Backdoor.haxdoor.ja And More Infection


  • This topic is locked
17 replies to this topic

#1 Alex Powers

Alex Powers

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 16 June 2006 - 08:39 AM

Here's my sad story. I got some help on the other boards but am still having problems. Anything you guys/gals can do to help would be much appreciated. :thumbsup:

Two versions of the story:

Short: A coworker's computer is infected with a number of different malwares. Ewido continually gives me warning messages, and repeated Ad-Aware and Spybot have removed many problems but made others worse.

Long: Start here.

Though I think SurfSidekick and BraveSentry are now gone, I have a number of other error messages popping up. Yesterday (Thursday) I ran CCleaner, then reset and ran Ad-Aware in Safe Mode, which caught plenty of things, even though it was the third time I'd run it. This scan also found the registry key that had been blocking my access to the Task Manager :flowers: I also ran BitDefender, which caught a lot as well. About this time I also saw a warning somewhere to disable System Restore as it could hide deleted malware, so I did. However, I am still getting a lot of error messages from Ewido, which is running in guard mode at all times now.

The most frequent Ewido warnings are for:

winm32.dll
Backdoor.Haxdoor.ja
- This one pops up very often, usually whenever I open a new program (run an .exe maybe?) and like with the others, telling Ewido to clean it just causes another warning

nydqlbm.dll
Downloader.Qoologic.bj

wucrtupd.dll
Adware.PurityScan


I still get occasional ad popups in Firefox and IE but they aren't as bad as they were before removing SurfSidekick.

I uninstalled Norton earlier in the week as part of cleaning, but now I have bought the new Norton 2006 and cannot install it. When I try to do so, it says it needs to update the Windows Installer, but the installer program gets stuck. McAfee Stinger didn't find anything. I have not updated to SP2. I also do not know exactly what kind of firewall our company has - it is a small business and my coworkers don't know much about computers. They have a client who set up their network but he is never available to help me fix anything. Once this problem is solved I plan to get SP2 and its firewall, and maybe another in addition.

Logfile of HijackThis v1.99.1
Scan saved at 9:06:03 AM, on 6/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Cindy\MYDOCU~1\DOBE~1\nopdb.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\??mbols\msiexec.exe
C:\WINDOWS\TEMP\D6EC.tmp
c:\8bd2fa8f77e4309de6349170\UPDATE\update.exe
C:\Documents and Settings\Cindy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xbuuu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jvcyfxb.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C659711E-BCFE-ED59-A7FE-E03BF30023C0} - C:\WINDOWS\System32\xif.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hiiiuq] C:\WINDOWS\System32\hrequs.exe reg_run
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [jssvc23] jsssvc.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Cindy\MYDOCU~1\DOBE~1\nopdb.exe" -vt mt
O4 - HKCU\..\Run: [Tmtm] C:\PROGRA~1\MBOLS~1\msiexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm00696US
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.judicial.state.sc.us/CFIDE/classes/CFJava.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aolcom.ea.com/downloads/games/common/ieell.cab
O16 - DPF: {46C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDPass Class) - http://www.cdpass.com/cdkey/CDPass.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aolcom.ea.com/downloads/games/commo...py/iesnoopy.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio.../whlisten12.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wucrtupd.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: emldvc - C:\WINDOWS\SYSTEM32\emldvc.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)
O21 - SSODL: CDRecorder001 - {A3BC5E20-0235-1ABF-9CE1-00AA00512001} - C:\WINDOWS\System32\cukjyu32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: msjint40 - Unknown owner - C:\WINDOWS\System32\msjint40.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you all!

P.S. Something is wonky with SafeMode - all I get is a black screen with the white SafeMode letters. Not sure what's up, will continue trying to run Ad-Aware and Ewido since Spybot has stopped catching things it seems.

Edited by Alex Powers, 16 June 2006 - 08:42 AM.
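As an added illustration, not part of this thread nor of HijackThis or Haxfix, the script below applies a few of the checks a malware-removal helper runs by hand over a HijackThis log: browser start/default pages that point at a local file, extra executables chained into the system.ini Shell= and UserInit= values, RunServices autostarts, Trusted Zone additions, AppInit_DLLs, Winlogon Notify packages that are not in a short Windows XP allowlist, SSODL entries, and services whose binary is missing. The sample lines are copied from the log above; the allowlist, the severity labels and the function names are assumptions of this example and do not come from any tool.

```python
import re

# Constructed sample: a dozen lines taken verbatim from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xbuuu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jvcyfxb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: C:\WINDOWS\System32\wucrtupd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

# Every HijackThis line starts with a section code such as R0, F2, O4, O20, O23.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Winlogon Notify packages that ship with Windows XP. Assumption: a deliberately
# short allowlist; anything else (winm32, emldvc, polymorphreg, ...) gets flagged.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Values a clean system.ini Shell= / UserInit= line carries on XP.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def _is_local_file(value):
    """True when a browser page setting is a drive path (c:\\...) instead of a URL."""
    return re.match(r"^[a-z]:\\", value.strip(), re.I) is not None


def check_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1") and "=" in body:
        _, value = body.split("=", 1)
        if _is_local_file(value):
            return ("high", "browser page setting points at a local file")
    elif sec == "F2":
        fm = re.search(r"(Shell|UserInit)=(.*)$", body, re.I)
        if fm:
            # "Explorer.exe, C:\...\x.exe" -> anything after the expected value is an add-on.
            parts = [p.strip() for p in fm.group(2).split(",") if p.strip()]
            first = parts[0].rsplit("\\", 1)[-1].lower() if parts else ""
            if first != EXPECTED[fm.group(1).lower()] or len(parts) > 1:
                return ("high", "extra program chained into the logon Shell/UserInit value")
    elif sec == "O4" and "RunServices" in body:
        return ("medium", "RunServices autostart (legacy key, rarely used by legitimate software)")
    elif sec == "O15":
        return ("medium", "domain added to the IE Trusted Zone")
    elif sec == "O20":
        if body.startswith("AppInit_DLLs:"):
            return ("high", "AppInit_DLLs loads a DLL into every user-mode process")
        nm = re.match(r"Winlogon Notify: (\S+) - ", body)
        if nm and nm.group(1).lower() not in KNOWN_NOTIFY:
            return ("high", "Winlogon Notify package not in the XP allowlist")
    elif sec == "O21":
        return ("medium", "ShellServiceObjectDelayLoad entry (loaded by Explorer at logon)")
    elif sec == "O23" and "(file missing)" in body:
        return ("low", "service whose binary is missing")
    return None


def triage(log_text):
    """Run check_line over a whole log; returns a list of (severity, section, line, reason)."""
    findings = []
    for line in log_text.splitlines():
        hit = check_line(line)
        if hit:
            severity, reason = hit
            findings.append((severity, line.split(" - ", 1)[0], line.strip(), reason))
    return findings


if __name__ == "__main__":
    for severity, sec, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {sec:4} {reason}\n         {line}")
```

On the sample above the script flags eight of the twelve lines and leaves the Java updater, the AIM search bar, the WgaLogon notify package and the ewido service alone. The output is a triage aid, not a verdict: a Winlogon Notify DLL with a random name in system32 is the kind of entry that still has to be confirmed by the helper before anything is deleted.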




#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:08 PM

Posted 16 June 2006 - 09:16 AM

Welcome aboard.. :thumbsup: And yes, you've got a very infected PC there.

We'll need to start with Haxdoor.

Please download Haxfix.exe:
  • Save it to your desktop.
  • Double-click on haxfix.exe to install haxfix. (standard installation path is C:\Program Files\haxfix)
  • Checkmark "Create a desktop icon".
  • Click "Next".
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
  • Click "Finish".
  • A red "dos window" (dos box) will open.
  • Select option 1. Make logfile by typing 1 and then pressing Enter.
  • Haxfix will start scanning the computer. When it is finished a logfile will open.
  • Copy the contents of that logfile and paste it into this thread.

Hi there, stranger!

#3 Alex Powers

Alex Powers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 16 June 2006 - 10:00 AM

Rawe:

Wow! Thanks for the fast reply! I put Haxdoor on floppy from a working computer in the office, but when I went to install it on the buggy one I was unable to do anything. There's a problem with user logon. Windows seems to start up fine, but after choosing a login account I am hit with several Ewido messages and then a blank desktop (same in Safe Mode.)

Checking Task Manager I saw that winlogon.exe is running, which made me think the logon process was frozen. However a quick search suggests that this process should not show in Task Manager and that it does might indicate another Trojan. Any suggestions on resolving this? I have tried ignoring the Ewido messages instead of telling it to clean, but it makes no difference. Not sure how to proceed from here... :thumbsup:

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:08 PM

Posted 16 June 2006 - 11:11 AM

Winlogon.exe does need to run in the task manager but.. Let me ask for some help with this :thumbsup:
Hi there, stranger!

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:08 PM

Posted 16 June 2006 - 11:28 AM

Hmm..

Couple options.

When you boot up and login, try accessing Task Manager immediately and kill ewidoguard.exe process.

Then you shouldn't get all those warnings.. Then post back with the log and we'll disable Ewido guard for good. :thumbsup:
Hi there, stranger!

#6 Alex Powers

Alex Powers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 16 June 2006 - 12:20 PM

When you boot up and login, try accessing Task Manager immediately and kill ewidoguard.exe process.


I tried a few times, it's too fast for me :thumbsup: My meagre human reflexes are no match for the machine.

I am able to access Task Manager fine, and can use the run function from there...although, I tried running "explorer" directly and it fails. I did get msconfig to pull up, not sure if that helps.

What were those other options? :flowers:

Edited by Alex Powers, 16 June 2006 - 12:21 PM.


#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:08 PM

Posted 16 June 2006 - 12:25 PM

Try this.. On the task manager, use the Run function and put Services.msc up..

In the services window find service; ewido security suite guard

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok".

Now reboot the machine.. And try again. If it doesn't work..

although, I tried running "explorer" directly and it fails

Did you type explorer in the field or explorer.exe ? :thumbsup:
Hi there, stranger!

#8 Alex Powers

Alex Powers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 16 June 2006 - 12:57 PM

I had to do it a few times but ewido is now disabled. I'm not getting any alerts but my desktop is still blank, and neither "explorer" nor "explorer.exe" work. I can run "Firefox" but I run into trouble trying to download/install the Haxfix file from floppy. I think I have managed to download two iterations of the haxfix.exe on the computer, but I can't get them to install. Need me to relay those error messages? Or do you have any other ideas for getting explorer to work?

Thanks for all the help!

#9 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:08 PM

Posted 16 June 2006 - 01:58 PM

Try this.. http://support.microsoft.com/kb/307852/en

And sure, let me know what those error messages are saying. :thumbsup:
Hi there, stranger!

#10 Alex Powers

Alex Powers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 16 June 2006 - 03:09 PM

Followed the instructions in the link, but there was no difference. When I try to download a:\haxfix.exe to the c: I end up with a 4kb file instead of the 405 kb file on the floppy. I'm going to try it on CD now...

Edit: That worked! Here's the results:

HAXFIX logfile - by Marckie
--------------
version 2.44
Fri 06/16/2006 16:17:42.23

checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
winm

checking for matching services....
matching services found
winm64
DM9102

checking for matching safeboot services....
no matching safeboot services found

----

Still can't see the start menu/desktop, but hopefully we can restore that later.

Edited by Alex Powers, 16 June 2006 - 03:26 PM.


#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:08 PM

Posted 17 June 2006 - 05:04 AM

Well finally :thumbsup:

Option 3 Manual fix:
  • Open the following folder: C:\Program Files\Haxfix\
  • Double-click on Fix.bat.
  • Close all other open windows since this step requires a reboot.
  • Select option 3. Run manu fix by typing 3 and then pressing Enter.
This message will appear:

echo Insert the haxdoorkey,
and then press Enter:

  • Type the following: winm
    When this is a valid choice, the key will be added to delete.
  • There is the possibility to add a new key: Yes (type Y) or No (type N).
    Followed by this message:

    Haxdoorkey winm added to delete.

    Do you want to add a new haxdoorkey?

    Press Y for YES or N for NO and then press Enter:

  • Type N for No and press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of the logfile together with a new HijackThis log. :flowers:

Hi there, stranger!

#12 Alex Powers

Alex Powers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 19 June 2006 - 08:20 AM

Ran haxfix, but after reboot no log popped up, so I ran the clean utility and got this:

--------------
HAXFIX logfile - by Marckie
--------------
version 2.44
Mon 06/19/2006 9:10:20.93

Manual Haxdoorfix

Adding haxdoorkeys to delete...
winm


haxdoor key: winm
searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS


rebooting the computer.....


haxdoor key: winm
searching for services....
services not found

checking if files are found.....
winm32.dll
winm32.sys
winm64.sys

deleting files.....

checking if files are deleted.....


checking for other files.....
qy.sys
qz.dll
qz.sys
klogini.dll
p3.ini
ps.a3d

deleting other files.....

checking if the files are deleted.....


Finished
-------------------

Looks like it worked! :thumbsup: What's next? Any ideas on restoring explorer?

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:08 PM

Posted 19 June 2006 - 08:38 AM

There's still a lot of infections on your PC but we'll still need to try and get your explorer up and running again..

Let's try sfc /scannow

Click Start
Select Run
At the prompt type sfc /scannow Please note that there is a single space between sfc and /scannow.

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens please make sure that you can view protected files (if you are able to access My Computer):
  • My Computer
  • Tools
  • Folder Options
  • View
  • "Uncheck" Hide protected operating system files.
Then rerun the scan. If this still asks you to put in your Windows XP CD, and you do not have the CD (if you bought it preinstalled) post back for more tips, otherwise enter the Windows CD.

Once the scan is complete:

Please reboot, and let me know if anything has changed.
Hi there, stranger!

#14 Alex Powers

Alex Powers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 19 June 2006 - 09:03 AM

Rawe thank you for the fast replies!

Unfortunately this did not seem to do anything. The scan window "Please wait while Microsoft verifies that all protected Windows files are intact and in their original versions." came up and finished, and did not ask for the CD. After reboot though nothing noticeable has changed.

Side note: Not to sound impatient, but the reason I am trying to get explorer/taskbar/desktop icons working again is because there is data on this computer that is not backed up and which my company needs to access. If I can manage to back it up onto an external hard drive they will hopefully be able to use another computer while we work on this one. Is it possible to do this without explorer? If there's not an easy workaround then we should just continue with whatever you think is best overall.

Thank you so much for your help!

Edit: oops doubled up

Edit2: I wonder if maybe something caught by Adaware or Spybot could have disabled explorer? I will look through their deleted/quarantine log...

Edited by Alex Powers, 19 June 2006 - 09:27 AM.


#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:08 PM

Posted 19 June 2006 - 09:47 AM

Looks like there's not much to be done in this situation..

Windows unpatched, log full of infections, no A/V nor Firewall.

An expert said that those explorer/taskbar problems are coming from Haxdoor because it filters explorer.exe and reinstalls itself anyway if Windows is unpatched.

Guess format is the choice here.

Edited by Rawe, 19 June 2006 - 09:48 AM.

Hi there, stranger!
