
2 issues: tt1.tmp.vbs missing / "Spyware detected" desktop

Discussion in 'Windows - Virus and spyware problems' started by whiteshoe, Aug 12, 2008.

  1. 2oldGeek (Active member)

    @ Zoneblitz,



    1.) The joke bluescreen is NOT a virus. It is a legitimate program that you can get from Microsoft. This one, however, was installed on your computer, without your permission, by a malicious Trojan, which we got rid of.

    Blue Screen Of Death is now available from Microsoft's own Web site.
    But antivirus vendors are not impressed with the spoof screensaver software, which is named BlueScreen v3.2.


    2.) Don’t pay money for an AntiVirus. There are many Free AV’s that do as well or better than the paid versions. - This is the order they are ranked by independent testers according to their ability to remove viruses: No.1 Avira Antivir , No.2 Avast, No.3 AVG.


    3.) No, you did not pass it to your friends. It is not a virus.



    Back to your other problem; I can see where you became confused, if you are a novice to computer problems, so let’s take a little different approach.

    First, were you able to delete this line from your HJT Log? ->
    O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe

    And is it missing from a scan now??

    Let me know.
    2OG
     
  2. 2oldGeek (Active member)

    @Oukeef,




    Yes, send MONEY! The pay here is below poverty level! ….. Just kidding. LMAO



    Most of what I know came from over 45 years of programming and being involved with computers in various ways. A lot of reading, research, trial/error and overcoming a lot of mistakes. Good judgment comes from Experience and Experience comes from a Lot of Poor Judgment… Blood, Sweat and Bits. So to speak.

    If you have an interest in malware removal and wish to help others, consider joining Malware Removal University – Click Here to read about it.

    What keeps me going, is just a kind word, occasionally, from some poor malware victim that I was able to help.


    2OG and you are welcome
     
  3. Zoneblitz (Member)

    Thanks for answering the questions. Thanks for helping me again. Let me do a scan and I'll be right back with the results. I'm pretty sure it's still on there because I couldn't figure out how to delete it.
     
  4. Zoneblitz (Member)

    Yeah, it's still there

    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 3059 bytes
     
  5. 2oldGeek (Active member)

    @ Zoneblitz,


    I am having trouble because I don’t think you understand the Basic commands and terms like: Navigate to, Copy, Paste, press Ctl+C, Select, and others.

    We’ll try again but please if you cannot understand, please find someone more knowledgeable to assist you with these instructions. I just really don’t have the time to teach you…


    1.) Run Pocket Killbox
    • Download Pocket Killbox from here
    • Double-click on Killbox.exe to start Pocket Killbox
    • Select the Delete on reboot option
    • Click on All Files
    • Select the text in the below codebox and press Ctrl+C to copy it to the clipboard

    Code:
     C:\WINDOWS\system32\octblido.exe 


    • Go back to Pocket Killbox and click File > Paste from clipboard
    • Click on the button in Pocket Killbox that looks like this [​IMG]
    • You will now get the prompt Files will be removed on reboot, Do you want reboot now?
    • Click Yes, this will restart your pc
    Note: If your PC does not restart automatically, please restart it manually



    2.) Run HijackThis

    Click on do a system scan only
    Place a checkmark next to these lines(if still present)

    O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe

    Then close all windows except HijackThis and click Fix Checked


    Now post a fresh HijackThis Log so I can see the results.


    2OG
     
  6. Zoneblitz (Member)

    I downloaded Pocket Killbox to my desktop but when I go to run it I get this error. I've tried 2 times already

    "Component 'MSCOMCTL.OCX' or one of its dependencies not currently registered: A file is missing or invalid."

    Any ideas why this is happening?
     
    Last edited: Aug 24, 2008
  7. 2oldGeek (Active member)

    Yes, I know what the problem is, but I can't hold your hand through this so get someone to help you...

    Sometimes certain Microsoft Libraries can become unregistered when installing and uninstalling a lot of software. One very common problem is the MSCOMCTL.OCX.

    To correct the error, first search your drive for MSCOMCTL.OCX to see if you have it. If not you can download it from HERE

    The file should be placed in C:\WINDOWS\SYSTEM32 if you are using WinXP.

    Once it is there click START--> RUN and type "REGSVR32 MSCOMCTL.OCX" (No quotes) in the box.

    That should fix the problem.
     
  8. asad_1129 (Member)

    @ 2oldGeek
    HERE ARE THE LOG FILES FOR MALWARE & HIJACKTHIS

    Malwarebytes' Anti-Malware 1.28
    Database version: 1225
    Windows 5.1.2600 Service Pack 1

    10/1/2008 2:26:49 AM
    mbam-log-2008-10-01 (02-26-42).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 120014
    Time elapsed: 44 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 6
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\http://91.203.92.13/files/41/0/file.exe (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcp9ej0et8e (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdmjq.exe -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\asad\Local Settings\Application Data\Mozilla\Firefox\Profiles\hzaspvpm.default\Cache\40095895d01 (Trojan.Vundo) -> No action taken.
    C:\System Volume Information\_restore{E7D4B289-DA21-4822-9EAE-D7C4D54CD65F}\RP158\A0598424.exe (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\wscmp.dll (Rogue.Multiple) -> No action taken.
    D:\Downloads\CBO_Setup_4.27.exe (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\phcp9ej0et8e.bmp (Trojan.Downloader) -> No action taken.
    C:\WINDOWS\system32\sex1.ico.tmp (Malware.Trace) -> No action taken.
    C:\WINDOWS\system32\sex2.ico.tmp (Malware.Trace) -> No action taken.
    C:\WINDOWS\system32\sex3.ico.tmp (Malware.Trace) -> No action taken.
    C:\WINDOWS\system32\mmdmm.exe (Backdoor.Bot) -> No action taken.
    C:\WINDOWS\system32\lcsass.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system\run.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\lphcp9ej0et8e.exe (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\asad\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\asad\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> No action taken.

    ******************************************

    HERE IS THE LOG FILE FOR HIJACKTHIS

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:32:55 AM, on 10/1/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\nod\nod32krn.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\carpserv.exe
    D:\Program Files\nod\nod32kui.exe
    C:\Program Files\A4Tech\Mouse\Amoumain.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\ul\CalCheck.exe
    C:\Program Files\Comodo\CBOClean\BOC427.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - d:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: (no name) - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - d:\Program Files\Orbitdownloader\GrabPro.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [PE2CKFNT SE] d:\program files\ul\ChkFont.exe
    O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\nod\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [lphcp9ej0et8e] C:\WINDOWS\System32\lphcp9ej0et8e.exe
    O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = D:\Program Files\ul\CalCheck.exe
    O8 - Extra context menu item: &Download by Orbit - res://d:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://d:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://d:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://d:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3FA0425-FC0F-44C9-A0E8-017D3F7DFB21}: NameServer = 203.99.163.240,203.99.163.243
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\nod\nod32krn.exe

    --
    End of file - 5466 bytes
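The two HijackThis logs in this thread are read by hand above; as an added example (not code from the thread or from HijackThis), here is a small triage pass over lines of that format. It parses O4 autostart entries, O17 NameServer entries and orphaned O2/O3 entries and flags the patterns the helpers react to. The sample lines are copied from the logs posted here; the allowlist of system autostarts and the expected resolver address are assumptions.

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - (no file)
O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe
O4 - HKLM\..\Run: [lphcp9ej0et8e] C:\WINDOWS\System32\lphcp9ej0et8e.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\nod\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3FA0425-FC0F-44C9-A0E8-017D3F7DFB21}: NameServer = 203.99.163.240,203.99.163.243
"""

# Assumptions (not from the thread): system binaries that may legitimately
# autostart from the Windows directory, and the resolvers this user expects.
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe"}
EXPECTED_NAMESERVERS = {"192.168.1.1"}  # placeholder for the ISP/DHCP-issued resolvers

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
ORPHAN_RE = re.compile(r"^O[23] - .* - \(no file\)$")
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

def command_path(command):
    """Return the lower-cased executable path from an O4 command, dropping arguments."""
    if command.startswith('"'):
        path = command[1:command.index('"', 1)]
    else:
        parts = command.split()
        path = parts[0] if parts else ""
    return path.replace("%systemroot%", r"C:\WINDOWS").lower()

def triage(log_text):
    """Return (severity, reason, line) for HijackThis lines worth a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:  # autostart entry: flag unknown binaries living in the Windows dir
            folder, _, name = command_path(m.group(3)).rpartition("\\")
            if folder in WINDOWS_DIRS and name not in KNOWN_SYSTEM_AUTOSTARTS:
                findings.append(("high", f"autostart from Windows dir: {name}", line))
            continue
        m = O17_RE.match(line)
        if m:  # DNS settings: any resolver not issued by the ISP/DHCP is suspect
            servers = {s.strip() for s in m.group(1).split(",")}
            unexpected = sorted(servers - EXPECTED_NAMESERVERS)
            if unexpected:
                findings.append(("high", "DNS servers changed: " + ", ".join(unexpected), line))
            continue
        if ORPHAN_RE.match(line):  # BHO/toolbar whose file is gone: leftover to clean
            findings.append(("low", "orphan entry, no file on disk", line))
    return findings
```

Calling `triage(SAMPLE_LOG)` flags octblido.exe and lphcp9ej0et8e.exe (both named in the thread), the two changed nameservers and the orphan BHO, while leaving ctfmon.exe and the NOD32 entry alone.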
     
