View Full Version : Spybot won't run
Hello,
Spybot S&D was running fine until I was attacked. I ran it after I was attacked once and it detected 108 entries. The next time I tried to run it, it wouldn't run. All I get after I doubleclick the desktop icon is a flash of the hourglass.
I have already uninstalled and reinstalled it twice following the directions I found in another thread, to no avail.
I have downloaded and installed Hijackthis and it wont run either. Same symptom, just a flash of the hourglass when I doubleclick the desktop icon.
My computer is still infected. I'm running Windows XP and Spybot 1.6
Thanks for any help. Regards, Jim
P.S. I have also tried to install RSIT but it won't install. Got an error mesage about it not being a valid win32 application.
pskelley
2008-10-13, 15:01
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Hey Jim, why don't you try the directions? They are also pinned (sticky) to the top of this forum. After you read them, then post the HJT log.
Zenobia provided you a link and you seem to have ignored it?
Thanks
Hi pskelley, thanks for your reply. It might not seem so, but I did read (and re-read) the stickey.
You advise that I should post a HJT log. I would love to. The problem at the moment is that I can't create a logfile since I can't get HJT to run in either Safe mode or Windows. It was installed according to directions but when I doubleclick the icon all I get is a flash of the hourglass and then nothing. I also tried to install RSIT, which I understand is another logfile grabber, but without success. As I mentioned above, I aalso can't get Spybot S&D to run in Safe or windows.
I'm wondering where to go from here. Am I missing something?
Best regards, Jim
pskelley
2008-10-13, 21:54
Jim, hackers know the tools we use, amd often block them, try these directions for a self-installer.
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
Follow those directions exactly. If that does not work, then when you click the link:
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
and choose "Save this file now" make sure you are saving it to the "Desktop" but change the File name to okrobie.exe before you "Save" now follow the instructions as posted.
Thanks
Hi pskelley, Thanks!
I deleted the old copy of HJT and then re-installed it according to your instructions, but it still wouldn't run. I then deleted it all again and re-installed it using the "save as okrobie.exe" option, but it still won't run.
What next?
Regards, Jim
pskelley
2008-10-13, 22:54
Does not sound good, let's give combofix a try and see what happens. Follow the directions carefully and if you can not run combofix from the Desktop in normal mode, then try booting into safe mode and running it there.
http://spyware-free.us/tutorials/safemode/
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log. <<< if possible at that point.
Thanks...Phil
Thanks
Hi pskelley, Thanks for the help.
I followed your instructions, read the ComboFix tutorial and installed ComboFix. It installed smoothly. I even did the little trick with the Windows Boot Disk icon. Everything smooth so far... but when I double clicked on the icon, it wouldn't run. I then booted up in safe mode with the same result... nada.
I have been staying off line as as much as possible like you suggested. The only good news is that it is stable and not getting any new symptoms.
Any plan B up your sleeve?
Thanks, Jim
pskelley
2008-10-14, 02:33
If you can not get any program to run, it does not sound good. You may want to think about a reformat. It is unusual when nothing will run? Here is another good malware program you can try.
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Have you thought about trying a System Restore to an earlier point?
http://support.microsoft.com/kb/306084/
Or trying this:
http://support.microsoft.com/kb/307852
Phil, here is the log from Malwarebytes' Anti-malware I'll re-boot now and try to run the other programs. Thanks
Malwarebytes' Anti-Malware 1.28
Database version: 1267
Windows 5.1.2600 Service Pack 2
10/13/2008 11:03:32 PM
mbam-log-2008-10-13 (23-03-32).txt
Scan type: Full Scan (C:\|)
Objects scanned: 119313
Time elapsed: 1 hour(s), 18 minute(s), 32 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 10
Files Infected: 70
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\wbszidij\sjyfefyv.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Program Files\GetModule\GetModule23.exe (Adware.ISM) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\toolbar.tb (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a2aa1df5-6e92-4d92-90ea-c8739016e923} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e76bab5-f558-4345-a5fb-43e7028fa258} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b437ae7e-edc1-4a83-825e-e2cad11905e8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xp_antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\getsn32.msiesn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jbgomfijea (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule23 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xp antispyware 2009 (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\data (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Start Menu\Programs\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Application Data\wbszidij\sjyfefyv.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule23.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\0486cc67.