:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] d:\program files\ul\ChkFont.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\nod\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphcp9ej0et8e] C:\WINDOWS\System32\lphcp9ej0et8e.exe
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = D:\Program Files\ul\CalCheck.exe
O8 - Extra context menu item: &Download by Orbit - res://d:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://d:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://d:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://d:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3FA0425-FC0F-44C9-A0E8-017D3F7DFB21}: NameServer = 203.99.163.240,203.99.163.243
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\nod\nod32krn.exe

--
End of file - 5466 bytes