c:windows system32 cmd.com is not a valid win32 application

[ramp1028]

This is all I'm getting once Windows XP loads.

I've seen this question asked several times, so I wasn't going to re-ask it, but I've been instructed to do so.

I have NOT followed all the first steps because I don't know how to get past this error message.

I had recently installed Spybot remover and had removed some malware. I possibly removed some things I wasn't supposed.

Is there any hope for me?

THanks...

[sUBs]

Closing the error message should do the trick. Doesn't it work?

[ramp1028]

Quote:

Originally Posted by sUBs

Closing the error message should do the trick. Doesn't it work?

No, sir. When I press ok, it has a dos screen for about 2 seconds and then pops right back up.

[sUBs]

Are you able to bring up the task manager by pressing Ctrl+Alt+Delete ?

If so, from task manager do this ....

Click File > New Task (Run..)

In the ensuing box, type these in

Cmd.exe /k del /a/s/f %systemroot%\cmd.com

Then click the OK button

[ramp1028]

Ok,

I did that and then a dos screen pops up and says

Parameter format not correct - "fc:\windows\cmd.com".

C:\Documents and Settings\Owner>

[tetonbob]

Hello -

Not sure when sUBs will be back online, but that message indicates there's an improper format to the command

Cmd.exe /k del /a/s/f %systemroot%\cmd.com

not:

Cmd.exe /k del /a/s/f%systemroot%\cmd.com

Ensure there is a space between the "f" and the "%" and the command should work. I don't know what sUBs has planned next, but that should get you going.

[ramp1028]

Thanks,

Now it says

Deleted file - C:\WINDOWS\system32\cmd.com

I guess I'm screwed.

[tetonbob]

You should now be able to close that command window. Does Windows load?

[ramp1028]

No, now a dos box with

C:Windows\system32\command.com

and

C:\Windows\System32\cmd.exe

are flashing over and over one after the other. each one lasting about 1/4 of a second....

[sUBs]

Let if flash till it finishes. I believe you have previously ran SpyBot S&D. That is it's way of deleting files.

[ramp1028]

Ok, I did,

it said something about the parameters not being right, and I pushed ok.

It started the flashing again. But this time, my windows has opened up.

As of now, I'm back to normal, but the flashing is still going on.

After it stops, can I continue the steps in the first steps to completely clean my computer on this page, or do I need to start over?

Oh and thanks so much for your help thus far

[sUBs]

LOL ... Don't run SpyBot S&D again until we say it's okay.

Please follow the instructs from this webpage (sticky):

http://www.techsupportforum.com/secu...oval-help.html

You shall have a proper set of logs for us after that

[ramp1028]

ok im ready, Ive attached the two zip files. What else do you need from me.

[sUBs]

You need to post DDS.txt. :)

[sUBs]

Quote:

C: is FIXED (NTFS) - 37 GiB total, 2.064 GiB free.

You also need to free up some disk space on the machine. The lack of space is choking the OS & this shall hamper it's performance. The bare minimal should be 15% of total hard disk space. This approximates to 5.5 GB

[ramp1028]

DDS (Version 1.0) - NTFSx86
Run by Owner at 13:49:01.14 on Tue 12/09/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.102 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {0BB5EFF9-98E0-46BC-9377-3EFE2F6D1828} - c:\windows\system32\opnnomLe.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {82b7e9a1-ccc4-4436-a9c5-1342f3360594} - c:\windows\system32\jbtmzh.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: {C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\windows\system32\ssqOHxuS.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [outlook] c:\program files\outlook\outlook.exe /auto
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {1C28FF43-EB53-4558-8FC1-65FDA62F2EBE} = 69.78.96.14 66.174.92.14
Notify: igfxcui - igfxsrvc.dll
Notify: ssqOHxuS - ssqOHxuS.dll
AppInit_DLLs: jbtmzh.dll
SEH: {C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\windows\system32\ssqOHxuS.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnnomLe

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-9 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-9 394952]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]

