Author Topic: Cant find/remove virus  (Read 7228 times)

0 Members and 1 Guest are viewing this topic.

Jeff785

  • Guest
Cant find/remove virus
« on: December 27, 2003, 05:40:04 AM »
I first noticed I had a problem when I turned on my computer and it took 5 minutes to get to windows. Then I notice next to my mouse pointer, a blinking cd icon is flashing all the time. Internet explorer takes about 5 minutes to open the first time. I installed Avast and it found bugbear-b and win32:trojan-gen. I removed them but bugbear keeps coming back. In my msconfig under startup, there is a item called "ivbxxbi" I have unchecked it but it turns it self back on every time I check. This ivbxxbi is also in my local/settings/temp folder. I cannot delete it and it shows as not infected. I dont know whats what to do, the system is way too slow to use and probably not secure. Im beginning to think I must format but maybe you guy know whats wrong.



Logfile of HijackThis v1.97.7
Scan saved at 8:30:37 PM, on 12/26/2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\PaperPort\fbdirect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\Remind32.exe
C:\Program Files\Greetings Workshop\Gwremind.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINZIP\winzip32.exe
C:\Documents and Settings\Maureen\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [fbdirect] C:\Program Files\ScanSoft\PaperPort\fbdirect.exe
O4 - HKLM\..\Run: [ivbxxbi] rundll32 C:\WINDOWS\System32\ivbxxbi.dll,Init 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37786.0460416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Cant find/remove virus
« Reply #1 on: December 27, 2003, 11:03:56 AM »
I removed them but bugbear keeps coming back. In my msconfig under startup, there is a item called "ivbxxbi"

It is an Afcore Variant, i d o not know why Avast did not find it, because they have a sample of this Malware. Maybe it is not ITW, but it is definitly not ZOO. You can easily remove it by typing:
rundll32 C:\WINDOWS\System32\ivbxxbi.dll,uninstall in a Dosbox. Than disable the Startups via msconfig or Hijackthis and make a restart.
Use the Avast cleaner http://www.avast.com/i_idt_171.html to get rid of the Bugbear Worm. Where does Avast report the Bugbear(file/folder)?
MfG Ralf

Jeff785

  • Guest
Re:Cant find/remove virus
« Reply #2 on: December 27, 2003, 08:56:09 PM »
When I type that it gives me a error saying missing entry: uninstall. The bugbear was in system restore files, which I turned off, and if I remember it was iexlporer once, audio.exe, pagefile.sys and others.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Cant find/remove virus
« Reply #3 on: December 27, 2003, 09:25:08 PM »
Da*n, okay an other try, are you able to find the file in the System32 folder? If yes, than start a dosbox change to the system32 folder, open the Taskmanager and kill the Explorer.exe(!!) Task and all rundll32.exe Tasks, than  delete the file, by typing: del ivbxxbi.dll
  and restart.
MfG Ralf

Jeff785

  • Guest
Re:Cant find/remove virus
« Reply #4 on: December 27, 2003, 09:40:53 PM »
Raman, before I read this I created a win98 boot disk to get to dos (I use xp but fat32). I deleted the ivbxxbi.dll file through dos sucessfully because it gave me errors saying it could not find it on startup. So that is gone, but I still get this strange flashing cd icon next to my mouse pointer, its like the hourglass but it blinks all the time. Also my computer took just as long to turn on, but internet exlporer opened at a decent speed. Im gonna do another scan at the moment.
« Last Edit: December 27, 2003, 09:41:10 PM by Jeff785 »

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Cant find/remove virus
« Reply #5 on: December 27, 2003, 09:48:56 PM »
FAT32, nice to here that, because that thing  hide itself in alternate datastreams of NTFS drives and is difficult to find. One thing you should really do is to update your Windows /IE via www.windowsupdate.com.
MfG Ralf

mnelson

  • Guest
Re: Cant find/remove virus
« Reply #6 on: September 30, 2006, 03:48:19 AM »
Hi all, I am working on a problem and need some help...a lot of help  :)  It is related to pagefile.sys.  I ran BART and it reported an infection, ZLOB, with the infected file pagefile.sys.  BART removed it from the directory, said it was deleted so I thought I was home free.  However, when Windows booted and re-built pagefile.sys it placed pagefile.sys back in the same area on disk, so I had to use the shreader option BART provides.  That seemed to work.  AT least until I rebooted Windows and then later ran BART again.  ZLOB was back.  I repeated the process and found that other infections would come up, also attached to pagefile.sys, such as Agent, BV, and a few others.  I have ran AVAST's own AV, as well as Trend-Micro, Norton, AVG, and quite a few others.  In all cases they report no infection so take no action.  But when i run BART again it reports the infection.  I think thats because they may not be able to scan pagefile.sys as it is in use, and a Windows Protected File.  I have tried turning System Restore off, turning pageing off, and a few other things.  I have not tried a 5 pound sledge yet..but it may come to that :).  I also tried moving the pagefile to another disk, but that was unsuccessful as well.  I have searched all over for information and have yet to find much.    I am somewhat convinced that the real culpret is somehow imbeded in Windows XP Pro, and when Windows sets up pagefile.sys at boot time...whammo!   As to why no AV software finds it is beyond me.   My question is has anyone else experienced similar problems and if so, did you get rid of this pest.

Thanks
Mike Nelson

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Cant find/remove virus
« Reply #7 on: September 30, 2006, 09:15:39 AM »
Hi mnelson,

Why have you attached this question to a very old topic?

In future, please start a new thread in the appropriate board.

Zlob is a Trojan downloader associated with rogue anti-spyware scams.

To look for Trojans, I recommend the anti-Trojan program Ewido (requires win200/XP):

http://www.ewido.net/en/

The malware downloaded by Zlob is very tricky to remove but there is a removal tool:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Follow the instructions on the page.

Good luck!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog