Hijack this log, need help on what to remove.

Discussion in 'Malware Help (A Specialist Will Reply)' started by wsloan311, Jan 25, 2007.

  1. wsloan311

    wsloan311 Private E-2

    Attached my hijack this log. Need help to remove virus. Please and thanks.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. wsloan311

    wsloan311 Private E-2

    Ran all steps for hijack this.

    Ran everything. Couldn't get AVG log because computer wouldn't stay responsive long enough. Same with Panda and Bitdefender. They ran for a while and cleaned what they found. Have attached all other logs though. Thanks
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run this and then do the logs again (sorry):

    Run this Prevx1

    * Please download and install and get any updates recommended for Prevx1 DO NOT SCAN YET!!!!
    * Then physically unplug your cable that connects you to the internet! DO NOT plug it back in until I tell you to do so.
    * Now run a full system scan with Prevx1 in normal boot mode. Save a log of what it finds and attach it later.
    * Now reboot into normal mode.


    Attach the Prevx1 logs as well as new logs for:
    ShowNew
    GetRun
    HJT
     
  5. wsloan311

    wsloan311 Private E-2

    I can't install this prevx1, tells me it won't install in safe mode. I can't do anything at all in normal mode.
    Thanks.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then let's try this:
    Please download and install (make sure you update when it asks) the below:

    SUPERAntiSpyware

    And then run a Complete Scan (not a Quick Scan) on your system. When the scan finishes, save the log and attach the log here so we can see how effective it was. Please be patient as this can take quite a while since it is running a very comprehensive scan. It would be best if you ran it and then did nothing else on the PC while the scan is running. Therefore try running it when you don't need the PC or even run it while you sleep.

    Then attach new logs from ShowNew GetRun and HijackThis.
     
  7. wsloan311

    wsloan311 Private E-2

    Windows installer won't install this also, because I'm in safe mode.
     
  8. wsloan311

    wsloan311 Private E-2

    Ok, so I got Prevx1 to run. Here is the log and the other 3 logs. Seems like computer is running a lot better now.
     

    Attached Files:

  9. wsloan311

    wsloan311 Private E-2

    Here is hijack this log
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The HJT log has not been attached. Can you upload it?


    Click Start > Run > Copy and paste the following lines exactly as they appear one at a time.. If you get any popup messages click OK. Let me know if you get any errors with this.

    regsvr32 /u C:\WINDOWS\system32\svmsvqvy.dll
    regsvr32 /u C:\WINDOWS\system32\rreottms.dll
    regsvr32 /u C:\WINDOWS\system32\lfrkhcm.dll
    regsvr32 /u C:\WINDOWS\system32\jrsljdst.dll
    regsvr32 /u C:\WINDOWS\system32\grbqcdl.dll
    regsvr32 /u C:\WINDOWS\system32\cyrjxce.dll

    Since you are stuck in safe mode, navigate to all these files or folders and delete them:

    C:\WINDOWS\system32\dlh9jkd1q8.exe
    C:\WINDOWS\system32\vxga1me4t1.exe
    C:\WINDOWS\system32\vxga4m1et4.exe
    C:\WINDOWS\system32\vxga5me3.exe
    C:\WINDOWS\system32\vxga8me6.exe
    C:\WINDOWS\system32\wapisvcc.exe
    C:\123.tmp
    C:\3731503.exe
    C:\zx
    C:\WINDOWS\system32\kywrsies.exe
    C:\WINDOWS\system32\cwoqgi.sys
    C:\WINDOWS\system32\idpoh.sys
    C:\WINDOWS\system32\tuwxx.tmp
    C:\WINDOWS\system32\smttoerr.ini
    C:\WINDOWS\system32\tuwxx.ini
    C:\WINDOWS\system32\tuwxx.ini2
    C:\WINDOWS\system32\d3d9caps.dat
    C:\Program Files\Common Files\qucam
    C:\Program Files\Common Files\rteleb.html
    C:\Program Files\Common Files\{3882DA87-05D8-1033-1014-051212200001}
    C:\Program Files\Common Files\{4882DA87-05D8-1033-1014-051212200001}
    C:\Program Files\??stem
    C:\Documents and Settings\Wade Sloan\Application Data\Viewpoint
    C:\Documents and Settings\Wade Sloan\Application Data\??curity
    C:\Documents and Settings\Wade Sloan\Application Data\T?sks
    C:\WINDOWS\Downloaded Program Files\AUTO_2N.exe
    C:\WINDOWS\system32\svmsvqvy.dll
    C:\WINDOWS\system32\rreottms.dll
    C:\WINDOWS\system32\lfrkhcm.dll
    C:\WINDOWS\system32\jrsljdst.dll
    C:\WINDOWS\system32\grbqcdl.dll
    C:\WINDOWS\system32\cyrjxce.dll

    After doing the above, let me know if you can now get into safe mode and run the other scans.
     
  11. wsloan311

    wsloan311 Private E-2

    Sorry, here is HJT. I can get into normal mode fine now by the way.
     
  12. wsloan311

    wsloan311 Private E-2

    It won't let me post hijack this log, keeps telling me I already attached it earlier in the thread. Tried renaming but still no go.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looking at your previous HJT (though things may have changed):
    Exit all browsers (print these instructions first!!!)

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to each of these one at a time (If present):
    Windows Overlay Components
    KMCSIC SERVICE
    Client IP-IPX


    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste Each of the above services (one at a time) into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    After all the services have been deleted exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {0E00CE40-2884-760E-A19B-07D5FC24B299} - C:\WINDOWS\system32\jxc.dll
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [{2D-DA-A8-87-ZN}] c:\windows\system32\dwdsregt.exe SKY001 G
    O4 - HKLM\..\Run: [xjktgl] C:\WINDOWS\system32\xrgcgn.exe reg_run G
    O4 - HKLM\..\Run: [rdeftraA] C:\WINDOWS\rdeftraA.exe
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\rreottms.dll",setvm G
    O4 - HKLM\..\Run: [euoai] C:\Documents and Settings\Wade Sloan\Application Data\faretoraci\sysvmtrs.exe
    O4 - HKCU\..\Run: [Aitlq] "C:\Documents and Settings\Wade Sloan\Application Data\??curity\??chost.exe" 99001162
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe G
    O4 - Startup: Z_Start.lnk = C:\Documents and Settings\Wade Sloan\Local Settings\Temp\stdrun1.exe
    O15 - Trusted Zone: www.adslconnection.name
    O15 - Trusted Zone: www.contentdiscount.info
    O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe G
    O17 - HKLM\System\CCS\Services\Tcpip\..\{16E8E0D6-B982-42D0-A1C3-216ADDBA3126}: NameServer = 85.255.116.27,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2F0EFC26-0276-4EB3-88D0-89C4D7A05BB0}: NameServer = 85.255.116.27,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73A78149-DA5C-4F78-8967-FC990B607307}: NameServer = 85.255.116.27,85.255.112.114
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.27 85.255.112.114
    O17 - HKLM\System\CS3\Services\Tcpip\..\{16E8E0D6-B982-42D0-A1C3-216ADDBA3126}: NameServer = 85.255.116.27,85.255.112.114
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.27 85.255.112.114
    O17 - HKLM\System\CS4\Services\Tcpip\..\{16E8E0D6-B982-42D0-A1C3-216ADDBA3126}: NameServer = 85.255.116.27,85.255.112.114
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.116.27 85.255.112.114
    O17 - HKLM\System\CS5\Services\Tcpip\..\{16E8E0D6-B982-42D0-A1C3-216ADDBA3126}: NameServer = 85.255.116.27,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.27 85.255.112.114
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll G
    O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Enojcdfo.dll G
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
    O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
    O23 - Service: KMCSIC SERVICE (kmcsicsv) - Unknown owner - C:\WINDOWS\system32\kmcsicsv.exe (file missing)
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\rdeftra.exe

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey - please download the current version first!
    * ShowNew
    * HJT

    Be sure to tell us how things are running.
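    The HijackThis entries listed above (an O17 NameServer pair pointing at a public resolver on every interface, O4 autoruns launched from Application Data and Temp, sites added to the IE Trusted Zone, an AppInit_DLLs entry, and O23 services with unknown owners or missing binaries) are exactly the kinds of lines a helper scans for when triaging a log. The following Python script is an added example, not code from MajorGeeks, HijackThis or this thread: it parses HJT-style lines and flags those indicator types. The sample log is constructed from lines in the post above with one legitimate-looking O17 entry added for contrast; the allowlist of expected resolvers is an assumed parameter the reader fills in with their own ISP or corporate DNS.

```python
import ipaddress
import re

# Constructed sample input: HJT-style lines copied from the post above, plus one
# O17 line with private (RFC 1918) resolvers that should NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [euoai] C:\Documents and Settings\Wade Sloan\Application Data\faretoraci\sysvmtrs.exe
O4 - Startup: Z_Start.lnk = C:\Documents and Settings\Wade Sloan\Local Settings\Temp\stdrun1.exe
O15 - Trusted Zone: www.adslconnection.name
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.27 85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{16E8E0D6-B982-42D0-A1C3-216ADDBA3126}: NameServer = 192.168.1.1,192.168.1.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\rdeftra.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
"""

# Every HJT line starts with a section code (R0, O4, O17, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")

# Locations a malware dropper can write to without admin rights; an autorun
# pointing into one of these deserves a second look.
USER_WRITABLE = re.compile(r"(application data|local settings|\\temp\\|docume~1)", re.I)


def parse_line(line):
    """Split one HJT line into (section code, remainder); None for non-HJT text."""
    m = LINE_RE.match(line.strip())
    return (m.group("kind"), m.group("rest")) if m else None


def nameservers(rest):
    """Pull the resolver list out of an O17 entry; HJT separates IPs with ',' or ' '."""
    _, _, value = rest.partition("NameServer =")
    return [ip for ip in re.split(r"[,\s]+", value.strip()) if ip]


def is_expected_resolver(ip, allowlist):
    """Private-range resolvers (home router, corporate DNS) or explicitly allowed IPs are fine."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or ip in allowlist


def triage(log_text, allowlist=frozenset()):
    """Return (section, reason, original line) for every suspicious entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        kind, rest = parsed
        if kind == "O17":
            bad = [ip for ip in nameservers(rest) if not is_expected_resolver(ip, allowlist)]
            if bad:
                findings.append((kind, "unexpected DNS resolver(s): " + ", ".join(bad), raw))
        elif kind == "O4" and USER_WRITABLE.search(rest):
            findings.append((kind, "autorun launched from a user-writable location", raw))
        elif kind == "O15":
            findings.append((kind, "site added to the IE Trusted Zone (lowered security)", raw))
        elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
            findings.append((kind, "AppInit_DLLs entry is loaded into every user-mode process", raw))
        elif kind == "O23":
            if "(file missing)" in rest:
                findings.append((kind, "service points at a missing binary (dangling entry)", raw))
            elif "Unknown owner" in rest:
                findings.append((kind, "service binary has no known vendor; verify it", raw))
    return findings


if __name__ == "__main__":
    # allowlist is an assumed parameter: put your ISP/corporate resolvers here
    for kind, reason, line in triage(SAMPLE_LOG, allowlist=frozenset()):
        print(f"[{kind}] {reason}\n    {line}")
```

    Run against the sample it reports seven entries and stays silent on the printer driver autorun and the 192.168.x.x resolvers, which is the point of the allowlist: the 85.255.x.x pair is flagged only because it is neither private nor something the owner recognises, so the same script can be pointed at any HJT log by swapping in the resolvers that network actually uses.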
     
  14. wsloan311

    wsloan311 Private E-2

    All of this is complete. Things seem to be running smoothly.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We've made some progress.

    Now
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run this Virtumonde aka Trojan Vundo Removal

    You are running HJT from the wrong place. You were instructed to unzip it to its own folder and rename it. (C:\HJT\analysis.exe)
    Now attach the below logs and tell me how the above steps went.
    1. Combofix log
    2. VundoFix log
    3. new GetRunKey log
    4. new ShowNew log
    5. new HJT
    Make sure you tell me how things are working now!
     
  16. wsloan311

    wsloan311 Private E-2

    Did all of that. Everything seems to be running ok. Thanks.
     

    Attached Files:

  17. wsloan311

    wsloan311 Private E-2

    other 2 files...
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

    http://downloads.subratam.org/Fixwareout.exe

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
    • Run Fixwareout.
    • Click Next,
    • then Install,
    • make sure Run fixit is checked
    • and click Finish.
    • The fix will begin; follow the prompts.
    • You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    When you run fixwareout, just follow the prompts, you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.
    • Go into Control Panel -->Network Connections.
    • Right click on your connection
    • and click Properties.
    • On the Properties page, highlight Internet Protocol(TCP/IP)
    • Click Properties. This will bring up another page.
    • Select Obtain DNS Server Automatically.
    • Click the ok button. The page will close.
    • Press ok on the page in front of you.
    • Restart the computer.
    • Reconnect to the Internet using Internet Explorer.
    • Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt
    Also a new:
    ShowNew
    GetRun
    HJT
     
  19. wsloan311

    wsloan311 Private E-2

    All done
     

    Attached Files:

  20. wsloan311

    wsloan311 Private E-2

    and fixware out log
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HijackThis and select the following lines (they may not all be there) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {277FFA57-7419-4F1D-AAA9-FD9C7DFEB60A} - (no file)
    O2 - BHO: 0 - {3932A737-11F4-4255-50B7-809EA67C4129} - C:\Program Files\Common Files\qucam.dll (file missing)
    O2 - BHO: (no name) - {5CCAC541-3389-BD0B-7584-06129AD6DC38} - C:\WINDOWS\system32\cyrjxce.dll
    O2 - BHO: (no name) - {6E4B23EE-D412-48BD-B133-60574061E429} - (no file)
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\spthorlr.dll (file missing)
    O2 - BHO: 0 - {83D5E002-EBE5-44DA-5285-8E97EC377AE3} - C:\Program Files\Common Files\qucam.dll (file missing)
    O2 - BHO: (no name) - {AD1B4FD7-60B5-42BA-B626-36B638006B70} - \
    O20 - Winlogon Notify: ideusr50 - ideusr50.dll (file missing)
    O20 - Winlogon Notify: tuvusss - C:\WINDOWS\
    O20 - Winlogon Notify: winwgl32 - winwgl32.dll (file missing)
    O20 - Winlogon Notify: xxwut - C:\WINDOWS\

    After clicking Fix, exit HJT.
     
    Last edited by a moderator: Jan 30, 2007
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Part Two:

    Continue by downloading a tool we will need - Pocket KillBox.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
    Last edited by a moderator: Jan 30, 2007
  23. wsloan311

    wsloan311 Private E-2

    Here are new logs. All previous steps went fine.
     

    Attached Files:

  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run this ViewpointKiller to remove Viewpoint Media software.

    If this is not something you use or recognize, remove it with HJT:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.bluedawnsolutions.com/

    Let me know how things are running.
     
  25. wsloan311

    wsloan311 Private E-2

    ok ran it
    the mail.bluedawnsolutions is my work email site

    Everything seems good
     

    Attached Files:

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We missed one.
    Re-run PocketKillBox and add this file to be deleted:

    [quote]
    C:\WINDOWS\system32\jrsljdst.dll
    [/quote]

    Then lets see the logs for:
    ShowNew
    HJT
     
  27. wsloan311

    wsloan311 Private E-2

    Done. Here are logs
     

    Attached Files:

  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are looking clean.

    A few final steps:

    uninstall your old versions of Java:
    Java 2 Runtime Environment, SE v1.4.2_05

    Reboot and install the current version:

    Java Runtime Version 6


    Uninstall one of these as you should only have one Anti-virus running:
    eTrust or McAfee.

    Run CCleaner and empty out all your temp folders.

    Turn off system restore, reboot and re-enable system restore.

    Then read this thread:
    How to Protect Yourself from Malware
     
  29. wsloan311

    wsloan311 Private E-2

    All done.
    Only weird thing is I get this error box on startup
    RUNDLL
    Error loading C:/documents and settings/wade sloan/local settings/application data/frkhcm.dll
    The specified module could not be found.

    Everything is running great though.

    Thanks a lot.
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can't get these deleted:

    Use Windows Explorer to delete the below (use PocketKillBox if you have problems deleting these):
    Then run HJT and have it fix this item:
    O4 - HKLM\..\Run: [lfrkhcm.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Wade Sloan\Local Settings\Application Data\lfrkhcm.dll",vvbnxeg

    Now tell me how things are running.
     
    Last edited by a moderator: Feb 1, 2007
  31. wsloan311

    wsloan311 Private E-2

    All done, thanks, everything is running fine.
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated
    C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from
    your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix
    Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the
    C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or
    any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you
    extracted from the ZIP files. You can also delete the C:\newfiles.txt and
    C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which
    will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore
    Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  33. wsloan311

    wsloan311 Private E-2

    I'm getting the extremeaccess.com internet explorer screen popping up on my computer now.
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    How rude!!

    Please attach new logs for:
    ShowNew
    GetRun
    HJT
     
  35. wsloan311

    wsloan311 Private E-2

    Attached logs
     

    Attached Files:

  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's run Pest Patrol and see what it finds.
    Attach the log from it as well as new scan logs from the other three.
     
  37. wsloan311

    wsloan311 Private E-2

    done
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The first question that should be addressed is why the steps in message # 32 were not followed.
     
  39. wsloan311

    wsloan311 Private E-2

    I followed every step
     
  40. wsloan311

    wsloan311 Private E-2

    Tried to save Pest Patrol log, but it's 15000 KB, won't upload. Tried to use the limit file size option, but it's still 15000 KB when I do that.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look like it to me. If you did, you would have had an antivirus, a firewall and other protection installed like SpywareBlaster. I don't see a properly running antivirus or firewall even though your log mentions something about CA eTrust Internet Security Suite. From what I can tell it does not appear to be installed properly.
     
  42. wsloan311

    wsloan311 Private E-2

    etrust isn't installed right? I was told I had that and mcafee so I got rid of mcafee and now have etrust running. I can try to reinstall I guess
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall PestPatrol! It will not fix anything anyway.


    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.


    Now run Spybot S&D and run "Immunize" again because deldomains will remove all of the sites Spybot adds to your Restricted Zone.




    Attach a new HJT log now.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have some of McAfee trying to load too and that should be removed. Did you purchase CA eTrust?
     
  45. wsloan311

    wsloan311 Private E-2

    all done, here is hjt
    No, haven't purchased etrust
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you going to?

    Also did you purchase Prevx1? If not, are you going to?

    Did you add the below back to your Trusted Zone?
    O15 - Trusted Zone: www.adslconnection.name
    O15 - Trusted Zone: www.softlab.name
    O15 - Trusted Zone: www.xxx-content.name
     
  47. wsloan311

    wsloan311 Private E-2

    No, haven't purchased anything. My boss said he wanted me to go to windows site and download a program they have.
    Haven't added anything to trusted zone.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot run without protection and CA eTrust and Prevx1 are only trials that will expire if they have not already. The Microsoft One Care stuff is not highly recommended but that's up to you and your boss if you want to spend/waste the money on it.


    Is this something you installed? C:\Program Files\EverythingAccess.com

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\WADESL~1\LOCALS~1\Temp\20072184226_mcappins.exe /v=3 /cleanup
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\WADESL~1\LOCALS~1\Temp\20072184222_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKLM\..\Run: [euoai] C:\Documents and Settings\Wade Sloan\Application Data\faretoraci\sysvmtrs.exe
    O15 - Trusted Zone: www.adslconnection.name
    O15 - Trusted Zone: www.softlab.name
    O15 - Trusted Zone: www.xxx-content.name
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.softlab.name/closer/close.exe

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\wapisvcc.exe
    C:\WINDOWS\system32\xrgcgn.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folder and delete if found:
    C:\Documents and Settings\Wade Sloan\Application Data\faretoraci

    Now run the procedure with DelDomains again. Make sure to re-run Spybot and re-Immunize immediately.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  49. wsloan311

    wsloan311 Private E-2

    All of this went fine.
    Here are files
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you apply the registry patch? It does not look like it. Try again and make sure you receive a success message. SHUTDOWN Prevx1 before trying to add the patch.

    Also have Killbox delete the below file:
    C:\WINDOWS\Downloaded Program Files\AUTO_2N.exe



    Attach a new log from GetRunKey.

    I see you uninstalled CA eTrust. What are you going to do with Prevx1 and what are you going to do for an antivirus and a firewall? Are you going to install what we suggested in the How to protect thread? Running for even as little as 5 minutes without this protection software can lead to serious infections if your PC gets detected on the internet.
     
