When I run a virus scan I get the message: c:\windows software distribution\download …unable to scan: CAB archive is corrupted. I tried system restore, windows repair and even reinstalled the Windows OS. Every time I download updates AVAST reports corrupted files. Any ideas? :-\
Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
It just can’t be scanned by avast. Maybe corrupted, maybe just packed in a different way that avast can’t unpack.
Hey, but they should be able to be scanned. This happens to me (and to everyone, I suppose) when I do a boot scan. And I think I have a clue as to the reason. Igor, please look here. In my case, it usually happens with CABs and ZIPs of driver files. Avast says many of them are corrupted, with different message codes. And I verify, and none of them is. It seems that when Avast tries to unpack them, if the DLLs, VXDs and the like actually exist, Avast doesn't manage to unpack them because it would cause a replacement of them, so Windows stops its operation.
Well, I may be talking an amount of bulls**t, but it deserves to be investigated.
Long live (cycle) to Avast!
Well, there’s nothing to say without more information (such as the list of full filenames and corresponding error codes).
In any case, avast! certainly doesn’t unpack archives into the system folder - that would be rather strange ;D
So no, the content is irrelevant.
Normally if you have archive-checking active, avast will unpack each archive (assuming it can) into avast’s own temp folder so the contents can be scanned.
And while there are rare exceptions, normally avast will delete the temp copies from that folder once the scanning’s done.
I commonly get these errors when I scan inside compressed files… I never really thought twice about it, assuming avast just couldn’t unpack the files.
I've got the same problem when I scan: CAB archive is corrupted. The Action box doesn't give an action (all choices are grayed out.)
The files are: dxdiagn.dll, dxdiagn.dl_, dsg.sy_, dsmasf.dl_, dstrans.dl_, earl.ac_, efsadu.dl_, els.dl_, encapi.dl_, encdec.dl_, ep9res.dl_.
When I boot my computer, a black command-like box comes up with different headings on each boot. The heading that came up just now is: c:\windows\system32\gbfv.exe and then a message saying that "file encountered a problem and needs to close. We are sorry for the inconvenience." : )
Strange… you seem to be infected. I suggest:
- Disable System Restore and reenable it after step 3.
- Clean your temporary files.
- Schedule a boot time scanning with avast with archive scanning turned on.
- Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- Test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster.
- Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
- Immunize your system with SpywareBlaster or Windows Advanced Care.
- Check if you have insecure applications with Secunia Software Inspector.
You shouldn’t take any action as it isn’t reporting the file is infected, just that it couldn’t be scanned.
The command window entry is because the file has been removed or is missing, probably malware, as a Google search for gbfv.exe returns only one hit (suspicious if it is a legit file) and that is in relation to another suspect file that has an association with gbfv.exe. See http://spywarefiles.prevx.com/RRFJDJ9325501/AESY.EXE.html.
So somewhere in the registry there is a run command which can’t find the file and that is why the command window remains open.
You could search for gbfv.exe in the registry and remove the entry, but it is probably best to use another program (HiJackThis) if you don't like tinkering in the registry.
Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial.
Post the contents of the HJT log here, you may need to split it over two or more posts if it is too large.
Here is my Hijack log. Now the computer will allow me onto the Internet once and then even though I can ping sites it won’t display the pages…
The scan shows nothing…
Thanks for your help!
Jim ???
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:03 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Isass.exe
C:\WINDOWS\System32\jwdy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [StorageGuard] “C:\Program Files\VERITAS Software\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [WCOLOREAL] “C:\Program Files\COMPAQ\Coloreal\coloreal.exe”
O4 - HKLM..\Run: [DDCM] “C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe” -Background
O4 - HKLM..\Run: [DDCActiveMenu] “C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe” -boot
O4 - HKLM..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe
O4 - HKLM..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\jwdy.exe
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [9836a9fd] rundll32.exe “C:\WINDOWS\System32\ypqgudaa.dll”,b
O4 - HKLM..\Run: [BM9b059a61] Rundll32.exe “C:\WINDOWS\System32\evjgsyrj.dll”,s
O4 - HKLM..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205011171833
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205021643420
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
–
End of file - 6538 bytes
You need a firewall that provides outbound protection and the XP firewall doesn’t cut it (zero outbound protection).
Fix:
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
O4 - HKLM..\Run: [DDCM] “C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe” -Background
O4 - HKLM..\Run: [DDCActiveMenu] “C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe” -boot
See, http://www.liutilities.com/products/wintaskspro/processlibrary/ddcman/ probable adware/spyware “This process monitors your browsing habits and distributes the data back to the author’s servers for analysis.”
C:\WINDOWS\system32\Isass.exe
O4 - HKLM..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe
Note the spelling 'I' not 'l' (Lsass.exe), and there is already a correct entry for C:\WINDOWS\system32\lsass.exe; see http://www.liutilities.com/products/wintaskspro/processlibrary/isass/
Suspect:
O4 - HKLM..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\jwdy.exe - Zero hits on google for the file name, suspicious in its own right.