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\mmmatt.exe (Spyware.Banker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\n2ewsys.exe (Rogue.Spymonitor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\3nick568.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\44.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\gettpa222.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\gettpa421.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\stf8BC.tmp (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\iCheck.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\AVEngn.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033205.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033206.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP95\A0032834.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP95\A0032894.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP95\A0032895.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP95\A0032909.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP96\A0032913.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP96\A0032915.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP96\A0032916.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP96\A0032918.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP97\A0032938.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\WINDOWS\faceback.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\smwin32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv393.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv473.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\crap.1187090851.old (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\matrix.dll (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\comp.dat (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\htmlayout.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\pthreadVC2.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Uninstall.exe (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\wscui.cpl (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\data\daily.cvd (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Start Menu\Programs\XP_AntiSpyware\Uninstall.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Start Menu\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\James T. Robson\Desktop\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Application Data\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\robie1\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\okrobie.MUSIC\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
Hi Phil, Viola! I can now run HJT and here is the log. Thank you, Jim
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:55 PM, on 10/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\TimeCalendarLE\TCLE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.194.230.197:3128
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MerlinSnipe] C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe quiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1957994488-706699826-725345543-1003 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User '?')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.turbotax.com
O18 - Filter hijack: text/html - {863eaa62-57ba-4cd6-b38c-d2185624e47a} - C:\WINDOWS\system32\msziptools.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\CADopia\INTELL~2\LicenseManager\lmgrd.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
--
End of file - 7356 bytes
pskelley
2008-10-14, 13:08
Thanks Jim, MBAM did a fantastic job, what a freeware tool!! Let's see if we can get combofix to run, it may remove malware MBAM does not have in it's databases, I see a little more junk in the HJT log.
1) C:\Program Files\Java\jre1.6.0_02\ <<< update Java, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks...Phil
Thanks Phil, Here are the two logs you requested:
ComboFix 08-10-14.03 - James T. Robson 2008-10-14 16:01:45.1 - NTFSx86
Running from: C:\Documents and Settings\James T. Robson\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\James T. Robson\Application Data\Install.dat
C:\Program Files\INSTALL.LOG
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\WINDOWS\Downloaded Program Files\temp
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\start.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Service_Iprip
((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.
2008-10-14 01:07 . 2008-10-14 01:07 <DIR> d--hsc--- C:\Documents and Settings\James T. Robson\PrivacIE
2008-10-14 00:53 . 2008-10-14 00:55 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-13 21:01 . 2008-10-13 21:02 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\James T. Robson\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-09-10 00:04 38,528 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-13 21:01 . 2008-09-10 00:03 17,200 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 15:33 . 2008-10-13 15:33 <DIR> d----c--- C:\Program Files\Trend Micro
2008-10-12 19:08 . 2008-10-12 19:08 <DIR> d----c--- C:\rsit
2008-10-12 14:44 . 2008-10-13 23:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-12 10:51 . 2008-10-12 10:51 <DIR> d----c--- C:\Documents and Settings\robie1\Application Data\AT&T
2008-10-12 10:51 . 2008-10-12 10:51 86,016 --a--c--- C:\WINDOWS\system32\cdgjejep.exe
2008-10-12 09:46 . 2008-10-12 11:09 65,428 --a--c--- C:\WINDOWS\system32\wini10451631.exe
2008-10-12 09:18 . 2008-10-12 09:18 86,016 --a--c--- C:\WINDOWS\system32\hudklklw.exe
2008-10-12 04:13 . 2008-10-12 04:13 77,824 --a--c--- C:\WINDOWS\system32\kzwnqxuj.exe
2008-10-12 02:06 . 2008-10-12 02:06 <DIR> d----c--- C:\Documents and Settings\okrobie.MUSIC\Application Data\AT&T
