Spybot Loads But doesn't open!
FJAScott
2009-09-09, 22:04
I could be being a complete idiot, but I can't find any reason why it is not starting. When the icon is double-clicked, the hourglass flashes for a few seconds and then goes back to the cursor. The Spybot symbol is in the taskbar (Spybot SD Resident) but Spybot itself does not come up on screen at all.
Don't know if it helps, but:
// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.
:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\MSIVXcount"
File:"Hidden file","C:\WINDOWS\system32\MSIVXmkyrsrfwvtbpjklypltobiqxeppjqidl.dll"
File:"Hidden file","C:\WINDOWS\system32\MSIVXtavtmdymlmtjqfxylqgutkbnfviwwutp.dll"
File:"No admin in ACL","C:\WINDOWS\system32\D926A39D53.sys"
File:"No admin in ACL","C:\WINDOWS\system32\KGyGaAvL.sys"
File:"Invisible to Win32","C:\WINDOWS\system32\MSIVXcount"
File:"Invisible to Win32","C:\WINDOWS\system32\MSIVXmkyrsrfwvtbpjklypltobiqxeppjqidl.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\MSIVXtavtmdymlmtjqfxylqgutkbnfviwwutp.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\drivers\MSIVXkwklxdyouxbrqtoqvdhbmwucplcrmyns.sys"
Directory:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data"
Any help would be appreciated
Hello FJAScott
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You're infected with a rootkit that is preventing security scanners from running.
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
FJAScott
2009-09-14, 11:28
exeHelper by Raktor - 09
Build 20090911
Run at 09:24:22 on 09/14/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Finished.
FJAScott
2009-09-14, 11:59
ComboFix 09-09-13.05 - Fraser 14/09/2009 9:47.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2039.1546 [GMT 1:00]
Running from: c:\documents and settings\Fraser\Desktop\Combo-Fix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\MSIVXkwklxdyouxbrqtoqvdhbmwucplcrmyns.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXmkyrsrfwvtbpjklypltobiqxeppjqidl.dll
c:\windows\system32\MSIVXtavtmdymlmtjqfxylqgutkbnfviwwutp.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSIVXserv.sys
-------\Legacy_MSIVXserv.sys
((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.
2009-09-09 20:09 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 18:52 . 2009-09-09 18:52 -------- d-sh--w- c:\documents and settings\Fraser\PrivacIE
2009-09-09 18:42 . 2009-09-09 18:42 -------- d-----w- c:\program files\Safer Networking
2009-09-09 17:20 . 2009-09-10 02:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-09 17:20 . 2009-09-10 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-09 13:45 . 2009-09-09 13:45 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-09 13:44 . 2009-09-09 13:44 -------- d-sh--w- c:\documents and settings\Fraser\IETldCache
2009-09-08 19:46 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-08 19:46 . 2009-09-08 19:46 -------- d-----w- c:\windows\ie8updates
2009-09-08 19:45 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-08 19:45 . 2009-07-19 17:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-08 19:45 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-08 19:45 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-08 19:45 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-08 19:45 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-08 19:41 . 2009-09-08 19:43 -------- dc-h--w- c:\windows\ie8
2009-09-07 00:21 . 2009-09-07 00:21 -------- d-----w- c:\windows\ServicePackFiles
2009-09-06 21:50 . 2009-09-06 21:50 -------- d-----w- c:\documents and settings\Fraser\Local Settings\Application Data\DOSBox
2009-09-06 21:33 . 2009-09-06 21:33 -------- d--h--w- c:\windows\PIF
2009-09-06 21:03 . 2009-09-09 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-06 21:03 . 2009-09-06 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-06 20:50 . 2009-09-06 21:19 -------- d-----w- c:\windows\system32\Adobe
2009-09-06 19:52 . 2009-09-06 19:52 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-06 19:52 . 2009-09-06 19:52 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-06 19:52 . 2009-09-06 19:52 -------- d-----w- c:\program files\OpenAL
2009-09-06 18:03 . 2009-09-06 18:08 -------- d-----w- c:\documents and settings\Fraser\Application Data\Spotify
2009-09-06 18:03 . 2009-09-06 18:03 -------- d-----w- c:\documents and settings\Fraser\Local Settings\Application Data\Spotify
2009-09-06 18:03 . 2009-09-06 18:03 -------- d-----w- c:\program files\Spotify
2009-09-06 15:29 . 2009-07-10 13:42 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-09-06 15:29 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 08:36 . 2006-01-07 10:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-09 17:53 . 2006-01-07 10:49 -------- d-----w- c:\program files\Norton Internet Security
2009-09-06 21:03 . 2006-01-07 10:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-06 17:31 . 2009-04-29 01:21 -------- d-----w- c:\documents and settings\Fraser\Application Data\uTorrent
2009-09-05 20:55 . 2009-08-08 04:07 -------- d-----w- c:\documents and settings\Fraser\Application Data\vlc
2009-09-02 18:31 . 2009-05-11 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-16 02:53 . 2009-04-29 01:21 66232 ----a-w- c:\documents and settings\Fraser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 15:24 . 2009-05-02 01:04 4432 ----a-w- c:\documents and settings\Fraser\Application Data\wklnhst.dat
2009-08-11 15:17 . 2009-08-11 15:17 -------- d-----w- c:\program files\CleanUp!
2009-08-05 09:11 . 2004-08-10 12:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 00:10 . 2009-08-04 00:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_nielprt_01007.Wdf
2009-08-04 00:10 . 2009-08-04 00:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-07-26 23:26 . 2009-07-26 23:26 -------- d-----w- c:\documents and settings\Fraser\Application Data\Apple Computer
2009-07-23 19:15 . 2009-04-29 01:20 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-23 19:15 . 2009-04-29 01:20 104 --sh--r- c:\windows\system32\D926A39D53.sys
2009-07-17 18:55 . 2004-08-10 12:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 21:02 . 2009-07-16 21:02 -------- d-----w- c:\program files\NetRatingsNetSight
2009-07-13 01:18 . 2004-08-10 12:51 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 12:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:55 . 2004-08-10 12:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 12:51 82432 ----a-w- c:\windows\system32\fontsub.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-04-28 100056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-09 393216]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25881:TCP"= 25881:TCP:utorrent
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys [x]
R3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [x]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-08-28 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Fraser.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-10-28 11:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blackle.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Fraser\Application Data\Mozilla\Firefox\Profiles\y0fa9h9k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-Wdf01000.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 09:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-09-14 9:58
ComboFix-quarantined-files.txt 2009-09-14 08:58
Pre-Run: 5,794,873,344 bytes free
Post-Run: 5,770,158,080 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
177 --- E O F --- 2009-09-10 02:00
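The RootAlyzer results in the first post and the ComboFix "Other Deletions" section above can be cross-checked mechanically: anything RootAlyzer could only see through its raw scan ("Hidden file" / "Invisible to Win32") should appear in ComboFix's deletion list, and anything that does not is still outstanding. The following Python is an added example of that check, not code from the thread, from RootAlyzer, ComboFix or Safer Networking; the log excerpts are copied from the posts above, while the regexes, the severity labels and the vowel-ratio heuristic for generated-looking file names are assumptions of this example.

```python
"""Cross-check RootAlyzer findings against a ComboFix log (added example;
not part of RootAlyzer, ComboFix or Safer-Networking tooling). The two log
excerpts are copied from the thread; regexes, severity labels and the name
heuristic are this example's own assumptions."""
import re
from pathlib import PureWindowsPath

# RootAlyzer results as posted in the first post (excerpt).
ROOTALYZER = r'''
:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\MSIVXcount"
File:"Hidden file","C:\WINDOWS\system32\MSIVXmkyrsrfwvtbpjklypltobiqxeppjqidl.dll"
File:"No admin in ACL","C:\WINDOWS\system32\KGyGaAvL.sys"
File:"Invisible to Win32","C:\WINDOWS\system32\MSIVXcount"
File:"Invisible to Win32","C:\WINDOWS\system32\drivers\MSIVXkwklxdyouxbrqtoqvdhbmwucplcrmyns.sys"
Directory:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data"
'''

# ComboFix log as posted (excerpt: the deletion section and the one after it).
COMBOFIX = r'''
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\MSIVXkwklxdyouxbrqtoqvdhbmwucplcrmyns.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXmkyrsrfwvtbpjklypltobiqxeppjqidl.dll
c:\windows\system32\MSIVXtavtmdymlmtjqfxylqgutkbnfviwwutp.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSIVXserv.sys
'''

ROOTALYZER_LINE = re.compile(r'^(File|Directory):"([^"]*)","([^"]*)"$')
COMBOFIX_HEADER = re.compile(r'^\(+\s*(.+?)\s*\)+$')
# Flags meaning the object was reachable only via RootAlyzer's raw scan,
# i.e. something is actively hiding it from ordinary Win32 API calls.
STEALTH_FLAGS = {"Hidden file", "Invisible to Win32"}


def parse_rootalyzer(text):
    """Return {path_lower: {"kind", "path", "flags"}}, merging repeated paths."""
    findings = {}
    for line in text.splitlines():
        m = ROOTALYZER_LINE.match(line.strip())
        if not m:
            continue
        kind, flag, path = m.groups()
        entry = findings.setdefault(path.lower(), {"kind": kind, "path": path, "flags": set()})
        entry["flags"].add(flag)
    return findings


def combofix_section(text, title):
    """Return the non-empty lines of one ComboFix section, e.g. 'Other Deletions'."""
    lines, inside = [], False
    for line in text.splitlines():
        m = COMBOFIX_HEADER.match(line.strip())
        if m:                      # a "(((( Title ))))" banner starts a new section
            inside = m.group(1) == title
            continue
        if inside and line.strip() not in ("", "."):
            lines.append(line.strip())
    return lines


def looks_random(path):
    """Heuristic (assumption): a long, vowel-poor, letters-only stem reads like a generated name."""
    letters = re.sub(r"[^A-Za-z]", "", PureWindowsPath(path).stem)
    if len(letters) < 16:
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in letters)
    return vowels / len(letters) < 0.2


def assess(findings, deleted_paths):
    """Rate each RootAlyzer finding and note whether ComboFix reported deleting it."""
    deleted = {p.lower() for p in deleted_paths}
    report = {}
    for key, f in findings.items():
        stealth = bool(f["flags"] & STEALTH_FLAGS)
        severity = "high" if stealth else "review"   # ACL-only findings need a human look
        if stealth and looks_random(f["path"]):
            severity = "critical"
        report[f["path"]] = {"severity": severity, "flags": sorted(f["flags"]),
                             "removed_by_combofix": key in deleted}
    return report


def outstanding(report):
    """Hidden objects that ComboFix did not report deleting (should be empty after a clean run)."""
    return sorted(p for p, r in report.items()
                  if r["severity"] in ("critical", "high") and not r["removed_by_combofix"])


if __name__ == "__main__":
    rep = assess(parse_rootalyzer(ROOTALYZER), combofix_section(COMBOFIX, "Other Deletions"))
    for path, r in sorted(rep.items(), key=lambda kv: kv[1]["severity"]):
        print(f'{r["severity"]:9} removed={r["removed_by_combofix"]!s:5} {path}  {r["flags"]}')
    print("still outstanding:", outstanding(rep) or "none")
```

Run against the two excerpts, every stealth-flagged path from RootAlyzer shows up in ComboFix's deletions and the outstanding list is empty, which is the mechanical version of the helper's "that nasty rootkit is gone"; the two "No admin in ACL" entries are left at "review" because an odd ACL alone does not prove hiding.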
Good Morning,
That nasty Rootkit is gone :bigthumb:
Things look pretty good, but let's double-check.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
How are things running now ??
Due to inactivity, this thread will now be closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.