Could Not Remove C:\WINNT\Temp\bca4e2da.$$$

Discussion in 'Malware Help (A Specialist Will Reply)' started by CapnScott, Jul 28, 2008.

  1. CapnScott

    CapnScott Private E-2

    Hi Forum:
    How did I get this monster, and why does ZA anti virus fail to see it. Realizing something was very wrong I went looking and found this thing. C:\WINNT\Downloaded Program Files\{535AC98D-C942-4C87-9275-09C9C43EF2C1} Looking it up in Google I'm told it's a Trojan redirect. Also I was using a credit card and up pops a window from Visa with the card number on it, asking for the expiration date and three digit code for security verification.

    More than one thing is happening in my system. Searching some Forums experts say to:

    Download SDFix and save it to your Desktop.
    Double click SDFix.exe
    Reboot your computer in Safe Mode.
    Open the extracted SDFix folder and double click RunThis.bat

    Here are the results:
    ================

    ============

    How can I get rid of C:\WINNT\Temp\bca4e2da.$$$ and C:\WINNT\Temp\fa56d7ec.$$$? At least one of these appears to be the Visa popup. I see this problem is being dealt with in the Forum; would the same advice apply to me running Win2000?
    Sincerely, Scott Duncan
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

    READ & RUN ME FIRST. Malware Removal Guide


    Note: If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    Starting your computer in Safe mode
     
  3. CapnScott

    CapnScott Private E-2

    When using IE 6.0.2800.1106 on Windows 2000 [Version 5.00.2195] and inputting credit card info, then clicking submit, up will pop a Visa or MasterCard logo'ed window with the credit card number already filled in, asking for expiration date, three-digit code number, bank account number and PIN number. SDFix: Version 1.207 Could Not Remove C:\WINNT\Temp\bca4e2da.$$$ and C:\WINNT\Temp\fa56d7ec.$$$, so I ran the recommended software. However, the malicious pop-up is still there, so I am attaching the following information:
    SASlog.txt log from SuperAntiSpyware.
    Malwarebytes Anti-Malware log

    And in a second message:
    ComboFix.txt
    MGlogs.zip

    Hope you can help, and THANKS; you folks do a tremendous public service!! I'm a fan for life.
     

  4. CapnScott

    CapnScott Private E-2

    Second message in order to attach: ComboFix.txt and MGlogs.zip
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't attach the MalwareBytes log.

    Let's start with this:

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    {DEF85C80-216A-43AB-AF70-1665EDBE2780}
    
    Folder::
    C:\WINNT\Temp\bca4e2da.$$$ 
    C:\WINNT\Temp\fa56d7ec.$$$
    C:\WINNT\SnVsaWFuIENvbmRl
    C:\Temp
    C:\WINNT\system32\modtrux01
    
    Registry::
    [-HKLM\SYSTEM\CurrentControlSet\Enum\Root\ LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the log from ComboFix and the log from a new run of MalwareBytes.
     
  6. CapnScott

    CapnScott Private E-2

    Dear TimW:
    My apologies for failing to include the MalwareBytes log from the first process and for taking so long to accomplish your instructions. I was assigned a rush job and was unable to get back to my machine until now.
    Thank you for your invaluable help, you folks are awesome!

    This might be a separate issue, if you want I will start a new thread. How do I keep this from happening again?
    Scott
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is not much left to do, so let's just have at it:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run ATF Cleaner again and then we will clean up some of ComboFix's junk:

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now tell me what issues you are having before we do the final clean up.
     
  8. CapnScott

    CapnScott Private E-2

    :confused Sorry to take so long! I ran all the tasks you detailed smoothly without incident. Unfortunately, after logging into my PayPal account with Internet Explorer 6.0.2800.1106 the first window I see follows, and clicking any link it contains just goes around in circles. I did not click SUBMIT:



    The form in the window is the same one as before and asks for every bit of account information as well as all bank account information, including my PIN #, and is obviously not from PayPal. I logged in several times with the same result, but a different URL each time, and going to them is a blank. In order to conduct my business I switched over to Firefox and have had no problem; however, it's spooky to have this thing persist like this and I would like to have a clean IE and system. Thanks again for your help and patience!

    The best, Scott
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see what this turns up:

    Go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click on the Detected Problems tab. Then select Click here to export the scan report.

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt), then change the File name box to bdscan and click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would also like you to run SpyBot S&D and check your hosts file. Make sure it all points to your local machine.
     