2008-10-12 02:06 . 2008-10-12 02:06 77,824 --a--c--- C:\WINDOWS\system32\czanohgz.exe
2008-10-11 23:16 . 2008-10-11 23:16 77,824 --a--c--- C:\WINDOWS\system32\byxkbkrm.exe
2008-10-11 19:01 . 2008-10-13 23:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\wbszidij
2008-10-11 19:01 . 2008-10-11 19:01 77,824 --a--c--- C:\WINDOWS\system32\mbgjcdij.exe
2008-10-11 19:00 . 2008-10-11 19:00 71,715 --a--c--- C:\WINDOWS\system32\syvkqpiicj.exe
2008-10-09 23:44 . 2008-10-09 23:44 <DIR> d----c--- C:\NFRoot
2008-10-09 20:45 . 2008-10-09 20:45 7,704 --a------ C:\WINDOWS\system32\msziptools.dll
2008-10-09 19:51 . 2008-10-09 19:51 357 --a--c--- C:\Shortcut to NFRoot.lnk
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 03:32 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-10-12 18:24 --------- dc----w C:\Documents and Settings\James T. Robson\Application Data\Spybot - Search & Destroy
2008-10-10 00:54 --------- dc----w C:\Program Files\VCW VicMan's Photo Editor
2008-10-10 00:28 --------- dc----w C:\Program Files\TurboTax
2008-10-10 00:23 --------- dc----w C:\Program Files\Ahead
2003-04-08 03:50 36,199 -c--a-w C:\Program Files\auctionmagic.exe
2003-03-25 05:16 266 --sh--w C:\Program Files\desktop.ini
2003-03-25 05:16 11,079 -c-ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 1,265,783 2004-02-18 14:51:44 C:\Program Files\Ahead\InCD\bak\InCD.exe
-c--a-w 892,928 2004-03-18 14:33:26 C:\Program Files\Logitech\iTouch\bak\iTouch.exe
-c--a-w 473,928 2005-07-12 20:35:18 C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe
-c--a-w 1,359,872 2006-05-15 02:59:20 C:\Program Files\PC TechZone\AuctionMagic7\bak\Snipe.exe
-c--a-w 1,372,160 2008-05-04 04:06:58 C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe
-c--a-w 77,824 2005-04-02 10:23:49 C:\Program Files\QuickTime\bak\qttask.exe
-c--a-w 1,976,544 2005-12-13 21:13:36 C:\Program Files\Spyware Doctor\bak\swdoctor.exe
-c--a-w 1,860,608 2002-04-22 20:40:12 C:\Program Files\TimeCalendarLE\bak\TCLE.exe
----a-w 1,860,608 2002-04-22 20:40:12 C:\Program Files\TimeCalendarLE\TCLE.exe
-c--a-w 3,896,832 2006-03-27 06:50:10 C:\Program Files\Yagoon\Time\bak\Time.exe
-c--a-r 28,672 2002-10-30 09:40:34 C:\WINDOWS\bak\htpatch.exe
-c--a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe
-c--a-r 155,648 2001-07-09 10:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TimeCalendar"="C:\Program Files\TimeCalendarLE\TCLE.exe" [2002-04-22 1860608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MerlinSnipe"="C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe" [2008-05-04 1372160]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 323216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"Cmaudio"="cmicnfg.cpl" [2002-11-01 C:\WINDOWS\system32\CMICNFG.CPL]
"MsmqIntCert"="mqrt.dll" [2004-08-04 C:\WINDOWS\system32\mqrt.dll]
"RegistryMechanic"="" [N/A]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]
C:\Documents and Settings\James T. Robson\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CallCenter Printer Interface.lnk - C:\Program Files\V3CallCenter\V3faxecp.exe [2005-03-22 32768]
Launch Outlook Express.lnk - C:\Program Files\Outlook Express\Msimn.exe [2005-02-25 60416]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\Findfast.exe [1996-11-17 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\Osa.exe [1996-11-17 51984]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30000:TCP"= 30000:TCP:Web Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James T. Robson\Application Data\Mozilla\Firefox\Profiles\lkvhatoc.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 16:13:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat 16384 bytes
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
scan completed successfully
hidden files: 15
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\WINDOWS\system32\msdtc.exe
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.exe
C:\Program Files\Mail Enable\Bin\MEMTA.exe
C:\Program Files\Mail Enable\Bin\MEPOC.exe
C:\Program Files\Mail Enable\Bin\MEPOPS.exe
C:\Program Files\Mail Enable\Bin\MESMTPC.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-14 16:23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-14 20:23:27
Pre-Run: 62,386,860,032 bytes free
Post-Run: 63,638,523,904 bytes free
184 --- E O F --- 2007-08-27 03:10:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:21 PM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\TimeCalendarLE\TCLE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.194.230.197:3128
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MerlinSnipe] C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe quiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1957994488-706699826-725345543-1003 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User '?')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223958421265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223958690312
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\CADopia\INTELL~2\LicenseManager\lmgrd.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
--
End of file - 7630 bytes
P.S. All programs are now able to run, including Spybot S&D
pskelley
2008-10-15, 00:52
Thanks for returning this information, this is indeed a very infected computer. You also have this infection:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Agent.AWF&threatid=134083
combofix will usually remove it, if not we have a complex manual removal on our hands. Please read and follow the directions carefully, and in the numbered order.
