Trojan Win32 Pakes cdw [RESOLVED]



#16 Curtis Mayfield (Topic Starter, Member, 33 posts)
OT log -


C:\WINDOWS\Fonts\cenobyte.zip moved successfully.
C:\WINDOWS\Fonts\Horrorfind_Fonts.zip moved successfully.
File/Folder C:\WINDOWS\system32\colbact.exe not found.
File/Folder C:\WINDOWS\pss\Update_0711_KB060653.exe not found.
C:\New Folder\syspfpb.exe moved successfully.
C:\Program Files\HijackThis\backups moved successfully.

OTMoveIt2 v1.0.20 log created on 02232008_164658



HJThis log -


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:04 PM, on 2/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\Common\FSLAUNCH.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 4358 bytes


Now I'll attempt the disk cleanup process.
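Reading a HijackThis log by hand, as the helper does in this thread, comes down to a few repeatable checks: entries marked "(file missing)" are orphaned left-overs that should be cleaned out, a file named like a system binary (svchost.exe, lsass.exe) that sits outside its normal directory is the classic look-alike, and programs started from odd places (a user profile, a loose "New Folder") are the first things a helper asks about. Below is an added Python example, not part of this thread or of HijackThis, that applies those three checks to the running-process list and the O-entries of a log. The canonical directories, the expected install prefixes, and the sample lines labelled as constructed are assumptions made for the example; the other sample lines are copied from the log posted above.

```python
import re
from typing import NamedTuple, Optional

# Canonical directory of well-known Windows binaries (Windows XP layout, as on the
# machine in this thread; assumption for this example). A file carrying one of these
# names anywhere else is the classic look-alike pattern and deserves a closer look.
CANONICAL_DIRS = {
    "smss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "spoolsv.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Where installed software is expected to live (assumption). Anything started from
# elsewhere is not automatically bad, but it is what a helper wants explained first.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# "O4 - HKLM\..\Run: [...] path"  ->  section code and the rest of the line
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Either a quoted path, or a bare path up to its executable extension.
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|cab|scr|com))(?=\s|$)',
    re.IGNORECASE,
)


class Finding(NamedTuple):
    section: str   # HJT section code, or "PROC" for the running-process list
    path: str
    reason: str


def extract_path(body: str) -> Optional[str]:
    """Return the first file path in an HJT entry body, or None if there is none."""
    m = PATH_RE.search(body)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(log_text: str) -> list:
    """Apply three manual-review rules to every line of an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            section, body = m.group(1), m.group(2)
        elif re.match(r"^[A-Za-z]:\\", line):      # bare path under "Running processes:"
            section, body = "PROC", line
        else:
            continue                                # header, blank, or URL-only entry
        path = extract_path(body)
        if path is None:
            continue
        low = path.lower()
        directory, _, name = low.rpartition("\\")
        # Rule 1: HJT marks entries whose target no longer exists; they are left-overs
        # from removed software or a partial clean-up and should be cleaned out.
        if "(file missing)" in body.lower():
            findings.append(Finding(section, path, "orphaned entry: target file missing"))
        # Rule 2: a system binary name outside its canonical directory.
        if name in CANONICAL_DIRS and directory != CANONICAL_DIRS[name]:
            findings.append(Finding(section, path,
                                    f"system binary name outside {CANONICAL_DIRS[name]}"))
        # Rule 3: an executable started from outside Windows / Program Files.
        elif not low.startswith(EXPECTED_PREFIXES):
            findings.append(Finding(section, path, "executable outside Windows/Program Files"))
    return findings


# Constructed sample: most lines are copied from the log above; the svchost.exe copy
# in "New Folder" and the win.exe Run entry are made up for the example, modelled on
# the files Malwarebytes later found on this machine.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe
C:\New Folder\svchost.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [win] C:\Documents and Settings\user\win.exe
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:5} {f.reason:45} {f.path}")
```

Run against the sample it reports four items: the svchost.exe copy, the win.exe entry started from a user profile, and the two orphaned "(file missing)" entries. Everything else in the sample, including MSConfig.exe and the tablet service, passes all three rules, which is the point: the rules narrow the list to what needs a human decision rather than making it.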

#17 Curtis Mayfield (Topic Starter, Member, 33 posts)
The disk cleanup process still doesn't seem to be working. I get a window that says........


Disk Cleanup is calculating how much space you will be able to free on[C:] This may take a few minutes to complete.
Calculating...
Scanning: Compress old files



......... but nothing seems to happen.

#18 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Ok.
Maybe it can be fixed after you apply Service Pack 2.

Question.
The entry in the Kaspersky log, C:\WINDOWS\system32\colbact: did it have a file name behind it, such as .exe, or was it just a folder?

#19 Curtis Mayfield (Topic Starter, Member, 33 posts)

> Ok.
> Maybe it can be fixed after you apply Service Pack 2.
>
> Question.
> The entry in the Kaspersky log, C:\WINDOWS\system32\colbact: did it have a file name behind it, such as .exe, or was it just a folder?



The colbact entry doesn't have a file name behind it and it's not a folder. I went to system32 and checked the properties of the file and it's listed as just a file, unknown application. It's named as follows: colbact(3
There is no extension.




As for applying SP2, every time I've tried upgrading in the past, I would get a lot of problems with my computer running erratically, so I gave up on it.

Also, I noticed a new application file on my computer in the Windows folder named CPU. It was created on 02 22 08. I don't recall downloading/installing this. Any ideas about it? My computer has been running very slow since yesterday.

#20 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Okay, copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\CPU* /a > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here.

#21 Curtis Mayfield (Topic Starter, Member, 33 posts)
Volume in drive C has no label.
Volume Serial Number is C8E8-69C0

Directory of C:\WINDOWS


Directory of C:\Documents and Settings\brent\Desktop

#22 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Can you go to that folder and see what is in it?
Post the file names if any please.

#23 Curtis Mayfield (Topic Starter, Member, 33 posts)
Do you mean the folder where the CPU file is located?

That would be C:\WINDOWS\cpu.exe


Or do you mean the Directory of C:\Documents and Settings\brent\Desktop? That would be everything that's on my desktop. I can post the names of these files, but that may take a while because I have a lot of crap on my desktop. I will post it if this is what you need.

#24 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Sorry, I misread what you were saying; I thought that you said there was a folder named cpu. I see now that it is a file.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\cpu.exe
    C:\WINDOWS\system32\colbact(3
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Post those results and then do the following
========================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#25 Curtis Mayfield (Topic Starter, Member, 33 posts)
The OTMoveit log -


C:\WINDOWS\cpu.exe moved successfully.
File/Folder C:\WINDOWS\system32\colbact(3 not found.

OTMoveIt2 v1.0.20 log created on 02252008_015632


........................................


The Malwarebytes log -


Malwarebytes' Anti-Malware 1.05
Database version: 403

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 202523
Time elapsed: 1 hour(s), 59 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\New Folder\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\New Folder\svchost2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\svchost.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\svchost2.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\qda.0xe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP1\A0000005.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP1\A0000006.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP3\A0001438.0XE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comctl32h.dll (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\devmgrm.dll (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dispexv.dll (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_164658\New Folder\syspfpb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\brent\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



WOW !!! My computer was sick!!

Do I need to delete these items from quarantine?

Edited by Curtis Mayfield, 25 February 2008 - 03:54 AM.

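The Malwarebytes log above mixes detections that sat on the live system with copies held in System Restore points and in other tools' quarantine folders (QooBox from ComboFix, _OTMoveIt\MovedFiles from OTMoveIt). Sorting them by location puts the "my computer was sick" reaction in proportion: eight items were live on the machine, the other seven were dormant copies that had already been contained and were only re-flagged where they were stored. This Python example is added here and is not part of the thread or of Malwarebytes; the location classes and directory rules are assumptions made for the example, and the sample log is copied from the post above.

```python
import re
from collections import Counter
from typing import NamedTuple

# One MBAM detection line: "<path> (<family>) -> <action>."
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)


class Detection(NamedTuple):
    path: str
    family: str
    action: str
    location: str


def classify_location(path: str) -> str:
    """Say where on the disk a detection sat, which decides how much it mattered.
    The classes and the directory rules are assumptions for this example."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        # A copy kept by System Restore: dormant, but it would come back on a restore,
        # which is why helpers clean restore points at the end of a job.
        return "restore-point copy"
    if "\\qoobox\\quarantine\\" in low or "\\_otmoveit\\movedfiles\\" in low:
        # Already neutralised by ComboFix or OTMoveIt; MBAM is re-flagging the stored copy.
        return "already quarantined by another tool"
    if low.startswith("c:\\windows\\system32\\"):
        return "live: system32"
    if low.startswith("c:\\windows\\"):
        return "live: windows"
    if low.startswith("c:\\documents and settings\\"):
        return "live: user profile"
    return "live: other"


def parse_mbam_log(text: str) -> list:
    """Pull every detection line out of an MBAM log, ignoring headers and counts."""
    out = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["family"], m["action"],
                                 classify_location(m["path"])))
    return out


def summarise(detections) -> Counter:
    """Count detections per location class."""
    return Counter(d.location for d in detections)


def live_detections(detections) -> list:
    """Detections that were actually in place on the running system."""
    return [d for d in detections if d.location.startswith("live:")]


# Sample log: the detection section of the log posted above, copied verbatim.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.05
Database version: 403

Folders Infected: 1
Files Infected: 14

Folders Infected:
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\New Folder\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\New Folder\svchost2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\svchost.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\svchost2.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\qda.0xe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP1\A0000005.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP1\A0000006.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP3\A0001438.0XE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comctl32h.dll (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\devmgrm.dll (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dispexv.dll (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_164658\New Folder\syspfpb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\brent\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for location, n in sorted(summarise(dets).items()):
        print(f"{n:3}  {location}")
    print(f"{len(live_detections(dets))} of {len(dets)} detections were live on the system")
```

The split is useful when reading any scanner log, not just this one: a long list of hits dominated by restore-point and quarantine paths means earlier clean-up worked and what remains is housekeeping, whereas hits under system32 and the user profile are the ones that show the machine was still carrying active components.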

#26 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please go ahead and delete this file, colbact(3, as OTMoveIt did not see it.
=====================================================
Go Here and download CCleaner.
Double click on it to install it.
Click on your language then Next then I agree then next again.
When you come to the Installation options window (the next window after clicking next)
Uncheck all but Create a Desktop Shortcut.
Then Click on Install.

After it is installed double click on the icon on your desktop to run it.
Choose Run Cleaner then yes at the prompt to permanently delete files.
It may take a while so let it finish.

After that Click on the icon to the left called Registry
Then click on scan for issues.
Then click on Fix selected issues.
And then yes to making a backup.
It will save it in your MY Documents Folder.
Then Click on Fix all selected issues and yes that you really want to do it.
After that is done then exit out of CCleaner.

You can uninstall it if you want to but I would keep it as this will replace disk cleanup and it does a better job.
========================================
After that, let me know how things are running.

#27 Curtis Mayfield (Topic Starter, Member, 33 posts)
Sorry it took so long for me to re-post. My online service has been down.

Deleted the colbact file.

Ran the CCleaner. The computer is running smoother.
My CPU fan stopped working a couple of weeks back, so it's still a little slow from that, but I've noticed a considerable improvement since you've helped me with the malware.

My defrag doesn't work either. Does this program, available here:
http://www.filehippo...oad_defraggler/
work well in place of the Windows defrag?

#28 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Never tried it but it is worth a shot :)

We still have a bit to clean up on what we used and then you will be on your way :)
======================================================
Uninstall Malwarebytes' Anti-Malware (doing this will remove the quarantine as well).

then Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK



The above procedure will delete and do the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete/uninstall anything that we used that is left over.
=============================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here

Edited by kahdah, 27 February 2008 - 07:17 PM.


#29 Curtis Mayfield (Topic Starter, Member, 33 posts)
Well, I performed the ComboFix procedure and removed the tools used, except for the CCleaner. I also liked the Malwarebytes program, although I deleted it. I may have to download it again in the future, to check for hard-to-find viruses.

Thanks a lot for the help. :)

#30 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
