By Quazze · 42 replies
Apr 8, 2008
  1. Greetings,

    I read a similar thread regarding this infection, but due to my lack of understanding [and finding specific items in my HiJackThis log] I am going to require additional assistance from anyone willing to help. I've run my Trend Micro AntiVirus but it was not helpful [neither was ComboFix since I am running Windows Vista].

    My log is attached and thank you in advance for your assistance.
  2. kritius

    kritius TS Guru Posts: 2,084

    Why did you run ComboFix? You shouldn't have done so unless asked to by someone.

    I'll look over your log and advise back later.
  3. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    FYI: I ran ComboFix only because of specific forums I found doing a Google search [since I have less than 5 posts, I cannot post links].

    I had attempted to follow the same cleanup, but things became a bit hairy. I do look forward to your assistance kritius and can only hope you can assist me in this endeavor. It is an ugly situation.
  4. kritius

    kritius TS Guru Posts: 2,084

    What instructions exactly did you follow for ComboFix? When people are using ComboFix, the instructions are tailored for their specific computer and are not meant to be followed by anyone else.

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Uninstall your version of Combofix.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  5. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    Continuation ...

    Note: When I first tried to run ComboFix before contacting TechSpot, it never gave me options to run it. When I clicked on ComboFix.exe [which I saved to my Desktop], it simply had a small window saying ComboFix that filled up (as if loading). Once the window was filled, a blue screen quickly flashed and said something like the program cannot be run. It is hard to explain because the blue screen flashes so quickly. All in all, it appears I cannot run ComboFix.

    1) I successfully ran Malwarebytes Anti-Malware. It took a few times due to some computer glitches, but it finally completed. I followed your instructions and have attached the log.

    2) I cannot uninstall ComboFix. I tried your easy-to-follow command in the run section of Windows Vista [ComboFix /u], but Windows gives me an execute command and nothing more. I tried the execute command, but nothing seems to happen when I try to run ComboFix. I looked into my Control Panel to see if I could remove the program, but ComboFix was not located there.

    I haven't done anything else to my PC as of yet. I graciously appreciate all your kind efforts in helping me move past these problems and I certainly look forward to your next response on what I need to do.
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    To access the Run prompt -> hold down your windows key and press R

    Right click the combofix Icon on your desktop and select run as administrator

    You also need to disable real time protection from your anti-malware software

    Close all other windows and browsers, and make sure your firewall allows it access to your files
  7. Quazze

    Quazze TS Rookie Topic Starter Posts: 23


    I have closed my browser and turned off my Firewall and anti-virus program(s). However, again when I try to run ComboFix this is what happens.

    Using Windows Button and R, I type in ComboFix /u. Then a new window opens and states the following:

    Open File - Security Warning
    The publisher could not be verified. Are you sure you want to run this software?
    Name: C:\Users\David\Desktop\ComboFix.exe
    Publisher: Unknown Publisher
    Type: Application
    From: C:\User\David\Desktop\ComboFix.exe

    My options then are Run or Cancel. When I click Run, the previous window closes and a new window opens stating "User Account Control" ... An unidentified program wants access to your computer. My options are Cancel or Allow. When I click on Allow, a very small ComboFix window appears and a bar begins to fill up. Once the bar is filled, it disappears and a new blue window opens up and quickly flashes a message stating that the program cannot be found or located or run ... something in this nature [it goes by so fast I can barely make out words].

    The same process happens when I right click on ComboFix and Run As Administrator.

    I sincerely appreciate all your efforts in helping me ... and at this point in time I am deathly confused. Please continue to assist me.
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let's try this, I downloaded combofix through our link and had the same thing happen but easily got it to work, by playing with some windows settings.

    Turn off UAC
    Click on Start -> Control Panel -> User Accounts -> click Turn user account control on or off -> uncheck the box -> click ok

    Try again (I had to try twice in a row for it to work, but had UAC on the whole time)
  9. Quazze

    Quazze TS Rookie Topic Starter Posts: 23


    Thank you for your quick response.

    Using Windows Vista, I go to Start --> Control Panel --> ? [I have User Accounts and Family Safety with two options underneath (Set up parental control for any user and Add or remove user accounts)].

    I do use a password for my computer and I am currently logged on as Administrator [since the other option I assume is for guests ... if that means anything].

    Please advise.
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    switch to classic view in the left pane
  11. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    Thank you Blind Dragon.

    I switched to Classic View and was able to turn off [unchecked the box] the UAC. However, I still cannot get ComboFix to work/load.

    I was finally able to read the wording on the blue window that pops up after I try to open up ComboFix. It reads as follows: The system cannot find message text number 0x8 in the message file or system.

    When I unchecked the box in the UAC, I also had my firewall down, Trend Micro AntiVirus 2007 off and I had all my web browsers closed. And yet I still cannot seem to get ComboFix to work appropriately. I had tried ComboFix /u and Run as Administrator. It just seems hopeless. I also fiddled around with the UAC like you suggested Blind Dragon but after several reboots from my system, I was unsuccessful. :(
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, that's enough messing with it.

    Download and Run DSS

    Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
    • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
  13. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    Main.txt & Extra.txt

    Since the text is too long to Copy and Paste (21822 characters for Main.txt), I have attached the log instead. I also will include the Extra.txt log as well.

    Thank you for taking the time to help me.
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I have studied this infection quite a bit over the last few weeks and I am going to include some files that weren't shown in your log. If they are there, please let me know, as we will have additional steps to remove them.

    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\David\AppData\Local\Temp\efcCuSmj.dll,#1
    O4 - HKCU\..\Run: [fdyvqvum] C:\ProgramData\fdyvqvum\sdolidmh.exe
    O4 - HKCU\..\Run: [PfJnvj0FDZ] C:\ProgramData\gdsvyjyp\kzmfgder.exe
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll,c
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldes-es.cab

    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following folders and files:

    C:\C:\Users\All Users\gdsvyjyp <- This folder
    C:\Users\All Users\fdyvqvum <- This folder
    C:\ProgramData\fdyvqvum <- This folder
    C:\ProgramData\gdsvyjyp <- This folder

    C:\Users\David\Desktop\FWebdEditor.exe <- This file
    C:\Users\David\Desktop\fwebd.exe <- This file
    C:\Users\David\Desktop\filemanagerclient.exe <- This file
    C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll <- This file
    C:\Users\David\AppData\Local\Temp\efcCuSmj.dll <- This file

    Also look for the following which weren't shown in your log, delete if there (also let me know if there):
    C:\Documents and Settings\David\Desktop\blackbird.jpg
    C:\Documents and Settings\David\Desktop\EditorFKWP1.5.exe
    C:\Documents and Settings\David\Desktop\EditorFKWP2.0.exe
    C:\Documents and Settings\David\Desktop\filemanagerclient.exe
    C:\Documents and Settings\David\Desktop\fkwp1.5.exe
    C:\Documents and Settings\David\Desktop\fkwp2.0.exe
    C:\Documents and Settings\David\Desktop\fwebd.exe
    C:\Documents and Settings\David\Desktop\FWebdEditor.exe
    C:\Documents and Settings\David\Desktop\Trojan.Win32.BlackBird.exe

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
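The HKCU Run entries above are the persistence being removed by hand in this post. As an added example (not from the thread, not HijackThis code), the Python script below parses HijackThis-style O4 and O2 lines and flags the patterns a reviewer looks for: auto-starts launched from Temp or ProgramData (including DLLs loaded through rundll32), random-looking names, and BHO entries with no backing file. The sample log is constructed from the entries quoted in the thread plus one assumed benign Windows Defender entry as a control.

```python
import re
# Constructed sample: the HijackThis entries quoted in this thread, plus one
# benign HKLM Run entry (Windows Defender, assumed path) added as a control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\David\AppData\Local\Temp\efcCuSmj.dll,#1
O4 - HKCU\..\Run: [fdyvqvum] C:\ProgramData\fdyvqvum\sdolidmh.exe
O4 - HKCU\..\Run: [PfJnvj0FDZ] C:\ProgramData\gdsvyjyp\kzmfgder.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll,c
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
"""
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
# Directories that legitimate auto-start software almost never runs from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\programdata\\", "\\all users\\")
# Five or more consonants in a row (y counted as a consonant) is a crude test for
# the random-looking names droppers generate; product names rarely do this.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{5,}", re.IGNORECASE)

def target_path(cmd):
    """Return the file a Run command really loads (unwraps rundll32 and quotes)."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        return cmd.split(" ", 1)[1].split(",", 1)[0]  # the DLL is the payload
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted path, possibly with arguments: stop at the first executable extension.
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def triage(log_text):
    """Return (line, [reasons]) for each auto-start entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        line, reasons = line.strip(), []
        if m := O4_RE.match(line):
            path = target_path(m["cmd"])
            if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                reasons.append("autostart from temp/ProgramData location: " + path)
            # Check the value name, the parent directory name and the file stem.
            names = [m["name"]] + path.split("\\")[-2:]
            if any(CONSONANT_RUN.search(n.rsplit(".", 1)[0]) for n in names):
                reasons.append("random-looking name")
        elif m := O2_RE.match(line):
            if m["file"].strip().lower() == "(no file)":
                reasons.append("BHO CLSID with no backing file (orphaned entry)")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry, "\n   ->", "; ".join(why))
```

The R1 and O16 lines are parsed past deliberately: a search-page setting or a vendor ActiveX cab is a judgement call rather than a persistence indicator, so the script leaves those for the human reviewer.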
  15. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    New HiJackThis log

    Hello Blind Dragon,

    I had difficulties locating the Tool Menu in Windows Explorer while in Safe Mode. After 20 minutes of fiddling around, I finally gave up and restarted my computer in Normal Mode and Tool Menu was easily found and accessible.

    But before that, under Safe Mode and running HiJackThis (System Scan Only) as you suggested, I was able to place a check mark next to half of the entries you had listed. The other entries were not found/located. I then selected Fix and closed HiJackThis.

    This was when I was not able to find Tool Menu under Windows Explorer and had to resort to running in Normal Mode to access this option. While in Normal Mode, I was able to delete/locate 0 of the Folders you had mentioned. These folders were not found:

    Folder Not Located:
    C:\C:\Users\All Users\gdsvyjyp
    C:\Users\All Users\fdyvqvum

    I was able to locate and delete 3 of the 5 files you mentioned. The files not found were as follows:

    Files Not Located:

    In addition, you asked me to look for additional files that were not in my log. I was not able to locate any of the 9 folders/files you had mentioned.

    In conclusion, I restarted my computer and ran a new HiJackThis System Scan Only and have attached the log for your review.
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Well, the entries won't show in the log now because the registry entries are gone. That doesn't mean all of the files are gone for sure.

    As a 2nd opinion to what we have done, please do the following online scan.

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  17. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    I was able to perform all of your requests, with the exception of being able to Save the log. I ran Kaspersky Online Scanner and then went to work. When I came back, this is what I saw on my screen:

    Selected target: My Computer
    Source: C:\; D:\; E:\;

    Report is empty.
    Please note: The free Kaspersky Online Scanner does not provide comprehensive protection and cannot prevent future infections. It only detects malware that has already penetrated your storage devices. We strongly recommend that you use a fully-functional antivirus solution to protect your computer at all times.

    Please wait, this process may take a long time depending on the selected target. If you want to continue browsing, open a new window.

    Scan Progress [99%]:

    Total number of scanned objects: 131759
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:57:12

    It looked as if the scan stopped at 99% for some odd reason. I will rerun scan and post log as you requested.
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, well that is a good sign, but a complete log would definitely be ideal
  19. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    Scan Complete

    Note: Background on Desktop is black and most of my pictures will not automatically display when my picture folder is open.

    I have attached the Kaspersky Online Scanner log for your review. Please advise.
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Can you change your desktop background by right clicking it -> personalize -> desktop background?
  21. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    I cannot. I've been playing around with it, but there certainly seems to be an internal error happening. Although I never received any error messages, I definitely can tell that something is amiss. Just looking at my pictures and also pictures in my desktop background [right clicking it --> personalize --> desktop background], everything seems a blur.

    Despite that, and after reading my logs, how am I looking?

    Edit: I have yet to run my normal Trend Micro Anti-Virus. Although I am sure this matters not at this point, the good news is that the virus flash window that kept popping up with its Security Update (c:\windows\wml.exe), that has vanished.
  22. Quazze

    Quazze TS Rookie Topic Starter Posts: 23


    Is there something I can do (possibly www.paypal.com) where I can make a donation to TechSpot? The help of this team is tremendous and certainly deserves something. Without writing such info on this site, please e-mail me at zekthepeddler@aol.com.
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Start -> all programs -> windows update -> view available updates

    is there anything listed?
  24. Quazze

    Quazze TS Rookie Topic Starter Posts: 23

    Downloading 1 update for 66.9 MB.
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Do this

    Go to Start -> Control Panel -> Administrative Tools -> Event Viewer -> look for errors in the last few hours -> post the event ID and source for each.

    Not info or warnings, only errors. Right click them and select Show All Instances, then Properties.