=============== Created Last 30 ================

2008-12-09 13:48 <DIR> --d-h--- c:\windows\PIF
2008-12-08 23:13 0 ---sh--- c:\windows\system32\regedit.com
2008-12-08 23:13 0 ---sh--- c:\windows\system32\cmd.com
2008-12-06 09:38 873,046 a--sh--- c:\windows\system32\eLmonnpo.ini2
2008-12-06 00:38 1,479,822 ---sh--- c:\windows\system32\jkqhlscx.ini
2008-12-06 00:38 75,776 a------- c:\windows\system32\xcslhqkj.dll
2008-12-06 00:35 124,416 a------- c:\windows\system32\jbtmzh.dll
2008-12-06 00:35 124,416 a------- c:\windows\system32\nvgnbxjf.dll
2008-12-05 22:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 22:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-05 09:02 75,776 a------- c:\windows\system32\cotkhiok.dll
2008-12-05 08:59 124,416 a------- c:\windows\system32\ntjqpq.dll
2008-12-05 08:59 124,416 a------- c:\windows\system32\mrkkiywg.dll
2008-12-04 08:58 123,904 a------- c:\windows\system32\rcxkpe.dll
2008-12-04 08:58 123,904 a------- c:\windows\system32\qfokkngd.dll
2008-11-29 23:52 <DIR> --d----- C:\Makena
2008-11-20 22:42 0 a------- c:\windows\system32\mcrh.tmp
2008-11-20 17:30 75,776 a------- c:\windows\system32\ooehalwh.dll
2008-11-20 17:27 120,832 a------- c:\windows\system32\lnbfbc.dll
2008-11-20 17:27 120,832 a------- c:\windows\system32\unlwgliw.dll
2008-11-20 17:27 <DIR> --d----- c:\program files\Enlight
2008-11-20 10:58 63,488 a------- c:\windows\xobglu16.dll
2008-11-20 10:58 23,552 a------- c:\windows\xobglu32.dll
2008-11-20 10:57 <DIR> --d----- c:\windows\DISNEY
2008-11-20 10:57 <DIR> --d----- c:\program files\Disney Interactive
2008-11-19 19:03 120,832 a------- c:\windows\system32\ywkirk.dll
2008-11-19 19:03 120,832 a------- c:\windows\system32\ahinhaxg.dll
2008-11-18 19:02 120,832 a------- c:\windows\system32\isobqw.dll
2008-11-18 19:01 120,832 a------- c:\windows\system32\dwnlelkv.dll
2008-11-17 06:55 120,832 a------- c:\windows\system32\khowplgj.dll
2008-11-17 06:55 120,832 a------- c:\windows\system32\camogu.dll
2008-11-16 01:21 75,264 a------- c:\windows\system32\dbvyurur.dll
2008-11-16 01:18 120,832 a------- c:\windows\system32\wylszt.dll
2008-11-16 01:18 120,832 a------- c:\windows\system32\ggjmcoel.dll
2008-11-16 00:16 120,832 a------- c:\windows\system32\okugbb.dll
2008-11-16 00:16 120,832 a------- c:\windows\system32\eslxnlrn.dll
2008-11-14 23:18 120,832 a------- c:\windows\system32\dkpngq.dll
2008-11-14 23:18 120,832 a------- c:\windows\system32\braewdet.dll
2008-11-14 00:50 120,832 a------- c:\windows\system32\btkgnx.dll
2008-11-14 00:50 120,832 a------- c:\windows\system32\hiayekna.dll
2008-11-14 00:47 873,046 a--sh--- c:\windows\system32\eLmonnpo.ini
2008-11-14 00:47 307,200 a------- c:\windows\system32\opnnomLe.dll
2008-11-13 21:30 32,768 a------- c:\windows\system32\yayxwtTJ.dll
2008-11-13 21:30 32,768 a------- c:\windows\system32\wvUMdEVl.dll
2008-11-13 21:18 113,235 a------- C:\Nancy Drew Ghost Dogs of Moon Lake.zip
2008-11-13 21:18 115,989 a------- C:\Nancy Drew - The Creature of Kapu Cave iSO.zip
2008-11-13 21:12 115,989 a------- C:\Nancy Drew The Phantom of Venice.zip
2008-11-13 21:04 62,464 a------- c:\windows\system32\bszip.dll
2008-11-13 21:04 175,104 a------- C:\onoes.exe
2008-11-13 21:04 <DIR> --dsh--- c:\program files\outlook
2008-11-13 21:04 0 ---sh--- c:\windows\system32\tracert.com
2008-11-13 21:04 0 ---sh--- c:\windows\system32\tasklist.com
2008-11-13 21:04 0 ---sh--- c:\windows\system32\taskkill.com
2008-11-13 21:04 0 ---sh--- c:\windows\system32\ping.com
2008-11-13 21:04 0 ---sh--- c:\windows\system32\netstat.com
2008-11-13 20:55 147,456 a------- c:\windows\system32\vbzip10.dll
2008-11-13 20:51 <DIR> --d----- c:\windows\system32\sX3i02
2008-11-13 20:51 <DIR> --d----- c:\temp\PRE45
2008-11-13 20:51 <DIR> --d----- C:\Temp
2008-11-13 20:51 32,768 a------- c:\windows\system32\ssqOHxuS.dll
2008-11-13 20:51 32,768 a------- c:\windows\system32\geBrqnOi.dll

