My first time here - Have you heard of this?

If you have run ALL the steps in the READ ME FIRST, follow the steps below.

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

First you must disable Spybot's Teatimer because it could get in the way of making the fixes we need to do.

To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
Now quit Spybot!

You must remember to exit browsers ( C:\Program Files\Internet Explorer\iexplore.exe ) before running HijackThis. Not doing so can make it difficult to impossible to repair certain problems.

Do you have any idea what the below two processes are for? The seem questionable to me.
C:\WINDOWS\GAWTDLL.EXE
C:\WINDOWS\GAWTENC.EXE


We need to stop, disable and remove a few bad services. They show in your HijackThis log as:

O23 - Service: ilaxrjiiaaexw - Unknown owner - C:\WINDOWS\system32\iiaaexw\ilaxrj.exe (file missing)
O23 - Service: lkdvsngrdeyo - Unknown owner - C:\WINDOWS\system32\sngrdeyo\lkdv.exe (file missing)
O23 - Service: njbprhmxxfpvsqex - Unknown owner - C:\WINDOWS\system32\xfpvsqex\njbprhmx.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: syaufgcicm - Unknown owner - C:\WINDOWS\system32\cicm\syaufg.exe (file missing)


Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Now repeat the above for the below services:
ilaxrjiiaaexw
lkdvsngrdeyo
njbprhmxxfpvsqex
syaufgcicm

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

System Startup Service

If that does not work, try using the short name of the service: SvcProc

Now repeat the HijackThis step to delete the other NT services:
ilaxrjiiaaexw
lkdvsngrdeyo
njbprhmxxfpvsqex
syaufgcicm

Now exit HijackThis and then move on to my next message.

 

After completing the steps in my previous message continue with these steps.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system\iqiqaa.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [njbprhmx] C:\WINDOWS\system32\xfpvsqex\njbprhmx.exe
O4 - HKLM\..\Run: [blgugj] C:\WINDOWS\system32\wycpv\blgugj.exe
O4 - HKLM\..\Run: [ilaxrj] C:\WINDOWS\system32\iiaaexw\ilaxrj.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe
O23 - Service: ilaxrjiiaaexw - Unknown owner - C:\WINDOWS\system32\iiaaexw\ilaxrj.exe (file missing)
O23 - Service: lkdvsngrdeyo - Unknown owner - C:\WINDOWS\system32\sngrdeyo\lkdv.exe (file missing)
O23 - Service: njbprhmxxfpvsqex - Unknown owner - C:\WINDOWS\system32\xfpvsqex\njbprhmx.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: syaufgcicm - Unknown owner - C:\WINDOWS\system32\cicm\syaufg.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system\iqiqaa.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\xfpvsqex <-- the whole folder
C:\WINDOWS\system32\wycpv <-- the whole folder
C:\WINDOWS\system32\iiaaexw <-- the whole folder
C:\WINDOWS\system32\sngrdeyo <-- the whole folder
C:\WINDOWS\system32\cicm <-- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Please do not post requests for help in a thread that is not yours. Just wait for your thread to be answered. This is a very busy forum but we will get to you eventually.

 

You're welcome. Your log is clean but I still wonder about what I asked in message # 4:

 

Hmmm! Do you see anything in Add/Remove programs that you do not recognize?

How large are those two files? What kind of PC brand do you have?

 

It may be okay to enable system restore but I would like to find out more info on these to files. Can you put them into separate ZIP files and then upload them here? Do you know how to do that?

Is your PC a Gateway PC? Could these be Gateway processes?


As far as the Sentinel program, does the below look familar.

http://www.safenet-inc.com/support/tech/sentinel.asp

 

Do you have WinZip installed? If not, then download and install it.

Then all you have to do is run Windows Explorer and right click on the file and select Add to Zip it will create the zip file for you using the name from the file itself.

Then just repeat for the other file. Then upload both of them as attachments.

 

I'm not sure what they are but they do seem strange. Are there anymore files around with the same old creation dates?

 

You're welcome George. Make sure you complete the steps in the below thread to help keep you clean:

How to Protect yourself from malware!