1) C:\Program Files\Java\jre1.6.0_02\ <<< out of date, see this information.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
4) Open notepad and copy/paste the text in the codebox below into it:
AWF::
C:\Program Files\Ahead\InCD\bak\InCD.exe
C:\Program Files\Logitech\iTouch\bak\iTouch.exe
C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe
C:\Program Files\PC TechZone\AuctionMagic7\bak\Snipe.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Spyware Doctor\bak\swdoctor.exe
C:\Program Files\TimeCalendarLE\bak\TCLE.exe
C:\Program Files\Yagoon\Time\bak\Time.exe
C:\WINDOWS\bak\htpatch.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\NeroCheck.exe
File::
C:\WINDOWS\system32\cdgjejep.exe
C:\WINDOWS\system32\wini10451631.exe
C:\WINDOWS\system32\hudklklw.exe
C:\WINDOWS\system32\kzwnqxuj.exe
C:\WINDOWS\system32\czanohgz.exe
C:\WINDOWS\system32\byxkbkrm.exe
C:\WINDOWS\system32\mbgjcdij.exe
C:\WINDOWS\system32\syvkqpiicj.exe
C:\WINDOWS\system32\msziptools.dll
C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
Folder::
C:\Documents and Settings\All Users\Application Data\wbszidij
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
6) Update MBAM and run another scan.
Post the log from CFScript, the log from MBAM and a new HJT log.
How is the computer running?
Thanks
Phil, Item 1: Good catch on the Java thing. That is an old problem which has been present for over a year. It seems that I have been robbed of my administrative privileges so I haven't been able to update anything including Windows and Java for a very long time. I can't install printer drivers or anything. Sorry I forgot to mention it. Should I proceed to the next item or do we need to work on that first? When I go to the control panel and try to change my logon it says that I am an administrator. Its just that my privileges don't work.
Thanks, Jim
P.S. Right now hyper links are not working from web pages but especially this one http://forums.spybot.info/showpost.p...80&postcount=2
looks like too many dots. I have cut and paste it into a browser and it won't work.
pskelley
2008-10-15, 02:10
Continue with the instructions, we have much worse problems that out of date Java proigram.
You understand you can not just copy/paste the link I posted above, the process is called "truncicated" I believe. This link:
http://forums.spybot.info/showpost.p...80&postcount=2 <<< will not work
http://forums.spybot.info/showpost.php?p=12880&postcount=2 <<< this link will.
Please note they look alike.
Thanks
Hi Phil, Here are the logs you requested:
ComboFix 08-10-14.07 - James T. Robson 2008-10-14 20:03:18.3 - NTFSx86
Running from: C:\Documents and Settings\James T. Robson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James T. Robson\Desktop\cfscript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\byxkbkrm.exe
C:\WINDOWS\system32\cdgjejep.exe
C:\WINDOWS\system32\czanohgz.exe
C:\WINDOWS\system32\hudklklw.exe
C:\WINDOWS\system32\kzwnqxuj.exe
C:\WINDOWS\system32\mbgjcdij.exe
C:\WINDOWS\system32\msziptools.dll
C:\WINDOWS\system32\syvkqpiicj.exe
C:\WINDOWS\system32\wini10451631.exe
C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.
2008-10-14 01:07 . 2008-10-14 01:07 <DIR> d--hsc--- C:\Documents and Settings\James T. Robson\PrivacIE
2008-10-14 00:53 . 2008-10-14 00:55 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-13 21:01 . 2008-10-13 21:02 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\James T. Robson\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-09-10 00:04 38,528 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-13 21:01 . 2008-09-10 00:03 17,200 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 15:33 . 2008-10-13 15:33 <DIR> d----c--- C:\Program Files\Trend Micro
2008-10-12 19:08 . 2008-10-12 19:08 <DIR> d----c--- C:\rsit
2008-10-12 14:44 . 2008-10-13 23:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-12 10:51 . 2008-10-12 10:51 <DIR> d----c--- C:\Documents and Settings\robie1\Application Data\AT&T
2008-10-12 02:06 . 2008-10-12 02:06 <DIR> d----c--- C:\Documents and Settings\okrobie.MUSIC\Application Data\AT&T
2008-10-09 23:44 . 2008-10-09 23:44 <DIR> d----c--- C:\NFRoot
2008-10-09 19:51 . 2008-10-09 19:51 357 --a--c--- C:\Shortcut to NFRoot.lnk
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 22:15 --------- dc----w C:\Program Files\TimeCalendarLE
2008-10-14 22:15 --------- dc----w C:\Program Files\Spyware Doctor
2008-10-14 22:15 --------- dc----w C:\Program Files\QuickTime
2008-10-14 22:15 --------- dc----w C:\Program Files\Microsoft AntiSpyware
2008-10-14 03:32 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-10-12 18:24 --------- dc----w C:\Documents and Settings\James T. Robson\Application Data\Spybot - Search & Destroy
2008-10-10 00:54 --------- dc----w C:\Program Files\VCW VicMan's Photo Editor
2008-10-10 00:28 --------- dc----w C:\Program Files\TurboTax
2008-10-10 00:23 --------- dc----w C:\Program Files\Ahead
2008-08-22 07:08 878,592 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 07:08 43,008 -c--a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 07:07 18,944 -c--a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 07:06 72,704 -c--a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 07:06 71,680 -c--a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 07:06 434,176 -c--a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 07:05 48,640 -c----w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 07:05 48,128 -c--a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 07:05 35,840 -c--a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 07:04 45,568 -c--a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 06:57 156,160 -c--a-w C:\WINDOWS\system32\msls31.dll
2008-08-05 21:55 265,720 -c--a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-19 02:08 205,000 -c--a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:07 210,976 -c--a-w C:\WINDOWS\system32\muweb.dll
2003-04-08 03:50 36,199 -c--a-w C:\Program Files\auctionmagic.exe
2003-03-25 05:16 266 --sh--w C:\Program Files\desktop.ini
2003-03-25 05:16 11,079 -c-ha-w C:\Program Files\folder.htt
2001-11-23 18:08 712,704 -c--a-r C:\WINDOWS\inf\Other\AUDIO3D.DLL
.
