trojan.ribdew & HIJACKTHIS log

[silas_t]

HI - i ran the free online virus scan from trendmicro and it found a virus but couldn't remove it, i have tried a few other web bases scanners and they all can find this virus trojan.ribdew but none are able to remove it please help, here is my Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:39:32 AM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Silas\Desktop\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B848372-7DF9-4A8F-B7E6-DA4A900857F1}: NameServer = 204.127.198.4,63.240.76.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B848372-7DF9-4A8F-B7E6-DA4A900857F1}: NameServer = 204.127.198.4,63.240.76.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{5B848372-7DF9-4A8F-B7E6-DA4A900857F1}: NameServer = 204.127.198.4,63.240.76.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

[steamwiz]

Hi

Your hijackthis log is clean...

Can you tell us the name and location of the file which is tagged as a virus, or post the log from one of the scans which find it...

steam

[silas_t]

BitDefender Online Scanner

Scan report generated at: Sat, Mar 11, 2006 - 13:08:41

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

Statistics

Time 00:43:00

Files 261328

Folders 3312

Boot Sectors 4

Archives 1888

Packed Files 21889

Results:

Identified Viruses 2

Infected Files 2

Suspect Files 0

Warnings 0

Disinfected 0

Deleted Files 2

Engines Info

Virus Definitions 304289

Engine build AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins 13

Archive plugins 39

Unpack plugins 4

E-mail plugins 6

System plugins 1


Scan Settings

First Action Disinfect

Second Action Delete

Heuristics Yes

Enable Warnings Yes

Scanned Extensions *;

Exclude Extensions

Scan Emails Yes

Scan Archives Yes

Scan Packed Yes

Scan Files Yes

Scan Boot Yes

Scanned File Status

C:\System Volume Information\_restore{319C775A-6231-4C9E-BA6A-5A0D45537900}\RP136\A0014877.exe=>(Instyler o)=>(Instyler Module 11)


Detected with: Application.Adware.NewDotNet.Dropper

C:\System Volume Information\_restore{319C775A-6231-4C9E-BA6A-5A0D45537900}\RP136\A0014877.exe=>(Instyler o)=>(Instyler Module 11)


Deleted

C:\System Volume Information\_restore{319C775A-6231-4C9E-BA6A-5A0D45537900}\RP136\A0014877.exe=>(Instyler o)


Update failed

C:\System Volume Information\_restore{319C775A-6231-4C9E-BA6A-5A0D45537900}\RP136\A0014892.exe=>(NSIS o)=>lzma_nsis0005


Infected with: Trojan.Ribdew.C.DLL

C:\System Volume Information\_restore{319C775A-6231-4C9E-BA6A-5A0D45537900}\RP136\A0014892.exe=>(NSIS o)=>lzma_nsis0005


Disinfection failed

C:\System Volume Information\_restore{319C775A-6231-4C9E-BA6A-5A0D45537900}\RP136\A0014892.exe=>(NSIS o)=>lzma_nsis0005


Deleted

C:\System Volume Information\_restore{319C775A-6231-4C9E-BA6A-5A0D45537900}\RP136\A0014892.exe=>(NSIS o)


Update failed

[steamwiz]

Hi

According to the log you posted, the infections could not be cleaned, so they were successfully deleted...

However if you are repeatedly getting these detections in this location, then your system restore folder is infected...

You need to purge your system restore :-

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same proceedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT...rc=sec_doc_nam


steam

[silas_t]

i did all that and now the scans say that my machine is clean, thank you for your help

[steamwiz]

Hi

You're very welcome

I'll lock this thread now that it is resolved...

Should the original poster require it re-opening, please PM a moderator ... thanks

steam