PhilliePhan 171 Central Scrutinizer Team Colleague

I need to go out and buy a hard drive to back up my files before I do anything labeled as "proceed at your own risk". I'm going to do that as soon as I get out of class tomorrow. Just to scare me a little more...what exactly am I risking? I suppose it can't really get much worse than it already is.

Well . . . I always say that. I am doing ten things at once and it's always possible I can screw up a simple batch . . . Plus, it is not always a good idea to run something a stranger posts on the web . . .

Since you seem comfortable digging around the registry, you need to change this:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

To This:
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

Basically, you want to remove only the part in bold:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

My little batch should do that, but if you're more comfortable doing it manually, go for it!!

PP :)
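As an added illustration, not code from this thread or from PhilliePhan's KILLBAD tool: the post above is repairing a hijacked exefile association. Explorer and the Start > Run box launch a file by looking up its extension under HKEY_CLASSES_ROOT (.exe points to the exefile ProgID) and running that ProgID's shell\open\command, so prepending desote.exe there routes every .exe launch through the malware, while .com files (the comfile ProgID) and the 16-bit command.com are untouched. That is why the later suggestion in this thread to rename mbam.exe to zappa.com gets around the block, and why the posts ask for command.com rather than cmd.exe. The key to edit is exefile\shell\open\command; the runas\command key shown in the post carries the same stock default, "%1" %*. The Python below models that lookup with a constructed mini-registry, parses the .reg export lines the post quotes, reports the prepended loader, and emits the corrective .reg text. The registry snapshot, file names and function names are assumptions for the example.

```python
"""Model of the shell-association lookup behind the exefile hijack in this
thread. Added example code; the registry contents below are constructed."""
import re
from typing import Dict, Optional

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_COMMAND = '"%1" %*'   # stock default for exefile, comfile and batfile

# Constructed snapshot of the infected machine: key -> default ("@") value,
# already un-escaped (single backslashes, plain quotes).
INFECTED: Dict[str, str] = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\.com": "comfile",
    r"HKEY_CLASSES_ROOT\.bat": "batfile",
    EXEFILE_KEY: r'C:\WINDOWS\system32\desote.exe "%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": CLEAN_COMMAND,
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": CLEAN_COMMAND,
}

# The regedit export lines quoted in the post (constructed from them).
EXPORT_FROM_POST = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"
'''


def reg_unescape(s: str) -> str:
    # Undo regedit escaping: a backslash escapes the next character.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, str]:
    """Collect [key] / @=... default-value pairs from a regedit export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
            continue
        m = re.fullmatch(r'@="(.*)"', line)
        if m and key is not None:
            values[key] = reg_unescape(m.group(1))
    return values


def hijacked_loader(command: str) -> Optional[str]:
    """Return whatever was prepended to the clean template, or None if clean."""
    value = command.strip()
    if value == CLEAN_COMMAND:
        return None
    if value.endswith(CLEAN_COMMAND):
        return value[: -len(CLEAN_COMMAND)].strip()
    return value   # template replaced outright: report the whole thing


def open_command(registry: Dict[str, str], filename: str, args: str = "") -> str:
    """Build the command line ShellExecute("open") would run for filename."""
    ext = "." + filename.rsplit(".", 1)[-1].lower()
    progid = registry["HKEY_CLASSES_ROOT\\" + ext]
    template = registry["HKEY_CLASSES_ROOT\\" + progid + r"\shell\open\command"]
    return template.replace("%1", filename).replace("%*", args).rstrip()


def reg_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def fix_reg_text() -> str:
    """The .reg file that restores the stock exefile default."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[" + EXEFILE_KEY + "]\r\n"
            '@="' + reg_escape(CLEAN_COMMAND) + '"\r\n')


if __name__ == "__main__":
    found = parse_reg_export(EXPORT_FROM_POST)[EXEFILE_KEY]
    print("prepended loader:", hijacked_loader(found))
    print("mbam.exe would run as:", open_command(INFECTED, "mbam.exe"))
    print("zappa.com would run as:", open_command(INFECTED, "zappa.com"))
    print(fix_reg_text())
```

One caveat when checking a real machine: HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, and a per-user override wins, so an exefile hijack can live under HKCU even when the HKLM value looks clean.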

PhilliePhan 171 Central Scrutinizer Team Colleague

not sure what those files are.

should they be removed?

Lots of times parents like to spy on their kids . . . .


Please Download LSPFix and extract it from the ZIP.

-Please run LSPFix.

-Check the Box labeled "I know what I'm doing" and then click on the nmnsp.dll file (in the “Keep” section) to select it.

-Then, Select the >> button to move nmnsp.dll into the Remove section.

-Please do the same for cespy.dll.

-Now, click the Finish Button. When the Repair Summary box appears, click OK.

Do a fresh scan with HJT and post the log.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


Will post more tomorrow. thank you!

Happy to try to help :)

PhilliePhan 171 Central Scrutinizer Team Colleague


Other than that, everything seems to be working fine...hahaha.......... seriously though... What should I do next???

Thanks for the help

If you are feeling brave, you can try this, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip
and EXTRACT the KILLBAD folder to your C:\ Drive

Use a command prompt:

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

Or, you ought to be able to DoubleClick KILLBAD.bat

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

Then, try running MBA-M again.

You've already removed most of the baddies, but this may fix the registry - it's still a "work in Progress."

I'll try to check back as time permits - probably Tuesday Night...

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll

Do you know if there is a commercial Key-logger or spyware on this machine?

PhilliePhan 171 Central Scrutinizer Team Colleague

I have not yet tried to rename the mbam.exe yet, but does it seem like I might have to reformat? What things could happen if I were to run the killbad.zip? I feel like my drivers might have not been updated correctly. Steam had asked me a while back to update my drivers which was kinda weird. I did what Valve asked but it kinda screwed some stuff up. Do you think that might have to do with anything? I need to reformat anyways, I haven't in like 2 years so I feel it's time. Do you think that it might be best if I were to just do that instead of try to save my PC?

Well . . . If you are going to format anyway, there is probably no harm in trying the other options first.
Try renaming mbam.exe first.

Killbad probably won't do any harm.

Let us know how you want to proceed....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I have tried to run hijack this, sd fix, as well as Malwarebytes' Anti-Malware 1.40, but all to no avail.

What happens when you try to run the tools?

PP :)

jonknisely commented: great help; would highly recommend +1
PhilliePhan 171 Central Scrutinizer Team Colleague

What is your OS?

-- Rename mbam.exe to Zappa.com and try to run it. Any luck?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

New linky for KILLBAD.zip

KILLBAD.zip

You might be able to run it by navigating to C:\KILLBAD\KILLBAD.bat and DoubleClicking the .bat file - that ought to work.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried system restore, nada.
I double clicked the .bat.

OK - The problem with the KILLBAD was PhilliePhan Error!
Not a big error, though and the registry should have been fixed....

Try this one:

KILLBAD.zip

This one should pop up with the right log. Let's see what it says.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Hi Dave -

I am a bit stretched thin, so I find that I am missing things - I didn't even see where you said Firefox doesn't re-direct.....

-- Did you reboot after running MBA-M?

The item in the quote is part of a very nasty infection - I am not sure if MBA-M will get it.
Something like this compromises any online banking and credit card info - you might want to check your banking info and change any passwords (from a clean compy, of course).

-- If you are able, please try to run SDFix from the linky below and post the log:
http://www.bleepingcomputer.com/forums/topic131299.html

I'll try to check back as time permits. Hopefully some of the other volunteers will be back soon - I'm stretched a bit thin between real work and Forums.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Good god! This sucker is evil I tell you.

Something is not right - if notepad opened with a blank log. I'll have to have another look at the darn thing. I very easily could have made a mistake - doing ten things at once here.... :)

-- Did it run when you DoubleClicked the .bat file or did you use command.com for command prompt?
-- Are you comfortable digging around the registry? We need to change this:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

To This:
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

Basically, we want to remove only the part in bold:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

The thing is, I don't think regedit will run for you. The tool I wrote should have done this automatically - I need to re-check it.

It seems you've killed all the processes, so fixing the registry value ought to work, if we can do it....

Hang in there:)

-- Hey, did we try System Restore? That might be an option:
Open a command prompt with command.com

Type %systemroot%\system32\restore\rstrui.exe ENTER

See what happens.

I've got to cut out for a bit to get something to eat - Will try to check back tonight.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Dave,

Sorry - I got tied up....

I'd like to have a more thorough look at what is going on.
Please follow the directions in the linky below to run ComboFix and post the log for us.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I will try to check back as time permits.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

thanks - I will be at his house Tuesday night to try both of those.

Good luck!:)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If you are still having trouble, navigate to your C:\Program Files\Malwarebytes Folder.

Then, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN >Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

Then, try running MBA-M again.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,

So sorry to be the bearer of bad news, but you have a nasty backdoor trojan with rootkit components.
This thing is far worse than Windows Police Pro - If you do any sort of online banking, there is a good chance your info has been compromised. Definitely check your banks, credit cards, etc. and change any passwords.

In cases such as this, I generally recommend a re-format because, even if we are able to clean the machine, you'll never be able to trust it......

PP :)
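As an added example that is not part of the original post or of any tool linked in this thread: the two F2 lines above, together with the O10 Winsock LSP lines PhilliePhan quoted earlier, are the HijackThis entries worth scripting a check for. Winlogon's Userinit value is a comma-separated list that should contain only the system32 userinit.exe under the real system root, and Shell should be exactly Explorer.exe; a second entry on either is an extra program started at every logon. The Python below parses constructed HJT-style lines, resolves the Userinit path against the machine's actual system root (here C:\WINDOWS.0, so a non-default install directory is not itself flagged), and lists each unknown LSP DLL once even though HJT repeats it per protocol chain. The log text, the system-root value, the stock-LSP list and the function names are assumptions for the example.

```python
"""Triage of HijackThis F2 (Winlogon) and O10 (Winsock LSP) lines.
Added example code; the log lines and system root below are constructed."""
import re
from typing import List, Tuple

# On the machine in this thread Windows lives in C:\WINDOWS.0, so the
# expected userinit path must be built from the real system root rather
# than assumed to be C:\WINDOWS. In practice read os.environ["SystemRoot"].
SYSTEM_ROOT = r"C:\WINDOWS.0"

# Winsock LSP/NSP DLLs shipped with Windows XP. Names only; real triage
# should also confirm the path under system32 and the file signature.
STOCK_LSP_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Constructed from the entries quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")


def _norm(p: str) -> str:
    return p.strip().strip('"').lower()


def check_shell(value: str) -> List[str]:
    """Shell should be exactly Explorer.exe; return every extra token."""
    ok = {"explorer.exe", _norm(SYSTEM_ROOT + r"\explorer.exe")}
    return [tok for tok in value.split() if _norm(tok) not in ok]


def check_userinit(value: str) -> List[str]:
    """Userinit is comma-separated; only the system32 userinit.exe belongs there."""
    expected = _norm(SYSTEM_ROOT + r"\system32\userinit.exe")
    return [e.strip() for e in value.split(",") if e.strip() and _norm(e) != expected]


def is_unknown_lsp(path: str) -> bool:
    """True unless the DLL's base name is one of the stock Windows providers."""
    name = _norm(path).rsplit("\\", 1)[-1]
    return name not in STOCK_LSP_DLLS


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (category, item) findings, each reported once, in log order."""
    findings: List[Tuple[str, str]] = []
    for line in log.splitlines():
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            kind, value = m.groups()
            extras = check_shell(value) if kind == "Shell" else check_userinit(value)
            findings.extend((f"Winlogon {kind}", e) for e in extras)
            continue
        m = O10_RE.match(line)
        if m and is_unknown_lsp(m.group(1)):
            findings.append(("Winsock LSP", m.group(1).strip()))
    seen, unique = set(), []
    for f in findings:          # HJT repeats an LSP entry per protocol chain
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


if __name__ == "__main__":
    for category, item in triage(SAMPLE_LOG):
        print(f"{category:18} {item}")
```

The check is deliberately an allowlist: anything that is not the one expected Winlogon value, or not a stock LSP, is reported, so a renamed or newly dropped loader shows up without the script needing to know its name.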

Atecks commented: very helpful +1
PhilliePhan 171 Central Scrutinizer Team Colleague

Phillie, I can't rename mbam. See my last post.

KILLBAD won't run even when typed in as you posted. It lists many lines of Cannot find specified file...no log report. :(

Sorry - it didn't register.

Did you download the new KILLBAD I linked in my last post? It is a different tool - just used the same name.

You'll need to delete the old one first.

-- What happens when you navigate to the new C:\KILLBAD folder and DoubleClick on KILLBAD.bat?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

We may have a doorstop if I can't work out a way to reassociate EXE files to work, as I can't find the original XP CD on this box.

If you are able to get MBA-M onto the machine, try this:
First, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN >Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

I will check back as time permits, though I do not know when that will be.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I have the exact same problem!

Please start your own thread.

Thanks :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am not sure that you have the same infection as the others. Sounds like you have a bigger mess going on....

If you are able to install MBA-M, try this:

First, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN >Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

-- I gotta say, though, it sounds like you have a larger issue at play and I am not sure this would be the best idea...

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried renaming mbam in normal and safe mode and I get the Access Denied error message.

Phillie, when I'm using cmd to run KILLBAD, I can't get rid of C:\Documents and Settings\Username\_

I can't backspace to get rid of it and when I hit enter it's still like that instead of C:_
I'm assuming that is why I can't get KILLBAD to run properly.

*continues to pull hair out*

That shouldn't be an issue - type cd c:\ enter to change it back. That doesn't matter when you type the whole path to the tool...

Let's try this:

First, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN >Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

Then, try running MBA-M again.

I'll try to check back as time permits.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Renaming it in that way had no effect for me. Same problem - I get the Open With box. Anyone else have ideas? I'm desperate.

First, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN >Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

Then, try running MBA-M again.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Dave,

Try this:
Please download GooredFix
http://downloads.securitycadets.com/GooredFix.exe

* Double-click GooredFix.exe to run it.
* Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
* A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Sisaly,

Here is a fix you can try. Again, it is a "Use at your own Risk!" proposition:

-- Download the attached KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive.

Use command.com to get a command prompt

TYPE C:\KILLBAD\KILLBAD.bat ENTER

It should run quickly.


-- Now, try to run MBA-M.

Let me know if you run into any problems.

*** To any others reading this post: This fix was specifically made for Sisaly. IT MAY OR MAY NOT WORK FOR YOU. IT MAY RESTORE SOME FUNCTION TO YOUR COMPY, BUT YOU RUN IT AT YOUR OWN RISK.....
'Course your compy's pretty borked already, or you wouldn't be reading this . . . . .


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I apologize for the length of that sucker! I never got around to fixing that.....

There is a good deal of malware showing that we can remove. I am sure crunchie and the other volunteers can see it and can show you what needs to be deleted.

I will definitely be gone until Monday Night EST, but will check back then.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If you like, we can try this to have a better look at what is going on. This is an old tool that I wrote some time ago and if you can get it to run, it might help us see what we are missing.
This is a strictly "Run at your own risk" proposition:

Download PKBOO.zip and EXTRACT the PKBOO Folder to your C:\ Drive

Open a command prompt with Command.com

TYPE C:\PKBOO\PKBOO.bat ENTER

It should run for a few seconds and then pop up with a log. Please post that for us.

I will try to check back Monday Evening as time permits.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If you like, this is an old tool that I wrote some time ago and if you can get it to run, may give us a better picture of what is going on.
This is a strictly "Run at your own risk" proposition:

Download PKBOO.zip and EXTRACT the PKBOO Folder to your C:\ Drive

Open a command prompt with Command.com

TYPE C:\PKBOO\PKBOO.bat ENTER

It should run for a few seconds and then pop up with a log. Please post that for us.

I will try to check back Monday Evening as time permits.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

renaming it to zappa.exe still causes it to crash while scanning and Spyware Doctor won't connect to the internet/won't work at all

Looks like reformatting is rearing its head in :[

There are a few options I would like to try, but I have to get back to work and won't be back until Monday night at the earliest.
-- I'd like to try to get Safe Boot back as an option.
-- Also, I'd like to get a look at the files that have been added in the last 15 days or so.
I can probably put something together for you Monday night.
Or, maybe one of the other volunteers can jump in....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am having the same problem and can't run anything.

To ALL posters with similar problem: PLEASE START A NEW THREAD for your problem.

It makes things much easier for the volunteers.

Thanks :)
PP

R1pperZ commented: Great advice; having suffered from this very virus, I know how frustrating it can be. +1
PhilliePhan 171 Central Scrutinizer Team Colleague

The first command didn't work in command prompt, however I found the LOGIT text file anyway.

So . . . . It worked :)

I added something to my last post RE MBA-M. Try that.
If it doesn't run when you click on it, use the command prompt:

Type C:\PROGRA~1\MALWAR~1\zappa.exe ENTER

PhilliePhan 171 Central Scrutinizer Team Colleague

Do I type In C:\C:\ or is one of those just a mistake? Also, how can I find the spyware doc entry?

Sorry! TYPO!

Do this:
Command Prompt

TYPE DIR /x "C:\PROGRA~1" >> C:\LOGIT.txt ENTER

Navigate to C:\LOGIT.txt and post that for me.


Also Go into Program Files and the MalwareBytes folder and rename mbam.exe to zappa.exe. I don't think we tried that.....
DoubleClick it and see if it runs.

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's the Quick Scan version...

You didn't have it remove the baddies . . .

Try another Full Scan and make sure that everything is checked, and click Remove Selected.

Then post us the new log plus a fresh HJT.

PP :)

EDIT: Normal Windows boot is what we want. Yes, you definitely want to remove the baddies ;)

PhilliePhan 171 Central Scrutinizer Team Colleague

crunchie... that's random! But it's working... Results in a few

Great!
Is this Safe Mode?
Ideally, we'd like a Full Scan in Normal Windows boot.

If Safe Mode, let it run and we'll go from there once the scan wraps up.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't know the command for SD, nor do I know how to access aborted MBA-M logs. The logs I see right now don't have any of the recent ones, just past scans from weeks ago

Ok.
Let's try Spyware Doctor.

Command prompt
Type C:\C:\PROGRA~1\DIR /x ENTER

Find the Spyware Doctor entry. Will probably look like SPYWAR~1 or similar.

Then, Type C:\PROGRA~1\XXXXXX~1\DIR /x ENTER and find what the executable is and let me know - XXXXXX~1 is whatever you found previously.

PhilliePhan 171 Central Scrutinizer Team Colleague

Give it a try in Safe mode.
Also, try re-naming mbam.exe to crunchie.exe and see if it runs.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I also have spyware doctor, maybe it can scan/clean up?

You could try that - do you know the executable for SD? Bearing in mind that this is command.com.

-- Can you get me the log(s) from the aborted MBA-M runs?

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow, it worked, and I hit quick scan, and already found 7 infected objects. Hoping it works:)

Great! Good job :)

Make sure to have MBA-M remove all it finds and post the log - you may be instructed to run it again if the defs are not up to date. Plus, you'll want to do a "Full Scan" next time.

If I am not around, I'm sure another volunteer will be happy to assist you further.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yes, its in program files and my system drive is C:\

Using your command prompt:

Type C:\PROGRA~1\MALWAR~1\mbam.exe ENTER

See if that works.

PhilliePhan 171 Central Scrutinizer Team Colleague

malware bytes anti malware? Yes, and no I don't know how to run it in command prompt

Is it installed in Program Files (it should be)?

Is your system drive C:\ or different?

PhilliePhan 171 Central Scrutinizer Team Colleague

No bolded days on the calendar, and no restore points available:(

I also have no windows CD on hand, one of my friends has it. Recovery partition as in another HD? Don't have it

I was afraid of that....

You have MBA-M installed, right? Do you know how to run it via command prompt?

PhilliePhan 171 Central Scrutinizer Team Colleague

System Restore pops up. Should I restore my computer to an earlier time?

YES - Preferably to a point long before your issues started.

Then, see if you can Update and Run MBA-M. Have it remove what it finds and post back here with the scanlog.

-- Let us know if you run into problems.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

But I've seen these kinds of issues before, and there the system restore doesn't work... that's why I gave the option for a system reformat...

Let us try a few options before resorting to this.

BTW - did you ask the poster if they have a copy of Windows or a recovery partition?

PhilliePhan 171 Central Scrutinizer Team Colleague

-- Open a command prompt with command.com

Type %systemroot%\system32\restore\rstrui.exe ENTER

What happens?

PhilliePhan 171 Central Scrutinizer Team Colleague

Is this like reformating where it deletes all the files, or is it a settings change, and how do I go about doing it?

That is the "Last Resort," and certainly not called for at this time.
You will lose any data that is not backed up......

-- Are you able to access System Restore?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, does anyone know why I'm getting those "your windows is not genuine" messages? . . . .
But my Vista Business is genuine! I got it pre-installed when I bought my Toshiba Satellite Pro A200! I have that little sticker on the bottom that says it's genuine

-- Do you have a Windows disc?
-- Do you have a Product Key for your copy of windows and what does it look like? (don't post the contents, just appearance) Is it that sticker you mentioned? If so, what does it look like?

Often, unscrupulous retailers will install the same copy of Windows onto multiple machines in an effort to cut corners and make extra profit. I am not saying that this has happened to you, but I did see this a lot when M$ introduced Genuine Validation.

Best Luck to you :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Dave,

Please run MBA-M as per this linky and then post the log:

http://www.daniweb.com/forums/thread134865.html

PP:)

Dave29 commented: Did a great job in helping me resolve my issue!! +1
PhilliePhan 171 Central Scrutinizer Team Colleague

BTW: using Winkey+R and running MSConfig - Windows Config should allow you to disable most start-up processes, but sometimes the 3rd party utility will pull the more tricky buggers

LOL!
Hey KL, that's an argument I'm NOT going to have with you ;)

Suffice it to say that I believe that msconfig is for "diagnostic" startup rather than as a "startup manager." Frankly, HJT is a better startup manager. And I'm sure Judy will have her say . . . LOL!


@Kevin - Happy to see things are looking good :)

PP

Kevin392 commented: Very helpful as we worked through the problem. +5