((((((((((((((((((((((((((((( snapshot@2008-10-14_16.22.13.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-10-30 09:40:34 28,672 -c--a-w C:\WINDOWS\htpatch.exe
+ 2001-07-09 10:50:42 155,648 -c--a-w C:\WINDOWS\system32\NeroCheck.exe
+ 2008-10-14 23:52:40 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_700.dat
- 2008-10-14 20:19:39 16,171,008 -c--a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-15 00:03:21 16,171,008 -c--a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TimeCalendar"="C:\Program Files\TimeCalendarLE\TCLE.exe" [2002-04-22 1860608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MerlinSnipe"="C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe" [2006-05-14 1359872]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 323216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"Cmaudio"="cmicnfg.cpl" [2002-11-01 C:\WINDOWS\system32\CMICNFG.CPL]
"MsmqIntCert"="mqrt.dll" [2004-08-04 C:\WINDOWS\system32\mqrt.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]
C:\Documents and Settings\James T. Robson\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CallCenter Printer Interface.lnk - C:\Program Files\V3CallCenter\V3faxecp.exe [2005-03-22 32768]
Launch Outlook Express.lnk - C:\Program Files\Outlook Express\Msimn.exe [2005-02-25 60416]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\Findfast.exe [1996-11-17 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\Osa.exe [1996-11-17 51984]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30000:TCP"= 30000:TCP:Web Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 20:07:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat 16384 bytes
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
scan completed successfully
hidden files: 15
**************************************************************************
.
Completion time: 2008-10-14 20:11:11
ComboFix-quarantined-files.txt 2008-10-15 00:10:40
ComboFix2.txt 2008-10-14 22:19:30
ComboFix3.txt 2008-10-14 20:23:35
Pre-Run: 63,623,327,744 bytes free
Post-Run: 63,607,615,488 bytes free
163 --- E O F --- 2007-08-27 03:10:48
Malwarebytes' Anti-Malware 1.28
Database version: 1267
Windows 5.1.2600 Service Pack 2
10/14/2008 9:38:53 PM
mbam-log-2008-10-14 (21-38-53).txt
Scan type: Full Scan (C:\|)
Objects scanned: 113781
Time elapsed: 1 hour(s), 17 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033296.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033297.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033298.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033299.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033300.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033301.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033302.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033303.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033304.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033353.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:11 PM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\TimeCalendarLE\TCLE.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.194.230.197:3128
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MerlinSnipe] C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe quiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - S-1-5-21-1957994488-706699826-725345543-1003 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User '?')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223958421265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223958690312
O18 - Filter hijack: text/html - {8c7ead1f-0863-4758-b9a5-07979bb77561} - C:\WINDOWS\system32\msziptools.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\CADopia\INTELL~2\LicenseManager\lmgrd.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
--
End of file - 7698 bytes
pskelley
2008-10-15, 13:19
How is the computer running?
See this information:
http://www.prevx.com/filenames/X882145234024887170-0/MSZIPTOOLS2EDLL.html
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O18 - Filter hijack: text/html - {8c7ead1f-0863-4758-b9a5-07979bb77561} - C:\WINDOWS\system32\msziptools.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\WINDOWS\system32\msziptools.dll <<< delete that file
This is the next step we must take:
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Would you also post an uninstall list.
