
Infected with Backdoor Trojan


This topic is locked
95 replies to this topic

#1 dgyoung40


Posted 03 February 2009 - 01:41 AM

Thanks in advance for any help you can provide!!

My first post was on the "Am I infected? What do I do?" forum: http://www.bleepingcomputer.com/forums/t/199006/im-pretty-sure-im-infectedwhat-do-i-do/

Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:40 AM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\jqjk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tcim.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\internat.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\svchest.exe
C:\Documents and Settings\Deirdre\My Documents\Temp\HiJackThis\HijackThis.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=1027232
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wbem\internat.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\PushWare\cpush.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\XWatDog.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [vmdetdhc.exe] C:\WINDOWS\system32\vmdetdhc.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\drivers\TXPlatform.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [svchest.exe] C:\WINDOWS\system32\svchest.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKLM\..\Policies\Explorer\Run: [llajyn_df] C:\WINDOWS\system\lljyn090113.exe
O4 - HKLM\..\Policies\Explorer\Run: [zhqbastart] rundll32.exe C:\WINDOWS\system\zhnahsdf090101c.dll a16zhqb
O4 - HKLM\..\Policies\Explorer\Run: [ming9astart] C:\WINDOWS\system\ming9a090110.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - https://myvpn.ford.com/vminet_images/vmi660...6tQu76,CT=java+
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://investools.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: McAfee Application Installer Cleanup (0318751232209181) (0318751232209181mcinstcleanup) - Unknown owner - C:\DOCUME~1\Deirdre\LOCALS~1\Temp\031875~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jqjk - Unknown owner - C:\WINDOWS\system32\jqjk.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - Unknown owner - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: taklq - Unknown owner - C:\WINDOWS\system32\taklq.exe (file missing)
O23 - Service: ci (tcim) - Unknown owner - C:\WINDOWS\system32\tcim.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9432 bytes
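A triage pass over the persistence entries in the log above, written as an added example (not HijackThis code or anything from the thread). It flags the patterns the helper later removes: an extended UserInit chain, a name one character off svchost.exe, an autorun with no path, a Policies\Explorer\Run entry loading from %SystemRoot%\system, and services with no publisher or a missing binary. The sample lines are copied from the log; the heuristics, name lists and wording of the findings are this example's own assumptions.

```python
"""Triage a HijackThis log for the persistence patterns seen in this thread.

Added example, not part of HijackThis or of the original post.  The sample
lines are copied from the log posted above; the heuristics are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wbem\internat.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKCU\..\Run: [svchest.exe] C:\WINDOWS\system32\svchest.exe
O4 - HKLM\..\Policies\Explorer\Run: [zhqbastart] rundll32.exe C:\WINDOWS\system\zhnahsdf090101c.dll a16zhqb
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: jqjk - Unknown owner - C:\WINDOWS\system32\jqjk.exe
O23 - Service: taklq - Unknown owner - C:\WINDOWS\system32\taklq.exe (file missing)
"""

# Core Windows binaries that malware likes to name itself after, one character off.
LOOKALIKE_TARGETS = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "explorer.exe", "ctfmon.exe")

# Absolute path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"]*?\.(?:exe|dll|com|bat|scr)')
O4_RE = re.compile(r"O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)")


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch svchest.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single HijackThis line deserves review."""
    reasons: List[str] = []

    # F2: Winlogon's UserInit value.  Anything listed after userinit.exe runs at every logon.
    if line.startswith("F2 - REG:system.ini: UserInit="):
        chain = [p for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
        if not chain or len(chain) > 1 or basename(chain[0]) != "userinit.exe":
            reasons.append("UserInit launches extra program(s): " + ", ".join(chain[1:] or chain))

    # O4: Run-key autoruns.
    m = O4_RE.match(line)
    if m:
        key, cmd = m.group("key"), m.group("cmd")
        paths = PATH_RE.findall(cmd)
        if "\\Policies\\Explorer\\Run" in key:
            reasons.append("autorun under Policies\\Explorer\\Run, a key installers rarely use")
        if not paths:
            reasons.append("no absolute path; %r is resolved by PATH search" % (cmd.split() or ["?"])[0])
        for p in paths:
            if "\\windows\\system\\" in p.lower():
                reasons.append("payload under %SystemRoot%\\system (not system32): " + p)
            name = basename(p)
            for target in LOOKALIKE_TARGETS:
                if name != target and edit_distance(name, target) == 1:
                    reasons.append("%s is one character off %s" % (name, target))

    # O23: services.  HijackThis prints "Unknown owner" when the binary carries no company name.
    if line.startswith("O23 - Service: "):
        fields = line[len("O23 - Service: "):].rsplit(" - ", 2)
        if len(fields) == 3:
            _svc, owner, path = fields
            if path.endswith("(file missing)"):
                reasons.append("service binary is missing (deleted payload, orphaned entry)")
            if owner == "Unknown owner" and "\\system32\\" in path.lower():
                reasons.append("service with no publisher info running from system32")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its list of reasons."""
    hits: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                hits[line] = reasons
    return hits


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("    ->", r)
```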



#2 fenzodahl512


Posted 05 February 2009 - 05:10 AM

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall




Please post these logs in your next reply... Post each log in separate post

1. SDFix
2. ComboFix
3. A fresh HijackThis log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 dgyoung40


Posted 05 February 2009 - 10:34 PM

I haven't been able to run in Safe Mode. I receive a blue screen...is it OK to run this in normal mode?

#4 fenzodahl512


Posted 06 February 2009 - 03:29 AM

Skip SDFix and proceed with ComboFix step.. If ComboFix failed to start, rename it to ComboFix and run it.. Post the log here :thumbup2:



#5 dgyoung40


Posted 08 February 2009 - 06:03 PM

I have attached the ComboFix log and the HijackThis log to this post. I haven't been able to get my internet connection set up again so as you'll see in the log, I don't have the Recovery Console. Please let me know if I need to load it separately. Thanks again for all your assistance!!

#6 fenzodahl512


Posted 08 February 2009 - 10:56 PM

Do this first to get internet connection back to the computer..


Please download WinsockXPFix from HERE.
  • Double-click on WinsockXPFix and click on Fix
It will ask you to restart your computer in attempt to fix the internet connection. Please do so..





NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=200266&view=findpost&p=1127293

KillAll::

NetSvc::
wowsystemcode123

Driver::
bjuyj
jqjk
taklq
wowsystemcode123

Collect::
c:\windows\pspa.exe.exe
C:\­­­­­­.exe
c:\documents and settings\Deirdre\NkbMonitor.exe.exe
c:\documents and settings\Deirdre\backWeb-8876480.exe.exe
c:\documents and settings\Deirdre\iTunesHelper.exe.exe
c:\documents and settings\Deirdre\MwlGui.exe.exe
c:\windows\taskman.com
c:\documents and settings\Darryl\LDMConf.exe.exe
c:\documents and settings\Darryl\QTTask.exe.exe
c:\documents and settings\Darryl\scrapremind.exe.exe
c:\documents and settings\Deirdre\AdobeUpdateManager.exe.exe
c:\documents and settings\Deirdre\McMWLWarn.exe.exe
c:\documents and settings\Deirdre\mcshell.exe.exe
c:\documents and settings\Deirdre\mcuninst.exe.exe
c:\documents and settings\Deirdre\McAfeeDataBackup.exe.exe
c:\documents and settings\Deirdre\McENUI.exe.exe
c:\documents and settings\Deirdre\LDMConf.exe.exe
c:\documents and settings\Deirdre\QTTask.exe.exe
c:\documents and settings\Deirdre\scrapremind.exe.exe
c:\documents and settings\Deirdre\ManifestEngine.exe.exe
c:\windows\system32\jqjk.exe
c:\windows\system32\svchest.exe
c:\windows\system32\qq2.bmp
c:\windows\system32\wow737_750.dll
c:\windows\syscheck
C:\ˇˇˇˇˇˇ.exe
c:\windows\system32\drivers\xkk.sys
c:\windows\system32\jqjk.exe
c:\windows\system32\taklq.exe
c:\windows\system32\drivers\pdehqluw.bak
c:\windows\system\lljyn090113.exe
c:\windows\system\zhnahsdf090101c.dll
c:\windows\system\ming9a090110.exe

AWF::
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\CyberLink\PowerDVD\bak\Desktop_1.ini
c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
c:\program files\Dell\AccessDirect\bak\dadapp.exe
c:\program files\Dell\AccessDirect\bak\Desktop_1.ini
c:\program files\Dell\Media Experience\bak\Desktop_1.ini
c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
c:\program files\Dell\QuickSet\bak\Desktop_1.ini
c:\program files\Dell\QuickSet\bak\quickset.exe
c:\program files\DellSupport\bak\Desktop_1.ini
c:\program files\Hewlett-Packard\HP Share-to-Web\bak\Desktop_1.ini
c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
c:\program files\iTunes\bak\Desktop_1.ini
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Java\jre1.5.0_10\bin\bak\Desktop_1.ini
c:\program files\Java\jre1.5.0_10\bin\bak\jusched.exe
c:\program files\McAfee\MHN\bak\Desktop_1.ini
c:\program files\McAfee\MHN\bak\McENUI.exe
c:\program files\McAfee\MSK\bak\Desktop_1.ini
c:\program files\McAfee\MSK\bak\MskAgent.exe
c:\program files\McAfee\MWL\bak\Desktop_1.ini
c:\program files\McAfee\MWL\bak\MWLGuiSt.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\Desktop_1.ini
c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe
c:\program files\QuickTime\bak\Desktop_1.ini
c:\program files\QuickTime\bak\qttask.exe
c:\program files\SiteAdvisor\6172\bak\Desktop_1.ini
c:\program files\Synaptics\SynTP\bak\Desktop_1.ini
c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
c:\program files\XGI\bak\Desktop_1.ini
c:\program files\XGI\bak\XWatDog.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\dla\bak\tfswctrl.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchest.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"llajyn_df"=-
"zhqbastart"=-
"ming9astart"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation not captured)


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Edited by fenzodahl512, 08 February 2009 - 10:58 PM.



#7 dgyoung40


Posted 12 February 2009 - 12:47 AM

My apologies for the delay...unfortunately my time is limited this week.

To add insult to injury...I could not get winsockxpfix to run. I receive the error "Run-time error '52'. Bad file name or number". Please let me know what you would like to do next. Thanks in advance!

#8 fenzodahl512


Posted 12 February 2009 - 01:01 AM

Do the CFScript step first.. Then post me the log.. reboot your computer then if you still couldn't get the internet connection, tell me about it :thumbup2:



#9 dgyoung40


Posted 12 February 2009 - 01:53 AM

I ran the CFScript step and I don't see a log?? It should be C:\ComboFix.txt...correct? At the end of the run of the script, I received an error with notepad...stating access denied. I received that the first time I ran ComboFix but I could still find my log. This time I did not find it.

Is it OK to just run it again?? I'm sure I lost info but I'm guessing it would still be a benefit??

Also, just to make you aware, every time I load up, I get several pop ups for different executables that can't run...i.e...ManifestEngine.exe.exe, qttask.exe.exe, etc. I just received one that I don't recall seeing..."Error loading C:\windows\system\zhnahsdf090101c.dll".

#10 fenzodahl512


Posted 12 February 2009 - 02:04 AM

Try running the CFScript step in Safe Mode, then post the log here :thumbup2:



#11 dgyoung40


Posted 12 February 2009 - 03:01 AM

Still not successful...
I was able to get into Safe Mode, Yeh!! I ran ComboFix with the script. When it rebooted, it came up in normal mode. It finished but didn't create a log. I received the same error message...access denied. I tried to run it again in safe mode. This time I forced it back into safe mode when it rebooted...however combofix didn't continue to run. Is there something I can do manually to continue after the reboot at the appropriate spot?? Thanks!

#12 fenzodahl512


Posted 12 February 2009 - 03:16 AM

Let's do this instead...


Please restart your computer. Before running a new scan let's clean out the temporary folders.

Please download CleanUp! by stevengould.org and save it to your Desktop.
  • Double-click CleanUp452.exe and install CleanUp! to your computer
  • Open CleanUp! and click on Options.. button.
  • Under General tab, choose Standard CleanUp! and then click Ok
  • Click on the CleanUp! button. When it asks you to log off Windows, click Yes
  • Let Windows reboot (or do it manually) and continue with the next step


Now download OTScanIt2.exe and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Services, Drivers and Registry section, please set it to Safe List.
  • In the Rootkit Search section, set to Yes
  • In the Files Created Within and Files Modified Within section, set it to WhiteList/File Age
  • At the bottom, tick on all Use WhiteList and Include All Unicode Names option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
    • Reg - IE Explorer Bars
    • Reg - NetSvcs
    • Reg - Tcpip Persistent Routers
    • File - Lop Check
    • File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..



#13 dgyoung40


Posted 12 February 2009 - 09:02 PM

I have attached the OTScanIt log.

#14 fenzodahl512


Posted 13 February 2009 - 03:20 AM

Please download The Comedian.exe to your desktop
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished



NEXT


Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Copy/Paste the information in the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Processes - Safe List]
YY -> txplatform.exe -> %SystemRoot%\system32\drivers\TXPlatform.exe
[Win32 Services - Safe List]
YY -> (0318751232209181mcinstcleanup) McAfee Application Installer Cleanup (0318751232209181) [Win32_Own | Auto | Stopped] -> 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3755539540-2405715546-2519215950-1006\] > -> 
YY -> HKEY_USERS\S-1-5-21-3755539540-2405715546-2519215950-1006\: URLSearchHooks\\"{4D25F926-B9FE-4682-BF72-8AB8210D6D75}" [HKLM] -> %ProgramFiles%\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll []
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YN -> \run\\"llajyn_df" -> %SystemRoot%\system\lljyn090113.exe [C:\WINDOWS\system\lljyn090113.exe]
YN -> \run\\"zhqbastart" -> %SystemRoot%\system\zhnahsdf090101c.DLL [rundll32.exe C:\WINDOWS\system\zhnahsdf090101c.dll a16zhqb]
YN -> \run\\"ming9astart" -> %SystemRoot%\system\ming9a090110.exe [C:\WINDOWS\system\ming9a090110.exe]
< IFEO [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
YN -> 360Safe.xe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> aluschedulersvc.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> ArSwp.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> AST.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avadmin.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avcenter.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avconfig.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avconsol.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avgas.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avgnt.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avguard.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avnotify.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avscan.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> EGHOST.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> egui.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> ekrn.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> Frameworkservice.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> FTCleanerShell.e -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> FWMon.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> FYFireWall.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> guard.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> guardgui.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> JMPPWallUI.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> KAVPF.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> kissvc.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> kvprescan.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> KVScan.kxp -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> KvXP_1.kxp -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> licmgr.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> McShield.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> naPrdMgr.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> Navapsvc.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> Navapw32.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> Navw32.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> navwnt.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> nmapapp.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> nod32.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> NPFMntor.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> OCSCtl.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> PFWLiveUpdate.ex -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> QQKav.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> rfwstub.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> RSTray.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> rstrui.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> sfctlcom.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> sffnup.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> shstat.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> Tbmon.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> TrojanDetector.e -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> ufseagnt.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> ufupdui.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> uiStub.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> UlibCfg.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> UmxAttachment.ex -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> UpdaterUI.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> upiea.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> USBCleaner.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> vsstat.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> Vstskmgr.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> webscanx.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> wmain.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> WSCStub.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> wsctool.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> xe -> %SystemRoot%\system32\migpwd.exe [Debugger]
[Files/Folders - Created Within 90 Days]
NY -> ˇˇˇˇˇˇ.exe -> %SystemDrive%\ˇˇˇˇˇˇ.exe
NY -> backWeb-8876480.exe.exe -> %UserProfile%\backWeb-8876480.exe.exe
NY -> dadtray.exe.exe -> %UserProfile%\dadtray.exe.exe
NY -> quickset.exe.exe -> %UserProfile%\quickset.exe.exe
NY -> DMXLauncher.exe.exe -> %UserProfile%\DMXLauncher.exe.exe
NY -> SynTPEnh.exe.exe -> %UserProfile%\SynTPEnh.exe.exe
NY -> SynTPLpr.exe.exe -> %UserProfile%\SynTPLpr.exe.exe
NY -> RecordNow.exe.exe -> %UserProfile%\Desktop\RecordNow.exe.exe
NY -> ming9df32.ini -> %AllUsersProfile%\ming9df32.ini
NY -> {3276BE95_AF08_429F_A64F_CA64CB79BCF6} -> %AllUsersProfile%\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[Files/Folders - Modified Within 90 Days]
NY -> NkbMonitor.exe.exe -> %UserProfile%\NkbMonitor.exe.exe
NY -> backWeb-8876480.exe.exe -> %UserProfile%\backWeb-8876480.exe.exe
NY -> quickset.exe.exe -> %UserProfile%\quickset.exe.exe
NY -> dadtray.exe.exe -> %UserProfile%\dadtray.exe.exe
NY -> DMXLauncher.exe.exe -> %UserProfile%\DMXLauncher.exe.exe
NY -> SynTPEnh.exe.exe -> %UserProfile%\SynTPEnh.exe.exe
NY -> SynTPLpr.exe.exe -> %UserProfile%\SynTPLpr.exe.exe
NY -> TXPlatform.exe -> %SystemRoot%\System32\drivers\TXPlatform.exe
NY -> ˇˇˇˇˇˇ.exe -> %SystemDrive%\ˇˇˇˇˇˇ.exe
NY -> RecordNow.exe.exe -> %UserProfile%\Desktop\RecordNow.exe.exe
NY -> ming9df32.ini -> %AllUsersProfile%\ming9df32.ini
NY -> ming9df16.ini -> %AllUsersProfile%\ming9df16.ini
NY -> qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[File - Lop Check]
NY -> {3276BE95_AF08_429F_A64F_CA64CB79BCF6} -> C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[CatchMe Rootkit Scan by GMER]
NY -> C:\Documents and Settings\Deirdre\Local Settings\Temp\0$$.bat 305 bytes -> 
NY -> C:\Documents and Settings\Deirdre\Local Settings\Temp\0318751232209181mcinst.exe 315264 bytes executable -> 
NY -> C:\Documents and Settings\Deirdre\Local Settings\Temp\1$$.bat 441 bytes -> 
NY -> C:\Documents and Settings\Deirdre\Local Settings\Temp\10$$.bat 405 bytes ->

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here. I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.





NEXT


Try running ComboFix normally.. Then post these logs in your next reply..

1. OTScanIt2
2. ComboFix

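The IFEO block in that fix is the part a defender should recognise: a Debugger value under Image File Execution Options makes Windows start the named "debugger" in place of the image, so each security product listed there (avguard.exe, McShield.exe, nod32.exe and the rest) silently launches migpwd.exe instead. As an added example, not OTScanIt code or anything from the thread, the script below parses OTScanIt IFEO lines and reports which debugger binaries were registered for which images; the sample is a slice of the fix above plus one constructed benign entry, and the known-debugger list and the threshold are assumptions.

```python
"""Spot Image File Execution Options (IFEO) Debugger hijacks in OTScanIt output.

Added example, not OTScanIt code or anything from the thread.  A Debugger
value under IFEO\<image> makes Windows run that value instead of <image>,
which is how the entries in the fix above keep every listed AV from starting.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a slice of the OTScanIt fix above, plus one benign
# entry (myapp.exe -> windbg.exe) invented here so the filter has a pass case.
SAMPLE_FIX = r"""
< IFEO [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
YN -> 360Safe.xe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> avguard.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> FTCleanerShell.e -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> McShield.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> nod32.exe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> xe -> %SystemRoot%\system32\migpwd.exe [Debugger]
YN -> myapp.exe -> C:\Debuggers\windbg.exe [Debugger]
[Files/Folders - Created Within 90 Days]
"""

# Debuggers that legitimately show up as IFEO Debugger values (assumption: tune per estate).
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

# One "debugger" registered for this many images is not debugging, it is suppression.
MASS_HIJACK_THRESHOLD = 3

IFEO_LINE = re.compile(r"^Y[YN] -> (?P<image>.+?) -> (?P<debugger>.+?) \[Debugger\]$")


def parse_ifeo(text: str) -> Dict[str, List[str]]:
    """Group IFEO Debugger entries by debugger binary (lower-cased basename)."""
    by_debugger: Dict[str, List[str]] = defaultdict(list)
    for raw in text.splitlines():
        m = IFEO_LINE.match(raw.strip())
        if not m:
            continue
        dbg = m.group("debugger").strip('"').rsplit("\\", 1)[-1].lower()
        by_debugger[dbg].append(m.group("image"))
    return dict(by_debugger)


def classify(by_debugger: Dict[str, List[str]]) -> Dict[str, str]:
    """Verdict per debugger binary: 'ok', 'review' or 'hijack'."""
    verdicts: Dict[str, str] = {}
    for dbg, images in by_debugger.items():
        if dbg in KNOWN_DEBUGGERS:
            verdicts[dbg] = "ok"
        elif len(images) >= MASS_HIJACK_THRESHOLD:
            verdicts[dbg] = "hijack"
        else:
            verdicts[dbg] = "review"
    return verdicts


def truncated_names(images: List[str]) -> List[str]:
    """Image names cut to 16 characters (FTCleanerShell.e) or with no extension
    (xe): entries that look machine-written rather than typed by an admin."""
    return [i for i in images if len(i) == 16 or "." not in i]


if __name__ == "__main__":
    groups = parse_ifeo(SAMPLE_FIX)
    for dbg, verdict in classify(groups).items():
        print("%-12s %-7s %d image(s)" % (dbg, verdict, len(groups[dbg])))
        if verdict == "hijack":
            print("    truncated names:", truncated_names(groups[dbg]))
```

On a live system the same grouping can be done over the subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, reading each one's Debugger value.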


#15 dgyoung40


Posted 14 February 2009 - 12:45 PM

I received an error when trying to run The_Comedian..."The_Comedian.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

Should I continue with the OTScanIT2?