==================== Find3M ====================

2008-12-09 13:24 9,031,712 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-07 02:22 102,356 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-11-18 22:27 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-11-10 15:28 2,478 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-10-24 05:10 453,632 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 05:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-07-28 20:16 0 a------- c:\program files\temp01
2007-01-10 12:15 282,639 ---sh--- c:\windows\fonts\svchost.exe

============= FINISH: 13:51:26.03 ===============

[sUBs]

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:

DDS::
BHO: {0BB5EFF9-98E0-46BC-9377-3EFE2F6D1828} - c:\WINDOWS\system32\opnnomLe.dll
BHO: {82b7e9a1-ccc4-4436-a9c5-1342f3360594} - c:\WINDOWS\system32\jbtmzh.dll
BHO: {C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\WINDOWS\system32\ssqOHxuS.dll
mRun: [outlook] c:\program files\outlook\outlook.exe /auto
Notify: ssqOHxuS - ssqOHxuS.dll
AppInit_DLLs: jbtmzh.dll
SEH: {C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\WINDOWS\system32\ssqOHxuS.dll
FILE::
c:\windows\system32\regedit.com
c:\windows\system32\cmd.com
c:\windows\system32\eLmonnpo.ini2
c:\windows\system32\jkqhlscx.ini
c:\windows\system32\xcslhqkj.dll
c:\windows\system32\jbtmzh.dll
c:\windows\system32\nvgnbxjf.dll
c:\windows\system32\cotkhiok.dll
c:\windows\system32\ntjqpq.dll
c:\windows\system32\mrkkiywg.dll
c:\windows\system32\rcxkpe.dll
c:\windows\system32\qfokkngd.dll
c:\windows\system32\ooehalwh.dll
c:\windows\system32\lnbfbc.dll
c:\windows\system32\unlwgliw.dll
c:\windows\system32\ywkirk.dll
c:\windows\system32\ahinhaxg.dll
c:\windows\system32\isobqw.dll
c:\windows\system32\dwnlelkv.dll
c:\windows\system32\khowplgj.dll
c:\windows\system32\camogu.dll
c:\windows\system32\dbvyurur.dll
c:\windows\system32\wylszt.dll
c:\windows\system32\ggjmcoel.dll
c:\windows\system32\okugbb.dll
c:\windows\system32\eslxnlrn.dll
c:\windows\system32\dkpngq.dll
c:\windows\system32\braewdet.dll
c:\windows\system32\btkgnx.dll
c:\windows\system32\hiayekna.dll
c:\windows\system32\eLmonnpo.ini
c:\windows\system32\opnnomLe.dll
c:\windows\system32\yayxwtTJ.dll
c:\windows\system32\wvUMdEVl.dll
c:\windows\system32\bszip.dll
C:\onoes.exe
c:\windows\system32\tracert.com
c:\windows\system32\tasklist.com
c:\windows\system32\taskkill.com
c:\windows\system32\ping.com
c:\windows\system32\netstat.com
c:\windows\system32\ssqOHxuS.dll
c:\windows\system32\geBrqnOi.dll
c:\Program Files\temp01
c:\windows\fonts\svchost.exe
FOLDER::
c:\Program Files\outlook
c:\windows\system32\sX3i02
c:\temp\PRE45

Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------


In your next post, please include fresh logs from:

1. Online scan
2. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[ramp1028]

Im running combofix now. It's been running for almost 45 minutes and for the last 20 it has been stuck on a dos screen that says completed stage 3.

Other then the dos window, the rest of the screen is blank.

I'm assuming this is normal.

[sUBs]

Not it's not. Press Ctrl+Alt+Del on your keyboard to bring up the Task Manager.
Under the processes tab, look for processes with the name of ...

* VFind
* FindStr
* MTEE
* SED
* GREP
* or any other file that has the file extension cfexe.

End process on them. ComboFix should be able to continue after that

[ramp1028]

Ive let it run, because I havn't seen what you said, and right now its' Completed Stage_5.

Should I go ahead with your above post.