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Thanks
Hi Phil, Thanks for all your help... and your patience.
The computer is running basically pretty good. The only anomalies are the failure of some hyper links to work, especially the truncated ones and my Merlin Snipe program can't logon to eBay. When I go to eBay through the browser I get a warning message about how I am about to view pages over a secure connection... Maybe I have increased my security level on the browser. Other than that it is operating "normally".
I did what you said on HJT with the msziptools.dll but it didn't work. I navigated to it manually and it was still there and I could not delete it manually. I got a message stating that it was in use. I went to the task manager and it was not on the list of active processes.
The recovery console was not installed because I did the drag and drop thing before it was allowed to run it obviously didn't realize this. It is running now and here is the log:
ComboFix 08-10-14.07 - James T. Robson 2008-10-15 9:39:37.4 - NTFSx86
Running from: C:\Documents and Settings\James T. Robson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James T. Robson\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.
2008-10-14 21:26 . 2008-10-14 21:26 7,704 --a--c--- C:\WINDOWS\system32\msziptools.dll
2008-10-14 01:07 . 2008-10-14 01:07 <DIR> d--hsc--- C:\Documents and Settings\James T. Robson\PrivacIE
2008-10-14 00:53 . 2008-10-14 00:55 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-13 21:01 . 2008-10-13 21:02 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\James T. Robson\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-09-10 00:04 38,528 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-13 21:01 . 2008-09-10 00:03 17,200 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 15:33 . 2008-10-13 15:33 <DIR> d----c--- C:\Program Files\Trend Micro
2008-10-12 19:08 . 2008-10-12 19:08 <DIR> d----c--- C:\rsit
2008-10-12 14:44 . 2008-10-13 23:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-12 10:51 . 2008-10-12 10:51 <DIR> d----c--- C:\Documents and Settings\robie1\Application Data\AT&T
2008-10-12 02:06 . 2008-10-12 02:06 <DIR> d----c--- C:\Documents and Settings\okrobie.MUSIC\Application Data\AT&T
2008-10-09 23:44 . 2008-10-09 23:44 <DIR> d----c--- C:\NFRoot
2008-10-09 19:51 . 2008-10-09 19:51 357 --a--c--- C:\Shortcut to NFRoot.lnk
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 22:15 --------- dc----w C:\Program Files\TimeCalendarLE
2008-10-14 22:15 --------- dc----w C:\Program Files\Spyware Doctor
2008-10-14 22:15 --------- dc----w C:\Program Files\QuickTime
2008-10-14 22:15 --------- dc----w C:\Program Files\Microsoft AntiSpyware
2008-10-14 03:32 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-10-12 18:24 --------- dc----w C:\Documents and Settings\James T. Robson\Application Data\Spybot - Search & Destroy
2008-10-10 00:54 --------- dc----w C:\Program Files\VCW VicMan's Photo Editor
2008-10-10 00:28 --------- dc----w C:\Program Files\TurboTax
2008-10-10 00:23 --------- dc----w C:\Program Files\Ahead
2008-08-22 07:08 878,592 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 07:08 43,008 -c--a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 07:07 18,944 -c--a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 07:06 72,704 -c--a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 07:06 71,680 -c--a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 07:06 434,176 -c--a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 07:05 48,640 -c----w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 07:05 48,128 -c--a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 07:05 35,840 -c--a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 07:04 45,568 -c--a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 06:57 156,160 -c--a-w C:\WINDOWS\system32\msls31.dll
2008-08-05 21:55 265,720 -c--a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-19 02:08 205,000 -c--a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:07 210,976 -c--a-w C:\WINDOWS\system32\muweb.dll
2003-04-08 03:50 36,199 -c--a-w C:\Program Files\auctionmagic.exe
2003-03-25 05:16 266 --sh--w C:\Program Files\desktop.ini
2003-03-25 05:16 11,079 -c-ha-w C:\Program Files\folder.htt
2001-11-23 18:08 712,704 -c--a-r C:\WINDOWS\inf\Other\AUDIO3D.DLL
.
