Bugs!

Discussion in 'Malware Help (A Specialist Will Reply)' started by ringman, Dec 21, 2005.

  1. ringman

    ringman Private E-2

    I have run Hijack and attached the log file. Can you help?
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments. HJT logs must not be posted until the READ & RUN ME has been completed. You must also attach the logs from the two required online scanning tools (BitDefender and PandaActiveScan). You should also be describing your problems. What you did is like dropping a car off at a car dealer and not telling them what is wrong.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  3. ringman

    ringman Private E-2

    chas,

    The only bitdefender I could find was a virus program that wanted me to uninstall my current program (Office Scan). I don't want to do that.
    I could not find Panda Activescan.
    I've done everything else on your list several times.
    This bug is one I saw mentioned in one of the posts. I have 6 cartoonish icons on my desktop with labels that read Pharmacy, Gambling, Spyware, Dating, etc. They did not appear when I was in safe mode. I turned off the system restore, restarted, and they came back. It or something else has taken over my browser.

    Microsoft Malicious finds nothing.
    Microsoft AntiSpyware found 8 items, when I told it to fix them it wanted to go online and I wasn't wired so that went boom. Now the program shoots craps after checking about 900 files. I've reinstalled it and get the same results... shoots craps.
    Spybot is interesting... it seems like it takes forever to finish running and on several occasions it looks like it bothers the bugs... I say this because 3 separate times OfficeScan has popped up with an announcement that it has spotted a bug, each time Spybot was running.
    Officescan had this to say:
    Infected File:
    C:\Winnt\system32\favme.exe
    C:\system volume information\_restore{e03fce5c-a423-4aec-93e5-749b43199ddb}\rp35\a0006137.exe
    C:\system volume information\_restore{e03fce5c-a423-4aec-93e5-749b43199ddb}\rp35\a0006148.exe
    C:\windows\system32\howiper.exe
    C:windows\system32\favset.exe

    I have a fresh hijack log, but I don't want to piss you off or get chided for doing something the wrong way.

    Hope I have given you enough info to help me out and I apologize for being a dumb ass.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand what you mean. Just click on the links in the READ & RUN ME for these scanners. They take you right to the pages to run them.
     
  5. ringman

    ringman Private E-2

    Well, I'll try that next. Of course I'll have to be online when I do it, and it seemed to me that the instructions told me to run without a connection to the internet. I'm confused too.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The instructions for step 6 state (and I'll highlight in bold RED A FEW KEY WORDS):
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to have you download a tool that is better at finding and deleting files than Windows Explorer.

    Download and install: ExplorerXP

    Now reboot into safe mode and use ExplorerXP to delete all the below files if found:

    C:\WINDOWS\system32\insurance.bmp
    C:\WINDOWS\system32\close.bmp
    C:\WINDOWS\system32\spyware.bmp
    C:\WINDOWS\system32\xxx.bmp
    C:\WINDOWS\system32\pharmacy.bmp
    C:\WINDOWS\system32\gambling.bmp
    C:\WINDOWS\system32\dating.bmp
    C:\WINDOWS\system32\idesk.conf
    C:\WINDOWS\system32\rdt.ini
    C:\WINDOWS\system32\ie2cltr.dll
    C:\WINDOWS\system32\idemlog.exe
    C:\WINDOWS\system32\howiper.exe
    C:\WINDOWS\system32\sphlp32.exe
    C:\WINDOWS\system32\favset.exe
    C:\WINDOWS\system32\hgqhp.exe
    C:\WINDOWS\system32\pppcgm.exe
    C:\WINDOWS\system32\fran-hot.exe
    C:\WINDOWS\system32\qurrv.dll
    C:\WINDOWS\system32\filesafer23.exe
    C:\WINDOWS\system32\logo_big.exe
    C:\WINDOWS\rdt.ini


    Now reboot in normal mode. How is everything working now?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message number three you made references to the below two folders:

    C:\Winnt\system32 and C:windows\system32

    Why do you have both a C:\winnt and a c:\windows folder? Did you have multiple versions of Windows installed? I would suspect that the c:\windows folder is the active one?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing the previous steps continue with the below so we can be sure we got all of this.

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe

    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\msblank.html
    O4 - HKCU\..\Run: [qwe] corrida.exe
    O4 - HKCU\..\Run: [DCC_send] MNTP.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7E3CD446-7E6B-4E43-8D51-DEF2499569F6}: NameServer = 85.255.113.134,85.255.112.119
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A5A9FC2C-7954-4EBF-972C-FE5480643F99}: NameServer = 85.255.113.134,85.255.112.119
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7E3CD446-7E6B-4E43-8D51-DEF2499569F6}: NameServer = 85.255.113.134,85.255.112.119
    O17 - HKLM\System\CS2\Services\Tcpip\..\{7E3CD446-7E6B-4E43-8D51-DEF2499569F6}: NameServer = 85.255.113.134,85.255.112.119

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, you may need to restart your computer again.

    Now please attach the contents of the logfile C:\fixwareout\report.txt
    Also attach a new HijackThis log.
     
    Last edited: Dec 23, 2005
  10. ringman

    ringman Private E-2

    This PC started out with Windows 2000 and was later upgraded to XP.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Are you working through all the other steps now?
     
  12. ringman

    ringman Private E-2

    I have worked through everything on the list and everything LOOKS GREAT. I'm going to assume it's fixed for good and add your name to my list of heroes.

    FYI: Explorer XP developed a problem while running and my regular Explorer deleted the files from the list you gave me... more... the exe and dll files weren't there.

    Here's something else that may or may not be related:
    You have probably noticed that this PC was part of a domain. When I logon, if I have the network cable attached, it won't log me on either to the domain or "this computer". If I unhook the cable it logs me on to the domain.

    The two files you requested are attached.
    Thanks and Merry Xmas, Happy Holidays or Have a good day! (Your Choice)
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's strange! May or may not be related. But you should not be able to login to a domain if there is no cable connected. It should not be able to verify your login with the domain server with no cable.

    Can you connect the cable afterwards? Do you get connectivity?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have HJT fix the below lines as in my instructions:
    O4 - HKCU\..\Run: [qwe] corrida.exe
    O4 - HKCU\..\Run: [DCC_send] MNTP.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7E3CD446-7E6B-4E43-8D51-DEF2499569F6}: NameServer = 85.255.113.134,85.255.112.119
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A5A9FC2C-7954-4EBF-972C-FE5480643F99}: NameServer = 85.255.113.134,85.255.112.119
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7E3CD446-7E6B-4E43-8D51-DEF2499569F6}: NameServer = 85.255.113.134,85.255.112.119
    O17 - HKLM\System\CS2\Services\Tcpip\..\{7E3CD446-7E6B-4E43-8D51-DEF2499569F6}: NameServer = 85.255.113.134,85.255.112.119

    They are still in your log and another baddie showed up:
    O4 - HKLM\..\Run: [dmrvh.exe] C:\WINDOWS\system32\dmrvh.exe

    You need to fix these lines and then boot into safe mode and find and fix the below files:
    C:\WINDOWS\system32\dmrvh.exe
    C:\WINDOWS\system32\corrida.exe
    C:\WINDOWS\system32\MNTP.exe

    Then reboot to normal mode and tell me what you found. Also attach a new HJT log. If any of the O4 baddies have come back, we will need to run the below:

    Please download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
    Last edited: Dec 23, 2005
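    The O17 NameServer and O4 Run lines chaslang keeps pointing at are the two things worth checking by hand in every new log: DNS servers that have been rewritten to outside addresses, and a Run entry that disappears and comes back under a fresh name (dmrvh.exe, then dmhqo.exe). Below is an added example, not a tool from this thread or from the HijackThis project, that parses those two line types from a HijackThis log, flags any NameServer outside an assumed trusted range (the 10/8 and 192.168/16 nets are an assumption for the example) and diffs O4 entries between two logs. The sample lines are copied from this thread; the "later" log is constructed.

```python
import ipaddress
import re

# HijackThis lines copied from the thread above (constructed sample input, not a full log).
LOG_DEC23 = [
    r"O4 - HKCU\..\Run: [qwe] corrida.exe",
    r"O4 - HKCU\..\Run: [DCC_send] MNTP.exe",
    r"O4 - HKLM\..\Run: [dmrvh.exe] C:\WINDOWS\system32\dmrvh.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{7E3CD446-7E6B-4E43-8D51-DEF2499569F6}: NameServer = 85.255.113.134,85.255.112.119",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{7E3CD446-7E6B-4E43-8D51-DEF2499569F6}: NameServer = 85.255.113.134,85.255.112.119",
]
# A constructed later log in which the same dropper has come back under a new name.
LOG_LATER = [r"O4 - HKLM\..\Run: [dmhqo.exe] C:\WINDOWS\system32\dmhqo.exe"]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*): NameServer = (?P<servers>[\d.,]+)$")
# DNS servers this network legitimately hands out (assumed for the example).
TRUSTED_DNS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def rogue_nameservers(lines, trusted=TRUSTED_DNS):
    """Return (registry key, server) pairs for every O17 NameServer outside the trusted nets.
    A DNS changer rewrites these so that every name lookup goes through its own servers."""
    hits = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in m.group("servers").split(","):
            if not any(ipaddress.ip_address(server) in net for net in trusted):
                hits.append((m.group("key"), server))
    return hits

def run_entries(lines):
    """Parse O4 Run lines into (hive, value name, command) tuples."""
    out = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return out

def new_run_entries(old_lines, new_lines):
    """O4 entries present in the new log but not in the old one; a persistence item that is
    removed and reappears under another name (dmrvh.exe -> dmhqo.exe) shows up here."""
    seen = set(run_entries(old_lines))
    return [e for e in run_entries(new_lines) if e not in seen]

if __name__ == "__main__":
    for key, server in rogue_nameservers(LOG_DEC23): print(f"rogue DNS {server} in {key}")
    for hive, name, cmd in new_run_entries(LOG_DEC23, LOG_LATER): print(f"new Run entry {hive} [{name}] {cmd}")
```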
  15. ringman

    ringman Private E-2

    yes! to both.
    I plug in after logging on and the domain is available.
    What's strange is, when I log on with a legitimate username and password it tells me the domain is shutdown, or my name/password are no good.

    I did fix the problems found by hijack. I'm going in for the "other baddie" now.
     
  16. ringman

    ringman Private E-2

    I have run hijack again and the bad guys don't show up... at least any that you've pointed out. Attached is a copy of the log.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Watch your O4 lines closely! You will see another new one popped up. Actually the same problem but it renamed itself. See:

    O4 - HKLM\..\Run: [dmhqo.exe] C:\WINDOWS\system32\dmhqo.exe

    Fix it the same way and then run the WinPfind program I gave to you and attach the log.
    Also do the steps in the following link and attach the Ewido log:

    Running Ewido Security Suite

    Also please run the WinPfind tool and post its log.

    Note: you must always attach HJT logs from normal boot mode unless otherwise specified.
     
    Last edited: Dec 23, 2005
  18. ringman

    ringman Private E-2

    I have attached the report from Ewido.
    Officescan picked up a bug while it was running. True to form, I didn't make a note of everything, just a filename: csevw.exe. When I went to explorer to delete it, search couldn't find it... I'm buggered!
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If that file name is correct, I never heard of it. Looks like Ewido fixed a bunch of things, including the O4 file I mentioned. You forgot the WinPfind log. Also you should attach a new HJT log from normal boot mode so we can see if that reappearing trojan is gone or has renamed itself again.
     
  20. ringman

    ringman Private E-2

    Okay, here is the WinPFind log that I forgot, along with a new Hijack log.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you are finally clean. But there are two other files you need to delete. I forgot to mention these. Delete:
    C:\WINDOWS\SYSTEM32\CSEVW.EXE
    C:\WINDOWS\SYSTEM32\DMRVH.EXE


    Afterwards, it is time to work through the below link:

    How to Protect yourself from malware!
     
    Last edited: Jan 1, 2006
