Status: Not open for further replies.

Registered · 5 Posts · Discussion Starter #1
We own a 70 gig computer, all of which is showing as used! There is NO way we are using it all, we only have basic MS Office programs and a few minor programs. We don't have any games loaded, nor do we have movies or other hard-drive sucking programs (or so we think LOL). When we run our virus program (Shaw Secure right now) it spends nearly a full 24 hours reading the System32 files, so there must be a boat load of them, but we can't find them or identify them! I ran HijackThis as a last resort before I go sit in the corner and sulk (ha). The logfile is below, I am a technical drop-out but I can follow instructions :).
Also, on a totally different topic but since I am typing already, my CD drivers don't work. I have 2 on my computer, and I have changed out both trying to get one to work (trying to get a burner working so I can get my important files off just in case I need to reformat). The drive will warm up (you can hear it rev up) then stops, then revs..stops etc., etc. It has done this on all the CDs we have tried.
I thank you for any help you can give me.
S.
Logfile of HijackThis v1.99.1
Scan saved at 3:09:16 PM, on 19/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fnopmi\hotl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\fxredir.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\xckthsb\vjquuw.exe
C:\WINDOWS\system32\fsgkof\tdbivvoy.exe
C:\WINDOWS\system32\lbrasyl\lvmr.exe
C:\WINDOWS\system32\jifhccv\ercrxag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\coijie\dnhp.exe
C:\WINDOWS\system32\wlahvv\ubjxpfgx.exe
C:\WINDOWS\system32\omjy\qvkvdn.exe
C:\WINDOWS\system32\vsthpep\tlihekwd.exe
C:\WINDOWS\system32\lcshvemc\xhmiljc.exe
C:\WINDOWS\system32\aoqach\asnxropi.exe
C:\WINDOWS\system32\uelgma\lhjypgfl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34C507DC-32D2-B3B6-AE11-6264B70B97EE} - C:\WINDOWS\system32\mrxrelgx\nwcwlcvr.dll (file missing)
O2 - BHO: (no name) - {975C972D-CE4F-89AD-F009-9874D2BC3302} - C:\WINDOWS\system32\krdxrurj\psqxrdia.dll (file missing)
O2 - BHO: (no name) - {9D6207E8-10AB-4E7E-204B-C0B579E46A38} - C:\WINDOWS\system32\xgaakfwd\inbknost.dll (file missing)
O2 - BHO: (no name) - {D162F0F9-12E6-F0C6-A939-AF9D56C612AC} - C:\WINDOWS\system32\dkeepdfk\gqhqrnos.dll (file missing)
O2 - BHO: (no name) - {ED04CA94-A41B-4FDC-E814-386876F5CB8D} - C:\WINDOWS\system32\exrxsciu\dndkoiyr.dll (file missing)
O2 - BHO: (no name) - {F3A3F867-A9CD-628A-DA69-ADA8C78C1AB9} - C:\WINDOWS\system32\wvxsbfjt\yxkevjfr.dll (file missing)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gfva] C:\WINDOWS\system32\yftco\gfva.exe
O4 - HKLM\..\Run: [nncekffm] C:\WINDOWS\system32\obuwyp\nncekffm.exe
O4 - HKLM\..\Run: [qxovv] C:\WINDOWS\system32\eeyy\qxovv.exe
O4 - HKLM\..\Run: [qlsupg] C:\WINDOWS\system32\trhekb\qlsupg.exe
O4 - HKLM\..\Run: [ylumrrc] C:\WINDOWS\system32\fpmw\ylumrrc.exe
O4 - HKLM\..\Run: [jqvql] C:\WINDOWS\system32\suuhe\jqvql.exe
O4 - HKLM\..\Run: [lvmr] C:\WINDOWS\system32\lbrasyl\lvmr.exe
O4 - HKLM\..\Run: [ehkcbqj] C:\WINDOWS\system32\abwdw\ehkcbqj.exe
O4 - HKLM\..\Run: [ufkxmuh] C:\WINDOWS\system32\tcybew\ufkxmuh.exe
O4 - HKLM\..\Run: [glqmxmdx] C:\WINDOWS\system32\mqatfbx\glqmxmdx.exe
O4 - HKLM\..\Run: [llmh] C:\WINDOWS\system32\fylp\llmh.exe
O4 - HKLM\..\Run: [cvipaht] C:\WINDOWS\system32\gwxxcs\cvipaht.exe
O4 - HKLM\..\Run: [sqcseyuo] C:\WINDOWS\system32\kbvxig\sqcseyuo.exe
O4 - HKLM\..\Run: [ubjxpfgx] C:\WINDOWS\system32\wlahvv\ubjxpfgx.exe
O4 - HKLM\..\Run: [hdacl] C:\WINDOWS\system32\gdfwpk\hdacl.exe
O4 - HKLM\..\Run: [hgti] C:\WINDOWS\system32\vpimj\hgti.exe
O4 - HKLM\..\Run: [wonypikn] C:\WINDOWS\system32\evilk\wonypikn.exe
O4 - HKLM\..\Run: [lqst] C:\WINDOWS\system32\oaem\lqst.exe
O4 - HKLM\..\Run: [qvkvdn] C:\WINDOWS\system32\omjy\qvkvdn.exe
O4 - HKLM\..\Run: [gqid] C:\WINDOWS\system32\gyqwokmw\gqid.exe
O4 - HKLM\..\Run: [gejd] C:\WINDOWS\system32\yelcovvf\gejd.exe
O4 - HKLM\..\Run: [wyrxkqjq] C:\WINDOWS\system32\hpuvhxs\wyrxkqjq.exe
O4 - HKLM\..\Run: [hcrcsc] C:\WINDOWS\system32\ckne\hcrcsc.exe
O4 - HKLM\..\Run: [klauae] C:\WINDOWS\system32\igrchl\klauae.exe
O4 - HKLM\..\Run: [wnxil] C:\WINDOWS\system32\ramgynn\wnxil.exe
O4 - HKLM\..\Run: [tlihekwd] C:\WINDOWS\system32\vsthpep\tlihekwd.exe
O4 - HKLM\..\Run: [ahdacws] C:\WINDOWS\system32\pepvq\ahdacws.exe
O4 - HKLM\..\Run: [mdpjs] C:\WINDOWS\system32\ysge\mdpjs.exe
O4 - HKLM\..\Run: [rgiumgyt] C:\WINDOWS\system32\ogyuadh\rgiumgyt.exe
O4 - HKLM\..\Run: [teurlcoa] C:\WINDOWS\system32\shsjvv\teurlcoa.exe
O4 - HKLM\..\Run: [bimcn] C:\WINDOWS\system32\srdexpl\bimcn.exe
O4 - HKLM\..\Run: [xhmiljc] C:\WINDOWS\system32\lcshvemc\xhmiljc.exe
O4 - HKLM\..\Run: [asnxropi] C:\WINDOWS\system32\aoqach\asnxropi.exe
O4 - HKLM\..\Run: [ihoxcnhr] C:\WINDOWS\system32\xxknuc\ihoxcnhr.exe
O4 - HKLM\..\Run: [hotl] C:\WINDOWS\system32\fnopmi\hotl.exe
O4 - HKLM\..\Run: [tdbivvoy] C:\WINDOWS\system32\fsgkof\tdbivvoy.exe
O4 - HKLM\..\Run: [vjquuw] C:\WINDOWS\system32\xckthsb\vjquuw.exe
O4 - HKLM\..\Run: [ercrxag] C:\WINDOWS\system32\jifhccv\ercrxag.exe
O4 - HKLM\..\Run: [dnhp] C:\WINDOWS\system32\coijie\dnhp.exe
O4 - HKLM\..\Run: [lhjypgfl] C:\WINDOWS\system32\uelgma\lhjypgfl.exe
O4 - HKLM\..\Run: [xgrk] C:\WINDOWS\system32\friiv\xgrk.exe
O4 - HKLM\..\Run: [pcbkeq] C:\WINDOWS\system32\vnmawxkh\pcbkeq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: cvipahtgwxxcs - Unknown owner - C:\WINDOWS\system32\gwxxcs\cvipaht.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: hotlfnopmi - Unknown owner - C:\WINDOWS\system32\fnopmi\hotl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lqstoaem - Unknown owner - C:\WINDOWS\system32\oaem\lqst.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: qlsupgtrhekb - Unknown owner - C:\WINDOWS\system32\trhekb\qlsupg.exe
O23 - Service: sqcseyuokbvxig - Unknown owner - C:\WINDOWS\system32\kbvxig\sqcseyuo.exe
O23 - Service: wnxilramgynn - Unknown owner - C:\WINDOWS\system32\ramgynn\wnxil.exe
O23 - Service: xgrkfriiv - Unknown owner - C:\WINDOWS\system32\friiv\xgrk.exe
 

TSF Security Team, Emeritus · 26,363 Posts
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install.

UnHookExec.inf
Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • DNS

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - cvipahtgwxxcs
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button
Answer NO if prompted to reboot
Repeat steps 1-4 for the following services:
  • greenstdsystem32
  • hotlfnopmi
  • lqstoaem
  • qlsupgtrhekb
  • sqcseyuokbvxig
  • wnxilramgynn
  • xgrkfriiv

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run HiJackThis, place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {34C507DC-32D2-B3B6-AE11-6264B70B97EE} - C:\WINDOWS\system32\mrxrelgx\nwcwlcvr.dll (file missing)
O2 - BHO: (no name) - {975C972D-CE4F-89AD-F009-9874D2BC3302} - C:\WINDOWS\system32\krdxrurj\psqxrdia.dll (file missing)
O2 - BHO: (no name) - {9D6207E8-10AB-4E7E-204B-C0B579E46A38} - C:\WINDOWS\system32\xgaakfwd\inbknost.dll (file missing)
O2 - BHO: (no name) - {D162F0F9-12E6-F0C6-A939-AF9D56C612AC} - C:\WINDOWS\system32\dkeepdfk\gqhqrnos.dll (file missing)
O2 - BHO: (no name) - {ED04CA94-A41B-4FDC-E814-386876F5CB8D} - C:\WINDOWS\system32\exrxsciu\dndkoiyr.dll (file missing)
O2 - BHO: (no name) - {F3A3F867-A9CD-628A-DA69-ADA8C78C1AB9} - C:\WINDOWS\system32\wvxsbfjt\yxkevjfr.dll (file missing)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [gfva] C:\WINDOWS\system32\yftco\gfva.exe
O4 - HKLM\..\Run: [nncekffm] C:\WINDOWS\system32\obuwyp\nncekffm.exe
O4 - HKLM\..\Run: [qxovv] C:\WINDOWS\system32\eeyy\qxovv.exe
O4 - HKLM\..\Run: [qlsupg] C:\WINDOWS\system32\trhekb\qlsupg.exe
O4 - HKLM\..\Run: [ylumrrc] C:\WINDOWS\system32\fpmw\ylumrrc.exe
O4 - HKLM\..\Run: [jqvql] C:\WINDOWS\system32\suuhe\jqvql.exe
O4 - HKLM\..\Run: [lvmr] C:\WINDOWS\system32\lbrasyl\lvmr.exe
O4 - HKLM\..\Run: [ehkcbqj] C:\WINDOWS\system32\abwdw\ehkcbqj.exe
O4 - HKLM\..\Run: [ufkxmuh] C:\WINDOWS\system32\tcybew\ufkxmuh.exe
O4 - HKLM\..\Run: [glqmxmdx] C:\WINDOWS\system32\mqatfbx\glqmxmdx.exe
O4 - HKLM\..\Run: [llmh] C:\WINDOWS\system32\fylp\llmh.exe
O4 - HKLM\..\Run: [cvipaht] C:\WINDOWS\system32\gwxxcs\cvipaht.exe
O4 - HKLM\..\Run: [sqcseyuo] C:\WINDOWS\system32\kbvxig\sqcseyuo.exe
O4 - HKLM\..\Run: [ubjxpfgx] C:\WINDOWS\system32\wlahvv\ubjxpfgx.exe
O4 - HKLM\..\Run: [hdacl] C:\WINDOWS\system32\gdfwpk\hdacl.exe
O4 - HKLM\..\Run: [hgti] C:\WINDOWS\system32\vpimj\hgti.exe
O4 - HKLM\..\Run: [wonypikn] C:\WINDOWS\system32\evilk\wonypikn.exe
O4 - HKLM\..\Run: [lqst] C:\WINDOWS\system32\oaem\lqst.exe
O4 - HKLM\..\Run: [qvkvdn] C:\WINDOWS\system32\omjy\qvkvdn.exe
O4 - HKLM\..\Run: [gqid] C:\WINDOWS\system32\gyqwokmw\gqid.exe
O4 - HKLM\..\Run: [gejd] C:\WINDOWS\system32\yelcovvf\gejd.exe
O4 - HKLM\..\Run: [wyrxkqjq] C:\WINDOWS\system32\hpuvhxs\wyrxkqjq.exe
O4 - HKLM\..\Run: [hcrcsc] C:\WINDOWS\system32\ckne\hcrcsc.exe
O4 - HKLM\..\Run: [klauae] C:\WINDOWS\system32\igrchl\klauae.exe
O4 - HKLM\..\Run: [wnxil] C:\WINDOWS\system32\ramgynn\wnxil.exe
O4 - HKLM\..\Run: [tlihekwd] C:\WINDOWS\system32\vsthpep\tlihekwd.exe
O4 - HKLM\..\Run: [ahdacws] C:\WINDOWS\system32\pepvq\ahdacws.exe
O4 - HKLM\..\Run: [mdpjs] C:\WINDOWS\system32\ysge\mdpjs.exe
O4 - HKLM\..\Run: [rgiumgyt] C:\WINDOWS\system32\ogyuadh\rgiumgyt.exe
O4 - HKLM\..\Run: [teurlcoa] C:\WINDOWS\system32\shsjvv\teurlcoa.exe
O4 - HKLM\..\Run: [bimcn] C:\WINDOWS\system32\srdexpl\bimcn.exe
O4 - HKLM\..\Run: [xhmiljc] C:\WINDOWS\system32\lcshvemc\xhmiljc.exe
O4 - HKLM\..\Run: [asnxropi] C:\WINDOWS\system32\aoqach\asnxropi.exe
O4 - HKLM\..\Run: [ihoxcnhr] C:\WINDOWS\system32\xxknuc\ihoxcnhr.exe
O4 - HKLM\..\Run: [hotl] C:\WINDOWS\system32\fnopmi\hotl.exe
O4 - HKLM\..\Run: [tdbivvoy] C:\WINDOWS\system32\fsgkof\tdbivvoy.exe
O4 - HKLM\..\Run: [vjquuw] C:\WINDOWS\system32\xckthsb\vjquuw.exe
O4 - HKLM\..\Run: [ercrxag] C:\WINDOWS\system32\jifhccv\ercrxag.exe
O4 - HKLM\..\Run: [dnhp] C:\WINDOWS\system32\coijie\dnhp.exe
O4 - HKLM\..\Run: [lhjypgfl] C:\WINDOWS\system32\uelgma\lhjypgfl.exe
O4 - HKLM\..\Run: [xgrk] C:\WINDOWS\system32\friiv\xgrk.exe
O4 - HKLM\..\Run: [pcbkeq] C:\WINDOWS\system32\vnmawxkh\pcbkeq.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
O23 - Service: cvipahtgwxxcs - Unknown owner - C:\WINDOWS\system32\gwxxcs\cvipaht.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: hotlfnopmi - Unknown owner - C:\WINDOWS\system32\fnopmi\hotl.exe
O23 - Service: lqstoaem - Unknown owner - C:\WINDOWS\system32\oaem\lqst.exe
O23 - Service: qlsupgtrhekb - Unknown owner - C:\WINDOWS\system32\trhekb\qlsupg.exe
O23 - Service: sqcseyuokbvxig - Unknown owner - C:\WINDOWS\system32\kbvxig\sqcseyuo.exe
O23 - Service: wnxilramgynn - Unknown owner - C:\WINDOWS\system32\ramgynn\wnxil.exe
O23 - Service: xgrkfriiv - Unknown owner - C:\WINDOWS\system32\friiv\xgrk.exe



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\DNS\
  • C:\WINDOWS\system32\mrxrelgx
  • C:\WINDOWS\system32\abwdw
  • C:\WINDOWS\system32\aoqach
  • C:\WINDOWS\system32\ckne
  • C:\WINDOWS\system32\coijie
  • C:\WINDOWS\system32\dkeepdfk
  • C:\WINDOWS\system32\eeyy
  • C:\WINDOWS\system32\evilk
  • C:\WINDOWS\system32\exrxsciu
  • C:\WINDOWS\system32\fnopmi
  • C:\WINDOWS\system32\fpmw
  • C:\WINDOWS\system32\friiv
  • C:\WINDOWS\system32\fsgkof
  • C:\WINDOWS\system32\fylp
  • C:\WINDOWS\system32\gdfwpk
  • C:\WINDOWS\system32\gwxxcs
  • C:\WINDOWS\system32\gyqwokmw
  • C:\WINDOWS\system32\hpuvhxs
  • C:\WINDOWS\system32\igrchl
  • C:\WINDOWS\system32\jifhccv
  • C:\WINDOWS\system32\kbvxig
  • C:\WINDOWS\system32\krdxrurj
  • C:\WINDOWS\system32\lbrasyl
  • C:\WINDOWS\system32\lcshvemc
  • C:\WINDOWS\system32\mqatfbx
  • C:\WINDOWS\system32\oaem
  • C:\WINDOWS\system32\obuwyp
  • C:\WINDOWS\system32\ogyuadh
  • C:\WINDOWS\system32\omjy
  • C:\WINDOWS\system32\pepvq
  • C:\WINDOWS\system32\ramgynn
  • C:\WINDOWS\system32\shsjvv
  • C:\WINDOWS\system32\srdexpl
  • C:\WINDOWS\system32\suuhe
  • C:\WINDOWS\system32\tcybew
  • C:\WINDOWS\system32\trhekb
  • C:\WINDOWS\system32\uelgma
  • C:\WINDOWS\system32\uelgmal
  • C:\WINDOWS\system32\vnmawxkh
  • C:\WINDOWS\system32\vpimj
  • C:\WINDOWS\system32\vsthpep
  • C:\WINDOWS\system32\wlahvv
  • C:\WINDOWS\system32\wvxsbfjt
  • C:\WINDOWS\system32\xckthsb
  • C:\WINDOWS\system32\xgaakfwd
  • C:\WINDOWS\system32\xxknuc
  • C:\WINDOWS\system32\yelcovvf
  • C:\WINDOWS\system32\yftco
  • C:\WINDOWS\system32\ysge
Locate and delete the following files:
  • C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
  • C:\WINDOWS\system32\greenstd.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose Clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now; this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

It will produce a log called "Antispyware.log"; please double-click that log and copy the entire contents and paste them here.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 

Registered · 5 Posts · Discussion Starter #3
OK this is try #3 to reply to this message. I am going to nix the log files for now just so I can get this one reply entered. In reply to "if you have any problems" comment, here is my major problem. I started all the scans at 6pm on Oct 19 and just completed them at 10am today (the 23rd). It took an average of 6 hours per scan and the major reason being there are hundreds, if not thousands, of files in my Windows/system32 folder - all .exe files. That can't be right!

I will attempt to attach my HijackThis scan from this morning and maybe if I could try emailing the rest to someone (I would hate to put anyone out though - it's the only other way I can think to send it). I keep getting "cannot find server" errors when I try sending a post with all the files pasted in it.

Logfile of HijackThis v1.99.1
Scan saved at 10:07:50 AM, on 23/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\fxredir.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
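The first HijackThis log in this thread and the post-fix log above form a before/after pair: every entry the helper told the poster to fix by hand belongs to one of four classes (a hosts-file override, a BHO with no name or a missing DLL, a Run entry launched from a random-named subfolder of system32, or a service with an unknown owner). The Python script below is an added example, not a TSF tool and not part of any post here; it encodes those four triage rules, runs them over a constructed subset of the two logs, and checks that nothing flagged in the "before" log survives in the "after" log. The sample lines are copied from the thread but abbreviated; the regular expressions and function names are this example's own.

```python
"""Triage and verify HijackThis-style logs (added example, not a TSF tool).

Four heuristics, each matching an entry class the helper removed by hand:
  O1  - hosts-file override
  O2  - BHO with "(no name)" or "(file missing)"
  O4  - Run entry whose target sits in a subfolder directly under system32
  O23 - service reported with "Unknown owner"
compare() checks a before/after pair: what was fixed and what still trips a rule.
"""
import re
from dataclasses import dataclass

# Log entry line: "O4 - HKLM\..\Run: [name] target" / "R0 - ..." / "O23 - Service: ..."
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# Target of an O4 line, quoted or not, with any trailing arguments dropped.
O4_TARGET = re.compile(r'\] "?([^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# An .exe in an extra folder directly under system32 (e.g. ...\system32\yftco\gfva.exe).
# Legitimate Run entries in these logs live in system32 itself or under Program Files.
SYS32_SUBDIR_EXE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (section, body) for every entry line; headers and process lists are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(log: str) -> list[Finding]:
    """Apply the four heuristics and return each entry that trips one."""
    findings = []
    for section, body in parse_entries(log):
        reason = None
        if section == "O1":
            reason = "hosts-file override"
        elif section == "O2" and ("(no name)" in body or "(file missing)" in body):
            reason = "BHO with no name or missing DLL"
        elif section == "O4":
            m = O4_TARGET.search(body)
            if m and SYS32_SUBDIR_EXE.match(m.group(1)):
                reason = "Run entry launched from a subfolder of system32"
        elif section == "O23" and "Unknown owner" in body:
            reason = "service with unknown owner"
        if reason:
            findings.append(Finding(section, reason, body))
    return findings


def compare(before: str, after: str) -> tuple[list[Finding], list[Finding]]:
    """(resolved, remaining): flagged 'before' entries gone from 'after', plus anything
    still flagged in 'after'. An empty 'remaining' list means the fix took."""
    after_bodies = {body for _, body in parse_entries(after)}
    resolved = [f for f in flag_entries(before) if f.entry not in after_bodies]
    return resolved, flag_entries(after)


# Constructed subsets of the two logs posted in this thread.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34C507DC-32D2-B3B6-AE11-6264B70B97EE} - C:\WINDOWS\system32\mrxrelgx\nwcwlcvr.dll (file missing)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gfva] C:\WINDOWS\system32\yftco\gfva.exe
O4 - HKLM\..\Run: [hotl] C:\WINDOWS\system32\fnopmi\hotl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: cvipahtgwxxcs - Unknown owner - C:\WINDOWS\system32\gwxxcs\cvipaht.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    resolved, remaining = compare(BEFORE_LOG, AFTER_LOG)
    for f in resolved:
        print(f"fixed   {f.section:<4} {f.reason}: {f.entry}")
    for f in remaining:
        print(f"STILL   {f.section:<4} {f.reason}: {f.entry}")
    print(f"{len(resolved)} resolved, {len(remaining)} remaining")
```

On the sample pair this reports five resolved entries and none remaining, which is what the post-fix log above shows. The rules are deliberately narrow and tied to what this log pair looks like: the `services32` Run entry under `C:\Program Files\Common Files\Windows\` that the helper also listed would not trip the system32-subfolder rule, so a script like this supports a manual review rather than replacing it.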
 

TSF Security Team, Emeritus · 26,363 Posts
Please use WinZip to archive/zip the files.

Then place them as an attachment in your next post.
 

Registered · 5 Posts · Discussion Starter #5
Wow, you are fast! I don't think I have ever zipped anything before, so I hope I did this right. Also, the Panda scan was stopped by my son. Gotta love him... He stopped it under windows/system32/tw* so it's really only a report from about t - z under system32. Before it was stopped, the last time I checked, it had disinfected just over 95,000 files.

Thanks again for taking this time to help a stranger!
 

TSF Security Team, Emeritus · 26,363 Posts
I had a quick glance at your logs.

You weren't exaggerating when you said you had plenty of malware. The ActiveScan report alone is 1114 pages long. It's a regular encyclopedia :laugh:

I'll need some time with it.

Please subscribe to this thread so that you'll be notified when I make a reply.
 

Registered · 5 Posts · Discussion Starter #8
And that ActiveScan one, isn't that the one my son stopped? It's only a PORTION of what was there, I didn't print a log from A-N...
 

TSF Security Team, Emeritus · 26,363 Posts
Please download the file I have attached to this post - mmd.zip

Then reboot to Safe Mode.

From within mmd.zip, double-click on mmd.bat & allow it to run its full course. It will create a resultant log located at C:\sUBs.txt for you to post back to me.

** mmd.bat is a large batch file which would delete a lot of malware folders created on your computer.
It may take some time for it to complete. Please advise me how long it took.
 