O4 - HKLM..\Run: [9836a9fd] rundll32.exe “C:\WINDOWS\System32\ypqgudaa.dll”,b
O4 - HKLM..\Run: [BM9b059a61] Rundll32.exe “C:\WINDOWS\System32\evjgsyrj.dll”,s
I have to admit I am like a child with a loaded gun. I know enough to be dangerous as they say. Anyway, I tried to do everything you asked although I couldn’t get online.
At least the computer rebooted after I did what I did. At least now I seem to be able to get online. I ran CCleaner and got rid of some startup entries.
What do you suggest for a firewall?
Here is the new hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:54 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [StorageGuard] “C:\Program Files\VERITAS Software\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [WCOLOREAL] “C:\Program Files\COMPAQ\Coloreal\coloreal.exe”
O4 - HKLM..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
–
End of file - 4809 bytes
Thanks for your time!
Jim
You had signs of some nasty infections. HJT will only remove the reg keys, not the files. Your log doesn't look quite right. We can have a deeper look with this scanner if you like.
DavidR can handle your firewall solution.
Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
As far as firewalls go, the most common ones being used by forum members are Comodo Firewall Plus, PC Tools firewall and Zone Alarm free. I don't feel ZA is as good as the other two as it restricts the strength of its outbound (anti-leak) function. This may possibly be in the hope of your purchasing the Pro version; there are then some things you need to do to get ZA Pro and avast Web Shield to work together.
There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php.
I downloaded DSS.exe but it keeps crashing. It goes through the whole process and is about to end when I get the message “dss.exe has encountered a problem and needs to close.” The technical information is:
Error signature AppName dss.exe AppVer 3.2.8.1 ModName ntdll.dll
ModVer 5.1.2600.2180 Offset: 0001012b
Don’t know whether this will help, but here is the txt file that was going to accompany the report sent to Microsoft about the crash:
<?xml version="1.0" encoding="UTF-16"?>
Hi, I was hoping that DSS would run. We'll use a different one.
Please download ComboFix from Here or Here to your Desktop.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
I tried to attach the Combo fix and Hijack logs however the rtx format was refused. Here they are again as txt files.
Thanks!
Jim
Note: I am not using the affected machine because I don’t want to go to the Internet until this problem is fixed. I.e., it wasn’t hooked to the Internet when either of these programs were run.
Note 2: I tried to download Spyware Doctor yesterday and the machine went crazy. After throwing myself off the 18th story lanai, I uninstalled it and the machine came back to life. Yea!
My,my there was some stuff hiding in there. Dss does go on line for file verification, perhaps that was the problem. Regardless, let’s carry on.
You have at least one remote access critter on your computer. So good choice in staying off the net. Please use a cd if possible to transfer programs to the infected computer. After running the following two fixes, you should be able to go on the net to post the logs/results.
- Download SDFix and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.
In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically ‘C:\SDFix’) Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
- Open HJT, run a system scan only, check mark these lines if present
O20 - Winlogon Notify: yayvssr - yayvssr.dll (file missing)
Close all other browsers/windows, click fix, close HJT.
Please follow all previous instructions regarding security programs.
- Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
File::
C:\WINDOWS\system32\dnaetsjx.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\whmaxusn.exe
C:\WINDOWS\system32\cehoeu.exe
C:\WINDOWS\system32\dxysktqf.exe
C:\WINDOWS\system32\fcpftfn.exe
C:\1.vbs
C:\WINDOWS\system32\amaw.exe
C:\WINDOWS\system32\oayac.exe
C:\WINDOWS\system32\cxupaguk.exe
C:\WINDOWS\system32\exurhklj.exe
C:\WINDOWS\system32\fwbfxsei.dll
C:\WINDOWS\system32\exurhklj.exe
C:\WINDOWS\system32\eksr.exe
C:\WINDOWS\system32\kltwcqo.exe
C:\WINDOWS\system32\hszvrs.exe
C:\WINDOWS\system32\jwdy.exe
C:\WINDOWS\system32\gbfv.exe
DirLook::
C:\e9907a5f6dfc19d5f1d6
Registry::
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\WINDOWS\system32\jwdy.exe"=-
This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.
Please submit these files for analysis
To submit a file to VirusTotal, please click on this link
and copy and paste the following into the upload a file box (one at a time if more than one file is listed):
C:\WINDOWS\system32\mpgvl.exe
C:\WINDOWS.compaq.bak
C:\WINDOWS\nsreg.dat
Scroll down a bit and click "send file", wait for the results and post them in your next reply.
- Please try to turn on the windows firewall before going on the internet. If you are unable to do so, please follow these instructions.
Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)
In the dialog that opens enter the following:(copy and paste is fine).
EnableFirewall
Press ‘OK’
The search will run for a while then alert you when it is finished.
Press ‘OK’ and copy the contents of the WordPad window and post in this thread.
Try to turn the firewall on.
In your next reply, I will need the SDfix results, the combofix.txt, virustotal results, firewall fix results(if used), and a new HJT log(ran after everything else).
Thanks
ps: at least the 02 lines are visible now.
Here are four of the files you wanted. More coming.
Aloha,
Jim
Boy! I hope I did everything OK. Here is the latest Hijack log and SDFix results.
Thanks again for your help!!!
Jim
PS - If I missed sending something, please let me know.