is not a valid Win 32 application [RESOLVED]



#1 Curtis Mayfield (Member, 33 posts)
Nearly every program I try to run gets the following error: "[i.e. whatever program I'm trying to run] is not a valid Win32 application".

Can't run HJT because of this problem, and my Embarq online security has all but disappeared. Ran the online Kaspersky scan and it found 5 viruses that had already been renamed by Embarq security. I manually deleted these.

Can't run ComboFix either. Not even in safe mode.

I have XP SP1. I've never been able to upgrade to SP2. Every time I tried, my computer messed up and ran like crap. So I gave up on that.


Before the problem started, my Embarq Security detected a couple of viruses while I was online and SUPPOSEDLY took care of 'em. When I rebooted is when the problem started.

I've run a search here at G2Go for this same problem and read the posts. Looks like it could be a pain in the butt of a problem.

Tried running msconfig from the run box and the same message appears. Can't even run programs like Audacity and stuff like that.
#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let's try this then. First, delete your current copy of ComboFix and then read the following instructions carefully before downloading.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshots of the rename step omitted]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3 Curtis Mayfield (Topic Starter, Member, 33 posts)
Followed your instructions, but when I click on Combo-Fix I get the message "Combo-Fix.exe is not a valid Win32 application".

Also the same type message when I try to run HijackThis.

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, redownload ComboFix but this time name it gotcha (the malware writers may have cottoned on to the hyphenated name).

If that should fail

THEN

Please Download Avast Rootkit Cleaner to your desktop

Close all running programmes

Run the ASWAR file and select Scan Now



On completion of the scan you will then have this screen up



Now close the programme; on the desktop will be a text file called ASWAR. Please post that. Do not fix anything yet.

The programme will take from 3 to 5 minutes to run.

#5 Curtis Mayfield (Topic Starter, Member, 33 posts)
Redownloaded ComboFix and renamed it as gotcha. Still can't run it and getting the same message.
The same with the Avast Rootkit Cleaner. They both downloaded fine but I can't run either.

FYI, I am currently running in Safe mode.

#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, this sounds like the latest Bagle.

Let's try Silent Runners and see if I can locate and stop the main file. It is probably srosa/hddlr. I imagine that Task Manager is unavailable as well.


Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#7 Curtis Mayfield (Topic Starter, Member, 33 posts)
Interestingly, Task Manager does work, although I didn't see the file you mentioned in the processes.

I keep getting this below when I run Silent Runners.


"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

FATAL ERROR!
------------

"Silent Runners" cannot use WMI to identify the operating system.
This is caused by corruption of the WMI installation.

WMI is complex and it is recommended that you use a Microsoft
tool, "WMIDiag.vbs," to diagnose WMI on your system.

It can be downloaded here:

http://go.microsoft....k/?LinkId=62562

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, I am off to look for another tool to use on this. Unfortunately this malware has a list of programmes that it will block. I need to find one not on that list.

#9 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Could you try to run this programme in safe mode.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - Reg - MountPoints2
    • Reg - File - Lop Check
    • Reg - Approved Shell Extensions
    • Reg - BotCheck
    • Reg - File Associations
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on it to insert the attachment into your post


#10 Curtis Mayfield (Topic Starter, Member, 33 posts)
I could not run it, or any type of application at first. Anything with an .exe extension could not be run. The error message would always appear. Apparently the malware caused this to occur. But I have fixed that problem.
I got curious and went to "Folder Options" under "Tools", went to "File Types", and there was no EXE listed under "Registered file types". So I went to "New" and made an EXE extension for "Application". And it worked. I can run everything again. The malware must have removed the EXE extension from the list, if that's possible.

My Embarq Online Security is back up and running also. I have not run a scan with it yet.

I ran ComboFix and HJT and will post those logs for you to study, before doing anything else.

One more thing that I noticed that may not mean anything. When I ran HijackThis, in the folder window, another icon briefly appeared, then quickly disappeared. I've never noticed this before. The icon was labeled dummy~ What does this mean?




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:13 PM, on 5/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\ih8.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\ih8run.exe
C:\Program Files\EMBARQ Online Security\FSAUA\content\70Hotfix_PSC7MF5\7\bin\ih8run.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 4891 bytes









ComboFix 08-05-01.3 - Administrator 2008-05-06 20:37:22.12 - NTFSx86 MINIMAL

Running from: C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\gotcha.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-06 01:03 . 2008-05-06 01:03 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-06 01:03 . 2008-05-06 01:04 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 00:58 . 2008-05-05 02:18 5,120 --a------ C:\WINDOWS\system32\FTP34.0LL
2008-05-02 22:11 . 2008-05-02 22:57 <DIR> d-------- C:\Program Files\vixy.net
2008-05-02 21:34 . 2008-05-02 21:34 <DIR> d-------- C:\Documents and Settings\brent\Application Data\AVS4YOU
2008-05-02 21:33 . 2008-05-02 21:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-02 21:29 . 2008-05-02 21:41 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-02 21:29 . 2008-05-02 21:41 <DIR> d-------- C:\Program Files\AVS4YOU
2008-05-02 20:53 . 2008-05-02 20:53 <DIR> d-------- C:\Program Files\Freecorder
2008-05-02 20:53 . 2008-05-02 20:53 <DIR> d-------- C:\Program Files\Conduit
2008-05-02 20:52 . 2008-05-02 20:52 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2008-05-02 20:52 . 2008-05-02 20:52 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2008-05-02 20:51 . 2008-05-02 20:51 2,725,048 --a------ C:\Program Files\FLV PlayerFCSetup.exe
2008-05-02 20:48 . 2008-05-02 20:48 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-05-02 20:47 . 2008-05-02 20:49 <DIR> d-------- C:\Program Files\Replay Media Catcher
2008-05-02 20:46 . 2008-05-02 20:47 4,500,672 --a------ C:\Program Files\FLV PlayerRCATSetup.exe
2008-05-02 20:42 . 2008-05-02 20:46 <DIR> d-------- C:\Documents and Settings\brent\Application Data\GetRightToGo
2008-05-02 20:42 . 2008-05-02 20:42 411,248 --a------ C:\Program Files\FLV PlayerRCSetup.exe
2008-05-02 20:41 . 2008-05-02 20:41 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-05-02 20:41 . 2008-05-02 20:41 <DIR> d-------- C:\Program Files\FLV Player
2008-05-02 20:00 . 2008-05-03 04:17 <DIR> d-------- C:\Documents and Settings\brent\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 22:52 --------- d-----w C:\Program Files\Full Tilt Poker
2008-04-29 23:19 --------- d-----w C:\Program Files\HJT
2008-04-12 01:55 --------- d-----w C:\Documents and Settings\B\Application Data\IMVU
2008-04-11 22:17 --------- d-----w C:\Documents and Settings\Jenny\Application Data\IMVU
2008-04-11 19:31 --------- d-----w C:\Program Files\IMVU
2008-04-10 15:02 --------- d-----w C:\Program Files\CCleaner
2008-04-01 06:13 --------- d-----w C:\Program Files\New Folder
2008-03-30 00:09 --------- d-----w C:\Program Files\EMBARQ Online Security
2008-03-29 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2008-03-29 08:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-29 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 07:26 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2008-03-15 01:43 1,044,480 ----a-w C:\WINDOWS\system32\Roboex32.dll
2008-03-15 01:43 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-03-13 12:38 --------- d-----w C:\Documents and Settings\brent\Application Data\Media Player Classic
2008-03-13 08:36 --------- d-----w C:\Program Files\MediaMonkey
2008-03-13 08:19 --------- d-----w C:\Program Files\CDex_170b2
2008-03-07 03:26 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-24 01:08 2,855 ----a-w C:\WINDOWS\cpu.PIF
2008-02-23 21:55 61,440 ----a-w C:\WINDOWS\system32\cleanmgr.exe
2007-02-11 10:24 26,344,024 ----a-w C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-01-10 08:48 1,025,312 ----a-w C:\Program Files\AOEPATCH.exe
2004-10-13 17:17 40,662 ----a-w C:\Program Files\readermain.htm
2007-03-25 00:00 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat
2006-05-22 18:16 11,592 --sha-w C:\WINDOWS\system32\ospcont.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-04-16 11:06 1524760 --a------ C:\Program Files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "C:\Program Files\Freecorder\tbFree.dll" [2008-04-16 11:06 1524760]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe" [2007-03-23 16:59 190696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-11-01 06:42 182936]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-11-01 06:42 739936]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2002-09-03 11:44 145408]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [ ]
"autoload"="C:\Documents and Settings\LocalService\cftmon.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [ ]
"autoload"="C:\Documents and Settings\LocalService\cftmon.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 18:10:05 217088]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.IV41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update_0711_KB060653.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Update_0711_KB060653.exe
backup=C:\WINDOWS\pss\Update_0711_KB060653.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-06-15 10:36 61440 C:\Program Files\instant messenger\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
--a------ 2003-12-08 14:51 733184 C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-17 02:31 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)
"wuauservuploadmgr"=2 (0x2)
"iPodService"=3 (0x3)
"cmdService"=2 (0x2)
"VundoFixSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)


.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 05:00:07 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\EMBARQ~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\EMBARQ~1\ANTI-V~1\report.txt
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-05-04 22:00:03 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-01 08:01:31 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 20:46:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet006\Services\gylxqlxd]
"ImagePath"="system32\drivers\zkcdjxxw.dat"
.
Completion time: 2008-05-06 20:57:00
ComboFix-quarantined-files.txt 2008-05-07 01:56:43

Pre-Run: 5,621,399,552 bytes free
Post-Run: 5,711,073,280 bytes free

155
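The two Run-key lines in the ComboFix log above that a helper would pick out by eye are "ntuser" (spools.exe in the drivers folder) and "autoload" (cftmon.exe under the LocalService profile), both printed with an empty "[ ]" where ComboFix normally shows a date and size. The script below is an added example, not ComboFix's or the forum's code: it parses the REGEDIT4-style "Reg Loading Points" section and flags entries whose file ComboFix could not read, that run from a user profile, or whose file name is within two edits of a well-known Windows binary (spools.exe vs spoolsv.exe, cftmon.exe vs ctfmon.exe). The sample lines are copied from the post; reading an empty "[ ]" as "file unreadable" and the short list of known binaries are assumptions, not something the log documents.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log for suspicious
autostart entries. Added example, not ComboFix or forum code."""
import re
from typing import Dict, List

# Constructed sample: Run-key lines copied from the ComboFix log posted above.
# ComboFix prints "[date time size]" after each path; an empty "[ ]" is taken
# here to mean it could not read the file (an assumption about the format).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-11-01 06:42 182936]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2002-09-03 11:44 145408]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [ ]
"autoload"="C:\Documents and Settings\LocalService\cftmon.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [ ]
'''

# Well-known XP binaries that malware likes to imitate, with the directory
# each one legitimately lives in (assumed list, extend as needed).
KNOWN_BINARIES = {
    "spoolsv.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; file names are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flags_for(path: str, meta: str) -> List[str]:
    """Heuristics for one autostart value; an empty list means nothing odd."""
    flags = []
    if not meta.strip():
        flags.append("file_unreadable")            # ComboFix printed "[ ]"
    low = path.lower()
    directory, base = low.rsplit("\\", 1) if "\\" in low else ("", low)
    if directory.startswith(r"c:\documents and settings"):
        flags.append("runs_from_user_profile")     # not where system binaries live
    for legit, legit_dir in KNOWN_BINARIES.items():
        dist = edit_distance(base, legit)
        if dist == 0 and directory != legit_dir:
            flags.append(f"legit_name_wrong_dir:{legit}")
        elif 0 < dist <= 2:
            flags.append(f"lookalike_of:{legit}")  # spools.exe, cftmon.exe
    return flags


def triage(log_text: str) -> List[Dict[str, object]]:
    """Walk the REGEDIT4-style section and return one record per value."""
    records, current_key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key")
            continue
        val = VALUE_RE.match(line)
        if val and current_key:
            records.append({
                "key": current_key,
                "name": val.group("name"),
                "path": val.group("path"),
                "flags": flags_for(val.group("path"), val.group("meta")),
            })
    return records


def suspicious_paths(log_text: str) -> List[str]:
    """Distinct flagged paths, in order of first appearance."""
    seen: List[str] = []
    for rec in triage(log_text):
        if rec["flags"] and rec["path"] not in seen:
            seen.append(rec["path"])
    return seen


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        if rec["flags"]:
            print(f"{rec['key']}\\{rec['name']} -> {rec['path']}  {rec['flags']}")
```

Run against a full ComboFix log the same regexes pick up the Run, RunOnce and startupreg sections, since they all use the `"name"="path" [meta]` shape; the heuristics are deliberately loose and are meant to shortlist lines for a human, not to delete anything.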
#11 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

I got curious and went to "Folder Options" under "Tools", went to "File Types", and there was no EXE listed under "Registered file types". So I went to "New" and made an EXE extension for "Application". And it worked. I can run everything again. The malware must have removed the EXE extension from the list, if that's possible.

That was going to be my next port of call if OTScanit did not work, as it was becoming more probable that you had a file corruption. Curious :) But you do not have Bagle :)

What I would like to do now is run the OTScanit programme, as there is a legacy registry key that looks a bit iffy, although it may be related to F-Secure.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - ControlSets
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on it to insert the attachment into your post


#12 Curtis Mayfield (Topic Starter, Member, 33 posts)
The problem first occurred (not being able to open .exe files) AFTER my Embarq Security (which is an F-Secure product) detected several viruses and malware trying to download to my system. It renamed most of these and I manually deleted them. Wish I remembered what the names of the viruses were. One may have been a variant of Bagle for all I know. The file extension may have been corrupted because of it, or maybe it could have happened when I deleted the files.
I also normally run a search after an infection or infection attempt and delete any files or programs that were downloaded at the time of the attack. That might not be a good practice but it has worked in the past. I could have caused the problem then.

I turned off the Embarq and downloaded Avast last night and had it run at boot-up. It found several viruses and put them in the Chest.
Is there a way to show a log file of what Avast found? I would like you to take a look at it. It may give some clue as to the root of the problem. If I can't get a log file, I'll just type up a notepad of what was found if you'd like.


In the meantime I'll run the OTScanit as asked.
It may be later this evening before I can do it though. I have to leave the computer for awhile, but I'll get on it ASAP.

Thanks for your help so far.

#13 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
It just so happens that I use Avast so you will find the boot log at this location

C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot

#14 Curtis Mayfield (Topic Starter, Member, 33 posts)
Here's the OTS log

Attached file: OTScanIt.Txt (208.65 KB)

Here's the aswBoot log

Attached file: aswBoot.txt (1.85 KB)

#15 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Looks like Avast caught some Win32:Delf-HPR on the boot scan :)

OK I see you still have a lot of elements from Embarq. Do you intend keeping it or would you like me to remove them ?

During this fix I will also be resetting some of your associations to default

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Win32 Services - Non-Microsoft Only]
YY -> (wuauservuploadmgr) Automatic Updates wuauservuploadmgr [Win32_Own | Disabled | Stopped] -> %SystemRoot%\System32\2052k.exe
[Registry - Non-Microsoft Only]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: URLSearchHooks\\{C8D1A46C-E60D-2C7C-7E2D-84A7A266EF23} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-484763869-261903793-1801674531-1004\] > -> 
YN -> HKEY_USERS\S-1-5-21-484763869-261903793-1801674531-1004\: Main\\Start Page -> http://www.myembarq.com/index.php
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-484763869-261903793-1801674531-1004\] > -> HKEY_USERS\S-1-5-21-484763869-261903793-1801674531-1004\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> ntuser hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\system32\drivers\spools.exe
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
YN -> .bat [@ = batfile] -> 
YN -> .cmd [@ = cmdfile] -> 
YN -> .com [@ = comfile] -> 
YN -> .exe [@ = exefile] -> 
YN -> .pif [@ = piffile] -> 
YN -> .scr [@ = scrfile] -> 
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

If you could then run MBAM for me (instructions here include the download but I see you have it already).

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Logs required: OTScanit report and MBAM report, plus how is your computer now?
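The "File Associations - Select to Repair" block in the OTScanit fix above puts .bat, .cmd, .com, .exe, .pif and .scr back to their defaults, which is the registry-side version of what the poster did by hand in Folder Options: when HKEY_CLASSES_ROOT\.exe no longer points at the exefile ProgID, or exefile\shell\open\command no longer reads "%1" %*, Explorer cannot launch anything and reports "is not a valid Win32 application". The script below is an added example, not OTScanit's or the forum's code. It reads a registry export as text (the REGEDIT4 format the ComboFix log itself echoes; a `reg export HKCR` file on XP is UTF-16 and needs decoding first), checks the same six extensions against the XP defaults, and emits a REGEDIT4 fragment that restores only the broken ones. The sample export is constructed: the .exe key is absent, as the poster found, and the comfile command is redirected through a made-up path to show the second failure mode, a hijacked open command. The XP default commands are from memory of stock installs and are stated in the code as the assumed baseline.

```python
"""Check the shell file associations that the OTScanit fix above repairs
(.bat .cmd .com .exe .pif .scr) in a .reg export of HKEY_CLASSES_ROOT, and
emit a REGEDIT4 fragment restoring the XP defaults for anything broken.
Added example; not OTScanit or forum code."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed Windows XP defaults: extension -> (ProgID, shell\open\command).
DEFAULTS = {
    ".exe": ("exefile", '"%1" %*'),
    ".com": ("comfile", '"%1" %*'),
    ".bat": ("batfile", '"%1" %*'),
    ".cmd": ("cmdfile", '"%1" %*'),
    ".pif": ("piffile", '"%1" %*'),
    ".scr": ("scrfile", '"%1" /S'),
}

# Constructed sample export. The [.exe] key is absent, as the poster found in
# Folder Options; the comfile command is redirected through a made-up path to
# show a hijacked open command. Quotes and backslashes use .reg escaping.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.cmd]
@="cmdfile"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="C:\\WINDOWS\\system32\\drivers\\spools.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.pif]
@="piffile"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.scr]
@="scrfile"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<val>(?:[^"\\]|\\.)*)"$')   # the (Default) value


def reg_unescape(s: str) -> str:
    """Undo .reg string escaping: backslash introduces a literal next char."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def reg_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_defaults(reg_text: str) -> Dict[str, Optional[str]]:
    """Map each key (lower-cased) to its (Default) value, None if it has none."""
    defaults: Dict[str, Optional[str]] = {}
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            defaults.setdefault(key, None)      # key exists even without "@="
            continue
        m = DEFAULT_RE.match(line)
        if m and key:
            defaults[key] = reg_unescape(m.group("val"))
    return defaults


def check_associations(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (extension, problem, observed) for every deviation from DEFAULTS."""
    seen = parse_defaults(reg_text)
    problems = []
    for ext, (progid, command) in DEFAULTS.items():
        ext_key = f"hkey_classes_root\\{ext}"
        if ext_key not in seen:
            problems.append((ext, "extension_key_missing", ""))
        elif (seen[ext_key] or "").lower() != progid:
            problems.append((ext, "wrong_progid", seen[ext_key] or ""))
        cmd_key = f"hkey_classes_root\\{progid}\\shell\\open\\command"
        observed = seen.get(cmd_key)
        if observed is None:
            problems.append((ext, "open_command_missing", ""))
        elif observed != command:
            problems.append((ext, "open_command_hijacked", observed))
    return problems


def repair_fragment(reg_text: str) -> str:
    """REGEDIT4 text that puts every broken extension back to the XP default."""
    lines = ["REGEDIT4", ""]
    for ext in sorted({ext for ext, _, _ in check_associations(reg_text)}):
        progid, command = DEFAULTS[ext]
        lines += [f"[HKEY_CLASSES_ROOT\\{ext}]", f'@="{progid}"', "",
                  f"[HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command]",
                  f'@="{reg_escape(command)}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for ext, problem, observed in check_associations(SAMPLE_REG):
        print(f"{ext}: {problem} {observed}")
    print(repair_fragment(SAMPLE_REG))
```

A hijacked open command is the more dangerous of the two findings: every program the user starts is first routed through the attacker's binary, and the machine still appears to work. Apply the emitted fragment with regedit (or `regedit /s`) only after the malware itself has been removed, or it can simply re-hijack the key.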