cknrmjfrviszvhgopmqphz.exe

VTP360 · Aug 8, 2013

Hi,

I've been solving malware problems by using this site for a long time but this is my first time creating my own thread.

I had a browser redirect issue which was solved after completing all of the READ & RUN ME FIRST steps but I have a question about something Hitman Pro found. The instructions were to remove nothing that Hitman Pro found but one of the items it listed was this: cknrmjfrviszvhgopmqphz.exe. It's current path on my pc is: C:\Documents and Settings\NetworkService\cknrmjfrviszvhgopmqphz.exe. Can I now use Hitman Pro to remove it or should I use a different method. Should I remove it at all?? My research shows that it is a trojan.

I have attached all of my logs. I actually have two TDSKiller logs since I first followed the instructions on "Fixing Google Redirection/Hijacking Problems" but I only attached the second one made during the "Windows XP Malware Removal/Cleaning Procedure."

Thanks for taking the time to help!

Todd

VTP360 · Aug 8, 2013

Here are the remaining logs.

chaslang · Aug 8, 2013

Welcome to Major Geeks!

Uninstall the below software:
J2SE Runtime Environment 5.0 Update 6
Java(TM) 7 Update 2
Now install the current version of Sun Java from: Sun Java Runtime Environment Make sure that when you see the form asking about installing Ask Toolbar that you uncheck this.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKUS\S-1-5-21-3701367985-4044162562-1234922526-1010\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'ASPNET')
O4 - HKUS\S-1-5-21-3701367985-4044162562-1234922526-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')

After clicking Fix, exit HJT.

Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Please download OTM by Old Timer and save it to your Desktop.

Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
(or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
the code box
Code:
:Processes
explorer.exe

:Files
C:\Documents and Settings\NetworkService\cknrmjfrviszvhgopmqphz.exe
C:\RECYCLER\S-1-5-18\$20cab85dc6f1f8794254552775e5e0ec\n.
C:\RECYCLER\S-1-5-18\$20cab85dc6f1f8794254552775e5e0ec\n.
C:\RECYCLER\S-1-5-18\$20cab85dc6f1f8794254552775e5e0ec\n
C:\RECYCLER\S-1-5-18\$20cab85dc6f1f8794254552775e5e0ec\@
C:\RECYCLER\S-1-5-21-3701367985-4044162562-1234922526-1007\$20cab85dc6f1f8794254552775e5e0ec\@
C:\RECYCLER\S-1-5-18\$20cab85dc6f1f8794254552775e5e0ec\U
C:\RECYCLER\S-1-5-21-3701367985-4044162562-1234922526-1007\$20cab85dc6f1f8794254552775e5e0ec\U
C:\RECYCLER\S-1-5-18\$20cab85dc6f1f8794254552775e5e0ec\L
C:\RECYCLER\S-1-5-21-3701367985-4044162562-1234922526-1007\$20cab85dc6f1f8794254552775e5e0ec\L
C:\WINDOWS\assembly\GAC\Desktop.ini
C:\Documents and Settings\HP_Administrator\Templates\2n2320tm5t8410e24wkf6fj771tb2247138j07j054g7aa
C:\Documents and Settings\HP_Administrator\Templates\edl3w23oj3p"
C:\WINDOWS\Temp\*.*
C:\Documents and Settings\HP_Administrator\Local Settings\TEMP\*.*
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
) and choose Paste.

Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.

If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.

Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.

The tool will open and start scanning your system.

Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

the C:\_OTM\MovedFiles log

the JRT.TXTlog

C:\MGlogs.zip

Make sure you tell me how things are working now!

Log in or Sign up

cknrmjfrviszvhgopmqphz.exe

VTP360 Private E-2

Attached Files:

GooredFix.txt

HitmanPro_20130807_1508.log

mbam-log-2008-12-03 (10-25-30).txt

MBRCheck_08.07.13_11.53.36.txt

MGlogs.zip

VTP360 Private E-2

Attached Files:

RKreport[0]_S_08072013_124052.txt

TDSSKiller.2.8.16.0_07.08.2013_14.24.57_log.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member