((((((((((((((((((((((((((((( snapshot@2008-10-14_16.22.13.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-10-30 09:40:34 28,672 -c--a-w C:\WINDOWS\htpatch.exe
+ 2001-07-09 10:50:42 155,648 -c--a-w C:\WINDOWS\system32\NeroCheck.exe
+ 2008-10-15 03:33:48 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_588.dat
- 2008-10-14 20:19:39 16,171,008 -c--a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-15 13:39:40 16,171,008 -c--a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TimeCalendar"="C:\Program Files\TimeCalendarLE\TCLE.exe" [2002-04-22 1860608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MerlinSnipe"="C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe" [2006-05-14 1359872]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 323216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"Cmaudio"="cmicnfg.cpl" [2002-11-01 C:\WINDOWS\system32\CMICNFG.CPL]
"MsmqIntCert"="mqrt.dll" [2004-08-04 C:\WINDOWS\system32\mqrt.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]
C:\Documents and Settings\James T. Robson\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CallCenter Printer Interface.lnk - C:\Program Files\V3CallCenter\V3faxecp.exe [2005-03-22 32768]
Launch Outlook Express.lnk - C:\Program Files\Outlook Express\Msimn.exe [2005-02-25 60416]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\Findfast.exe [1996-11-17 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\Osa.exe [1996-11-17 51984]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30000:TCP"= 30000:TCP:Web Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James T. Robson\Application Data\Mozilla\Firefox\Profiles\lkvhatoc.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 09:42:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat 16384 bytes
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
scan completed successfully
hidden files: 15
**************************************************************************
.
Completion time: 2008-10-15 9:46:08
ComboFix-quarantined-files.txt 2008-10-15 13:45:53
ComboFix2.txt 2008-10-15 00:12:29
ComboFix3.txt 2008-10-14 22:19:30
ComboFix4.txt 2008-10-14 20:23:35
Pre-Run: 63,539,408,896 bytes free
Post-Run: 63,553,429,504 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
152 --- E O F --- 2007-08-27 03:10:48
Here is the uninstall list from HJT:
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0
AT&T Internet Security Wizard 1.5.11
ATT-NAP
AusLogics Disk Defrag
BellSouth Application Management
CADopia IntelliCAD 5 Standard
C-Media WDM Audio Driver
Cox Online Support Controls
e-AA
EASEUS Partition Manager 1.6.2
Enhancement Browser Tools Bigadnetwork
FastAccess® DSL Help Center 4.1
Fastream IQ Web/FTP Server Engine
Fastream IQ Web/FTP Server GUI
FREE CallCenter
GEAR Replicator
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
HTMLGATE FREE version 12.2.1B
InCD EasyWrite Reader
IntelliCAD 5 Standard v.5.1.5.05 Standard Edition
ItsDeductible Express
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 2
Logitech iTouch Software
MailEnable Messaging Services for Windows NT/2000
Malwarebytes' Anti-Malware
Merlin AuctionMagic
Merlin AuctionMagic
MSIDVD
MSN Music Assistant
Napster
Napster Burn Engine
Nero Media Player
Nero OEM
PHPRunner 2.0
R-Drive Image (remove only)
Realtek AC'97 Audio
Registry Mechanic 5.1
SafeCast Shared Components
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player 10 (KB936782)
SiS 650_650GL_650GX_651
Sony DPP-SV55
Spybot - Search & Destroy
SpywareBlaster v3.5.1
TimeCalendar LE 1.6.3
TurboTax Deluxe Deduction Maximizer 2006
VCW VicMan's Photo Editor 8.1
WexTech AnswerWorks
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8 Beta 2
Windows Media Format Runtime
Windows Media Player 10
Yagoon Time 2.31
Yahoo! Install Manager
Yahoo! Toolbar
Thanks again for everything. I'm 66 years old and a little slow sometimes.
Regards, Jim
pskelley
2008-10-15, 20:10
Thanks again for everything. I'm 66 years old and a little slow sometimes.
I was born 4/19/1942 so now I don't know if I should call you sir or sonny? Only the Jax location in the profile information.
Let's move on, before we uninstall combofix there are files I was sure were bad that did not get removed by CFScript? At least it removed AWF and for that I am greatful.
The files are 15 that are marked as hidden files and they all look like this:
C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat <<< this is just one, they are different numbers.
What I need to do is find out what they are, being Temp files, there should be no reason why we can not delete them.
Make sure you can view all files and folders here:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Now use one or more of these free online scanners to find out what they are:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
You do not need to scan them all, scan two or three at random, that will be enough so you will know if they are malware or not. Post that information for me to view. If the ones you scan are malware obviously, then delete them all. I can not tell when they were created, but you should be able to by right clicking and looking at properties. You may delete everything in that Temp folder. A few old files put there by Windows may not delete, but all recent files should, expecially anything put there by the malware.
uninstall list <<< I look for malware and security issues only, and I will not know them all.
