Malware Mess

Discussion in 'Malware Help (A Specialist Will Reply)' started by borntobefree, Jul 2, 2008.

  1. borntobefree

    borntobefree Private E-2

    Should I just wipe out my drive?
     


  2. abri

    abri MajorGeek

    Hi borntobefree,
    Welcome to Major Geeks!


    You should NOT wipe the drive! Your computer got SP3 with no problem, which means your computer was recently in a very good state, and I don't see glaring malware problems leaping out of your logs. What problems are you having? Please describe them. If it looks like you have malware, you should go through the instructions in the READ & RUN ME FIRST and attach the requested logs so we have the information we need to work with.

    Thanks so much!
    abri
     
  3. borntobefree

    borntobefree Private E-2

    Thanks for the quick response. I have only included the logs with issues, the others were totally clear. I'm pretty sure I have run all the cleaning you requested.

    The problem is that I am finding tons of my text and website files converted to zip files. And in the last 3 days the puter has slowed down for the first time. I use goulds cleanup and keep the caches clean etc. I'm not picking up viruses with ZA Pro.

    Probably just wishful thinking that it is something as simple as malware.

    Thanks again friend.
     


  4. abri

    abri MajorGeek

    Hi borntobefree,

    Please delete everything windows will allow you to delete from the following folder:

    C:\Documents and Settings\HP_Owner\Local Settings\Temp\

    Then I would like for you to run a rootkit scan to see if anything shows up:

    Running GMER to detect rootkits


    I checked your logs for changes on July 1st and 2nd and it looks like there might have been a failed Zone Labs update and there's a new entry for a text file regarding your modem. I don't know what would explain your txt files and website files being converted to zip files, but this sounds like the result of a tool. Have you added any tools recently or started using them for the first time when this started to occur? Any upgrades of software you'd been using?

    There's one folder I would like to know more about. Please right-click on the folder and check properties for any information about this folder and then open the folder (but don't open any files) and tell me if there is anything in it:

    C:\WINDOWS\system32\unknown


    Then please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX. It is optional to fix these, so decide if you need for them to load at startup.

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    After you click fix, just close hijackthis.


    Did you install web design software from Mabry Software? Combofix deleted a file from this.

    Please attach the GMER log when you're finished.

    abri
     
  5. borntobefree

    borntobefree Private E-2

    Thanks again abri,

    Deleted what I could from C:\Documents and Settings\HP_Owner\Local Settings\Temp\

    Could not delete:
    IADHIDE5.dll from BACKWEB
    _hphtra07.log
    DF83DC.tmp
    hpodvd09.log

    GMER Log attached.

    The culprit that is changing the txt files to zips would be FZ (Free Zip). I removed it.

    C:\WINDOWS\system32\unknown* was empty, I deleted it.

    Ran MGtools\analyse.exe and removed them from startup.

    I don't recall installing anything from Mabry Software. I have used Web Expression for some time. Just in case I will search regedit and remove any leftovers.

    Thanks again abri. Have a great evening.
     


  6. borntobefree

    borntobefree Private E-2

    abri,

    I responded to your last post but don't see it? Don't want to spam, so will upload again in the morning if it doesn't show.

    Thanks,
     
  7. abri

    abri MajorGeek

    Hi borntobefree,

    Be careful about removing entries from the registry.

    Looking at your slowness problems a bit:

    Your desktop is very cluttered. Please delete or move any setup or installation programs you have there. It looks like your default download place is the desktop. If you are using Firefox as a browser, there is a setting in the tools / options where you can have it prompt you about the destination for downloads. That option is on the main tab under options. It helps to make a folder called Downloads so you know where to find things. It's not a good idea to install programs directly to the Desktop unless this has been specifically recommended by the software.

    In your combofix log you have a file which was removed called MabryObj.dll. If you look at the following website from Symantec, you can see that it is added by a spyware program which does keylogging, screenshots, and other things. However, it is also listed as a file of "Mabry Software: Founded in 1992, Mabry Software, Inc. is a Seattle, Washington based vendor of reasonably priced Microsoft Windows® programming components". There is a lot of inconsistent information about it. The following Symantec article has a description of what files are put on the computer, of which MabryObj.dll is one of them.

    http://www.symantec.com/security_response/writeup.jsp?docid=2004-070516-0957-99&tabid=2

    I want to see if I can find anything more about it. The one file has been removed from your computer, and the question is more, what software you have that it was part of and if you put that software in your computer yourself. If you find any further files in your computer from the above list at the Symantec website, which are associated with this MabryObj.dll, I would like to know the date they were put on your computer as this would help most in identifying which piece of software they could be part of.

    abri
     
    Last edited: Jul 3, 2008
  8. borntobefree

    borntobefree Private E-2

    Morning abri,

    I found this file MabryObj.dll.vir in C:\QooBox\Quarantine\C\WINDOWS\system32
    file is dated Sunday, April 29, 2007, 8:30:42 AM

    I found the following in regedit:

    HKEY_CURRENT_USER\Software\Mabry
    FTPX 89FC-BLMQ085TP8XN

    Mabry.FtpRecordset.1 under CLSID FtpRecordset OLE DB Provider. One of the folders in this string is inprocserver C:\WINDOWS\system32\FTPx.dll

    Mabry InternetFTP/X COM Object
    Mabry.FtpXObj.1
    Mabry.FtpXObj
    Mabry Internet FTP/X Control
    Mabry.FtpXCtl.1
    Mabry.FtpXCtl
    Mabry.HttpXCom.1
    Mabry.HttpXCom
    FtpRecordset OLE DB Provider
    CURVER Mabry.FtpRecordset.1
    HKEY_CLASSES_ROOT\Mabry.FtpXCtl
    HKEY_CLASSES_ROOT\Mabry.FtpXCtl.1
    HKEY_CLASSES_ROOT\Mabry.FtpXObj
    HKEY_CLASSES_ROOT\Mabry.FtpXObj.1
    HKEY_CLASSES_ROOT\Mabry.HttpXCom
    HKEY_CLASSES_ROOT\Mabry.HttpXCom.1
    HKEY_CLASSES_ROOT\TypeLib\{AEBBD4A6-6992-11D3-B4CB-0020AFD69DE6} 1.0 Mabry StreamObjects Library

    Checked all my programs and cannot find any I use that are connected to this Mabry.

    I also cleaned up my beautiful desktop LOL:-D

    Thanks again for all the free professional help abri.
     
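    The ProgID and InprocServer32 entries listed in the post above are the chain Windows follows to load a COM component, and the DLL's file dates are what abri asked for to attribute the components to a program. The script below is an added example, not something posted in the thread or by MajorGeeks; it assumes Windows PowerShell 3 or later and uses the 'Mabry.' prefix from the post (any other vendor prefix works the same way).

```powershell
# Added example, not from the thread: given a ProgID prefix such as 'Mabry.',
# walk HKEY_CLASSES_ROOT, resolve each ProgID -> CLSID -> InprocServer32 DLL,
# and report whether the DLL is still on disk and when it was created/modified.
# Read-only: nothing in the registry or on disk is changed.
param([string]$ProgIdPrefix = 'Mabry.')   # prefix taken from the thread

function Resolve-ProgIdServer {
    param([string]$ProgId)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $clsidKey)) { return $null }   # ProgID without a CLSID, skip
    $clsid = (Get-Item $clsidKey).GetValue('')
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = $null
    if (Test-Path $serverKey) {
        # The default value is the DLL path; it may be quoted or use %SystemRoot%.
        $raw = (Get-Item $serverKey).GetValue('')
        if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
    }
    $info = [ordered]@{ ProgId = $ProgId; Clsid = $clsid; Dll = $dll
                        OnDisk = $false; Created = $null; Modified = $null }
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $f = Get-Item -LiteralPath $dll
        $info.OnDisk   = $true
        $info.Created  = $f.CreationTime    # closest clue to the install date
        $info.Modified = $f.LastWriteTime
    }
    # A registration whose DLL is gone (for example quarantined as .vir by
    # ComboFix) is an orphan: the key is stale and the object cannot be created.
    return [pscustomobject]$info
}

function Get-ProgIdServers {
    param([string]$Prefix)
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "$Prefix*" } |
        ForEach-Object { Resolve-ProgIdServer -ProgId $_.PSChildName } |
        Where-Object { $_ -ne $null }
}

Get-ProgIdServers -Prefix $ProgIdPrefix | Format-Table -AutoSize
```

    Entries whose DLL is reported as not on disk match what the poster saw after ComboFix moved MabryObj.dll into C:\QooBox\Quarantine; entries that are on disk give a creation date to compare against program install dates.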
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you still having any problems? You need to do the below registry patch.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  10. borntobefree

    borntobefree Private E-2

    Thank you chaslang,

    The fixme.reg worked fine. Also followed all the other directions. Everything is working great. What a chore this has been. Thanks to you and all involved.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome from me and Abri. Surf safely.
     
