6 replies to this topic

[S99]

Hi
I came across your software whilst fixing an AV360 infected machine for a friend and was impressed with the quick easy way it cleaned it. I decided to install it on my machine which it appeared to do fine. But for some unknown reason I cannot run the software, every time I do nothing happens. I've tried safe mode, renaming exe file but no luck. I do not believe I am infected with any virus or malware as I have seen no signs of this. I have also completed a scan with Avast AV ok. Any help appreciated.

[AdvancedSetup]

Were there any errors during install? Please start here if there were no errors during the install and all program files appear to be there.


Hello and Welcome to Malwarebytes.org

If you're having Malware related issues with your computer that you're unable to resolve.

• Please read and follow the instructions provided here: I'm infected - What do I do now?
  
• If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  
• When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

• Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  
• Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  
• Using these other tools often makes the cleanup task more difficult and time consuming.
  
• If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  
• Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  
• There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review

• NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

[S99]

Hi thanks for your reply. It appears to have installed ok and no errors are displayed. After the dialogue with update and run tick boxes appear I click yes and nothing happens. I try running the program and nothing. I've tried to install Hi Jack this and the same thing is happening which is starting to worry me now! Also Windows defender wont run. Is something stopping them from running? Surely they should work in safe mode if this is the case?

[S99]

Can this topic get moved to the malware removal forum or do I have to start a new topic? I'm not even sure I'm infected yet as I can't get anything to run!

[AdvancedSetup]

I've moved your post into the HJT forum. Please try to download and run this program.

[indent]Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.
  
• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

[/indent]

[S99]

Hi I did a scan with combofix and couldn't see anything harmfull myself but I'll leave it to the experts to decide...

ComboFix 09-03-06.02 - The Prophet 2009-03-09 18:09:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1382 [GMT 0:00]
Running from: c:\documents and settings\The Prophet\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090308-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-08 18:20 . 2009-03-08 18:20 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 18:19 . 2009-03-08 18:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 18:19 . 2009-03-08 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 18:19 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 18:19 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-04 22:19 . 2009-03-04 22:19 <DIR> d-------- c:\program files\Windows Defender
2009-02-24 21:03 . 2008-06-17 19:02 8,461,312 --------- c:\windows\system32\dllcache\shell32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 18:11 --------- d-----w c:\documents and settings\The Prophet\Application Data\Skype
2009-03-09 17:35 --------- d-----w c:\documents and settings\The Prophet\Application Data\skypePM
2009-02-08 21:05 --------- d-----w c:\documents and settings\The Prophet\Application Data\Winamp
2009-02-08 18:36 --------- d-----w c:\program files\GoldWave
2009-02-01 14:00 --------- d-----w c:\program files\TVAnts
2009-01-24 19:20 --------- d-----w c:\program files\Crown Software
2009-01-16 16:24 3,596,288 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-14 17:38 --------- d-----w c:\documents and settings\The Prophet\Application Data\Azureus
2009-01-11 20:44 --------- d-----w c:\program files\USB Safely Remove
2009-01-11 20:44 --------- d-----w c:\documents and settings\All Users\Application Data\USBSRService
2009-01-11 20:31 --------- d-----w c:\documents and settings\The Prophet\Application Data\USBSafelyRemove
2009-01-11 19:46 --------- d-----w c:\program files\Azureus
2009-01-11 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-01-10 13:54 --------- d-----w c:\program files\MIDI Rules Prototype 2007-08-09
2008-12-28 13:00 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-26 15:21 361,600 ----a-w c:\windows\system32\dllcache\TCPIP.SYS
2008-12-20 23:56 827,904 ----a-w c:\windows\system32\wininet.dll
2008-12-20 23:56 827,904 ------w c:\windows\system32\dllcache\wininet.dll
2008-12-19 09:41 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:41 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:24 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-02-01 17:02 313,344 ----a-w c:\program files\hjsplit.exe
2008-08-29 18:56 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-08-29 18:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-08-29 18:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
2008-08-29 18:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 11:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 10:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-02-29 03:47 360832 ce3ec03c9f65302e44af5c452d20a86f c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-12-26 15:21 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2008-12-26 15:21 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSN Webcam Recorder"="c:\program files\MSN Webcam Recorder\ml20gui.exe" [2006-01-31 131072]
"SpeedswitchXP"="c:\program files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 626688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"USB Safely Remove"="c:\program files\USB Safely Remove\USBSafelyRemove.exe" [2008-12-15 1100048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"BCD2000"="c:\windows\system32\bcd2kcpan.exe" [2008-08-25 532480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 1024000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Toshiba Controls Utility"="c:\program files\TOSHIBA\Controls\VolumeIndicator.exe" [2008-02-01 77824]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"SmAudio"="c:\program files\Conexant\SmartAudio\SmAudio.exe" [2008-02-05 2737480]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"muBlinder"="c:\program files\mublinder\muBlinder.exe" [2008-10-08 1463808]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-12-20 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi3"= mapledxp.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"c:\\Program Files\\Icecast2 Win32\\Icecast2win.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-23 114768]
R1 mapledxp;mapledxp;c:\windows\system32\drivers\mapledxp.sys [2008-08-25 24720]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-09-23 20560]
R2 Icecast-trunk;Icecast-trunk Streaming Media Server;c:\program files\Icecast2 Win32\icecastService.exe [2008-09-18 417792]
R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2008-12-08 147456]
R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [2008-12-08 233472]
R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [2008-12-08 217088]
R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [2008-12-08 368640]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [2009-01-11 208144]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [2008-08-25 732160]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [2008-12-08 1302528]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-09-07 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-05-29 6912]
S3 BCD2000;Behringer BCD2000 V1.1.1.0;c:\windows\system32\drivers\BCD2000.SYS [2008-08-25 42400]
S3 BCD2000WDM;Behringer BCD2000WDM V1.1.1.0;c:\windows\system32\drivers\BCD2000WDM.SYS [2008-08-25 21632]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2008-11-25 15104]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2006-04-03 14032]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6598d7e-8a16-11dd-bd9e-001e685d57f1}]
\Shell\AutoRun\command - I:\TPPlayer.exe /t
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 12:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = socks=
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - c:\elsawin\bin\wiprot.dll
FF - ProfilePath - c:\documents and settings\The Prophet\Application Data\Mozilla\Firefox\Profiles\gmd0doc7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\The Prophet\Application Data\Mozilla\Firefox\Profiles\gmd0doc7.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 18:11:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-09 18:13:03
ComboFix-quarantined-files.txt 2009-03-09 18:12:56

Pre-Run: 17,771,864,064 bytes free
Post-Run: 17,915,379,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

186 --- E O F --- 2009-03-08 18:22:31

[AdvancedSetup]

Well I'm sorry but since you have evidence of cracked or pirated software you're using on the system I have no choice but to close this thread now.
If you feel this is inaccurate information please send any Moderator a private message explaining in detail and they will review your information in private.

HiJack This! Forum Policy
[indent]

Quote

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos ect. This means no P2P evidence will be supported. Logs that show these in them, will given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.

[/indent]

This computer is not running a legal version of Windows.