
Author Topic: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)  (Read 48809 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
That is part of Avast.

ashdisp.exe is a process belonging to Avast Internet security suite. This utility forms an important part of your computer's protection against Internet-bound viruses and worms, and should not be terminated.

green tea

    Topic Starter


    Intermediate

    Thanked: 1
    Ok, I approved that. Then winpatrol popped up with this message.

    Winpatrol File Type Change Alert

    Scotty is on patrol and has detected a change to one of your file type associations.    .SCR

    The program currently assoc. with this file type is:
    No Icon    Name    Info
               Company name
               %1 /S


    A change was made to use following program for this file type.
    No Icon    Name    Info
               Company name
               %1 %*


    Is this change ok?
    Yes or No

    .........
    ^I'm trying to replicate how it looks in the window. Evil, what is all this?? I have no clue what's going on.

    evilfantasy

    It is a screensaver file, but can be very dangerous. Don't open if you got one per mail.

    Avast has a screensaver setting so it is most likely related to that. Allow it.

    green tea

      Ok I allowed it. Why is there a screensaver? And if it's dangerous, why is it there?

      Also, can you do a rundown of how Winpatrol works? I thought it would just automatically stop everything trying to get in the pc without those popup alerts.

      Also, does the number of Avast providers matter (say 4 vs 6)? If the more the better, how can I get back to having 7 providers running.

      (Sorry for the nonstop questions) :o

      evilfantasy

      I have never had all seven providers running on either of my PCs. Depending on what you use they will not all run. Double click on the Avast icon in the system tray then click the details tab near the bottom. You will see what all providers you have in the left side.

      WinPatrol is a monitor. It alerts you to new programs installing themselves. If you have just downloaded or updated something it is common that you will get anywhere from 1, to 3 or 4 alerts from it. It is when you haven't downloaded anything that you need to really worry.


      green tea

        Oh ok, I understand now. They're seven different providers, and it depends on what other programs are running on the pc. If I was on aim, then that particular one would be running right? Very nice!!

        I said "NO" to everything that winpatrol asked when I first rebooted, so there's probably some more related to Avast. Hopefully, those will be asked again.

        But I'm still paranoid about anything that pops up after this round.

        so where to go from here... F-secure scan? csvnro is still lurking in my pc >:(

        evilfantasy

        Quote
        so where to go from here... F-secure scan? csvnro is still lurking in my pc

        Yes the f-secure scan. Let everything run, without it running it may not show up in the scans. We need to get file paths for these items to know how to delete them.

        green tea

          My java still needs to be updated. Should we do that first, or do the F-secure scan first and then update the Java later?

          evilfantasy

          You can update Java later, let's try to get all of the malware first.

          green tea

            Left it scanning overnight and here's the result

            Scanning Report
            Thursday, May 01, 2008 00:22:02 - 06:53:12
            Computer name: OWNER
            Scanning type: Scan system for malware, rootkits
            Target: C:\ D:\


            --------------------------------------------------------------------------------

            Result: 3 malware found
            Tracking Cookie (spyware)
            System
            Trojan-Downloader.Win32.Small (virus)
            System
            Trojan-Downloader.Win32.Small.uzg (virus)
            C:\WINDOWS\SYSTEM32\CLBDLL.DLL

            --------------------------------------------------------------------------------

            Statistics
            Scanned:
            Files: 72642
            System: 4405
            Not scanned: 8
            Actions:
            Disinfected: 0
            Renamed: 0
            Deleted: 0
            None: 3
            Submitted: 0
            Files not scanned:
            C:\PAGEFILE.SYS
            C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
            C:\WINDOWS\SYSTEM32\DRIVERS\SPTD0237.SYS
            C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
            C:\WINDOWS\SYSTEM32\CONFIG\SAM
            C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
            C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
            C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

            --------------------------------------------------------------------------------

            Options
            Scanning engines:
            F-Secure USS: 2.30.0
            F-Secure Hydra: 2.8.8110, 2008-04-30
            F-Secure AVP: 7.0.171, 2008-04-30
            F-Secure Pegasus: 1.20.0, 2008-02-28
            F-Secure Blacklight: 1.0.64
            Scanning options:
            Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
            Use Advanced heuristics

            evilfantasy

            Now download The Avenger by Swandog46 and save it to your Desktop.
            • Extract avenger.exe from the Zip file and save it to your desktop
            • Run avenger.exe by double-clicking on it.
            • Do not change any check box options!!
            • Copy everything in the Code box below, and paste it into the Input script here window:
            Code:
            Comment:

            Files to delete:
            C:\WINDOWS\SYSTEM32\CLBDLL.DLL


            Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system


            • Now click the Execute button.
            • Click Yes to the prompt to confirm you want to execute.
            • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
            • Your PC should reboot, if not, reboot it yourself.
            • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
            • Please add the Avenger log in your next post.

            green tea

              Hi Evil,

              Here's the Avenger log... just to note, only the "Scan for rootkit" box was checkmarked. The "Delete" box under that wasn't checkmarked.


              Logfile of The Avenger Version 2.0, (c) by Swandog46
              http://swandog46.geekstogo.com

              Platform:  Windows XP

              *******************

              Script file opened successfully.
              Script file read successfully.

              Backups directory opened successfully at C:\Avenger

              *******************

              Beginning to process script file:

              Rootkit scan active.
              No rootkits found!


              Error:  file "C:\WINDOWS\SYSTEM32\CLBDLL.DLL" not found!
              Deletion of file "C:\WINDOWS\SYSTEM32\CLBDLL.DLL" failed!
              Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
                --> the object does not exist


              Completed script processing.

              *******************

              Finished!  Terminate.
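
Added example (not part of the original thread, and not code from F-Secure or The Avenger): a small Python triage that cross-checks the file path flagged in the F-Secure report against the NTSTATUS code in the Avenger log, so a "not found" deletion failure is told apart from any other failure. It parses only the line formats quoted in this thread; the function names are hypothetical.

```python
import re

# Constructed sample input: lines copied from the two logs quoted in this thread.
FSECURE_REPORT = """\
Result: 3 malware found
Tracking Cookie (spyware)
System
Trojan-Downloader.Win32.Small (virus)
System
Trojan-Downloader.Win32.Small.uzg (virus)
C:\\WINDOWS\\SYSTEM32\\CLBDLL.DLL
--------------------
C:\\PAGEFILE.SYS
"""
AVENGER_LOG = """\
Error:  file "C:\\WINDOWS\\SYSTEM32\\CLBDLL.DLL" not found!
Deletion of file "C:\\WINDOWS\\SYSTEM32\\CLBDLL.DLL" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
"""
NOT_FOUND = 0xC0000034  # NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND
PAIR = re.compile(r'Deletion of file "(.+)" failed!\s+Status:\s*(0x[0-9a-fA-F]+)')

def flagged_files(report):
    """Map each file path in the report's Result block to its detection name."""
    # Stop at the first separator so "Files not scanned" paths are not counted.
    block = report.split("Result:", 1)[-1].split("---", 1)[0]
    found, name = {}, None
    for line in map(str.strip, block.splitlines()):
        if re.match(r"[A-Za-z]:\\", line):
            found[line.upper()] = name
        elif line.endswith(")"):
            name = line.rsplit(" (", 1)[0]  # drop the "(virus)" / "(spyware)" tag
    return found

def deletion_outcomes(log):
    """Pair each failed deletion with the Status code on the following line."""
    return {path.upper(): int(code, 16) for path, code in PAIR.findall(log)}

def verdict(code):
    if code is None:
        return "no deletion record"  # success lines are not parsed here
    return "already absent" if code == NOT_FOUND else "deletion failed (0x%08x)" % code

def triage(report, log):
    """Return {path: (detection name, verdict)} for every flagged file."""
    outcomes = deletion_outcomes(log)
    return {p: (n, verdict(outcomes.get(p))) for p, n in flagged_files(report).items()}
```
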

              evilfantasy

              OK, I wanted to be sure that file was gone and it is. Let's see what else might be lurking. Hopefully we are close to done.

              Use the Kaspersky Online Scanner
              • Click Accept.
              • Answer Yes, when prompted to install an ActiveX component.
              • The program will then begin downloading the latest definition files.
              • Once the files have been downloaded click on NEXT
              • Locate the Scan Settings button & configure to:
                • Scan using the following Anti-Virus database:
                  • Extended
                • Scan Options:
                  • Scan Archives
                  • Scan Mail Bases
              • Click OK & have it scan My Computer
              When the scan is done, in the Scan is complete window (below), any infection is displayed.
              There is no option to clean/disinfect, however, we need to analyze the information on the report.

              To obtain the report:
              Click on: Save Report As...

              • Next, in the Save as prompt, Save in area, select: Desktop.
              • In the File name area, use KScan, or something similar.
              • In Save as type: click the drop arrow and select: Text file [*.txt]
              • Then, click: Save

              Please copy and paste the Kaspersky Online Scanner Report in your next post.



                  green tea

                    Quick question.. I already have Kaspersky Online Scanner in my Add/Remove program list (from the first time when you helped me in Jan.) Should I remove that first before I do this?

                    evilfantasy

                    Yes it would be best to remove that and start fresh. That way you will be sure to get all of the current updates.