
Thread: Unknown Malware - SpyBot won't start...

  #21, Junior Member (joined Mar 2009, 24 posts)

    .... and the latest hjt log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:59:55 PM, on 3/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    E:\Program Files\McAfee.com\Agent\mcagent.exe
    E:\Program Files\ThreatFire\TFTray.exe
    E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    E:\Program Files\Logitech\MouseWare\system\em_exec.exe
    E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    e:\program files\common files\mcafee\mna\mcnasvc.exe
    e:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    E:\Program Files\McAfee\MPF\MPFSrv.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\ThreatFire\TFService.exe
    E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    E:\WINDOWS\System32\alg.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Windows Live\Messenger\usnsvc.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://******
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - E:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [McENUI] E:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [mcagent_exe] "E:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: AutorunsDisabled
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - E:\lotus\org6\organize\bandobjs.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
    O16 - DPF: {C84FC09C-C258-44C2-B2BE-F31D1EFB2703} (bCentral Photo Upload Tool) - http://commerce.bcentral.com/catalog...d/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - e:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - e:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - E:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

    --
    End of file - 6504 bytes
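
    The log above is the usual starting point for a triage like this thread's, and most of the first pass is mechanical: split each R/O line into its section code, CLSID and target, then flag the entries a human should look at (orphaned "(no file)" pointers, unnamed entries, bare filenames in Run keys, Winsock LSPs, downloaded ActiveX controls). The Python script below is added here by the editor; it is not part of the original post and not part of HijackThis. It runs over lines copied from the log above. Which conditions it flags and how the flags are worded are this example's own choices, not anything HijackThis defines.

```python
"""Triage of HijackThis (HJT) configuration lines.

Added example, not part of the original thread: it parses the R0/R1, O2,
O4, O9, O10, O16, O23 and O24 lines of an HJT log, pulls out the CLSID and
the file, command or URL each entry points at, and attaches review flags.
The flag wording and the choice of what to flag are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")   # a rooted Windows path, quoted or not


@dataclass
class Entry:
    code: str                 # HJT section code, e.g. "O2"
    body: str                 # text after "O2 - "
    clsid: Optional[str]      # {GUID} if the line carries one
    target: Optional[str]     # path, command or URL the entry points at
    flags: List[str] = field(default_factory=list)


def _target(code: str, body: str) -> Optional[str]:
    """Pick out what the entry actually loads or opens."""
    if code == "O4":                       # O4 - HKLM\..\Run: [Name] command
        m = re.search(r"\]\s*(.*)$", body)
        if m:
            return m.group(1).strip()
        return body.split(": ", 1)[1].strip() if ": " in body else None
    if code.startswith("R"):               # R1 - HKLM\...\Main,Search Page = URL
        return body.split(" = ", 1)[1].strip() if " = " in body else None
    if code == "O10":                      # O10 - Unknown file in Winsock LSP: path
        return body.split(": ", 1)[1].strip() if ": " in body else None
    # O2/O9/O16/O23/O24: "Name - {CLSID} - path". The LAST " - " segment is
    # the target: product names such as "Spybot - Search & Destroy" contain
    # the separator themselves, so splitting from the left would break.
    parts = body.split(" - ")
    return parts[-1].strip() if len(parts) > 1 else None


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                        # process list, header, blank line
    code, body = m.group("code"), m.group("body")
    c = CLSID_RE.search(body)
    return Entry(code, body, c.group(0).upper() if c else None, _target(code, body))


def triage(entry: Entry) -> Entry:
    """Attach review flags; an empty list means nothing stood out."""
    t = entry.target or ""
    if t == "(no file)":
        entry.flags.append("orphan: registry entry points at a file that is gone")
    elif "(no name)" in entry.body:
        entry.flags.append("unnamed entry: identify the owning product first")
    if entry.code == "O4" and "]" in entry.body and not DRIVE_RE.search(t):
        entry.flags.append("bare filename: resolved via PATH at logon, locate it on disk")
    if entry.code == "O10":
        entry.flags.append("Winsock LSP: verify the DLL's publisher before touching it")
    if entry.code == "O16":
        entry.flags.append("downloaded ActiveX control: confirm it is still wanted")
    return entry


def parse_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def findings(text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in parse_log(text) if e.flags]


# Lines taken from the HJT log posted above (not a constructed sample).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [McENUI] E:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

if __name__ == "__main__":
    for e in findings(SAMPLE_LOG):
        print(f"{e.code:<4}{e.clsid or '':<40}{e.target}")
        for f in e.flags:
            print(f"        -> {f}")
```

    Run as-is it lists the six flagged entries from the sample. Read the flags for what they are: the orphaned BHO {7E853D72-626A-48EC-A868-BA8D5E23E045} is a registry pointer to a file that no longer exists, not evidence of an active infection, and the "bare filename" hit on Logi_MwX.Exe only says Windows will search PATH for it at logon. The script narrows the list; the judgement in the replies above is still needed for each item.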

  #22, Junior Member (joined Mar 2009, 24 posts)

    One last thing... I'll be shutting down for the evening, so we'll touch base tomorrow. Thanks so much for your time today... I hope we're on the right track!

    Cheers,

    Michael

  #23, pskelley (In Memoriam - Always in our heart; Clearwater, Florida; joined Oct 2005; 20,252 posts)

    I need a report from you at this point. How is the computer running? Any malware issues at all?

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  #24, Junior Member (joined Mar 2009, 24 posts)

    Quote (originally posted by pskelley):
    > I need a report from you at this point. How is the computer running? Any malware issues at all?
    >
    > Thanks
    Hi Phil,

    My apologies for taking so long to get back...

    The computer doesn't have "much" of the symptoms that I described before.

    However, here are a few things that I'm seeing:

    1) I am seeing a short glimpse of what looks to be a boot menu, right after the BIOS loads, but before the Windows XP loading screen. It looks similar to the safe mode menu, but I only get about 1/2 second to view it, so I cannot tell. The machine then seems to boot normal with no input from me.

    2) I was installing the Comodo firewall, and prior to installation, it ran a scan and found something called "f3initialsetup1.0.0.6.inf" in the "Downloaded Program Files" directory. I had Comodo remove it. (that's the only thing Comodo found.)

    and lastly (this is as far as I've got)

    3) Immediately after installing Comodo firewall and rebooting, it blocked an attempt for the "system" (system.exe ??) to allow a connection from IP 192.168.254.2. This was right after boot up with nothing running. I checked the IP and it seems to be from California : http://ws.arin.net/whois/?queryinput=192.168.254.2

    My tasks now are to remove and/or update the outdated software that you suggested.

    Should I be running additional scans using MBAM, Spybot, etc, etc?

    Thanks again for your help!!
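
    Post #24 reports a blocked inbound attempt from 192.168.254.2 and a WHOIS query on that address. The check a practitioner wants before any WHOIS is the address scope: 192.168.0.0/16 is RFC 1918 private space, never allocated to a single organisation, so that address is another machine (or the router) on the same local network and an ARIN lookup cannot attribute it. The Python script below is added by the editor and is not part of Michael's or pskelley's posts. It classifies a source address by scope with the standard-library ipaddress module; the alert lines it parses are constructed for the example and are not Comodo's real log format.

```python
"""Scope check for the source address of a firewall alert.

Added example, not part of the original thread. Decides whether a WHOIS
lookup can apply to an address at all: loopback, link-local, RFC 1918 /
RFC 4193 private space and other special-use ranges are never assigned to
one remote organisation. The alert line format is constructed here.
"""
import ipaddress
import re
from typing import List, Tuple

# "Private" in the RFC 1918 / RFC 4193 sense. Python's is_private is
# broader (loopback, link-local, documentation and CGNAT space included),
# so the label is decided here explicitly rather than from that property.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

ALERT_RE = re.compile(r"from (\S+) ->")   # matches the constructed format below


def classify(ip_text: str) -> str:
    """Return a scope label; only 'public' addresses are worth a WHOIS query."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback: traffic from this host itself"
    if ip.is_link_local:
        return "link-local: a neighbour on the same segment, usually APIPA"
    if any(ip in net for net in PRIVATE_NETS):   # v4-in-v6 membership is False
        return "private: LAN host or router, WHOIS cannot attribute it"
    if ip.is_global:
        return "public: WHOIS/ASN lookup is meaningful"
    return "reserved/special-use: documentation, CGNAT, multicast or similar"


def triage_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Map each alert line to (source address, scope label)."""
    out = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            out.append((m.group(1), classify(m.group(1))))
    return out


# Constructed sample alerts; the first mirrors the event described above.
SAMPLE_ALERTS = [
    "blocked system from 192.168.254.2 -> 192.168.254.10:445",
    "blocked svchost.exe from 10.0.0.7 -> 192.168.254.10:135",
    "blocked system from 203.0.113.9 -> 192.168.254.10:445",
    "blocked system from 169.254.13.2 -> 192.168.254.10:139",
    "blocked firefox.exe from 127.0.0.1 -> 127.0.0.1:8080",
]

if __name__ == "__main__":
    for src, label in triage_alerts(SAMPLE_ALERTS):
        print(f"{src:<16} {label}")
```

    The order of the checks matters: loopback and link-local are tested first because ipaddress also reports them as private, and 203.0.113.0/24 (documentation space) comes out as reserved rather than public because is_global is False for it. A hit on port 445 or 139 from a private address right after boot is the sort of SMB/NetBIOS chatter a LAN produces on its own; a public source is the case that justifies a lookup.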

  #25, pskelley (In Memoriam - Always in our heart; Clearwater, Florida; joined Oct 2005; 20,252 posts)

    1) I have that myself on two Dells, are you sure you just did not notice it before?

    2) Can't help with Comodo, don't use it and never have.
    http://forums.comodo.com/ <<< free forum

    3) I would say that is what a firewall is supposed to do? The security programs I run block attempts to access my computer.

    Let's see if we can wrap up and see what happens.

    Remove combofix from the computer like this:

    Click START then RUN
    Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.



    Clean the System Restore files like this:

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
    (MBAM is yours to keep if you wish, update it and run it once a month or so)

    Update McAfee and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

    If all is well at this point, let me know and I will close the topic.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    http://users.telenet.be/bluepatchy/m...oes/Links.html
    http://www.microsoft.com/windows/ie/...rotection.mspx
    Improve the safety of your browsing and e-mail activities
    http://www.microsoft.com/protect/com.../browsing.mspx

  #26, Junior Member (joined Mar 2009, 24 posts)

    Hi again Phil,

    Removed combofix, cleaned sys. restore, rebooted, updated and ran MBAM (all clear! :D)

    Will run McAfee in the morning.

    I've already updated and/or removed the outdated and unsafe programs you listed.

    I think at this point we're good to go.

    Many, many thanks for your time and trouble!

    Cheers,

    Michael

  #27, Junior Member (joined Mar 2009, 24 posts)

    OK, all seems OK with the exception of some slowness now and then. I'm pretty sure there are some corrupted files as a result of the infection, but nothing critical.

    However, I've run McAfee several times today and it keeps finding the file "DE21.exe" and it cannot be completely removed. I've restarted and rescanned as McAfee suggests, but it's still there.

    The file is located in e:/recycler/(insert a very long series of hyphenated numbers here)/DE21.exe .

    Any suggestions?

    Thanks,

    Michael

  #28, pskelley (In Memoriam - Always in our heart; Clearwater, Florida; joined Oct 2005; 20,252 posts)

    > The file is located in e:/recycler/(insert a very long series of hyphenated numbers here)/DE21.exe .
    This should be the Recycle Bin on the Desktop. Delete anything in it. If not, then e:\ should not be hidden files, navigate to that file and manually delete it:
    e:/recycler/(insert a very long series of hyphenated numbers here)/DE21.exe
    (Recycle Bin is protected and must be cleaned manually, programs may see it but Windows will not let them clean it)

    For possible corrupted/missing files, run System File Checker:
    http://dwightblackburn.com/winxp/

    For slowness, have a look at this information:
    http://www.netsquirrel.com/msconfig/msconfig_xp.html
    http://www.malwareremoval.com/tutori...ningslowly.php
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/atwork/getstarted/speed.mspx

  #29, Junior Member (joined Mar 2009, 24 posts)

    That did it!

    All scans clear now.

    Thanks again for your time and trouble, and for the information provided.

    Kudos to you and the rest of the staff/help here at safer networking!

    Cheers,

    Michael


  #30, pskelley (In Memoriam - Always in our heart; Clearwater, Florida; joined Oct 2005; 20,252 posts)

    Thanks for taking the time to let me know, safe surfing.
