Spyware? Trojans? Problems?...heck yes

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shields19, Dec 22, 2004.

  1. shields19

    shields19 Private E-2

    First, Great, Great site. You folks that reply to a dumb@$$ like me, are the frickin' best!!

    I have numerous problems and any help would be greatly appreciated. I'm running XP-sp2, IE v6.0 sp2, HJT v1.99, and all the current software suggestions listed in the "spy, trojan, virus removal" post (Although I just added them yesterday). Currently, I have three logins (mine, wife, child). When we try to open IE, most of the time nothing happens. When we try to open Windows Explorer, most of the time nothing happens. Every once in a while, IE will open, but say can't find site. We have had the "blank" and "search....." hijack, the NEO toolbar. In the past I've always been able to run Ad-Aware and it would allow me access to the internet. 2 wks ago, when I would select IE, it would open a ms-dos screen and try to run "run.exe". I would select ignore and it would open. Then, I deleted some files, it went away, IE worked for a week, now...squat. I also get the "win min" message when I shut down.

    In safe mode (logged on as Adm.), Under "getting prepared", I was able to follow the steps (1-4). Question, I know I've had the blank and home search hijack, but the "exact" files listed were not found when I followed step 2, should I be looking for something else?
    Under the "scanning" section, I was able to scan (found/deleted numerous Trojans/worms/viruses) and run Stinger. I then completed steps 2-4. Most of these scans found/deleted/fixed numerous files (my computer was/is jacked up).

    Now for the Dumb@$$ questions. IE and Win Explorer work in safe mode, but only in safe mode. If a file is not on the desktop, I have trouble accessing it in normal mode. Sometimes, after about 10 minutes of selecting IE or WE, WE will open, but there is no rhyme or reason (e.g. I can't do anything with IE or WE in normal mode...99% of the time). Plus when I'm in safe mode, the only logins that show up are Adm, and mine (child and wife gone), does that matter? The only way I can run HJT is in safe mode, is that okay? Do I have to go through the "spyware, trojan, virus removal" steps for each user? and how do I do this if they don't show in safe mode?

    Thanks and appreciate ANY help!

    Byron
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs Byron!

    First to answer a couple of your questions:
    1) Yes each user account will have to be checked for problems
    2) HJT in safe mode is not typically going to provide us as much info as we will need. But it could be better than nothing.

    Did you run HSremove and About:Buster?
    Although we do not like to do this normally, get HijackThis onto your Desktop and see if you can run it from normal boot mode. If so, post the log. If you cannot get it to work in normal mode, post a log from safe mode. Don't forget to tell me which it is from.
     
  3. shields19

    shields19 Private E-2

    chaslang- you are one bad mofo (that's a good thing). I don't know how the hell you do it, but man I appreciate the help. Think I'm gonna start calling you Dr. C (like Dr. J of the Philly 76'ers, who took people to school on the basketball court...only you take people to school on the information hwy).

    I went back and re-ran "getting prepared steps" and "the scanning cleaning" steps, from start to finish on the "spy, trojan, virus removal page" (including the two you asked about).

    Still no luck. But on the good side, it took quite some time and I'm tired as hell. Here is what I know. I have 2 user accounts, mine and my wife's (deleted a third one). In safe mode, I still only see Adm (not mine), and my wife's. There is no way to choose my account (damn women:). Anyway, ran everything for both of the logins I could see.

    After trial and error, I disconnected my cable modem and was able to run HJT in normal mode, in her account login and mine as well. I have attached both logs. I noticed if attached to the cable box, bad things happened and I had a hell of time opening windows explorer, but once disconnected, windows explorer ran smooth as butter.

    One last thing, no matter how or where I change my wife's home page, it always tries to open, http://www.searchportal.info/100391. Also when I installed SP2 about two weeks ago, it allowed me to add sites I wanted to block access to, I believe I added the above site to the list. But now I can't find how I did it (quit your laughing man, it's late as hell).

    Anyway, thanks for any help possible. I will be out of town Friday through next Wed. If I don't hear from you tomorrow, I will check back next Wed. Happy Holidays Dr. C!!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Byron's Logfile

    Question:
    You have WinXP SP2 which has a built-in firewall but you also have installed ZoneAlarm's firewall. You should only use one software firewall. So either the WinXP SP2 firewall must be disabled or you must uninstall ZoneAlarm (which can be a pain to completely uninstall).


    Comment:
    Before we start fixing things with HJT you need to get it into a proper directory so that backups can be saved.
    You are currently running it from the ZIP file and will not get backups. Please extract the executable file from the ZIP file and put it into a new folder called c:\Program Files\HJT. You must do this before continuing with the fixes. If you have a problem figuring out how to do that, let me know before you start fixing anything.

    The Fixes:
    Click Start, Run and enter services.msc into the box and click OK.
    That will bring up the services. Look for a service that says ISEXEng, if running, right click and click stop. Then double click on it and change start up type from Automatic to Disable.


    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\searchbar2.dll
    then click OK. If a dialog box confirming this action appears, click OK.


    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u c:\program files\partypoker\IEExtension.dll
    then click OK. If a dialog box confirming this action appears, click OK.


    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\??rss.exe
    C:\windows\pnhsuqe.exe
    C:\windows\xjdntdh.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yoursearcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
    R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
    F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll
    O2 - BHO: (no name) - {C9ACA819-45A2-4A89-B020-9DD34ADFAE40} - (no file)
    O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe"
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\BYRON\Application Data\amee.exe
    O4 - HKCU\..\Run: [Qyt] C:\WINDOWS\System32\??rss.exe
    O4 - HKCU\..\Run: [nvrsfi] C:\WINDOWS\System32\nvrsfi.exe
    O4 - HKCU\..\Run: [elqwiem] c:\windows\snmesuk.exe
    O4 - HKCU\..\Run: [camlvtd] c:\windows\mfgjlum.exe
    O4 - HKCU\..\Run: [tmdnhcv] c:\windows\acklqqd.exe
    O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
    O4 - HKCU\..\Run: [dyajijp] c:\windows\wvmemoi.exe
    O4 - HKCU\..\Run: [hrtjove] c:\windows\pnhsuqe.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [ijqjjsl] c:\windows\tinafnm.exe
    O4 - HKCU\..\Run: [whjwdfq] c:\windows\tinafnm.exe
    O4 - HKCU\..\Run: [fnqfsil] c:\windows\tinafnm.exe
    O4 - HKCU\..\Run: [fssmcbo] c:\windows\tinafnm.exe
    O4 - HKCU\..\Run: [fdjxcrt] c:\windows\sgajeps.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
    O19 - User stylesheet: (file missing)
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\??rss.exe
    C:\windows\pnhsuqe.exe
    C:\windows\xjdntdh.exe
    C:\WINDOWS\System32\searchbar2.dll
    C:\WINDOWS\inetdata <--- the whole directory
    C:\WINDOWS\System32\tss.exe
    C:\Documents and Settings\BYRON\Application Data\amee.exe
    C:\WINDOWS\System32\nvrsfi.exe
    c:\windows\snmesuk.exe
    c:\windows\mfgjlum.exe
    c:\windows\acklqqd.exe
    C:\WINDOWS\System32\winpack.exe
    c:\windows\wvmemoi.exe
    c:\windows\tinafnm.exe
    c:\program files\partypoker <--- the whole directory

    If you have a problem finding or deleting any of these let me know. If the problem is in deleting them, run Task Manager right now and look for any of those executable files to be running. If so, end them and then try the delete.

    Empty your Recycle Bin. Also go to c:\windows\Prefetch and delete any file you see there that contains pieces of those files we are deleting.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
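    The procedure above (stop the orphaned service, regsvr32 /u the DLLs, have HJT fix the listed lines, delete the files from safe mode) follows directly from what each section of the HJT log represents. As an added example, not code from the thread or from HijackThis, the Python below parses HJT lines of the kinds quoted here and groups them into those four actions. The BAD_MARKERS list and the one benign Zone Labs Run entry are assumptions constructed for the sample; in practice each line is judged by research, which is what the helper is doing by hand.

```python
"""Turn HijackThis (HJT) log lines into the four remediation actions used above.

Added example for this thread; not code from MajorGeeks or from HijackThis.
Actions: lines for HJT to fix, DLLs to unregister (regsvr32 /u), files to delete
from safe mode, and services whose image is gone ("file missing") to stop and
disable in services.msc. BAD_MARKERS is an assumption fitted to this log.
"""
import re

# Constructed sample: lines quoted from the thread's logs, plus one benign
# Zone Labs Run entry (constructed, not from the log) to show what is kept.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm
R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll
O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [Qyt] C:\WINDOWS\System32\??rss.exe
O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Assumed: substrings the analyst has already identified as hostile in this log.
BAD_MARKERS = ("yoursearcher.com", "searchportal.info", "inetdata", "searchbar2.dll",
               "neo-toolbar.com", "tss.exe", "??rss.exe", "angelex.exe", "zeta.exe", "partypoker")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def parse_line(line):
    """Return a dict for one HJT line, or None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    e = {"section": sec, "raw": line.strip(), "path": None, "missing": False, "service": None}
    if sec in ("R0", "R1"):                          # IE registry value: key = url
        e["key"], _, e["url"] = body.partition(" = ")
    elif sec == "F3":                                # win.ini run= line
        e["path"] = body.split("=", 1)[1].strip()
    elif sec in ("R3", "O2", "O3", "O9", "O16"):     # last " - " field: path, URL or "(no file)"
        e["path"] = body.rsplit(" - ", 1)[-1].strip()
    elif sec == "O4":
        m4 = O4_RE.match(body)
        if m4:
            e["hive"], e["name"] = m4.group("hive"), m4.group("name")
            e["path"] = m4.group("cmd").strip().strip('"')   # quoted path, no arguments assumed
    elif sec == "O23":
        m23 = O23_RE.match(body)
        if m23:
            e["service"], e["path"] = m23.group("svc"), m23.group("path")
            e["missing"] = m23.group("missing") is not None
    return e


def build_plan(log_text, markers):
    """Group flagged lines into the four actions the thread's fixes use."""
    plan = {"hjt_fix": [], "unregister": set(), "delete": set(), "services": []}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        orphan = e["path"] == "(no file)"            # registry points at nothing: fix it, nothing to delete
        flagged = any(mk.lower() in e["raw"].lower() for mk in markers)
        if not (orphan or flagged):
            continue
        plan["hjt_fix"].append(e["raw"])
        p = e["path"] or ""
        if p.lower().endswith(".dll"):
            plan["unregister"].add(p)                # regsvr32 /u before deleting a loaded COM DLL
        if p.lower().endswith((".exe", ".dll")) and not e["missing"]:
            plan["delete"].add(p)                    # delete from safe mode after killing the process
        if e["service"]:
            plan["services"].append(e["service"])    # stop, then set Startup type to Disabled
    plan["unregister"] = sorted(plan["unregister"])
    plan["delete"] = sorted(plan["delete"])
    return plan


if __name__ == "__main__":
    for action, items in build_plan(SAMPLE_LOG, BAD_MARKERS).items():
        print(action)
        for item in items:
            print("   ", item)
```

    The orphan rule is why the "(no file)" BHO and URLSearchHook entries are fixed in HJT but never appear in the delete list, and why the two "(file missing)" services are disabled rather than hunted for on disk.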
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Beth's Logfile

    Comment:
    Same comment about where HijackThis is being run from.

    The Fixes:
    Click Start, Run and enter services.msc into the box and click OK.
    That will bring up the services. Look for a service that says ISEXEng, if running, right click and click stop. Then double click on it and change start up type from Automatic to Disable.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\searchbar2.dll
    then click OK. If a dialog box confirming this action appears, click OK.


    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u c:\program files\partypoker\IEExtension.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/10039/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
    F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll
    O2 - BHO: (no name) - {C9ACA819-45A2-4A89-B020-9DD34ADFAE40} - (no file)
    O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    Boot into safe mode and use Windows Explorer to delete (these may already be gone due to Byron's being fixed):
    C:\WINDOWS\System32\searchbar2.dll
    C:\WINDOWS\inetdata <--- the whole directory
    C:\WINDOWS\System32\tss.exe
    c:\program files\partypoker <--- the whole directory

    If you have a problem finding or deleting any of these let me know. If the problem is in deleting them, run Task Manager right now and look for any of those executable files to be running. If so, end them and then try the delete.

    Empty your Recycle Bin. Also go to c:\windows\Prefetch and delete any file you see there that contains pieces of those files we are deleting.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. shields19

    shields19 Private E-2

    Dr. C

    Thanks for the help!! After I leave work, I will try your fixes tonight and let you know how it turns out.

    Happy Holidays

    Byron
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Byron! Same to you ... Happy Holidays!
     
  8. shields19

    shields19 Private E-2

    Dr. C

    Tried to make changes to my logfile like you suggested. I was able to do everything except the following:

    regsvr32 /u c:\program files\partypoker\IEExtension.dll -Not Found (NF)

    C:\WINDOWS\System32\??rss.exe -Found csrss.exe and deleted it
    C:\windows\xjdntdh.exe -NF

    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing) - NF



    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\??rss.exe -csrss.exe, access denied, but was not running in Task Mgr
    C:\WINDOWS\System32\searchbar2.dll - access denied, but was not running in Task Mgr
    C:\WINDOWS\System32\tss.exe -NF
    C:\Documents and Settings\BYRON\Application Data\amee.exe -NF
    C:\WINDOWS\System32\nvrsfi.exe -NF, but found nvrsfi.dll
    c:\windows\snmesuk.exe -NF
    c:\windows\mfgjlum.exe - NF
    c:\windows\acklqqd.exe -NF
    C:\WINDOWS\System32\winpack.exe -NF
    c:\windows\wvmemoi.exe -NF
    None of these were running in Task Mgr.

    I could only follow your instructions if I unplugged my cable box, otherwise it would sit there and do nothing. I also noticed after running HJT and selecting fix, I had problems with the "Win Min" message when trying to shut down.

    After following your instructions and logging out of safe mode, I restarted in normal mode so I could run HJT the second time and see how the system was working (with cable box plugged in). I received the following messages:
    Windows can't find "c:\windows\inetdata\services.exe"
    Windows can't find "c:\windows\inetdata\services.exe specified in registry"

    When I opened IE I received the following messages:
    dimigha.exe encountered problems
    hngyjsm.exe encountered problems
    riwkbsg.exe encountered problems
    I also noticed in Task Mgr, that there were numerous versions of all three running and making the processor run at 100%. Also, IE still tried to open "yoursearch.com". The only way I could run HJT was to unplug my cable box and reboot.

    I have attached my latest log, and it looks like I must have jacked something up because I think it looks pretty close to the one I sent yesterday.

    I will make the changes you suggested to Beth's login and let you know if I have any better luck (This may not be till next week...)

    THANKS FOR ALL YOUR HELP AND Happy Holidays

    Byron
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A quick note before continuing to look at your post.

    C:\WINDOWS\System32\??rss.exe is not the same thing as csrss.exe

    You should not have deleted it. You need to get a copy back into your system32 folder.

    csrss.exe - Process Information
    Microsoft Client/Server Runtime Server Subsystem

    Description:
    csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

    See if you really deleted it. If so, look in either c:\i386 or c:\windows\i386 for csrss.exe and copy it back to your system32 folder. If you see csrss.ex_ , the underscore means it is a compressed version of the file that needs to be expanded first. Let me know what you find and can do.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we need to verify something first before continuing. Make sure you have the following setup properly.

    - Right click Start and select Explore.
    - Select the Tools menu and click Folder Options.
    - Select the View Tab.
    - Under the Files and Folders heading
    - Make sure you put a check on Display the contents of system folders
    - Under the Hidden files and folders heading put a check on Show hidden files and folders.
    - Uncheck the Hide extensions for known file types option.
    - Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.

    Let me know if any (and which) of those were not set as I just gave you.

    Damn! You spread those problems like a plague!
    Did anything else go wrong during the procedure?
    Did you have ALL browsers, email sessions etc closed while doing the steps? Basically it would be good if nothing was run except what I mention in the procedure.
     
    Last edited: Dec 24, 2004
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From now on make sure you do ALL fixes while your cable box is not connected.
    So print these instructions so you can follow while offline.

    Please download and unzip ProcessExplorer to your PC: ProcessExplorer for Win NT/2K/XP
    Put it in a directory named c:\SysInternals

    From now on run it instead of TaskManager. It is better at showing processes and it is better at killing them. Has some other great features too. Configure it like this:

    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".

    Now click on File and then Save As. And save the process list (we will upload it later).

    Look for these DLL files in c:\windows\system32
    msqsb.dll, msqsb6.dll

    If found, delete them. If they will not delete, use the regsvr32 /u command to unregister them first and then delete.

    We need to get a handle on all those O4 processes running. I'm not sure if this will work to reduce the number or not but boot in safe mode and do the below:
    1) Run ProcessExplorer and have it kill (some are duplicates - they could be running more than once. Kill all instances)

    C:\windows\fsfgieu.exe
    C:\windows\tgtvaja.exe
    C:\windows\hngyjsm.exe
    C:\windows\tgtvaja.exe
    C:\windows\lvigbdl.exe
    C:\windows\riwkbsg.exe
    C:\windows\lvigbdl.exe
    C:\windows\lvigbdl.exe
    C:\windows\dimigha.exe
    C:\windows\riwkbsg.exe
    C:\windows\lvigbdl.exe
    C:\windows\dimigha.exe
    C:\windows\riwkbsg.exe
    C:\windows\lvigbdl.exe
    C:\windows\riwkbsg.exe
    C:\windows\lvigbdl.exe
    C:\windows\riwkbsg.exe
    C:\windows\lvigbdl.exe
    C:\windows\lvigbdl.exe
    C:\windows\riwkbsg.exe
    C:\windows\riwkbsg.exe
    C:\windows\lvigbdl.exe
    C:\windows\lvigbdl.exe
    C:\windows\riwkbsg.exe
    C:\windows\lvigbdl.exe
    C:\windows\riwkbsg.exe
    C:\windows\riwkbsg.exe
    C:\windows\lvigbdl.exe
    C:\windows\lvigbdl.exe
    C:\windows\riwkbsg.exe

    2) try simply having HJT fix the below:
    O4 - HKCU\..\Run: [mevnuln] c:\windows\tinafnm.exe
    O4 - HKCU\..\Run: [ksnomho] c:\windows\tinafnm.exe
    O4 - HKCU\..\Run: [kkyjfol] c:\windows\fsfgieu.exe
    O4 - HKCU\..\Run: [dawijre] c:\windows\tgtvaja.exe
    O4 - HKCU\..\Run: [hrdihrt] c:\windows\hngyjsm.exe
    O4 - HKCU\..\Run: [vvxqawk] c:\windows\hngyjsm.exe
    O4 - HKCU\..\Run: [qgacpiw] c:\windows\tgtvaja.exe
    O4 - HKCU\..\Run: [jhaqwsr] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [qiinsuv] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [dcpwkhh] c:\windows\eciglpt.exe
    O4 - HKCU\..\Run: [mdnxmcu] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [twsdytn] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [chtrfdh] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [pjklrgr] c:\windows\agskbgo.exe
    O4 - HKCU\..\Run: [gtekcuq] c:\windows\dimigha.exe
    O4 - HKCU\..\Run: [ijdocfm] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [rkinksi] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [jiogttd] c:\windows\eciglpt.exe
    O4 - HKCU\..\Run: [ncphcxn] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [bdfimtb] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [tepepnw] c:\windows\agskbgo.exe
    O4 - HKCU\..\Run: [hkrtmgb] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [hcwgedm] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [kxcqcke] c:\windows\dimigha.exe
    O4 - HKCU\..\Run: [nvvmqeo] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [ryyyrvp] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [jmuxjis] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [srkdxrq] c:\windows\eciglpt.exe
    O4 - HKCU\..\Run: [gwkpmxr] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [mrqkkvp] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [edqmovp] c:\windows\agskbgo.exe
    O4 - HKCU\..\Run: [ovehfys] c:\windows\dimigha.exe
    O4 - HKCU\..\Run: [hjfrdfc] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [twqtrgg] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [wnjytfg] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [imptter] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [gyteoxj] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [vpbwnpp] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [svkbife] c:\windows\dimigha.exe
    O4 - HKCU\..\Run: [olsxacy] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [tdhxlqc] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [fjmernh] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [ghfngsa] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [xkhtocy] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [gxysdwj] c:\windows\eciglpt.exe
    O4 - HKCU\..\Run: [ijsaeqy] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [ebkmtwu] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [bdllnbo] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [cwgsbco] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [tlgwvtk] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [sbqrfhy] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [kndabif] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [vjyrryb] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [leybnnv] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [hcisoxg] c:\windows\eciglpt.exe
    O4 - HKCU\..\Run: [nydcdlx] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [hfhosqd] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [ovakipy] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [rkkpkdt] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [bsjerbk] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [xufaeos] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [srgtxfe] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [ksbgdga] c:\windows\agskbgo.exe
    O4 - HKCU\..\Run: [mnrlfhv] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [gkcahkx] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [avipdnb] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [lmcbult] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [ueadqhs] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [dcinkrb] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [ctadylw] c:\windows\agskbgo.exe
    O4 - HKCU\..\Run: [oiigeqe] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [mqdnqxp] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [wjvlojs] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [hipdete] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [pivttnc] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [vhssibd] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [lqelsdl] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [yhfnssw] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [sbvblda] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [nhvitpc] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [nwkjcsu] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [wtqgcua] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [uchtoak] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [bltctwb] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [tllrwxe] c:\windows\agskbgo.exe
    O4 - HKCU\..\Run: [rbhvyra] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [gainqky] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [vjkkgjr] c:\windows\ecnwdft.exe
    O4 - HKCU\..\Run: [ffhqcpu] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [lsyhlkl] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [uktauli] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [aeabfid] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [pmaklvo] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [mmjagdf] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [iwktlnx] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [xptgwcw] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [bfuqcsg] c:\windows\agskbgo.exe
    O4 - HKCU\..\Run: [ripcbed] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [svkbcxs] c:\windows\vjeebkj.exe
    O4 - HKCU\..\Run: [fwaxrlk] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [qxkepsw] c:\windows\pmfopbn.exe
    O4 - HKCU\..\Run: [mynngoc] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [mrlkfat] c:\windows\mmtewtf.exe
    O4 - HKCU\..\Run: [occglud] c:\windows\xdqtyqy.exe
    O4 - HKCU\..\Run: [wtwlkwk] c:\windows\lvigbdl.exe
    O4 - HKCU\..\Run: [xlfambu] c:\windows\hciqeog.exe
    O4 - HKCU\..\Run: [ycvtjtr] c:\windows\agskbgo.exe
    O4 - HKCU\..\Run: [dgiwnoy] c:\windows\riwkbsg.exe
    O4 - HKCU\..\Run: [qvgoopu] c:\windows\jqxcpyt.exe
    O4 - HKCU\..\Run: [ctaegsf] c:\windows\rpkypsb.exe
    O4 - HKCU\..\Run: [fcrsjrn] c:\windows\vcbdpqk.exe
    O4 - HKCU\..\Run: [ishqcnx] c:\windows\bgxeedf.exe
    O4 - HKCU\..\Run: [xbjvnpj] c:\windows\ivrpsdw.exe
    O4 - HKCU\..\Run: [ioyhgvj] c:\windows\htmmijy.exe
    O4 - HKCU\..\Run: [qyxjpci] c:\windows\fdxnhxn.exe
    O4 - HKCU\..\Run: [cufvdjn] c:\windows\ykgshyt.exe
    O4 - HKCU\..\Run: [yjqmpdu] c:\windows\wsxbkqa.exe
    O4 - HKCU\..\Run: [ddfjlre] c:\windows\jgmfjws.exe
    O4 - HKCU\..\Run: [ploveie] c:\windows\ejmvgbr.exe
    O4 - HKCU\..\Run: [lskhwvd] c:\windows\kyqkxbl.exe
    O4 - HKCU\..\Run: [fafffjw] c:\windows\hlrdyxa.exe
    O4 - HKCU\..\Run: [iwtexsb] c:\windows\hgwylge.exe
    O4 - HKCU\..\Run: [jqiwwor] c:\windows\hivcpxc.exe
    O4 - HKCU\..\Run: [hlblhkm] c:\windows\xpxgejw.exe
    O4 - HKCU\..\Run: [modkcdp] c:\windows\vcbdpqk.exe
    O4 - HKCU\..\Run: [gmlvbjc] c:\windows\lrsvqig.exe
    O4 - HKCU\..\Run: [woyirjs] c:\windows\htmmijy.exe
    O4 - HKCU\..\Run: [wnqenjk] c:\windows\ykgshyt.exe
    O4 - HKCU\..\Run: [dsqovas] c:\windows\hgwylge.exe
    O4 - HKCU\..\Run: [aqrkmad] c:\windows\ivrpsdw.exe
    O4 - HKCU\..\Run: [gtgnegm] c:\windows\kyqkxbl.exe
    O4 - HKCU\..\Run: [yxjpwri] c:\windows\bgxeedf.exe
    O4 - HKCU\..\Run: [rrfbfsu] c:\windows\fdxnhxn.exe
    O4 - HKCU\..\Run: [lpmnsjk] c:\windows\wsxbkqa.exe
    O4 - HKCU\..\Run: [yyycmec] c:\windows\xpxgejw.exe
    O4 - HKCU\..\Run: [taqrtek] c:\windows\hivcpxc.exe
    O4 - HKCU\..\Run: [wfnihow] c:\windows\jgmfjws.exe
    O4 - HKCU\..\Run: [ysnkrrx] c:\windows\rpkypsb.exe
    O4 - HKCU\..\Run: [kxbwexn] c:\windows\ivrpsdw.exe

    Boot in normal mode and get a new HJT scan - log1.txt. Then reconnect your cable and get a second HJT scan - log2.txt. Now come back here and post the ProcessExplorer process list and both HJT logs.
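    The list above is long because the dropper registers each of a handful of executables under many random Run value names, and the Process Explorer list repeats the same image once per running instance. As an added example, not code from the thread, HijackThis or Process Explorer, the Python below collapses such lines to the unique executables behind them and flags the generated-name pattern visible in this log. The seven-letter rule, the "directly in C:\WINDOWS" rule and the benign ctfmon.exe line are assumptions fitted to this sample, not a general malware signature.

```python
r"""Collapse a flood of randomly named HKCU Run entries into a short kill list.

Added example for this thread; not code from MajorGeeks, HijackThis or
Process Explorer. It encodes the pattern in the helper's list: value names
and executable stems that are seven random lowercase letters, files dropped
directly in C:\WINDOWS, and many Run values pointing at the same executable.
Both rules are assumptions fitted to this log.
"""
import re
import ntpath
from collections import Counter, defaultdict

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RANDOM7 = re.compile(r"^[a-z]{7}$")

# Constructed sample: O4 lines quoted from the thread plus one legitimate
# ctfmon.exe entry (constructed) to show what the heuristic leaves alone.
SAMPLE_O4 = r"""
O4 - HKCU\..\Run: [mevnuln] c:\windows\tinafnm.exe
O4 - HKCU\..\Run: [ksnomho] c:\windows\tinafnm.exe
O4 - HKCU\..\Run: [jhaqwsr] c:\windows\lvigbdl.exe
O4 - HKCU\..\Run: [bdfimtb] c:\windows\lvigbdl.exe
O4 - HKCU\..\Run: [mrqkkvp] c:\windows\lvigbdl.exe
O4 - HKCU\..\Run: [ijdocfm] c:\windows\riwkbsg.exe
O4 - HKCU\..\Run: [jmuxjis] c:\windows\riwkbsg.exe
O4 - HKCU\..\Run: [gtekcuq] c:\windows\dimigha.exe
O4 - HKCU\..\Run: [ryyyrvp] c:\windows\hciqeog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample: the first lines of the posted kill list, duplicates included.
SAMPLE_PROCS = r"""
C:\windows\fsfgieu.exe
C:\windows\tgtvaja.exe
C:\windows\hngyjsm.exe
C:\windows\tgtvaja.exe
C:\windows\lvigbdl.exe
C:\windows\riwkbsg.exe
C:\windows\lvigbdl.exe
C:\windows\lvigbdl.exe
C:\windows\dimigha.exe
C:\windows\riwkbsg.exe
"""


def looks_generated(name, path):
    r"""True when the Run value name and the exe stem are both seven lowercase
    letters and the file sits directly in C:\WINDOWS (this dropper's pattern)."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    in_windows_root = ntpath.dirname(path).lower() == r"c:\windows"
    return bool(ext.lower() == ".exe" and RANDOM7.match(name) and RANDOM7.match(stem) and in_windows_root)


def triage_o4(log_text):
    """Group O4 lines by target executable: every value name pointing at it
    and whether the generated-name heuristic fires for that file."""
    groups = defaultdict(lambda: {"names": [], "generated": False})
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = m.group("cmd").strip().strip('"')
        key = path.lower()                       # NTFS paths are case-insensitive
        groups[key]["names"].append(m.group("name"))
        groups[key]["generated"] |= looks_generated(m.group("name"), path)
    return dict(groups)


def files_to_delete(groups):
    """The short list that actually needs to go: one entry per flagged executable."""
    return sorted(path for path, g in groups.items() if g["generated"])


def unique_kill_list(proc_text):
    """Deduplicate a process list, keeping the instance count (kill every instance)."""
    counts = Counter(p.strip().lower() for p in proc_text.splitlines() if p.strip())
    return sorted(counts.items())


if __name__ == "__main__":
    for path, g in sorted(triage_o4(SAMPLE_O4).items()):
        print(f"{'FLAG' if g['generated'] else 'keep'} {path}  <- {len(g['names'])} Run value(s)")
    print("delete:", files_to_delete(triage_o4(SAMPLE_O4)))
    print("kill:", unique_kill_list(SAMPLE_PROCS))
```

    Ten Run lines reduce to five executables to delete, and ten process entries to six images to kill; the same reduction applied to the full list above is what turns it into something a person can work through offline.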
     
  12. shields19

    shields19 Private E-2

    Dr. C

    Thanks for everything. I will be out of town for a couple days, but will try your suggestions next Tues night and let you know how everything goes. I've said it before, but I really appreciate ALL the hard work and help you have provided.

    Have a great Holiday.


    Byron

    p.s. I only stopped csrss.exe in Task Mgr, the system wouldn't let me delete it in HJT or safe mode. My Dad always says..."dumb people, do dumb things!" and "better lucky, than good" I'm beginning to think he was talking about me.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Byron! Enjoy the Holiday and we'll talk on Tuesday.

    Don't feel dumb! There are a ton of files on your PC. It is not easy to know what they are all for. A word of wisdom though. Don't guess at what someone means. Always ask a question if not sure about something. Malware loves to trick you. They give bad things similar-looking names to valid programs to trick you. And in some cases they use the exact same name but run it from a different location. So you not only need to be careful that you are matching the EXACT filename but also have to know the path it is supposed to be running from. In your case, a process ??rss.exe was shown running. The question marks are occurring due to some non-valid characters in the filename and you needed to kill that process (??rss.exe) not csrss.exe. Always read directions carefully and note the actual spelling in filenames. Another example: if I said to delete c:\windows\svchost.exe and you did not find it, but then you continued to look and found it in c:\windows\system32\svchost.exe, you should not delete the second one because that was not what I asked you to delete. If unsure, you stop and ask a question. I hope this is sinking in. It is very important to follow directions exactly and in most cases even the exact order is critical. (That was a lot of "a word of wisdom"!)
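    Posts 9 and 13 make the same point twice: match the exact name and the exact folder, and treat a name that Task Manager shows with "?" characters as a different file, not as csrss.exe. As an added example, not from the thread, the Python below applies those rules to a list of process image paths. The KNOWN_GOOD baseline, the constructed non-ASCII stand-in for the "??rss.exe" entry (the real characters are not known from the log), and the hypothetical scvhost.exe near-miss are assumptions for illustration.

```python
"""Tell a system process from a lookalike by charset, exact name and exact folder.

Added example for this thread; not code from MajorGeeks, Task Manager or
Process Explorer. KNOWN_GOOD is an assumed, partial Windows XP baseline.
The sample paths are constructed: the non-ASCII name stands in for the
"??rss.exe" entry shown in the log, and scvhost.exe is a hypothetical
transposed-letter lookalike.
"""
import ntpath

KNOWN_GOOD = {  # image name -> folder it must run from (lowercase); assumed baseline
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\csrss.exe",                  # the real one: leave it alone
    "C:\\WINDOWS\\System32\\\u00e7\u00f5rss.exe",      # stand-in for the ??rss.exe entry
    r"c:\windows\svchost.exe",                         # post 13's example: right name, wrong folder
    r"C:\WINDOWS\System32\scvhost.exe",                # hypothetical transposition
    r"C:\Program Files\HJT\HijackThis.exe",            # not in the baseline
]


def unprintable_chars(name):
    """Characters outside printable ASCII: what Task Manager rendered as '?'."""
    return [c for c in name if not 0x20 <= ord(c) < 0x7F]


def osa_distance(a, b):
    """Restricted Damerau-Levenshtein: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_image(path, known_good=KNOWN_GOOD):
    """Return (verdict, reason). Order matters: charset first, then exact name
    plus folder, then one-edit near misses, else unknown (research, don't guess)."""
    folder, name = ntpath.dirname(path).lower(), ntpath.basename(path)
    lname = name.lower()
    odd = unprintable_chars(name)
    if odd:
        return "suspicious", f"non-ASCII characters {odd!r} in name: not the same file as any system process"
    if lname in known_good:
        if folder == known_good[lname]:
            return "ok", "known system image in its expected folder"
        return "suspicious", f"system image name running from {folder!r}, expected {known_good[lname]!r}"
    near = [k for k in known_good if osa_distance(lname, k) <= 1]
    if near:
        return "suspicious", f"one edit away from {near[0]!r}: likely a lookalike"
    return "unknown", "not in baseline: research before killing or deleting"


def triage(paths):
    """Apply check_image to a process list, keeping the path for the report."""
    return [(p, *check_image(p)) for p in paths]


if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_PROCESSES):
        print(f"{verdict:10} {path}  ({reason})")
```

    The ordering is the point: the charset test fires before any name comparison, so the stand-in for ??rss.exe is never mistaken for csrss.exe, and the genuine csrss.exe in System32 passes untouched.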
     
  14. shields19

    shields19 Private E-2


    I checked, and everything is setup just as you described
     
  15. shields19

    shields19 Private E-2

    Dr. C
    Got in late last night and spent a couple hours TRYING to do everything you suggested. As usual, I ran into problems. The big problem is, I am unable to run MY login in safe mode, I can only run Administrator or Beth, mine does not show. Therefore, I log in as Adm. and make your changes. Then using my login I reboot in Normal mode and I am unable to follow your instructions because the PC will not allow it (e.g. The PC locks-up). Here is exactly what I did last night and why.

    -Logged on in Safe Mode (as Administrator), Downloaded, Unzipped, and Configured ProcessExplorer.
    -Looked for msqsb.dll or msqsb6.dll, but did not find
    -In Safe Mode, the 20+ processes you listed were not running.
    -Ran HJT, again the O4 processes you mentioned were not running.
    -Saved Process List.

    -Booted in Normal Mode, Unable to open anything except TaskManager, due to the CPU being maxed at 100%.
    -Logged back into SafeMode, configured ProcessExplorer to open using Ctrl-Alt-Delete.
    -Logged into normal mode, and was still unable to open ProcessExplorer using Ctrl-Alt-Delete. (I waited 10 minutes, believe other process maxing CPU)
    -Logged into safe mode, configured ProcessExplorer to NOT open using the Ctrl-Alt-Delete.
    -Logged back into Normal Mode and using Task Manager, I ended about 60 processes, then I was able to open ProcessExplorer and HJT. Saved Process List. I ran HJT and deleted the selected O4 processes you mentioned. I also found several R1, R0, O2, O3 processes you had me delete last time (e.g. ...yoursearch, no name, Neo Toolbar). Since these were exactly like the list you told me to kill before, I had HJT kill them also. Saved logfile.
    Re-booted the PC in normal mode, again CPU maxed out and had to run TaskManager to end 40+ processes. Created HJT log. Cried in beer. Cussed profusely. Cried in another beer. Gave up for the night.


    I know this isn't how you said to do it, but when I run in Safe Mode as Adm. everything looks okay. When I run in Normal Mode using my login, everything blows up and I can ONLY use the PC once I have ended numerous processes using only TaskMgr. This is the only way I can get HJT or anything else to run. I will send the HJT logs tonight.

    This morning I changed my login from "Byron" to "B". I didn't have time to see if this makes a difference, but when I log in to Safe Mode, it is only showing the first two logins, Administrator and Beth. I hope, changing my login to B, it will show Adm. and B. I then hope, the processes you suspect running in SafeMode under my login, will appear in SafeMode and you and I can finally be on the same page.
     
  16. shields19

    shields19 Private E-2

    Dr. C
    I think we're getting closer. Made the change to my login name, this made a huge difference. Now I can use my login and make changes both in SafeMode and Normal Mode. Before, I never saw my login name in SafeMode and all the changes were made to the Adm. login. Although I don't see Beth's login now, when I get ready to fix her login, I know how to make it viewable in SafeMode.
    Started at step one and went through everything you told me. In Safe Mode I was able to use HJT and delete all the O4 processes (which now allows me to work in normal mode).
    I have attached a file called, Procexp_B_12-29-04.txt (on 12-24-04, you asked me to create this file, but until now, I was unable). I have also attached my HJT log, B_HJT12-29-04log1.log, which was run in Safe Mode before I killed 330+ O4 processes.

    Because I can only attach 2 files, I will attach the other two HJT logs you asked for, in your message on 12-24-04 (give me about two minutes).

    Although I still get the about:blank web page, I can at least NOW perform simple tasks like open HJT and ProcessExplorer!

    Thanks for all the help

    Byron
     

    Attached Files:

  17. shields19

    shields19 Private E-2

    Dr. C
    After following your instructions, I have attached one log file, "B_HJTNormalMode12-29-04.log". This log was created in Normal Mode without my cable box hooked up. The other file, "B_NormalMode_HJT12-29-04_2.log", was created with the box hooked up.

    For some reason, I deleted the O2 process BHO: Neo Toolbar, but it still shows up every time I run HJT again. As I mentioned earlier, I still have the about:blank page when I open IE. But, in SafeMode, I'm good to go.

    Thanks and Happy New Year.

    Byron
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's start with the searchbar2.dll problem again now that you can boot in safe mode.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\searchbar2.dll
    then click OK. If a dialog box confirming this action appears, click OK.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll
    O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\searchbar2.dll

    Also while in safe mode look for and delete (if found) those processes we were seeing before:
    C:\windows\fsfgieu.exe
    C:\windows\tgtvaja.exe
    C:\windows\hngyjsm.exe
    C:\windows\lvigbdl.exe
    C:\windows\riwkbsg.exe
    C:\windows\dimigha.exe

    Reboot in normal mode. Open an IE session and allow it to connect to whatever start page comes up, then exit IE. Now get a new HJT log and post it.
     
  19. shields19

    shields19 Private E-2

    Dr. C

    Followed your instructions, had a couple questions.

    -Unregistered searchbar2.dll
    -Ran HJT. Didn't find either line (O2 or O3). But did find an O2 that looked very close. Thought I would delete it, but decided I should wait to hear from you.
    -In safe mode, deleted searchbar2.dll
    -None of the processes you listed were running. Everything looked pretty decent, although had several instances of svchost.exe.

    Logged in Normal Mode, opened IE, opened to about:blank

    Thanks

    Byron
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    svchost.exe is a valid Windows process that will normally be seen multiple times.

    The O2 line is there but the file is now missing because we unregistered it and deleted the file. So have HJT fix:

    O2 - BHO: (no name) - {722E8B26-1C44-460F-88BB-50C82B20E30E} - (no file)

    Then rescan with HJT. If the O2 entry is now gone or it is still there just tell me. I don't need a log unless something else comes up.
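    The O2/O3 lines from the earlier instructions and the "(no file)" remnant in this post, as an added example that is not part of the original thread: a small Python parser for HijackThis O2 (BHO) and O3 (toolbar) lines that groups entries by CLSID and reports the things a helper looks for in a log, in particular a registration whose DLL has been removed but whose registry entry is still present, which is why the O2 line keeps coming back until HJT fixes it. The two "before" lines are the ones posted in the thread; the R1 line and the "after" line are constructed for the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HijackThis O2 (BHO) and O3 (toolbar) lines share one layout:
#   O2 - BHO: <name> - {CLSID} - <path or "(no file)">
HJT_O2_O3 = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.+)$"
)


@dataclass
class HjtEntry:
    section: str
    kind: str
    name: str
    clsid: str
    path: str

    @property
    def file_missing(self) -> bool:
        # HJT prints "(no file)" when the registry still points at a DLL that is gone
        return self.path.strip().lower() == "(no file)"

    @property
    def unnamed(self) -> bool:
        return self.name.strip().lower() == "(no name)"


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for an O2/O3 line, or None for any other log line."""
    m = HJT_O2_O3.match(line.strip())
    return HjtEntry(**m.groupdict()) if m else None


def review_entries(lines: List[str]) -> Dict[str, List[str]]:
    """Group O2/O3 entries by CLSID and attach the observations worth reporting."""
    by_clsid: Dict[str, List[HjtEntry]] = {}
    for line in lines:
        entry = parse_hjt_line(line)
        if entry:
            by_clsid.setdefault(entry.clsid.upper(), []).append(entry)
    report: Dict[str, List[str]] = {}
    for clsid, entries in by_clsid.items():
        notes: List[str] = []
        if any(e.file_missing for e in entries):
            notes.append("orphaned registration: DLL is gone but the registry entry remains")
        if any(e.unnamed for e in entries):
            notes.append("unnamed entry")
        if {e.kind for e in entries} == {"BHO", "Toolbar"}:
            notes.append("same CLSID registered as both a BHO and a toolbar")
        report[clsid] = notes
    return report


# Constructed sample logs. The two O2/O3 lines are the ones from the thread; the
# R1 line is a constructed non-O2/O3 line the parser should ignore.
BEFORE_FIX = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank",
    r"O2 - BHO: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll",
    r"O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\searchbar2.dll",
]

# What remains after regsvr32 /u and deleting the DLL: the registry entry only.
AFTER_UNREGISTER = [
    "O2 - BHO: (no name) - {722E8B26-1C44-460F-88BB-50C82B20E30E} - (no file)",
]

if __name__ == "__main__":
    for label, log in (("before", BEFORE_FIX), ("after unregister", AFTER_UNREGISTER)):
        print(label)
        for clsid, notes in review_entries(log).items():
            print(" ", clsid, "->", "; ".join(notes) or "nothing odd")
```

    Unregistering and deleting the DLL removes the code but not the BHO registration keyed by that CLSID, so the log still shows the entry with "(no file)"; having HJT fix that line is what removes the registry entry, after which a rescan shows nothing for that CLSID.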
     
  21. shields19

    shields19 Private E-2

    Dr C

    Can you say HOLY CRAP! This bad boy is close (I think). I deleted the O2 line in HJT. Then I logged into Normal Mode a couple times and the HJT log was always clean. PC runs smooth (e.g. no "extra" processes running).

    Changed my IE home page to excite.com, but it still doesn't allow access to the internet (although I have internet access in SafeMode). I hate to say this, but is it possible for you to give me assistance in trying to get IE to run?

    I know you probably hate to hear this, but damn this stuff is fun. Funny how it works... follow instructions...boom, PC starts to come back from the dead. 10 days ago, I was ready to say the hell with it. Now, I can almost taste success.

    Thanks

    Byron
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell me exactly what happens when you try to connect in normal boot mode.

    Also have you tried installing and using Mozilla Firefox. Try it and see if you can access the internet with it in normal boot mode.
     
  23. shields19

    shields19 Private E-2

    Dr. C
    Open IE
    "Detecting proxy settings" (message in lower left corner)
    Receive Zone Alarm message (IE trying to access the internet)
    I select "allow"
    "finding site excite.com" (message in lower left corner)
    in the address bar is "excite.com"
    Message header on a white page "The page cannot be displayed"
    the text of the message includes generic stuff like "you may need to adjust browser settings"

    I have looked at my settings in safe mode and normal mode, I don't see any difference.

    I am downloading Mozilla right now. I will install, run, and let you know if it works.

    Thanks

    Byron
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'll be around for a little while longer.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you use a proxy server to connect to the Internet?
    How do you connect? Dial-up, Cable, DSL?
     
  26. shields19

    shields19 Private E-2

    Did I mention you were the frick'n MAN! This message is coming from my normal login using Mozilla!!

    At first Mozilla wasn't running in normal mode, but would run in safe mode. After a couple minutes the only thing I could think of that was different was Zone Alarm wasn't running in SafeMode.
    Logged in Normal Mode, ended Zone Alarm, Mozilla worked. Closed Mozilla, opened IE, it worked. I made some changes to Zone Alarm. Both Mozilla and IE now work. But I get the following message box every time I open a page when using IE:
    - Network connections-
    You (or a program) have requested information from google.com. Which connection do you want to use.
    At the bottom of the box, it gives me the options of settings, connect, cancel
    ---------------
    Is this a problem? Does it matter, as long as I only use Mozilla? Should I delete IE or just remove it from my Desktop?
    ------------
    One last question. I noticed in Zone Alarm, in Program Control, I have two programs that look funny: nvrsfi.exe and snmesuk.exe. nvrsfi.exe is located in c:\windows\system32. snmesuk.exe is located in c:\windows. I have blocked access and server rights to both of these (e.g. red x in all 4 fields). Are these two files okay?
    -----------
    Am I correct in assuming my login is fixed? Is there anything else I need to do to it besides reviewing the Malware instructions and properly protecting my PC? Is it okay to start working on my wife's login?

    THANKS

    Byron
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you cannot delete IE. And you may need it some day (some sites like even Microsoft Update will not work unless you use IE.)

    ZoneAlarm is not showing you what is in system32. It is showing you a list of programs that at one time tried to access the internet. Look in system32 yourself and delete those two files if they exist and then if you want, you can delete them from ZoneAlarm's Control list.

    I would say this Login is Fixed. At least it seems to be.
    Yes let's work your wife's login. But let's start a new thread for it to avoid any confusion about what was going on here. And before starting that thread. Run all the READ ME FIRST stuff and do all the other steps we have done here (as appropriate). Then if necessary, post a new message indicating what you have done and what problems you have. Reference this thread too.

    But before ending this thread make sure you have completed this: How to Protect yourself from malware!
     
  28. shields19

    shields19 Private E-2

    This is awesome!! Go get some sleep. I can't tell you how upset and happy I've felt during this process. When the stuff works, this is a lot of fun.

    Thanks. I will follow the Malware instructions and start to work on the next login.

    Again, Thanks for all the help.

    Byron.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And I do need the sleep! :)
     
