
Sorry! TYPO!

Do this:
Command Prompt

TYPE DIR /x "C:\PROGRA~1" >> C:\LOGIT.txt ENTER

Navigate to C:\LOGIT.txt and post that for me.

The first command didn't work in command prompt; however, I found the LOGIT text file anyway. The spyware doc directory seems to be SPYWAR~1.
Volume in drive C has no label.
Volume Serial Number is DCF9-B69E

Directory of C:\PROGRA~1

08/30/2009 02:32 PM <DIR> .
08/30/2009 02:32 PM <DIR> ..
04/21/2007 06:26 PM <DIR> 7-Zip
04/02/2007 06:02 PM <DIR> AC3FIL~1 AC3Filter
12/10/2005 08:11 PM <DIR> ACDSYS~1 ACD Systems
12/31/2008 05:15 PM <DIR> ACTIVI~1 Activision
03/01/2009 09:36 AM <DIR> Adobe
04/05/2009 07:40 AM <DIR> AGEIAT~1 AGEIA Technologies
07/07/2007 07:11 PM <DIR> Ahead
10/18/2007 09:31 PM <DIR> AIM
02/17/2007 04:06 PM <DIR> AIMGAD~1 AIM Gadgets
06/10/2009 12:35 PM <DIR> AIM6
05/18/2008 09:59 PM <DIR> ALKYFO~1 Alky for Applications
03/03/2008 04:26 PM <DIR> ALWILS~1 Alwil Software
09/14/2006 04:55 PM <DIR> AOD
05/18/2008 10:58 PM <DIR> ATITEC~1 ATI Technologies
08/27/2008 08:54 PM <DIR> AVG
09/07/2008 06:33 PM <DIR> BitComet
06/03/2008 11:12 AM <DIR> BITTOR~1 BitTorrent_DNA
11/04/2008 09:10 AM <DIR> BLACKI~1 BlackIsle
03/26/2008 03:46 PM <DIR> Bonjour
11/14/2008 06:53 PM <DIR> Brother
11/14/2008 06:53 PM <DIR> Brownie
05/18/2008 09:57 PM <DIR> CCleaner
07/24/2009 04:28 PM <DIR> CHEATE~1 Cheat Engine
05/06/2009 01:01 PM <DIR> CHEATE~1.3 Cheat Engine5.3
10/20/2007 07:06 PM <DIR> Client
07/24/2009 01:34 PM <DIR> COMMON~1 Common Files
08/16/2005 03:38 AM <DIR> COMPLU~1 ComPlus Applications
12/07/2005 05:09 PM <DIR> CONEXANT
01/28/2007 09:21 AM <DIR> COREL(~1.5TB Corel(R) Painter(TM) IX.5 TBYB EN
03/03/2008 04:57 PM <DIR> CRYSTA~1 Crystal Player
08/15/2008 11:24 AM <DIR> Cucusoft
12/07/2005 05:23 PM <DIR> CYBERL~1 CyberLink
07/03/2008 05:17 PM <DIR> DAEMON~2 DAEMON Tools Lite
06/03/2008 11:15 AM <DIR> DAEMON~1 DAEMON Tools Pro
03/02/2008 02:55 PM <DIR> Darkeden
10/20/2007 06:58 PM <DIR> Dell
05/18/2008 09:44 PM <DIR> Desktop
12/07/2005 05:23 PM <DIR> DIGITA~1 Digital Line Detect
12/26/2008 12:48 PM <DIR> directx
01/17/2009 11:36 AM <DIR> DivX
03/01/2008 11:29 AM <DIR> DOWNLO~1 Download Master
03/15/2006 01:56 PM <DIR> ELECTR~1 Electronic Arts
08/16/2005 07:51 PM <DIR> ENGLIS~1 EnglishOtto
01/05/2006 06:38 PM <DIR> EPSON
07/26/2009 12:28 PM <DIR> FBSearch Toolbar
05/16/2007 06:33 PM 2,874,926 FLVPLA~1.EXE FLV PlayerRCATSetup.exe
01/29/2008 08:15 PM <DIR> FREECI~1.2-G Freeciv-2.1.2-gtk2
03/25/2009 11:03 PM <DIR> GIMP-2.0
07/26/2009 11:04 AM <DIR> Google
05/18/2008 09:44 PM <DIR> HASHTA~1 HashTab Shell Extension
05/29/2002 03:11 PM <DIR> Icons
12/24/2006 07:45 AM <DIR> ICQLite
09/08/2006 12:02 PM <DIR> ICQTOO~1 ICQToolbar
12/07/2005 05:22 PM <DIR> Intel
04/05/2009 08:06 AM <DIR> INTELC~1 Intel Corporation
12/10/2008 08:34 PM <DIR> INTERN~1 Internet Explorer
07/26/2009 04:53 PM <DIR> Internet Saving Optimizer
12/07/2005 05:26 PM <DIR> Intuit
12/24/2006 07:44 AM <DIR> iWin
05/18/2008 09:58 PM <DIR> Java
09/06/2008 08:04 PM <DIR> K-LITE~1 K-Lite Codec Pack
03/05/2008 08:47 PM <DIR> Kodak
05/18/2008 09:58 PM <DIR> KRISTA~1 Kristanix
05/18/2008 09:44 PM <DIR> LClock
07/30/2009 11:22 AM <DIR> Macro Buddy
11/22/2007 08:51 PM <DIR> MACROM~1 Macromedia
08/02/2009 03:29 PM <DIR> MALWAR~1 Malwarebytes' Anti-Malware
07/26/2009 04:53 PM <DIR> Media Access Startup
05/06/2002 02:26 PM <DIR> Meshes
08/14/2008 11:16 PM <DIR> MESSEN~1 Messenger
12/10/2005 08:06 PM <DIR> MI3AA1~1 Microsoft ActiveSync
08/16/2005 03:43 AM <DIR> MICROS~1 microsoft frontpage
03/23/2009 11:14 PM <DIR> MIAEFD~1 Microsoft Games for Windows - LIVE
12/10/2005 08:05 PM <DIR> MICROS~4 Microsoft Office
12/07/2005 05:24 PM <DIR> MICROS~2 Microsoft Plus! Digital Media Edition
12/07/2005 05:24 PM <DIR> MICROS~3 Microsoft Plus! Photo Story 2 LE
05/18/2008 09:44 PM <DIR> MIC8D2~1 Microsoft PowerToys
05/18/2008 02:22 PM <DIR> MI7BEA~1 Microsoft Windows OneCare Live
08/13/2009 04:51 PM <DIR> mIRC
04/19/2006 09:09 PM <DIR> MJUICE~1 Mjuice Media Player
12/07/2005 05:23 PM <DIR> MODEMH~1 Modem Helper
11/04/2008 02:46 PM <DIR> MOVIEM~1 Movie Maker
08/30/2009 05:49 PM <DIR> MOZILL~1 Mozilla Firefox
05/18/2008 09:54 PM <DIR> MSBuild
07/24/2009 10:04 PM <DIR> MSNGAM~1 msn gaming zone
11/16/2006 11:46 PM <DIR> MSXML4~1.0 MSXML 4.0
10/20/2007 07:02 PM <DIR> MUSICM~1 MUSICMATCH
10/20/2007 06:59 PM <DIR> NCHSWI~1 NCH Swift Sound
07/07/2007 07:56 PM <DIR> Nero
03/14/2008 12:51 PM <DIR> NETLIM~1 NetLimiter 2 Pro
08/16/2005 03:40 AM <DIR> NETMEE~1 NetMeeting
12/07/2005 05:23 PM <DIR> NETWAI~1 NetWaiting
10/14/2007 12:03 PM <DIR> NHNUSA~1 NHN USA
07/12/2009 05:25 PM <DIR> NOS
07/24/2009 02:38 PM <DIR> oliykb
05/01/2006 06:34 PM <DIR> ON2TEC~1 On2 Technologies
08/16/2005 03:38 AM <DIR> ONLINE~1 Online Services
06/29/2008 06:02 PM <DIR> OpenAL
05/18/2008 09:47 PM <DIR> OUTLOO~1 Outlook Express
10/28/2007 06:18 PM <DIR> PERFEC~1 Perfect Macro Recorder
09/06/2008 09:09 PM <DIR> RARPAS~1 RAR Password Cracker
05/30/2009 05:58 PM <DIR> Recount
05/18/2008 09:53 PM <DIR> REFERE~1 Reference Assemblies
07/24/2009 03:22 PM <DIR> REGIST~1 Registry Mechanic
05/16/2007 06:34 PM <DIR> REPLAY~1 Replay Media Catcher
05/18/2008 09:58 PM <DIR> RESOUR~1.0 Resource Hacker 3.4.0
08/16/2005 07:58 PM <DIR> RGB
10/29/2007 06:26 PM <DIR> Rhapsody
04/11/2006 01:30 PM <DIR> RISEOF~1 Rise Of Nations - Thrones And Patriots
03/11/2008 04:17 PM <DIR> ROBSTE~1 Robster Productions
12/07/2005 05:20 PM <DIR> Sigmatel
10/12/2008 06:07 PM <DIR> SISOFT~1 SiSoftware
08/15/2008 11:07 AM <DIR> SMARTF~1 Smart FLV Converter
09/15/2007 09:23 AM <DIR> Sonic
07/24/2009 09:36 PM <DIR> SPYWAR~1 Spyware Doctor
05/18/2008 09:58 PM <DIR> Stardock
08/08/2009 03:00 PM <DIR> Steam
05/18/2008 10:07 PM <DIR> Styler
07/26/2009 04:53 PM <DIR> System Search Dispatcher
12/13/2008 05:27 PM <DIR> SYSTEM~1 SystemRequirementsLab
05/06/2002 02:28 PM <DIR> Textures
09/22/2007 04:34 PM <DIR> THQ
03/02/2008 03:07 PM <DIR> TRUCKD~1 Truck Dismount
07/25/2009 11:24 PM <DIR> Uniblue
07/28/2009 08:54 AM <DIR> Unlocker
09/07/2008 06:11 PM <DIR> uTorrent
03/05/2007 01:43 PM <DIR> Valve
06/20/2008 12:40 AM <DIR> Ventrilo
05/20/2009 06:51 AM <DIR> VEOHNE~1 Veoh Networks
10/25/2007 05:15 PM <DIR> VideoLAN
07/30/2009 07:23 PM <DIR> VIEWPO~1 Viewpoint
05/18/2008 10:07 PM <DIR> VISTAE~1.ORG VistaExperience.org
12/09/2005 08:59 PM <DIR> WILDTA~1 WildTangent
11/16/2006 02:42 PM <DIR> Winamp
06/13/2008 10:41 AM <DIR> WIFD1F~1 Windows Defender
12/25/2006 09:55 AM <DIR> WI81E8~1 Windows Live Toolbar
05/18/2008 10:00 PM <DIR> WI4DF6~1 Windows Media Connect 2
05/18/2008 10:00 PM <DIR> WINDOW~3 Windows Media Player
05/18/2008 09:44 PM <DIR> WINDOW~1 Windows NT
08/16/2005 03:37 AM <DIR> WINDOW~2 Windows Plus
05/18/2008 09:59 PM <DIR> WICC9F~1 Windows Sidebar
05/18/2008 09:44 PM <DIR> WinRAR
01/27/2007 10:56 AM <DIR> WinZip
08/10/2007 01:06 PM <DIR> Wizet
06/03/2009 02:25 PM <DIR> WORLDO~1 World of Warcraft
01/24/2009 10:10 AM <DIR> WOW-23~1.756 WoW-2.3.0.7561-enUS
08/16/2005 03:43 AM <DIR> xerox
09/09/2007 07:31 AM <DIR> Yahoo!
12/07/2005 05:25 PM <DIR> YOURCO~1 Your Company Name
06/13/2008 10:50 PM <DIR> Zune
01/14/2008 10:13 PM <DIR> (PROFE~1 Aiiaoiea oeiainu (professional)
1 File(s) 2,874,926 bytes
152 Dir(s) 24,616,960 bytes free


The first command didn't work in command prompt; however, I found the LOGIT text file anyway.

So . . . . It worked :)

I added something to my last post RE MBA-M. Try that.
If it doesn't run when you click on it, use the command prompt:

Type C:\PROGRA~1\MALWAR~1\zappa.exe ENTER


Renaming it to zappa.exe still causes it to crash while scanning, and Spyware Doctor won't connect to the internet/won't work at all.

Looks like reformatting is rearing its head in :[


Renaming it to zappa.exe still causes it to crash while scanning, and Spyware Doctor won't connect to the internet/won't work at all.

Looks like reformatting is rearing its head in :[

There are a few options I would like to try, but I have to get back to work and won't be back until Monday night at the earliest.
-- I'd like to try to get Safe Boot back as an option.
-- Also, I'd like to get a look at the files that have been added in the last 15 days or so.
I can probably put something together for you Monday night.
Or, maybe one of the other volunteers can jump in....

PP :)


There are a few options I would like to try, but I have to get back to work and won't be back until Monday night at the earliest.
-- I'd like to try to get Safe Boot back as an option.
-- Also, I'd like to get a look at the files that have been added in the last 15 days or so.
I can probably put something together for you Monday night.
Or, maybe one of the other volunteers can jump in....

PP :)

KK, I'm gonna look into getting safe booting back. I don't know anything about the files though.


Try the following for safe mode:
Download SafeBootKeyRepair.exe by sUBs and save it to your desktop.

Double-click SafeBootKeyRepair.exe to run it. Follow any prompts that may appear then post the log it produces.


Try the following for safe mode:
Download SafeBootKeyRepair.exe by sUBs and save it to your desktop.

Double-click SafeBootKeyRepair.exe to run it. Follow any prompts that may appear then post the log it produces.

There were no prompts/no log; the virus blocks .exe's, I think.


If you like, we can try this to have a better look at what is going on. This is an old tool that I wrote some time ago and if you can get it to run, it might help us see what we are missing.
This is a strictly "Run at your own risk" proposition:

Download PKBOO.zip and EXTRACT the PKBOO Folder to your C:\ Drive

Open a command prompt with Command.com

TYPE C:\PKBOO\PKBOO.bat ENTER

It should run for a few seconds and then pop up with a log. Please post that for us.

I will try to check back Monday Evening as time permits.

Best Luck :)
PP


I did 2 quick MBAM scans where I aborted and removed everything that was on there. I can now use .exe's, command prompt, etc. I'm doing a full MBAM scan now and will post results.

Ok, so most traces of it are gone. I still can't do a full MBAM scan (or a full quick one, for that matter) without blue screening. I also can't do a full spyware doc run without it blue screening as well. However, I did do an intelli scan on spyware doc and 2 quick scans on MBAM where I got rid of a bunch of different infections. I still get some popups, and svchasts.exe is still in the processes, so it didn't get fully removed.


Also, I couldn't get a PKBOO log file because it had trouble running; I did run HJT though.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:13 AM, on 8/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\csrss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\savedump.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\Explorer.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\svchasts.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS.0\Temp\_ex-08.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
c:\WINDOWS.0\system32\ZuneBusEnum.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS.0\system32\wbem\wmiprvse.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS.0\System32\alg.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Documents and Settings\A.N\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZUxdm486UIUS&ptb=2B6gJJ9AUkSknQyB0sBrtw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O3 - Toolbar: Desktop Smiley Toolbar - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - C:\Program Files\DoubleD\Desktop Smiley Toolbar\4.1.4.20920\stb0.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS.0\Temp\_ex-08.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS.0\svchasts.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.0\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5387 bytes


F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,

So sorry to be the bearer of bad news, but you have a nasty backdoor trojan with rootkit components.
This thing is far worse than Windows Police Pro - If you do any sort of online banking, there is a good chance your info has been compromised. Definitely check your banks, credit cards, etc. and change any passwords.

In cases such as this, I generally recommend a re-format because, even if we are able to clean the machine, you'll never be able to trust it......

PP :)

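
The triage PP does above by eye, written out as a small script. This is an added example, not from the thread or from HijackThis itself; the rules are my own heuristics (a clean Shell= is exactly Explorer.exe, a clean UserInit= is a lone userinit.exe, autoruns launching from Temp and unknown-owner services parked in the Windows root deserve a look), and the sample lines are copied from the log posted above.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not an HJT feature)."""
import re
from typing import Callable, Dict, List, Tuple

# Lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS.0\Temp\_ex-08.exe
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS.0\svchasts.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.0\system32\GameMon.des.exe (file missing)
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def check_shell(value: str) -> List[str]:
    # Anything after Explorer.exe is an extra program started with the shell.
    tokens = value.split()
    if len(tokens) == 1 and tokens[0].lower() == "explorer.exe":
        return []
    return [f"Shell= carries extra loader(s): {value}"]


def check_userinit(value: str) -> List[str]:
    # Normal value is one userinit.exe plus a trailing comma; any other entry is chained in.
    extras = [p.strip() for p in value.split(",") if p.strip() and basename(p) != "userinit.exe"]
    return [f"UserInit= chains extra program: {p}" for p in extras]


F2_CHECKS: Dict[str, Callable[[str], List[str]]] = {"Shell": check_shell, "UserInit": check_userinit}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, detail) findings for every line that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := F2_RE.match(line):
            findings += [("F2", d) for d in F2_CHECKS[m["key"]](m["value"])]
        elif m := O4_RE.match(line):
            if "\\temp\\" in m["cmd"].lower():  # persistence launched from a scratch folder
                findings.append(("O4", f"autorun [{m['name']}] runs from Temp: {m['cmd']}"))
        elif m := O23_RE.match(line):
            parts = m["path"].replace(" (file missing)", "").split("\\")
            # Unknown owner plus a binary directly in %SystemRoot% (not system32) is unusual.
            if m["owner"] == "Unknown owner" and len(parts) == 3 and parts[1].lower().startswith("windows"):
                findings.append(("O23", f"unknown-owner service binary in Windows root: {m['path']}"))
    return findings


if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {detail}")
```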

Well, that blows; I have a bunch of sensitive info as well as a bunch of online transactions; however, everything seems the same.

I'm going to change everything on another computer, and then re-format this one whenever I find the disk.

Thanks a lot for your help, and to everyone else who helped too.


Thanks a lot for your help, and to everyone else who helped too.

Happy to help :)

I may have been a bit premature in calling for you to format - I am finding that these infections tend to have all sorts of rootkit components.

If you like, we can try to clean it. But I still stand by my last post and the severity of the infection shown.

Be very careful putting things on another compy
- I'm not sure that is a good idea, given the nature of this baddie.


Are you able to get combofix to run as per the linky below?
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Try that and post a log, if possible.

PP :)


I already formatted (I pretty much needed to already; the computer was cluttered, blue screening very often, etc.). I backed up everything important, and this time I'm gonna keep everything secure. Right now, I'm just trying to set up my internet access (on my PC) since it seems to have been removed or something (I'm gonna go seek help on the appropriate board/forum).


All things considered, that is probably for the best because the rootkit on your machine is one of the nastier ones - I am not seeing it on the other machines with similar problems, so you very well may have picked that up some time ago.

Best Luck :)
PP
