Rogue File ?


MrWiggly

When I run "Evidence Eliminator" it hangs on a file that it lists as C:/mzE`. EE then stops and does not complete.

I have tried to delete this file using both EE and Windows. Both show "cannot read file".

I don't know what this file does, and I cannot associate it with any programmes. Properties shows it as no name and 0 bytes.

Any ideas on how to get rid of it?

The Older I get .. The better I was.


See the response I gave to Peter about using MoveOnBoot.

" My choices in life were either to be a piano player in a whore house or a politician. And to tell the truth, there's hardly any difference!" - Harry Truman, 33rd US President


It may not be anything that falls within the types of files (virus/trojan for AVG, spyware/trojan for Spybot & Ad-aware) they are set to look for.

When you finish, also download HijackThis v1.98.2 and put it in a normal folder. I have one named c:\antispyware but any will do as long as it is not on or in the desktop and not in a temp folder of any sort.

Run it, do a scan, click to create a log and after the log file opens in Notepad, copy and paste a copy here. There may be other trash that is causing you problems that your other apps aren't seeing.

HJT does not attempt to sort good stuff from bad stuff but simply shows a list of what is running and leaves it to the user (or someone helping) to sort good from bad and get rid of the bad.

I can probably sort things out and tell you what needs to go away but if not, I can tell you where to post the log for some serious expert help.

 

[ 15. December 2004, 07:24 PM: Message edited by: Newt ]

" My choices in life were either to be a piano player in a whore house or a politician. And to tell the truth, there's hardly any difference!" - Harry Truman, 33rd US President


Hi Newt ..

HijackThis scan here.

--------------------------------------------------

Logfile of HijackThis v1.99.0
Scan saved at 19:08:43, on 15/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://anglersnet.co.uk/cgi-bin/ubb/ultimatebb.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/b...bcontrol013.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DEB01A6-97AA-446A-9C71-9430B747D08B}: NameServer = 213.120.62.98 213.120.62.103
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

The Older I get .. The better I was.


Interesting to see the 1.99 version. I like it but you should note a couple of cautions (and the reason I still suggest using a copy of 1.98.2 at times - although that wasn't the case here)

quote:


Updates:

* Added O23 method: NT Services, which lists all (non-disabled, non-Microsoft) services, like Msconfig. (NOTE: Systems infected with the 'Ms4Hd' rootkit parasite will experience crashes in HijackThis 1.99.x since this parasite deliberately crashes programs that try to detect it.)

* Added 'Action taken' info to 'More info on this item' dialog.

* Integrated ADS Spy into HijackThis, 'Misc Tools' section.

* Added Spybot-like intro frame for first-time users with access to common tasks. A checkbox is in the first Config screen to re-enable it.

* Added /autolog commandline parameter to automatically scan, save a logfile and open it.

* Fixed bug when item with IP in a Trusted Zone entry (O15) wasn't fixed.

* Added 'Trusted IP ranges' to O15 method.

* Updated Ignorelist, Backups list and Process manager to allow multiple selected items.

* Fixed bug where a hosts file with improper linebreaks would hang HijackThis.

* Added checkbox in 'Misc Tools' section to include a few environment variables in the logfile, for automatic analysis purposes.

 

I've attached the zip to this email, and the new version is also available from:

 

(The last URL is a WinZip self-extracting archive, default path set to
C:\Program Files\HijackThis)

 

Note: Beware of the Ms4Hd parasite, which will crash HijackThis when it reaches the new O23 (NT Services) section. This parasite deliberately crashes most apps that query any regkeys/files it owns, and I haven't found a way around this. For now I'm keeping a copy of HJT 1.98.2 online (which shouldn't crash with Ms4Hd) at
http://www.merijn.org/files/hijackthis1982.zip
for such cases.

I'm off to the post office and then to work so it will be a few hours before I have time to take a careful look at the log.

" My choices in life were either to be a piano player in a whore house or a politician. And to tell the truth, there's hardly any difference!" - Harry Truman, 33rd US President


Hi Newt ..

HijackThis 1.98 version follows.

-----------------------------------------------

 

Logfile of HijackThis v1.98.2
Scan saved at 19:53:31, on 15/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://anglersnet.co.uk/cgi-bin/ubb/ultimatebb.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/b...bcontrol013.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DEB01A6-97AA-446A-9C71-9430B747D08B}: NameServer = 213.120.62.98 213.120.62.103

[ 15. December 2004, 07:56 PM: Message edited by: MrWiggly ]

The Older I get .. The better I was.


Sorry if I wasn't clear. The 1.99 version is an improvement and is great to use in most cases. It's just that several pieces of the really nasty malware will cause it to crash and if that happens, you need to run the older version. I have both and am using 1.99 but do have a safety copy of 1.98.2 in case I need it.

 

Nothing that horrible running on your system but here are some suggestions:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

If this entry points to an actual file on your PC named blank.htm and it is simply a blank page, that's a great idea. If it isn't something you intended to use, then it could be a problem.

These next three are a matter of your personal preference. DAP does speed up downloads but it is also known to inflict adverts on you and also to send information without asking you, so it fits the meaning of spyware. If it were me I would remove these entries and then in Add/Remove I would get rid of the app altogether. But it is not harming your PC so ...

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

File Name: dapiebar.dll Name: DAP Bar. See Download Accelerator.

O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

Download Accelerator Plus is a commercial application used to speed up your Internet connection. Download Accelerator Plus installs and uses adware type adverts as well as sends private information and changes information on your computer. Were it me, I'd get rid of DAP since there are other download speedup products that aren't spyware and that also add less of a load to your PC.

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

See the DAP entries above.

This next one is a nasty piece of trash that you don't need, so use HJT to remove the entry and then delete the delmsbb.exe file from Windows.

O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe

Spyware and adware named nCase, produced by the company 180Solutions.

These are what I call sludgeware. Legit apps and not any sort of spyware. However, they are not needed every time you boot your PC and all the 'features' they provide are ones you'd get when you started an associated app, so I'd get rid of them as well.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

" My choices in life were either to be a piano player in a whore house or a politician. And to tell the truth, there's hardly any difference!" - Harry Truman, 33rd US President
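As an added illustration of the sorting Newt does by hand above (this is example code written for this page, not code from the thread, from HijackThis, or from anyone posting here): a small Python triage script that parses HJT result lines and flags orphan entries whose file is gone, the adware files this thread names, ActiveX controls fetched over plain HTTP, and explicitly set DNS servers. The sample log lines are constructed from entries quoted in the thread, written with their normal backslashes; the watch list is an assumption limited to the files the thread itself identifies.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HJT line type, e.g. "O4"
    target: str   # path, URL or value the entry points at
    reason: str   # why a reviewer should look at it


# Watch list (an assumption): only the files this thread itself calls adware/spyware.
WATCHLIST = {
    "delmsbb.exe": "nCase adware (180Solutions): fix the entry, then delete the file",
    "dap.exe": "Download Accelerator Plus: serves adverts and sends data without asking",
    "dapiebar.dll": "DAP Bar toolbar: see the Download Accelerator entries",
}

# Sample log lines constructed from entries quoted in the thread (not a full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DEB01A6-97AA-446A-9C71-9430B747D08B}: NameServer = 213.120.62.98 213.120.62.103
"""

# An HJT result line: section code, " - ", the rest of the entry.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First Windows path ending in a common extension; surrounding quotes are optional.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|htm|cab))"?', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def parse(log_text):
    """Yield (section, body) for each result line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def first_path(body):
    """Return the first file path in an entry, or '' if there is none."""
    m = PATH_RE.search(body)
    return m.group("path") if m else ""


def triage(log_text):
    """Return the entries a reviewer should look at, with a reason for each."""
    findings = []
    for section, body in parse(log_text):
        path = first_path(body)
        basename = path.rsplit("\\", 1)[-1].lower()
        # Orphans: the registry entry survived but the file it loaded is gone.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append(Finding(section, path or body, "orphan entry, file no longer exists: safe to fix"))
        # Files the thread identifies as adware/spyware.
        if basename in WATCHLIST:
            findings.append(Finding(section, path, WATCHLIST[basename]))
        # O16: ActiveX controls IE downloaded; plain-HTTP ones deserve a second look.
        if section == "O16":
            m = URL_RE.search(body)
            if m and m.group(0).startswith("http://"):
                findings.append(Finding(section, m.group(0), "ActiveX control fetched over plain HTTP: confirm you installed it"))
        # O17: explicitly configured DNS servers; hijacked resolvers show up here.
        if section == "O17" and "NameServer = " in body:
            findings.append(Finding(section, body.split("NameServer = ", 1)[1].strip(), "DNS servers set explicitly: confirm they belong to your ISP"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.target}\n     -> {f.reason}")
```

Run against the constructed sample it reports six entries: the two orphaned Adobe entries, the DAP and delmsbb Run keys, the plain-HTTP ActiveX download and the O17 name servers, while the AVG and Evidence Eliminator entries pass through untouched. A real log would need a much larger watch list; the point is the parsing and the classes of entry worth a second look, not the three names.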
