
Can't Remove Trojan


  • Closed: this topic is closed
22 replies in this topic

#1 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 24 August 2011 - 18:23

I have tried and tried! But Dr.Web is constantly finding this trojan and it can't be removed, deleted or cured! It is located at d:/hp/drv/app12050/src, object: kbdstub.exe

Located at another location: c:/documents and settings/doctor web/quarantine

Please help me, my computer is crazy and the phone line as well.

#2 drumut

    Member

  • Members
  • 325 posts

Posted 24 August 2011 - 18:32

Hi,

Please see our tutorial How To Use Online Virus Scanners?

After doing so, please post your results here!

Removal of one file is kinda easy, but first let's see your results, whether that file is legit or Dr.Web gives you a false-positive result.
OS: Debian Sid, all I have, all I need!

#3 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 24 August 2011 - 19:38

kbdstub.exe; C:\Documents and Settings\Sho Is\DoctorWeb\Quarantine; Trojan.PWS.Vkontakte.341; Incurable.Moved.
KbdStub.exe; D:\hp\Drv\APP12050\src; Trojan.PWS.Vkontakte.341; Incurable.Moved.

I tried to upload the file, which was saved in Excel when it finished scanning, but it wouldn't let me upload the file. It gave me this error message:
Upload failed. You are not permitted to upload this type of file

#4 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 24 August 2011 - 19:58

I have tried to use the scanners, but something is preventing me from getting to the file on my computer. I went to the D drive, clicked on Properties and noticed the size is 2.87 GB (3,084,599,983 bytes) and size on disk is 2.88 GB (3,094,724,608 bytes). WOW!!!!!

#6 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 24 August 2011 - 20:33

Antivirus | Version | Last update | Result
AhnLab-V3 | 2011.08.23.01 | 2011.08.23 | -
AntiVir | 7.11.13.216 | 2011.08.24 | -
Antiy-AVL | 2.0.3.7 | 2011.08.24 | -
Avast | 4.8.1351.0 | 2011.08.24 | -
Avast5 | 5.0.677.0 | 2011.08.24 | -
AVG | 10.0.0.1190 | 2011.08.24 | -
BitDefender | 7.2 | 2011.08.24 | -
ByteHero | 1.0.0.1 | 2011.08.22 | -
CAT-QuickHeal | 11.00 | 2011.08.24 | -
ClamAV | 0.97.0.0 | 2011.08.24 | -
Commtouch | 5.3.2.6 | 2011.08.24 | -
Comodo | 9851 | 2011.08.24 | -
DrWeb | 5.0.2.03300 | 2011.08.24 | Trojan.PWS.Vkontakte.341
Emsisoft | 5.1.0.10 | 2011.08.24 | -
eSafe | 7.0.17.0 | 2011.08.24 | -
eTrust-Vet | 36.1.8519 | 2011.08.24 | -
F-Prot | 4.6.2.117 | 2011.08.24 | -
F-Secure | 9.0.16440.0 | 2011.08.24 | -
Fortinet | 4.2.257.0 | 2011.08.24 | -
GData | 22 | 2011.08.24 | -
Ikarus | T3.1.1.107.0 | 2011.08.24 | -
Jiangmin | 13.0.900 | 2011.08.23 | Trojan/PSW.VKont.of
K7AntiVirus | 9.111.5047 | 2011.08.23 | -
Kaspersky | 9.0.0.837 | 2011.08.24 | -
McAfee | 5.400.0.1158 | 2011.08.24 | -
McAfee-GW-Edition | 2010.1D | 2011.08.24 | -
Microsoft | 1.7604 | 2011.08.24 | -
NOD32 | 6405 | 2011.08.24 | -
Norman | 6.07.10 | 2011.08.23 | -
nProtect | 2011-08-24.01 | 2011.08.24 | -
Panda | 10.0.3.5 | 2011.08.23 | -
PCTools | 8.0.0.5 | 2011.08.24 | -
Prevx | 3.0 | 2011.08.24 | -
Rising | 23.72.01.03 | 2011.08.23 | -
Sophos | 4.68.0 | 2011.08.24 | -
SUPERAntiSpyware | 4.40.0.1006 | 2011.08.24 | -
Symantec | 20111.2.0.82 | 2011.08.24 | -
TheHacker | 6.7.0.1.284 | 2011.08.24 | Trojan/PSW.VKont.bbz
TrendMicro | 9.500.0.1008 | 2011.08.23 | -
TrendMicro-HouseCall | 9.500.0.1008 | 2011.08.24 | -
VBA32 | 3.12.16.4 | 2011.08.24 | TrojanPSW.VKont.acp
VIPRE | 10252 | 2011.08.24 | -
ViRobot | 2011.8.24.4637 | 2011.08.24 | -
VirusBuster | 14.0.182.0 | 2011.08.23 | -

MD5: 7088b136bb58a5f95cf0de8386ca6c0f
SHA1: 1e097570fc327ca89f72f8b2d4921bf6e1b7fb93
SHA256: 7136f482c3795b6a18f4315fd9f01c88cd0372c4b4e3b6ce994402459d7bedc9
File size: 65536 bytes
Scan date: 2011-08-24 11:59:35 (UTC)

#7 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 24 August 2011 - 20:42

http://www.virustotal.com/file-scan/report...edc9-1314205677
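The checks a practitioner would run on the Dr.Web report and the VirusTotal dump above, as an added example written for this page (Python; not the forum's, Dr.Web's or VirusTotal's code): parse both formats, list which engines flagged the file and with what name, and compare a local copy's size and MD5/SHA1/SHA256 against the report before trusting the verdict. All function names, and the shortened excerpts embedded in the block, are this example's own; the stand-in file bytes are constructed, so their hashes are expected not to match the report.

```python
"""Triage a suspected antivirus false positive (added example, not the
thread's or Dr.Web's code). All names are this example's own; the inputs
are constructed excerpts in the layout of the report and dump posted above.
"""
import hashlib
import re

# Constructed excerpt in the layout of the Dr.Web report line posted above:
# a flat stream of object;directory;threat;action records.
DRWEB_REPORT = (
    r"kbdstub.exe;C:\Documents and Settings\Sho Is\DoctorWeb\Quarantine;"
    r"Trojan.PWS.Vkontakte.341;Incurable.Moved.;"
    r"KbdStub.exe;D:\hp\Drv\APP12050\src;Trojan.PWS.Vkontakte.341;Incurable.Moved.;"
)

# Constructed, shortened excerpt of the VirusTotal dump in the same quoted
# layout as the post: a header, vendor rows, then file metadata.
VT_DUMP = (
    '"Antivirus", "Version", "Last update", "Result" '
    '"AhnLab-V3", "2011.08.23.01", "2011.08.23", "-" '
    '"AntiVir", "7.11.13.216", "2011.08.24", "-" '
    '"Avast", "4.8.1351.0", "2011.08.24", "-" '
    '"DrWeb", "5.0.2.03300", "2011.08.24", "Trojan.PWS.Vkontakte.341" '
    '"Jiangmin", "13.0.900", "2011.08.23", "Trojan/PSW.VKont.of" '
    '"Kaspersky", "9.0.0.837", "2011.08.24", "-" '
    '"Microsoft", "1.7604", "2011.08.24", "-" '
    '"Symantec", "20111.2.0.82", "2011.08.24", "-" '
    '"TheHacker", "6.7.0.1.284", "2011.08.24", "Trojan/PSW.VKont.bbz" '
    '"VBA32", "3.12.16.4", "2011.08.24", "TrojanPSW.VKont.acp" '
    '"MD5", "7088b136bb58a5f95cf0de8386ca6c0f" '
    '"SHA1", "1e097570fc327ca89f72f8b2d4921bf6e1b7fb93" '
    '"SHA256", "7136f482c3795b6a18f4315fd9f01c88cd0372c4b4e3b6ce994402459d7bedc9" '
    '"File size", "65536 bytes" '
    '"Scan date", "2011-08-24 11:59:35 (UTC)"'
)

FIELDS = ("object", "directory", "threat", "action")
META_KEYS = ("MD5", "SHA1", "SHA256", "File size", "Scan date")


def parse_drweb_report(text):
    """One dict per object in a Dr.Web report line.

    Empty cells are dropped and a trailing partial record (prose pasted
    after the last ';', as in the post) is ignored.
    """
    cells = [c.strip() for c in text.split(";") if c.strip()]
    full = len(cells) - len(cells) % len(FIELDS)
    return [dict(zip(FIELDS, cells[i:i + 4])) for i in range(0, full, 4)]


def parse_vt_dump(text):
    """Return (vendor rows, metadata dict) from the quoted VT dump."""
    tokens = re.findall(r'"([^"]*)"', text)
    end = next(i for i, t in enumerate(tokens) if t in META_KEYS)
    rows = [dict(zip(("vendor", "version", "updated", "result"), tokens[i:i + 4]))
            for i in range(4, end, 4)]          # skip the 4-token header
    meta = dict(zip(tokens[end::2], tokens[end + 1::2]))
    return rows, meta


def detections(rows):
    """Vendors that flagged the file, and the (hits, total) ratio."""
    hits = {r["vendor"]: r["result"] for r in rows if r["result"] != "-"}
    return hits, (len(hits), len(rows))


def file_hashes(data):
    """MD5/SHA1/SHA256 of the bytes, keyed like the VT metadata."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def matches_report(data, meta):
    """Size first, then every hash: a size match alone proves nothing."""
    reported = meta.get("File size", "").split()
    size_ok = bool(reported) and reported[0] == str(len(data))
    local = file_hashes(data)
    hash_ok = {k: v == meta.get(k, "").lower() for k, v in local.items()}
    return {"size": size_ok, **hash_ok,
            "all": size_ok and all(hash_ok.values())}


def triage(data, drweb_text=DRWEB_REPORT, vt_text=VT_DUMP):
    """Everything a lab submission note needs, as one plain dict."""
    records = parse_drweb_report(drweb_text)
    rows, meta = parse_vt_dump(vt_text)
    hits, (n_hit, n_total) = detections(rows)
    # If report and dump describe the same sample, Dr.Web's family name
    # in the report should be the one VT lists for the DrWeb engine.
    same_name = hits.get("DrWeb") in {r["threat"] for r in records}
    return {"records": records, "hits": hits, "ratio": f"{n_hit}/{n_total}",
            "drweb_name_on_vt": same_name,
            "local_copy": matches_report(data, meta)}


if __name__ == "__main__":
    # Constructed stand-in for the quarantined file: 65536 zero bytes, so
    # the size matches the report while the hashes do not.
    for key, value in triage(bytes(65536)).items():
        print(f"{key}: {value}")
```

To use it on the real quarantined file, read it in binary mode and pass those bytes instead of bytes(65536); only when all three hashes match does the VirusTotal verdict apply to the file actually on the disk. A low hit count where the few detecting engines agree on one family name is worth stating in the comment field when the file is sent to the lab, which is the only place the question gets settled.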

#8 sgian-dubh

    Newbie

  • Posters
  • 40 posts

Posted 26 August 2011 - 00:46

Hello -

Looks like a false-alarm to me; the file would seem to be part of HP's Keyboard Handle.

If the file is in quarantine, please right-click on the Dr.Web icon and select Tools > Quarantine. The quarantine window will open; once it's finished, click on the file in question, then right-click and select "Submit one or more files to Dr.Web's lab for analysis".

Another window will open. In the first box choose "false-alarm"; in the next box fill out your e-mail address so the lab can contact you once the file has been analysed. You can include in the comment section the VirusTotal scan results and any other comments you wish to make (keep it short and to the point).

#9 CARON67

    Newbie

  • Posters
  • 40 posts

Posted 26 August 2011 - 12:39

Hi,

I think that this is a false-alarm.

Please also post an HJT log here, thanks.

Kind regards



#10 ezzo

    Guru

  • Beta Testers
  • 4,203 posts

Posted 26 August 2011 - 12:48

coca cola
Hello...
Can you send that file via PM? Before that, turn off Spider Guard protection, archive the file with a password and send it to me.
Kind regards.

Regards, ezzo.


#11 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 28 August 2011 - 23:27

When I right-click I don't see any of this you are talking about! My computer keeps getting limited connectivity at all times, so I don't believe this is a false alarm here. Something is going on here, because I can be working on the internet and all of a sudden I am cut off from accessing the internet! I have tried to get rid of this but it comes back furious each time. The computer is very sluggish, stalling when going from page to page, and stalls when I enter my password into sites! Please give me step by step on how to send the file to you! I located the file and have it on my desktop!

Message edited by coca cola: 28 August 2011 - 23:28


#12 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 28 August 2011 - 23:33

When I try to upload, it tells me the file is not permitted, as usual.

#13 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 28 August 2011 - 23:42

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:42:00 PM, on 8/28/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\College Graduate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KZ2AV537\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [PCDrProfiler] C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe -r
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4900 bytes


Here is the HJT log you asked for. I can only work in safe mode with networking so far!

#14 sgian-dubh

    Newbie

  • Posters
  • 40 posts

Posted 29 August 2011 - 01:16

Hello

Can you tell us which Dr.Web programme you are using, as your log indicates that you have Avira installed. You cannot have two antivirus programs running on the same system, as they can cause a multitude of problems, including but not limited to a system crash.

So, if you have two or more antivirus programs running (I also see Symantec (Norton) in your log), please remove them and leave just one antivirus installed. The same is also true for firewalls: no more than one.

You also have AVG Antispyware, this programme was discontinued a few years ago, you should uninstall that as well.
http://forums.avg.com/us-en/avg-free-forum...w&id=164551

Once that is done, let us know if the problem persists.

Message edited by sgian-dubh: 29 August 2011 - 01:16
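One way to check a HijackThis log for the overlap sgian-dubh describes, as an added example that is not part of the original post and is not HijackThis's own code: it parses O4 autorun and O23 service lines, attributes each to a security-product vendor through a small keyword table, and reports when more than one resident product shows up. The keyword table, the function names and the shortened excerpt embedded in the block (copied from the layout of the log above) are this example's own assumptions.

```python
"""Flag overlapping security products in a HijackThis log (added example,
not from the thread or from HijackThis). Names and the keyword table are
this example's assumptions; the input is a shortened excerpt in the layout
of the O4/O23 lines posted above.
"""
import re

HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")

# Keyword -> product, matched case-insensitively against company and path.
# Assumed for the example; order matters (Avira's avgnt.exe would also
# match a bare "avg"), so the more specific keywords come first.
SECURITY_VENDORS = {
    "avira": "Avira", "antivir": "Avira",
    "symantec": "Symantec/Norton", "norton": "Symantec/Norton",
    "grisoft": "AVG", "avg anti-spyware": "AVG",
    "doctor web": "Dr.Web", "drweb": "Dr.Web",
}


def image_path(cmd):
    """The executable from a Run-key command line, quoted or bare."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.strip() else ""


def parse_hjt(text):
    """Return autorun (O4) and service (O23) entries as plain dicts."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "autorun", "name": m["name"],
                            "company": "", "path": image_path(m["cmd"])})
            continue
        m = O23_RE.match(line)
        if m:
            # display name - company - path; the path may itself contain " - "
            parts = m["rest"].split(" - ")
            if len(parts) >= 3:
                entries.append({"kind": "service", "name": parts[0],
                                "company": parts[1],
                                "path": " - ".join(parts[2:])})
    return entries


def vendor_of(entry):
    """Security product an entry belongs to, or None."""
    haystack = f'{entry["company"]} {entry["path"]}'.lower()
    for keyword, product in SECURITY_VENDORS.items():
        if keyword in haystack:
            return product
    return None


def security_products(entries):
    """Map product -> names of the entries that belong to it."""
    found = {}
    for entry in entries:
        product = vendor_of(entry)
        if product:
            found.setdefault(product, []).append(entry["name"])
    return found


def conflicting(entries):
    """Sorted product list when more than one resident product is present."""
    found = security_products(entries)
    return sorted(found) if len(found) > 1 else []


if __name__ == "__main__":
    parsed = parse_hjt(HJT_EXCERPT)
    for product, names in security_products(parsed).items():
        print(f"{product}: {', '.join(names)}")
    print("conflict:", conflicting(parsed))
```

On the excerpt this reports Avira, AVG and Symantec/Norton side by side, which is the situation the post above asks to resolve. Fed the full log, the same grouping also shows which services and Run keys will disappear once a product is uninstalled, a useful before/after check when an uninstaller errors out.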


#15 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 04 September 2011 - 03:25

OK, I have tried to uninstall Symantec and it keeps giving me an error! It won't let me uninstall it! Also, I am not able to download certain things, and every time I open IE it tells me that the operation has been aborted!! UGGGGGGGGGGGh

Also, how do I find out what version of Dr.Web I am running? I tried and it just stated the program is 16 days old.

Message edited by coca cola: 04 September 2011 - 03:27


#16 sgian-dubh

    Newbie

  • Posters
  • 40 posts

Posted 05 September 2011 - 01:16

* Start HijackThis
* Click on the Config button
* Click on the Misc Tools button
* Click on the Open Uninstall Manager button.
* You can click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into your next reply.

You'll need to re-download HijackThis. Do not run HijackThis in your browser; instead save the file to your desktop and then run it from there. This will install HJT.

To remove Norton, try their removal tool.
ftp://ftp.symantec.com/public/english_us_...emoval_Tool.exe
http://us.norton.com/support/kb/web_view.j...0080828154508EN <---Run the removal tool in normal mode and disable Avira if it is active, also disable Dr.Web if it too is active. Right-click on the Dr.Web icon> Spider Guard> Disable> enter the numbers in the box

You can download these tools in safe mode with networking, if you have trouble in normal mode.

As for which version of Dr.Web you have installed, there should be an icon in your taskbar, right-click on it and select about.

#17 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 11 September 2011 - 00:29

I cannot use my mouse or keyboard, so what I have on my system is messing up everything.

#18 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 11 September 2011 - 00:48

Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
AVG Anti-Spyware 7.5
Avira AntiVir Personal - Free Antivirus
Enhanced Multimedia Keyboard Solution
Hardware Diagnostic Tools
HijackThis 2.0.2
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.0
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
Microsoft Antimalware
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox 6.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
NVIDIA Drivers
Python 2.4.3
RealPlayer
Realtek High Definition Audio Driver
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Soft Data Fax Modem with SmartCP
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Word 2007 Help (KB963665)

#19 coca cola

    Newbie

  • Posters
  • 13 posts

Posted 11 September 2011 - 00:52

OK, here is a message that I keep getting every time I try to download: user "System" has previously initiated an install for product 'MSXML 4.0 (kb973688)'. That user will need to run that install again before they can use that product. Your current install will now continue. And nothing happens when I do. So a trojan or virus is definitely controlling this computer. At times I am not able to use the mouse, scroll or anything, so I guess it has taken over.

"Removal of one file is kinda easy but first let's see your results if that file is legit or dr.web gives you false positive result.." (please help me remove any part of this, it will be helpful). This was a post one of your moderators posted early on!

Message edited by coca cola: 11 September 2011 - 00:54


#20 sgian-dubh

    Newbie

  • Posters
  • 40 posts

Posted 12 September 2011 - 20:07

Hello

"I cannot use my mouse or keyboard, so what I have on my system is messing up everything."


The reason you're unable to use the keyboard/mouse is because the file in quarantine is needed for your keyboard/mouse. I still believe this is a false-alarm.

You still have AVG Antispyware installed, you also have Microsoft Antimalware installed, both of these have been discontinued - so remove them.

"OK, here is a message that I keep getting every time I try to download: user "System" has previously initiated an install for product 'MSXML 4.0 (kb973688)'. That user will need to run that install again before they can use that product. Your current install will now continue. And nothing happens when I do. So a trojan or virus is definitely controlling this computer. At times I am not able to use the mouse, scroll or anything, so I guess it has taken over."


I have not seen anything that would deem this to be a virus or trojan. There seem to be quite a few people having trouble installing kb973688.
http://answers.microsoft.com/en-us/windows...8b-35c5b6a6202d

As I see kb973688 is installed according to your HJT add/remove log, you may want to uninstall it; this may correct the problem, and you can always re-install it if need be.

As I see no indication of Dr.Web being installed, can you tell us which version of Dr.Web you were/are using?

We have to send the file to the lab for clarification. Only the lab can give you the answer as to whether the file is malicious or, as I believe it to be, a false-alarm.

Message edited by sgian-dubh: 12 September 2011 - 20:08


