Topic: cab archive is corrupted


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: cab archive is corrupted
« Reply #15 on: March 10, 2008, 09:11:19 PM »
Hi, I was hoping that DSS would run. We'll use a different one.

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


windward

  • Guest
Re: cab archive is corrupted
« Reply #16 on: March 11, 2008, 02:17:19 AM »
I tried to attach the ComboFix and HijackThis logs, however the rtf format was refused. Here they are again as txt files.
Thanks!
Jim

Note: I am not using the affected machine because I don't want to go to the Internet until this problem is fixed. I.e., it wasn't hooked to the Internet when either of these programs were run.

Note 2: I tried to download Spyware Doctor yesterday and the machine went crazy. After throwing myself off the 18th story lanai, I uninstalled it and the machine came back to life. Yea!  :)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: cab archive is corrupted
« Reply #17 on: March 11, 2008, 07:30:55 AM »
My, my, there was some stuff hiding in there. DSS does go online for file verification; perhaps that was the problem. Regardless, let's carry on.

You have at least one remote access critter on your computer. So good choice in staying off the net. Please use a cd if possible to transfer programs to the infected computer. After running the following two fixes, you should be able to go on the net to post the logs/results.

* Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.  When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.



* Open HJT, run a system scan only, check mark these lines if present

O20 - Winlogon Notify: yayvssr - yayvssr.dll (file missing)

Close all other browsers/windows, click fix, close HJT.


Please follow all previous instructions regarding security programs.


* Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\dnaetsjx.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\whmaxusn.exe
C:\WINDOWS\system32\cehoeu.exe
C:\WINDOWS\system32\dxysktqf.exe
C:\WINDOWS\system32\fcpftfn.exe
C:\1.vbs
C:\WINDOWS\system32\amaw.exe
C:\WINDOWS\system32\oayac.exe
C:\WINDOWS\system32\cxupaguk.exe
C:\WINDOWS\system32\exurhklj.exe
C:\WINDOWS\system32\fwbfxsei.dll
C:\WINDOWS\system32\exurhklj.exe
C:\WINDOWS\system32\eksr.exe
C:\WINDOWS\system32\kltwcqo.exe
C:\WINDOWS\system32\hszvrs.exe
C:\WINDOWS\system32\jwdy.exe
C:\WINDOWS\system32\gbfv.exe

DirLook::
C:\e9907a5f6dfc19d5f1d6

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\jwdy.exe"=-



This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.



Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\mpgvl.exe
C:\WINDOWS\.compaq.bak
C:\WINDOWS\nsreg.dat


scroll down a bit and click "send file", wait for the results and post them in your next reply.

* Please try to turn on the windows firewall before going on the internet. If you are unable to do so, please follow these instructions.

Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:(copy and paste is fine).

EnableFirewall

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

Try to turn the firewall on.


In your next reply, I will need the SDFix results, the combofix.txt, virustotal results, firewall fix results (if used), and a new HJT log (run after everything else).

Thanks

ps: at least the O2 lines are visible now.
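The RegSrch step above is a manual way of answering one question: has something turned the Windows Firewall off through the registry, and what has been added to its exception list? The CFscript earlier in this reply removes exactly such an exception (jwdy.exe under AuthorizedApplications\List). As an added example that is not part of the thread and not a tool anyone in it used, here is a small Python script that performs the same review. It assumes the documented Windows XP SP2 key locations (SERVICE_KEY, POLICY_KEY, LIST_SUBKEY) and the entry format `<path>:<scope>:<Enabled|Disabled>:<name>` for exception values; the "review exception" rule for programs living in system32 is a heuristic of this example, and the inputs used in the test are constructed.

```python
import sys

# Documented Windows XP SP2 firewall locations under HKEY_LOCAL_MACHINE.
# The first holds the profile's own EnableFirewall value and its exception
# list; the second is the Group Policy override that wins when present.
SERVICE_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile")
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile"
LIST_SUBKEY = SERVICE_KEY + r"\AuthorizedApplications\List"


def read_key_values(subkey):
    """Return all values of an HKLM key as {name: data}; None if the key is
    missing or we are not on Windows (so the assessment can run offline)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            values, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:        # no more values under this key
                    return values
                values[name] = data
                index += 1
    except OSError:                    # key does not exist
        return None


def parse_exception(data):
    """Split an AuthorizedApplications entry of the form
    '<path>:<scope>:<Enabled|Disabled>:<display name>' into its fields."""
    parts = data.split(":")
    if len(parts) < 5:                 # the path carries its own drive colon
        return None
    return {
        "path": ":".join(parts[:2]),
        "scope": parts[2],
        "enabled": parts[3].lower() == "enabled",
        "name": ":".join(parts[4:]),   # a display name may itself contain ':'
    }


def assess_firewall(service_values, policy_values, authorized):
    """Return a list of findings. Arguments are the value dicts of the three
    keys above (None when a key is absent)."""
    findings = []
    policy = (policy_values or {}).get("EnableFirewall")
    local = (service_values or {}).get("EnableFirewall")
    effective = policy if policy is not None else local
    if effective == 0:
        source = "policy key" if policy is not None else "service key"
        findings.append(f"EnableFirewall is 0 in the {source}: firewall is off")
    elif effective is None:
        findings.append("EnableFirewall not present in either key")
    for data in (authorized or {}).values():
        entry = parse_exception(data)
        # Heuristic (assumption of this example): an enabled exception for a
        # program that lives in system32 deserves a manual look.
        if entry and entry["enabled"] and "\\system32\\" in entry["path"].lower():
            findings.append(f"review exception: {entry['path']} ({entry['name']})")
    return findings


if __name__ == "__main__":
    for line in assess_firewall(read_key_values(SERVICE_KEY),
                                read_key_values(POLICY_KEY),
                                read_key_values(LIST_SUBKEY)):
        print(line)
```

Run on the affected machine it prints the findings; `assess_firewall` is kept separate from the registry reads so the same logic can be applied to exported .reg data or to values collected elsewhere.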

windward

  • Guest
Re: cab archive is corrupted
« Reply #18 on: March 11, 2008, 09:00:13 AM »
Here are four of the files you wanted. More coming.
Aloha,
Jim  :)

windward

  • Guest
Re: cab archive is corrupted
« Reply #19 on: March 11, 2008, 09:02:58 AM »
Boy! I hope I did everything OK. Here is the latest Hijack log and SDFix results.
Thanks again for your help!!!!!
Jim  :)

PS - If I missed sending something, please let me know.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: cab archive is corrupted
« Reply #20 on: March 11, 2008, 09:08:59 AM »
Wrong combofix log. It's the same one you posted earlier. It should be located at C:\combofix. They will have a .txt extension, a number and a time date stamp. CF kinda does things backwards. The older log will have the highest number.

I must say you surprised me with your speed. Any improvement?

I take it you got the firewall turned on?

Thanks
« Last Edit: March 11, 2008, 10:10:18 AM by oldman »

windward

  • Guest
Re: cab archive is corrupted
« Reply #21 on: March 11, 2008, 07:43:19 PM »
Aloha!
I did indeed get the Windows Firewall up and running and will install one of the suggested ones as soon as you give the OK. Spyware Doctor seems to conflict with Avast. Do you have a suggestion on which spyware program to use? I noticed www.virustotal.com reported a possible Ghost infection?

I ran a new ComboFix this a.m. and it is attached.


Thanks again for all your help!
Aloha,
Jim  :)
Honolulu, HI

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67197
Re: cab archive is corrupted
« Reply #22 on: March 11, 2008, 07:56:59 PM »
Spyware Doctor seems to conflict with Avast.
Do you have a suggestion on which spyware program to use?
It shouldn't... But if you want another one, I suggest SUPERantispyware and/or Spyware Terminator.
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: cab archive is corrupted
« Reply #23 on: March 11, 2008, 08:37:41 PM »
Hi, things improving?

Yes, we are going to remove that one right now. It's too bad you didn't find the combofix log, as I had a command in it to show the contents of a folder. No matter, I will include it in this one also, so hang onto this log.  ;)

Did you uninstall/disable compaq monitoring tool?

There is another file/folder I'm checking out, just because of its time stamp.

Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\mpgvl.exe
C:\WINDOWS\system32\Isass.exe

DirLook::
C:\e9907a5f6dfc19d5f1d6


This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

windward

  • Guest
Re: cab archive is corrupted
« Reply #24 on: March 11, 2008, 10:58:12 PM »
Boy! You folks get an A+++++ in my book! Here is the latest ComboFix file.
Shall I go to www.virustotal.com and submit those files again, or no need?
Thanks,
Jim  :)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: cab archive is corrupted
« Reply #25 on: March 11, 2008, 11:43:05 PM »
No, no need to resubmit the files. We turfed one and the other two showed clean.

Can I get you to give DSS another go?

So far it looks good. What about this ?
"Did you uninstall/disable compaq monitoring tool?"

I asked because you have a legit service with a missing file. If you've removed it we can take care of the redundant service.

windward

  • Guest
Re: cab archive is corrupted
« Reply #26 on: March 12, 2008, 12:03:16 AM »
Hi again!
fyi - DSS wouldn't run so I downloaded it again. It ran fine after downloading to the same computer. The other version I downloaded to another computer and then transferred via removable drive. Anyway...here it is:

I don't know anything about the Compaq tool you are mentioning. Perhaps the virus disabled it or something?

Aloha,
Jim

Deckard's System Scanner v20071014.68
Run by Richard T on 2008-03-11 12:52:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: cab archive is corrupted
« Reply #27 on: March 12, 2008, 12:44:17 AM »
This looks good. If you want to remove that service, here are the instructions.

Open HJT, run a system scan only, check mark these lines if present

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)

Close all other browsers/windows, click fix, close HJT.

Click the start button, click run. In the run box copy and paste these lines, one at a time, hitting enter after each.

sc stop msCMTSrvc
sc delete msCMTSrvc



You also removed some legitimate HJT entries

backup-20080309-151052-359 O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dl
backup-20080309-151053-191 O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
backup-20080309-151053-213 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
backup-20080309-151053-756 O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
backup-20080309-151054-364 O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll


You can restore those. Open HJT click the view backup button. Check mark them, click restore.

As for Wildtangent, they have cleaned up their act a lot. It will come bundled with some Games/movies. It does not have to run at start up. You can leave those lines out. Or you can just uninstall it via add/remove.


I just have to comment. I don't think I've ever seen java that old.
JavaSoft\JRE\1.3.1 We'll take care of that during the clean up.

So do what you have to do with the above, then proceed with the clean up of the tools.



* Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u


* Please download OTMoveIt2 by OldTimer.



Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

* Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.


* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml


* Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/

* DavidR gave you links for firewalls.

* Check if you have insecure applications with Secunia Software Inspector

windward

  • Guest
Re: cab archive is corrupted
« Reply #28 on: March 12, 2008, 02:44:13 AM »
I think I did everything correctly up until installing Java. I keep getting the message that the "Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode (I'm not) or if Installer is not correctly Installed."
This is the file on my Desktop I am trying to install: jre-6u5-windows-i586-p.exe.
I deleted all Java, Sun, etc. from the computer. Neither of the files you mentioned were in the Program Files directory.
I did download the "Sun Download Manager" but deleted it.
Jim  ???

windward

  • Guest
Re: cab archive is corrupted
« Reply #29 on: March 12, 2008, 02:57:04 AM »
I did a boot scan using Avast and this is the report. Don't know if it'll be a help or not:

03/08/2008 07:05
Scan of all local drives
File C:\WINDOWS\system32\msCMTsrvc.exe is infected by Win32:Trojan-gen {VC}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Deleted

Number of searched folders: 3035
Number of tested files: 39507
Number of infected files: 1

----------------------------------------
03/09/2008 09:13
Scan of all local drives
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_\dxdiagn.dll Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_ Error 42127 {CAB archive is corrupted.}

Number of searched folders: 3388
Number of tested files: 183176
Number of infected files: 0

----------------------------------------
03/09/2008 12:08
Scan of all local drives
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_\dxdiagn.dll Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_ Error 42127 {CAB archive is corrupted.}

Number of searched folders: 3487
Number of tested files: 227063
Number of infected files: 0

----------------------------------------
03/11/2008 13:26
Scan of all local drives

Number of searched folders: 4904
Number of tested files: 268783
Number of infected files: 0
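The boot-scan report above mixes two kinds of "File ..." lines that are easy to confuse: a detection ("is infected by ... Deleted") and a scanner error (Error 42127, the "CAB archive is corrupted" message that gave this thread its title), which is not a detection at all but a file the scanner could not open. As an added example, not part of the thread and not an Avast tool, here is a Python parser that separates the two, checks that each scan's "Number of infected files" counter matches the detections listed, and flags detections whose last action is not "Deleted". The line patterns are inferred from the lines posted above, the sample report embedded below is constructed in that layout, and treating "Deleted" as the only terminal action is an assumption of this example (other reports may use other outcomes).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as the report above: two scans,
# one detection that was deleted, one archive the scanner could not open.
SAMPLE_REPORT = """\
03/08/2008 07:05
Scan of all local drives
File C:\\WINDOWS\\system32\\msCMTsrvc.exe is infected by Win32:Trojan-gen {VC}, Repair: Error 42060 {The file was not repaired.}, Deleted

Number of searched folders: 3035
Number of tested files: 39507
Number of infected files: 1

----------------------------------------
03/09/2008 09:13
Scan of all local drives
File C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\abc.default\\Cache\\DD23C54Bd01\\i386\\dxdiagn.dl_\\dxdiagn.dll Error 42127 {CAB archive is corrupted.}
File C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\abc.default\\Cache\\DD23C54Bd01\\i386\\dxdiagn.dl_ Error 42127 {CAB archive is corrupted.}

Number of searched folders: 3388
Number of tested files: 183176
Number of infected files: 0
"""

# Line patterns inferred from the posted report (assumption of this example).
SEPARATOR = re.compile(r"^-{10,}\s*$")
HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2})$")
INFECTED = re.compile(r"^File (?P<path>.+?) is infected by (?P<rest>.+)$")
ERROR = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>.+?)\}$")
COUNTER = re.compile(r"^Number of (?P<what>searched folders|tested files|infected files): (?P<n>\d+)$")


@dataclass
class Detection:
    path: str
    threat: str
    actions: list            # e.g. ["Repair: Error 42060 {...}", "Deleted"]

    @property
    def resolved(self) -> bool:
        # Assumption: "Deleted" is the only terminal action seen on the page.
        return bool(self.actions) and self.actions[-1] == "Deleted"


@dataclass
class ScanError:
    path: str
    code: int
    message: str


@dataclass
class ScanSection:
    started: str
    detections: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    counters: dict = field(default_factory=dict)

    def consistent(self) -> bool:
        """The scanner's own infected-file counter should equal the detections listed."""
        return self.counters.get("infected files") == len(self.detections)


def parse_report(text: str) -> list:
    """Split a report into ScanSection objects, one per dated scan."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        header = HEADER.match(line)
        if header:
            current = ScanSection(started=f"{header.group(1)} {header.group(2)}")
            sections.append(current)
            continue
        if current is None:          # text before the first dated header
            continue
        if (m := INFECTED.match(line)):
            parts = m.group("rest").split(", ")   # threat name, then actions
            current.detections.append(Detection(m.group("path"), parts[0], parts[1:]))
        elif (m := ERROR.match(line)):
            current.errors.append(ScanError(m.group("path"), int(m.group("code")), m.group("msg")))
        elif (m := COUNTER.match(line)):
            current.counters[m.group("what")] = int(m.group("n"))
    return sections


def triage(text: str) -> dict:
    """Summarise what still needs attention after reading the whole report."""
    sections = parse_report(text)
    return {
        "scans": len(sections),
        "unresolved": [d.path for s in sections for d in s.detections if not d.resolved],
        "resolved": [d.path for s in sections for d in s.detections if d.resolved],
        "archive_errors": sorted({e.path for s in sections for e in s.errors if e.code == 42127}),
        "count_mismatch": [s.started for s in sections if not s.consistent()],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Running it on the sample lists msCMTsrvc.exe as a resolved detection, reports both dxdiagn.dl_ paths as archive errors rather than infections, and finds no counter mismatch, which is the same reading the helper gave of the real report: the corrupted CAB in the Firefox cache was never a detection.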