I could not run it, or any type of application at first. Anything with an .exe extension could not be run. The error message would always appear. Apparently the malware caused this to occur. But I have fixed that problem.
I got curious and went to "folder options" under "tools", went to "file types", and there was no exe listed under "registered file types". So I went to "New" and made an exe extension for "application". And it worked. I can run everything again. The malware must have removed the exe extension from the list, if that's possible.
My Embarq Online Security is back up and running also. I have not run a scan with it yet.
I ran ComboFix and HijackThis and will post those logs for you to study, before doing anything else.
One more thing that I noticed that may not mean anything. When I ran HijackThis, in the folder window, another icon briefly appeared, then quickly disappeared. I've never noticed this before. The icon was labeled dummy~ What does this mean?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:13 PM, on 5/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\ih8.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\ih8run.exe
C:\Program Files\EMBARQ Online Security\FSAUA\content\70Hotfix_PSC7MF5\7\bin\ih8run.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
--
End of file - 4891 bytes
ComboFix 08-05-01.3 - Administrator 2008-05-06 20:37:22.12 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\gotcha.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-06 01:03 . 2008-05-06 01:03 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-06 01:03 . 2008-05-06 01:04 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 00:58 . 2008-05-05 02:18 5,120 --a------ C:\WINDOWS\system32\FTP34.0LL
2008-05-02 22:11 . 2008-05-02 22:57 <DIR> d-------- C:\Program Files\vixy.net
2008-05-02 21:34 . 2008-05-02 21:34 <DIR> d-------- C:\Documents and Settings\brent\Application Data\AVS4YOU
2008-05-02 21:33 . 2008-05-02 21:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-02 21:29 . 2008-05-02 21:41 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-02 21:29 . 2008-05-02 21:41 <DIR> d-------- C:\Program Files\AVS4YOU
2008-05-02 20:53 . 2008-05-02 20:53 <DIR> d-------- C:\Program Files\Freecorder
2008-05-02 20:53 . 2008-05-02 20:53 <DIR> d-------- C:\Program Files\Conduit
2008-05-02 20:52 . 2008-05-02 20:52 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2008-05-02 20:52 . 2008-05-02 20:52 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2008-05-02 20:51 . 2008-05-02 20:51 2,725,048 --a------ C:\Program Files\FLV PlayerFCSetup.exe
2008-05-02 20:48 . 2008-05-02 20:48 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-05-02 20:47 . 2008-05-02 20:49 <DIR> d-------- C:\Program Files\Replay Media Catcher
2008-05-02 20:46 . 2008-05-02 20:47 4,500,672 --a------ C:\Program Files\FLV PlayerRCATSetup.exe
2008-05-02 20:42 . 2008-05-02 20:46 <DIR> d-------- C:\Documents and Settings\brent\Application Data\GetRightToGo
2008-05-02 20:42 . 2008-05-02 20:42 411,248 --a------ C:\Program Files\FLV PlayerRCSetup.exe
2008-05-02 20:41 . 2008-05-02 20:41 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-05-02 20:41 . 2008-05-02 20:41 <DIR> d-------- C:\Program Files\FLV Player
2008-05-02 20:00 . 2008-05-03 04:17 <DIR> d-------- C:\Documents and Settings\brent\dwhelper
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 22:52 --------- d-----w C:\Program Files\Full Tilt Poker
2008-04-29 23:19 --------- d-----w C:\Program Files\HJT
2008-04-12 01:55 --------- d-----w C:\Documents and Settings\B\Application Data\IMVU
2008-04-11 22:17 --------- d-----w C:\Documents and Settings\Jenny\Application Data\IMVU
2008-04-11 19:31 --------- d-----w C:\Program Files\IMVU
2008-04-10 15:02 --------- d-----w C:\Program Files\CCleaner
2008-04-01 06:13 --------- d-----w C:\Program Files\New Folder
2008-03-30 00:09 --------- d-----w C:\Program Files\EMBARQ Online Security
2008-03-29 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2008-03-29 08:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-29 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 07:26 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2008-03-15 01:43 1,044,480 ----a-w C:\WINDOWS\system32\Roboex32.dll
2008-03-15 01:43 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-03-13 12:38 --------- d-----w C:\Documents and Settings\brent\Application Data\Media Player Classic
2008-03-13 08:36 --------- d-----w C:\Program Files\MediaMonkey
2008-03-13 08:19 --------- d-----w C:\Program Files\CDex_170b2
2008-03-07 03:26 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-24 01:08 2,855 ----a-w C:\WINDOWS\cpu.PIF
2008-02-23 21:55 61,440 ----a-w C:\WINDOWS\system32\cleanmgr.exe
2007-02-11 10:24 26,344,024 ----a-w C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-01-10 08:48 1,025,312 ----a-w C:\Program Files\AOEPATCH.exe
2004-10-13 17:17 40,662 ----a-w C:\Program Files\readermain.htm
2007-03-25 00:00 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat
2006-05-22 18:16 11,592 --sha-w C:\WINDOWS\system32\ospcont.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-04-16 11:06 1524760 --a------ C:\Program Files\Freecorder\tbFree.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "C:\Program Files\Freecorder\tbFree.dll" [2008-04-16 11:06 1524760]
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe" [2007-03-23 16:59 190696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-11-01 06:42 182936]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-11-01 06:42 739936]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2002-09-03 11:44 145408]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [ ]
"autoload"="C:\Documents and Settings\LocalService\cftmon.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [ ]
"autoload"="C:\Documents and Settings\LocalService\cftmon.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 18:10:05 217088]
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.IV41"= ir41_32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update_0711_KB060653.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Update_0711_KB060653.exe
backup=C:\WINDOWS\pss\Update_0711_KB060653.exeCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-06-15 10:36 61440 C:\Program Files\instant messenger\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
--a------ 2003-12-08 14:51 733184 C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-17 02:31 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)
"wuauservuploadmgr"=2 (0x2)
"iPodService"=3 (0x3)
"cmdService"=2 (0x2)
"VundoFixSvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 05:00:07 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\EMBARQ~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\EMBARQ~1\ANTI-V~1\report.txt
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-05-04 22:00:03 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-01 08:01:31 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 20:46:29
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet006\Services\gylxqlxd]
"ImagePath"="system32\drivers\zkcdjxxw.dat"
.
Completion time: 2008-05-06 20:57:00
ComboFix-quarantined-files.txt 2008-05-07 01:56:43
Pre-Run: 5,621,399,552 bytes free
Post-Run: 5,711,073,280 bytes free
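The two logs above are the kind of input a helper reads by eye, looking for autostart entries that do not belong. The Python below is an added example, not part of the original post and not code from HijackThis or ComboFix: it parses the HijackThis O4 and O23 lines and the ComboFix "name"="path" [info] entries, then applies a handful of review heuristics: a file the scanner could not find ("(file missing)" or an empty "[ ]"), an .exe sitting under system32\drivers, a program started from a service-account profile directory, a service whose image is not an executable, a service with no publisher recorded, and a file name one edit away from a real Windows binary (spoolsv.exe, which is in the running-process list above, and ctfmon.exe). The sample lines are copied from the logs in this post; the heuristic list and the set of imitated system names are assumptions of the example, and a flag means "look at this", not "this is malware". The parser handles the general shape of those line types, not only the seven entries embedded here.

```python
"""Triage autostart entries from HijackThis / ComboFix log lines.
Added example, not part of the original post or of either tool; the heuristics
are assumptions that mark entries for human review, not malware verdicts."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines copied from the HijackThis (O4/O23) and ComboFix ("name"="path" [info]) logs above.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-11-01 06:42 739936]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [ ]
"autoload"="C:\Documents and Settings\LocalService\cftmon.exe" [ ]
"ImagePath"="system32\drivers\zkcdjxxw.dat"
""".strip().splitlines()

# System binaries whose names malware often imitates with a one-character change (assumed list).
KNOWN_SYSTEM_BINARIES = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                         "services.exe", "winlogon.exe", "explorer.exe", "csrss.exe", "smss.exe")
SERVICE_PROFILE_DIRS = ("\\localservice\\", "\\networkservice\\")
HJT_O4 = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]*)\] (?:"(?P<qpath>[^"]+)"|(?P<path>\S+))')
CF_REG = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<info>[^\]]*)\])?$')


@dataclass
class Entry:
    kind: str                   # "run" (Run key or startup item) or "service"
    name: str
    path: str
    vendor: Optional[str]       # only HijackThis O23 lines carry a publisher
    file_found: Optional[bool]  # None: the scanner printed no file information


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry; None for line shapes this example does not handle."""
    line = line.strip()
    missing = line.endswith("(file missing)")
    if line.startswith("O4 - ") and (m := HJT_O4.match(line)):
        return Entry("run", m["name"], m["qpath"] or m["path"], None, False if missing else None)
    if line.startswith("O23 - Service: ") and line.count(" - ") >= 3:
        head, vendor, path = line.rsplit(" - ", 2)   # split from the right: display names may contain " - "
        if missing:
            path = path[: -len(" (file missing)")]
        return Entry("service", head[len("O23 - Service: "):], path, vendor, not missing)
    if m := CF_REG.match(line):
        info = m["info"]                             # "[ ]" means ComboFix found no file for this value
        kind = "service" if m["name"].lower() == "imagepath" else "run"
        return Entry(kind, m["name"], m["path"], None, None if info is None else bool(info.strip()))
    return None


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition (ctfmon/cftmon) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess(entry: Entry) -> List[str]:
    """Apply the review heuristics to one entry; an empty list means nothing stood out."""
    reasons = []
    low = entry.path.lower()
    base = (low.rsplit("\\", 1)[-1].split() or [""])[0]   # file name without directory or arguments
    if entry.file_found is False:
        reasons.append("file not found by the scanner (deleted remnant, or hidden from it)")
    if entry.vendor == "Unknown owner":
        reasons.append("service binary carries no publisher name")
    if "\\drivers\\" in low and base.endswith(".exe"):
        reasons.append("an .exe under system32\\drivers, a directory that normally holds .sys files")
    if any(p in low for p in SERVICE_PROFILE_DIRS):
        reasons.append("runs from a service-account profile directory")
    if entry.kind == "service" and not base.endswith((".exe", ".sys")):
        reasons.append("service image is neither an .exe nor a .sys")
    for known in KNOWN_SYSTEM_BINARIES:
        if base != known and osa_distance(base, known) == 1:
            reasons.append(f"name is one edit away from {known}")
    return reasons


def triage(lines) -> List[Tuple[Entry, List[str]]]:
    """Parse every line and keep only the entries with at least one reason to review."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and (reasons := assess(entry)):
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LINES):
        print(f"{entry.name}: {entry.path}")
        for r in reasons:
            print("  -", r)
```

Run as-is, it reports the BackWeb service (missing file, no publisher), "ntuser" (an .exe in the drivers directory, not found, one edit from spoolsv.exe), "autoload" (LocalService profile, not found, one edit from ctfmon.exe) and the ControlSet006 ImagePath that points at a .dat, and stays silent on the F-Secure entries. The edit-distance check deliberately uses a transposition-aware distance, because swapping two letters is the cheapest way to fake a familiar name and plain Levenshtein would score it as two edits.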