infecection suspected: profile keeps getting corupted

dkvinnie · Apr 17, 2008

I'm suspecting something may belurking on my system. Twice one of the accounts on our XP system have become corrupted. When trying to logon it would take forever and then fijnhally get a message that the local profile could not be located and was in use by another anothter user.
Other reasons I think something is amuck is that the HD will start spinning at times when I know scheduled scans are not running.

I had been running SPybot and AD Aware, and windows defender for a long while before this occurred.

I have tried root kit revealer too but nothing seems to be found.

I've followed your process completely and none of the malware scans found anything. Maybe there is something in the HJT log orthe CF logs.

I 've attached all the logs except SAS since it didn't find anything.

Hoping you can provide some help to get to the botton of this.

TimW · Apr 18, 2008

Did you install this:
VPN Client

It may be the cause of your issues so I am going to give you a fix and want you to uninstall VPN Client first.

* Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
* On the page that opens, scroll down to ADVYU
* then right click the entry, select Properties and press Stop Service.
* When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
* Now do the same for:
CRYIM
EKAR
FICYHFBIFY
GRBBYOOP
HIZKZLMW
LQIGRWY
MJZKCIT
NVYCL
OENDIMDLT
POOQ
RSZLAGNO
VFG
XJ
YQVSAZCIGKO
* Click OK until you get back to Windows.

* Next, run C:\MGtools\analyse.exe, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
* At the lower right, click on the Config button
* Then click the Misc tools button
* Select Delete an NT Service
* Copy/paste

ADVYU
CRYIM
EKAR
FICYHFBIFY
GRBBYOOP
HIZKZLMW
LQIGRWY
MJZKCIT
NVYCL
OENDIMDLT
POOQ
RSZLAGNO
VFG
XJ
YQVSAZCIGKO
Click to expand...

into the box that opens, and press OK
* If you receive any error messages just ignore them and continue.
* Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Now re-Run C:\MGtools\analyse.exe and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://uroam.progress.com/vdesk/terminal/urxvpn.cab#version=6010,2007,0223,0327
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\Kel\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://uroam.progress.com/vdesk/terminal/urTermProxy.cab#version=6010,2007,0223,0314
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://uroam.progress.com/vdesk/terminal/urxshost.cab#version=6010,2007,0223,0320
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://uroam.progress.com/vdesk/terminal/urxhost.cab#version=6010,2007,0223,0312
O23 - Service: ADVYU - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\ADVYU.exe (file missing)
O23 - Service: CRYIM - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\CRYIM.exe (file missing)
O23 - Service: EKAR - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\EKAR.exe (file missing) G
O23 - Service: FICYHFBIFY - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FICYHFBIFY.exe (file missing) G
O23 - Service: GRBBYOOP - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\GRBBYOOP.exe (file missing) G
O23 - Service: HIZKZLMW - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\HIZKZLMW.exe (file missing)
O23 - Service: LQIGRWY - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\LQIGRWY.exe (file missing) G
O23 - Service: MJZKCIT - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\MJZKCIT.exe (file missing) G
023 - Service: NVYCL - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\NVYCL.exe (file missing) G
O23 - Service: OENDIMDLT - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\OENDIMDLT.exe (file missing)
O23 - Service: POOQ - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\POOQ.exe (file missing)
O23 - Service: RSZLAGNO - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\RSZLAGNO.exe (file missing)
O23 - Service: VFG - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\VFG.exe (file missing) G
O23 - Service: XJ - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\XJ.exe (file missing) G
O23 - Service: YQVSAZCIGKO - Unknown owner - C:\DOCUME~1\MARCVI~1\LOCALS~1\Temp\YQVSAZCIGKO.exe (file missing)
Click to expand...

After clicking Fix, exit HJT.

Go back to services.msc and make sure those services are gone.....then tell me how things are running.

dkvinnie · Apr 20, 2008

Thanks for the quick response!
I sucessfully deleted all the services as listed. I did notice those after I sent off the logs.

WRT the VPN client; yes I did install that. One may have been the Cisco VPN client and the other was the F5 SSL VPN clinet. I can use both for access to our corporate network. I ran the uninstall for the Cisco one since I never use it. But I do use the F5 one associated to uroam.progress.com so I did not delete the O16 lines associated with the F5 except for the one for the user kel. I will be deleting that user since it was a tempoary fix when of the other user profiles became corrupt.

Things seem a bit better. I can logon using all the profiles and my logon doesn't seem to cause the disk to churn as it did before.

Do you haven any idea as to what was the specific issue was?

Are there things I did following your instructions to send you the initial post that I need to undo? e.g. Enable teatimer, reconfigure SAS?

TimW · Apr 20, 2008

No I don't....though I am leery of all those services and how they got there....you did check each profile, right?

Would you please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file so I can double check them.

dkvinnie · Apr 20, 2008

:confused
How do yo mean check each profile?
I've logged on tea each since the cleaning and I ran ccclaeaner ans SAS under each profile. But not the MGtools stuff.

TimW said: ↑

No I don't....though I am leery of all those services and how they got there....you did check each profile, right?

Also, is there any further undooing needed. For example my clock is still set to 24 hour time and I thought that would get rest back to 12 hr time after the tools were run.
Click to expand...

TimW · Apr 20, 2008

I've logged on tea each since the cleaning and I ran ccclaeaner ans SAS under each profile. But not the MGtools stuff.
Click to expand...

That was exactly what I meant .....and your system looks good. You can keep what you like as far as the anti-spyware programs are concerned. And re-enbale TeaTimer if you like.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
2.
* Click START then RUN
* Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
* Note: The space between the cf and the /U, it must be there.
3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
5. If you are running Windows XP or Windows ME, do the below:
* Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
6. After doing the above, you should work thru the below link:
How to Protect yourself from malware!

Log in or Sign up

infecection suspected: profile keeps getting corupted

dkvinnie Private E-2

Attached Files:

ComboFix.txt

mbam-log-4-17-2008 (15-38-29).txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

dkvinnie Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

dkvinnie Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member