Here is a small free tool that lets you know when something needs an update if you are interested:
https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 7.0 <<< out of date and being exploited by hackers
http://www.filehippo.com/download_adobe_reader/
J2SE Runtime Environment 5.0 Update 2 <<< please see the information in this link:
Java(TM) 6 Update 2
http://forums.spybot.info/showpost.php?p=12880&postcount=2
(posted earlier in instructions)
SpywareBlaster v3.5.1 <<< a good program, but out of date. to update you must turn off the old program.
1) Open the interface and DISABLE ALL PROTECTION
2) Close the program and uninstall it in Add Remove Programs
3) Dolwnload v4.1 here: http://www.javacoolsoftware.com/spywareblaster.html
4) Make sure you update and then enable all protection
Merlin Snipe program <<< is that this:
http://www.pctechzone.com/merlin/ad/
Here is more information about AWF:
http://www.google.com/search?hl=en&q=trojan+AWF&btnG=Google+Search
This is a file infector trojan and if you look at the code box for CFScript you will see:
C:\Program Files\PC TechZone\AuctionMagic7\bak\Snipe.exe <<< the clue it was infected
That program was infected and replaced by the trojan. Though combofix does try to fix the problem, it may be you will have to install the program again.
When the hyper-links do not work, do you get any error message I can research?
Here is some generic informaton at Google:
http://www.google.com/search?hl=en&q=hyper-links+do+not+work&btnG=Search
Jim, let's see if we can get that far this time. I would not do a lot of online activites until we are sure you are clean and I have posted information to help you harden your defense.
Thanks
Phil from Clearwater
Phil, I'll have to start calling you Junior since my birthdate is 4/9/1942. 10 days is a lot of time :-)
There is only 1 file in c:\windows\temp and that is perflib_perfdata_588.dat but it won't let me delete it since it is in use.
I have opened up the viewfile settings.
The online scanners don't seem to work for me. When I select the file I want to scan it won't seem to upload. I tried it on all three sites.
I can't update anything such as J2SE or Adobe due to my missing admin privileges.
I re-installed Spyware Blaster and Snipe and they are both working fine now. It cleared up the problem I was having with Snipe.
Hyper-links are working everywhere except this forum. No error message. When I mousover the link, the full URL appears in the box on the lower left but clicking does nothing. I just right click on the link and choose copy shortcut and put it in the browser address box. Not really a problem.
In the meantime I have run Spybot and MBAM Spybot found "Right Media" which I think I get from the Drudge Report but MBAM ran clean.
Well Phil... whats next?
Thanks, Jim
pskelley
2008-10-15, 22:46
Thanks for the feedback Old Timer. Let's see if we can clear up the last details.
There is only 1 file in c:\windows\temp and that is perflib_perfdata_588.dat but it won't let me delete it since it is in use.
Boot the computer into safe mode and delete that file there.
http://spyware-free.us/tutorials/safemode/
I can't update anything such as J2SE or Adobe due to my missing admin privileges.
Post for me exactly the message you get when you try to sign in as administrator so I can research the message.
Hyper-links are working everywhere except this forum.
did you look at the links in Google, perhaps you will recognize a similiar sy,ptom. I am hard pressed to know how to research this without more information.
http://www.lavasoftsupport.com/index.php?showtopic=19240
Watch for a private message so it does not go to the spambox.
Thanks Phil
Hi Phil, Thanks for the tip on going to safe mode for deleting those files. I have now deleted perflib_perfdata_588.dat and msziptools.dll.
Currently, aside from mopping up this malware mess, my biggest problem is that I don't have Windows Installer and I can't install it since Microsoft can't verify that I have a valid copy of XP. I can't use my installation disk because my CD drive is broken. I have one on order but it's not here yet. I have been to this point before and from what I remember, I will eventually get to a point where I get a message that says roughly "You cant install this because you are not an Administrator". I'm convinced that my admin privileges were taken away by malware over a year ago, but I didn't worry about it because my machine was doing all the things I needed. But now that I know the dangers of security risk, I want to get everything up to snuff.
I'm not worried about the hyperlink thing. I'm used to it since I can't use links from Email either.
Thanks for all your help and interest, and patience.
Regards, Jim
pskelley
2008-10-16, 00:49
Thanks for providing that information, you did find the private message I sent you?
You will need to be able to get critical updates, so that issue must be cleared up. If you do not, you will continue to get infected.
Here are a few links that might help.
Microsoft Technical Support
http://support.microsoft.com/
Genuine Windows
http://www.microsoft.com/genuine/
Validate Windows XP
http://www.microsoft.com/windowsxp/using/setup/winxp/validate.mspx
Since you have issues I can not help with, let's do this:
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean infected System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I suggest you update MBAM and run a scan to make sure it is scanning clean.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html