Mischel Internet Security Forum > Malware > Adware, Browser Hijackers and other Malware
Topic: RB3.tmp file
timdwalker (Newbie, Posts: 2) wrote on Nov 9th, 2006, 6:32am:
I can't seem to get rid of the above file, so I have already run HijackThis and produced a log. Results are shown below:
 
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Tim\Desktop\AnalyzeThis\AnalyzeThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Display Settings] "C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" /s
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QT4HPOT] "C:\Program Files\HPQ\One-Touch\OneTouch.EXE"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139427839839
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140899391032
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 
Any help would be appreciated a great deal, thank you.
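The HijackThis log above is read by eye in this thread. As an added example (not from this page, HijackThis or TrojanHunter), here is a small Python triage script that parses lines in that log format and flags the entry types a reviewer usually checks first: O4 Run values with a bare file name, O16 ActiveX downloads from non-first-party hosts, O20 Winlogon Notify entries whose DLL is missing, and O23 services with no vendor. The sample lines and the first-party host list are constructed assumptions for this example; the flags are review prompts, not verdicts.

```python
import re

# Constructed sample in HijackThis log format (same shape as the log posted
# above; the O16 URLs are written without line-wrap spaces) so this runs offline.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139427839839
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
""".strip()

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Hosts treated as first-party for O16 (ActiveX download) entries: an assumption
# for this example; extend it to whatever your environment actually trusts.
FIRST_PARTY_HOSTS = ("microsoft.com",)

def parse_hjt(text):
    """Return (section, body) pairs for every well-formed HijackThis line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def is_first_party(host):
    return any(host == h or host.endswith("." + h) for h in FIRST_PARTY_HOSTS)

def triage(text):
    """Return (section, reason, body) notes for entries that deserve a second
    look. These are heuristics to prioritise manual review, not malware verdicts."""
    notes = []
    for section, body in parse_hjt(text):
        if section == "O4":
            command = body.split("] ", 1)[-1]  # text after "[Name] "
            if "\\" not in command:
                # Bare file name: resolved via the PATH search order, so the log
                # does not show which binary actually runs.
                notes.append((section, "unqualified path", body))
        elif section == "O16":
            m = re.search(r"https?://([^/\s]+)/", body)
            if m and not is_first_party(m.group(1).lower()):
                notes.append((section, "third-party ActiveX download", body))
        elif section == "O20" and "(file missing)" in body:
            notes.append((section, "dangling Winlogon Notify DLL", body))
        elif section == "O23" and "Unknown owner" in body:
            notes.append((section, "service with no vendor information", body))
    return notes
```

Running `triage(SAMPLE_HJT)` on the sample yields four notes, one per section O4, O16, O20 and O23; each still needs a human to confirm the file on disk before anything is removed.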
siliconman01 (Global Moderator, Posts: 5576) replied on Nov 9th, 2006, 7:47am:
Welcome to the forum, timdwalker.
 
Nothing obvious is showing up in your HJT scan log.  However, that does not mean that everything is okay because there was recently another person with this same problem and the system was infected.  Please do this:
 
1.  Download/Install the trial version of TrojanHunter V4.6.930.
 
http://www.misec.net/trojanhunter/
 
2.  Once installed, run LiveUpdate to obtain the very latest rulesets for TH.
 
3.  Then open TH scanner and click on the Options icon on the left side bar.  Check mark all the options in the list of options.  Close TH scanner.  
 
4.  Reboot your system into SAFE MODE.
 
5.  Run a FULL Scan with TH scanner.  Let it quarantine what it finds.  Under File in the top menu, save the scan log.
 
6.  Once the scan/cleaning is completed, reboot back into NORMAL mode.  
 
7.  Then run a REMOTE scan using Bit Defender.  The link below provides a link to the remote Bit Defender scanner.
 
-  BE SURE your resident anti-virus is disabled while you run the remote scan.
-  You will need to use IE because the remote scanner requires that ActiveX be used.  
 
http://www.misec.net/forum/board/FAQ/1141894786
 
8.  Then post the scan log results for TrojanHunter and also the Bit Defender scan.
 
9.  Post a new HJT scan log.  
 
timdwalker (Newbie, Posts: 2) replied on Nov 11th, 2006, 8:34am:
Having completed the scan in SAFE MODE and run Bitdefender, I have enclosed the following scan results:
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Tim\Desktop\Unused Desktop Shortcuts\AdbeRdr707_en_US.exe (Add to ignore list)
C:\pagefile.sys  Not scanned (in use by another application)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\$NtServicePackUninstall$\usbuhci.sys (Add to ignore list)
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_78dc7c11\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.kor.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\system.web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\system.xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.kor.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mscorrc.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mscorrc.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mscorrc.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mscorrc.kor.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\system.web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\system.xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\vbc7ui.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\vbc7ui.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\vbc7ui.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\vbc7ui.kor.dll
No trojan files found
16460 files scanned in 1423 seconds
 
And from Bitdefender:
 
Scan path: A:\;C:\;D:\;

Statistics
  Time:          01:10:51
  Files:         258607
  Folders:       4183
  Boot Sectors:  2
  Archives:      1892
  Packed Files:  27643

Results
  Identified Viruses:  1
  Infected Files:      1
  Suspect Files:       0
  Warnings:            0
  Disinfected:         0
  Deleted Files:       1

Engines Info
  Virus Definitions:  313736
  Engine build:       AVCORE v1.0 (build 2355) (i386) (Sep 25 2006 13:46:24)
  Scan plugins:       13
  Archive plugins:    38
  Unpack plugins:     6
  E-mail plugins:     6
  System plugins:     1

Scan Settings
  First Action:        Disinfect
  Second Action:       Delete
  Heuristics:          Yes
  Enable Warnings:     Yes
  Scanned Extensions:  *;
  Exclude Extensions:
  Scan Emails:         Yes
  Scan Archives:       Yes
  Scan Packed:         Yes
  Scan Files:          Yes
  Scan Boot:           Yes

Scanned File -> Status
  C:\System Volume Information\_restore{F2EFCF42-7B10-44D8-8C31-4D3A14FAC0D0}\RP295\A0078735.exe=>(NSIS o) -> Infected with: Trojan.Zlob.EW
  C:\System Volume Information\_restore{F2EFCF42-7B10-44D8-8C31-4D3A14FAC0D0}\RP295\A0078735.exe=>(NSIS o) -> Disinfection failed
  C:\System Volume Information\_restore{F2EFCF42-7B10-44D8-8C31-4D3A14FAC0D0}\RP295\A0078735.exe=>(NSIS o) -> Deleted
  C:\System Volume Information\_restore{F2EFCF42-7B10-44D8-8C31-4D3A14FAC0D0}\RP295\A0078735.exe -> Update failed

 
Hope this all helps.
 
Tim
siliconman01 (Global Moderator, Posts: 5576) replied on Nov 11th, 2006, 1:25pm:
Welcome back,
 
Concerning the infections in your C:\System Volume Information folder, please see the link below for cleaning out the System Restore folder.
 
http://www.misec.net/forum/board/FAQ/1139255588
 
If you follow the procedure in the above link, your System Restore will be cleaned.
 
Are you still seeing the RB3.tmp file since Bit Defender found and cleaned whatever virus it found?
 
Also, please post a new HJT scan log after you clean out your System Volume Information folder.