unknown HijackThis entry

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Whatisausername, Oct 21, 2005.

  1. Whatisausername

    Whatisausername Private E-2

    I can't figure out what this is for

    O4 - HKLM\..\Run: [utiiwio] C:\winnt\system32\ddvqrrf.exe

    I've tried searching via the list at http://www.sysinfo.org/startuplist.php and google, but no results.
    Also the folder 'WINNT' is in capital letters on my C: directory as opposed to the small letters in the entry, if that matters at all.
    So does anyone know what this is for?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Doesn't look legit to me, I would locate the file manually and rename it to ddvqrrf.bad and then fix the entry in HJT.

    Be sure you have the viewing of hidden files and folders enabled and also uncheck where it says hide file extensions.
     
  3. Whatisausername

    Whatisausername Private E-2

    My hidden files and my extensions are visible. I have typed in the address in the address bar, to get to the folder, and then I used the search function (I can't search the entire computer due to an explorer.exe error inducing folder).
    However this file wasn't found, I even opened the folder to check manually.
    Any other suggestions?

    I was thinking, since I couldn't find info on the file on the internet, it won't be a system critical entry, and HiJack This makes backups of fixed files; could I just fix it, and see what happens?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    HJT just removes the startup registry entry, it doesn't actually delete the file. To delete the file you can do the below:

    Download Pocket KillBox

    Now, Copy and Paste BAD FILE HERE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, attach a full HJT log from normal mode.
     
  5. Whatisausername

    Whatisausername Private E-2

    The file doesn't exist, but here is my log anyway.
     

  6. Whatisausername

    Whatisausername Private E-2

    I'm sorry, I hadn't closed my web browser yet before running the scan. Here is the correct log
     

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The file exists or it wouldn't be in the HJT log, just because you can't find it doesn't mean it doesn't exist, it's just hidden well ;)

    You have a few issues that we need to address...

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  8. Whatisausername

    Whatisausername Private E-2

    Is a quick scan OK too? If I do a full scan, it will scan this folder

    C:\Documents and Settings\ERIK\Local Settings\Temp\Temporary Internet Files

    and any scanner that scans that folder crashes, including this one.

    BTW, there may be some leftover pieces of text in dutch, but I don't think it will pose a problem.
     

  9. Whatisausername

    Whatisausername Private E-2

    It's late, very late here in Belgium, so I'm going to turn off the computer. Do I need new scan reports tomorrow, or can I just keep the ones I have?
     
    Last edited: Oct 21, 2005
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First you need to run CCleaner to clean out all of the junk files, then do a FULL scan with Ewido not a quick scan, follow my post very carefully skipping nothing.

    After you do this, attach a new HJT log.
     
  11. Whatisausername

    Whatisausername Private E-2

    I suppose CCleaner is to remove that folder that can't be scanned, right? Unfortunately it didn't work, I've also tried various other TEMP cleaning programs, several delete on boot programs, I've tried deleting it manually, nothing works. I can't even open it, view its properties, or delete it manually, without causing an explorer.exe error.
    I also get this error message with some scanners:

    Access violation at address 395F3834. Read of address 395F3834.

    I'm sorry, but a full scan is impossible while that folder exists. Quickscan doesn't seem to have this problem.
     
  12. Whatisausername

    Whatisausername Private E-2

    Just a fresh batch of saved logs, and some questions

    1) When I boot in safe mode, I get the choice between 'safe mode' 'safe mode with network capabilities' and another type of safe mode. So I'm assuming regular safe mode doesn't have network capabilities. My question is, if I run regular safe mode, do I still need to unplug my network cable to sever all connections to the internet?

    2) What functions does ewido lose when its trial period is over?

    3) Is quickscan really insufficient, because it's impossible to do a full scan, because of that immortal, 'scan impossible'-making folder.

    4) Is advice regarding a 'HiJack This' log useless if the log was made during a previous boot?

    Well those were my questions. Both my attached scan logs are recent, but ewido was done with quick scan.
     

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, just so you will know there is no way possible for anything to get access during the cleaning.

    After the trial period I don't think you can use it anymore, that's why it's a trial.

    CCleaner will clean the folder, never has it failed for me! You must run the Ewido scan exactly as I request or its no good.

    When you attach a HJT log, they usually are good for a few hours. After that depending on the users actions it can change.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What we are going to do is this, if not already downloaded, download and install CCleaner. With the default boxes checked click on "Run Cleaner". If any errors or problem occur reboot into Safe Mode and run it again. There shouldn’t be any reason why this program can’t run.

    Be sure you have Admin rights also.
     
  15. Whatisausername

    Whatisausername Private E-2

    Since I'm the only user on this computer, I assume I have admin rights.

    CCleaner says it has cleaned internet temporary files, but that one map isn't deleted, I've also tried a truckload of other deleting tools. Also, an error occurs when I try to analyse or clean the system temporary files.

    And every time I start IExplorer, ewido detects these spywares:

    -spyware.findspy --> c:\WINNT\system32\bndmod.exe
    -spyware.MSNagent --> c:\WINNT\system32\hlmicro.exe
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following utility:

    TrendMicro Spyware Cleaner

    1. Click the above to download utility
    2. Select Run
    3. Click Scan to begin spyware detection, and follow prompts.
    Note: To use this tool, you must agree to the terms of the end user license agreement. Your computer may also display a warning that the tool is attempting to run. Click Yes to proceed.

    After the scan completes, reboot and run CCleaner once more and let me know how things are running.
     
  17. Whatisausername

    Whatisausername Private E-2

    Sorry, still the same problem with that folder. I could attach the partial log if that'll help.
     
  18. Whatisausername

    Whatisausername Private E-2

    I'm running spybot now, I completely forgot I still had that installed, and it found utiiwio in a registry value. It recognises the spyware as CoolWWWSearch.Feat2Instaler

    I also have Google toolbar installed, and I've read somewhere that spyware may use this. And google is acting weird, sometimes it doesn't go to the link it finds. And every time I go to google, my 'previous'-button gets disabled. Do you know anything about this?
     
    Last edited: Oct 26, 2005
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, I don't, personally I hate any toolbar so I would uninstall, but that's me!

    Did the TM scanner find anything? What?
     
  20. Whatisausername

    Whatisausername Private E-2

    Unfortunately, TM also stopped working after it got to that folder. It did create a partial scan log though, if that is of any use.
     
  21. Whatisausername

    Whatisausername Private E-2

    Good news, I ran spybot, ad-aware SE and Fixwareout.exe today. And MS antispyware is blocking the startup registry "dmgwd.exe" after I ran Fixwareout. I don't know which one did it, but that folder is now accessible.
    I will run the full scans first chance I get.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will be awaiting results!
     
  23. Whatisausername

    Whatisausername Private E-2

    Here it finally is. I ignored the parts where ewido listed iMesh as spyware, because I still use that.
    Should I uninstall Ewido before the trial period is up?
     

  24. Whatisausername

    Whatisausername Private E-2

    And in addition to those two, here is a panda log.
     

  25. Whatisausername

    Whatisausername Private E-2

    Sorry for the triple post, but mom reset the computer, here is a fresh HiJack log. The Panda log is one post back, and the Ewido log is two posts back

    Can I safely move the HiJack this folder to another folder? When I try this windows says it may not work properly.
     

    Last edited: Oct 31, 2005
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Microsoft AntiSpyware


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:.htm

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)

    O4 - HKLM\..\Run: [Windows Update Host] hoster.exe
    O4 - HKLM\..\Run: [dmhfb.exe] C:\WINNT\system32\dmhfb.exe
    O4 - HKLM\..\RunServices: [Windows Update Host] hoster.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Windows Update Host] hoster.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O17 - HKLM\System\CCS\Services\Tcpip\..\{113940A9-A124-4EF1-8478-462D07B3D2E8}: NameServer = 85.255.113.99,85.255.112.24
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
    O17 - HKLM\System\CS1\Services\Tcpip\..\{113940A9-A124-4EF1-8478-462D07B3D2E8}: NameServer = 85.255.113.99,85.255.112.24
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
    O17 - HKLM\System\CS2\Services\Tcpip\..\{113940A9-A124-4EF1-8478-462D07B3D2E8}: NameServer = 85.255.113.99,85.255.112.24
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
    (If you know these entries and need them, do not check these)

    O19 - User stylesheet: (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\run.cxq

    C:\WINNT\system32\favme.exe
    C:\WINNT\system32\msexnpfi.exe
    C:\WINNT\system32\dmhfb.exe

    internat.exe <-- Search for this file and delete if found!
    hoster.exe <-- Search for this file and delete if found!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
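    As an added example (not from this thread, and not part of HijackThis), a small Python script that parses O4 and O17 log lines like the ones above and flags the two patterns bjgarrick acted on: startup entries whose executable has a random-looking name or no path at all, and NameServer values outside a trusted set (the hijacked 85.255.x.x resolvers here). The trusted DNS set and the ccApp control line are assumptions.

```python
import re

# Constructed sample: the O4 and O17 entries discussed in this thread, plus one
# ordinary-looking control line (ccApp) that should not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [utiiwio] C:\winnt\system32\ddvqrrf.exe
O4 - HKLM\..\Run: [Windows Update Host] hoster.exe
O4 - HKLM\..\Run: [dmhfb.exe] C:\WINNT\system32\dmhfb.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{113940A9-A124-4EF1-8478-462D07B3D2E8}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1
"""

# Assumed: the resolvers this machine is expected to use (e.g. the home router).
TRUSTED_DNS = {"192.168.1.1"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")

def looks_random(basename: str) -> bool:
    """Heuristic: no vowels at all, or a run of 4+ consonants (ddvqrrf, dmhfb)."""
    stem = basename.lower().rsplit(".", 1)[0]
    return (re.search(r"[aeiou]", stem) is None
            or re.search(r"[b-df-hj-np-tv-z]{4,}", stem) is not None)

def scan_hjt(log_text: str, trusted_dns: set) -> list:
    """Return one finding string per suspicious line; empty list means nothing flagged."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            # Take the executable path up to ".exe" so paths with spaces survive.
            exe_match = re.match(r'"?([^"]+?\.exe)', m.group("cmd"), re.I)
            exe = exe_match.group(1) if exe_match else m.group("cmd").split()[0]
            base = exe.rsplit("\\", 1)[-1]
            if "\\" not in exe:
                findings.append(f"O4 [{m.group('name')}]: bare filename {base}, no path given")
            if looks_random(base):
                findings.append(f"O4 [{m.group('name')}]: random-looking executable name {base}")
            continue
        m = O17_RE.match(line)
        if m:
            rogue = [s for s in m.group("servers").split(",") if s not in trusted_dns]
            if rogue:
                findings.append(f"O17: NameServer not in trusted set: {', '.join(rogue)}")
    return findings

if __name__ == "__main__":
    for finding in scan_hjt(SAMPLE_LOG, TRUSTED_DNS):
        print(finding)
```

    The name heuristic is deliberately crude; it is a triage aid for picking which entries to research, not a verdict.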
  27. Whatisausername

    Whatisausername Private E-2

    Finally, here it is.

    Can I reinstall MS antispyware if everything is OK, or is it not such a recommendable thing to do?

    Second, if I cut/paste my HiJack this folder to another folder, will it still work properly?
     

  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you can reinstall MSAS once you're completely clean.
    No, it will be fine!
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is now clean, you must now get updated. You need to update your OS to Service Pack 4 and Internet Explorer 6 SP1 for security purposes.

    Are you having any further problems?
     
