infected


siedog

Hi,

I have another computer that has the XP system in Chinese, but I don't read Chinese unfortunately (it's for my uncle, and he doesn't understand English too much). His system is infected with a few baddies, and after going through the removal steps, I re-booted, but keep getting this popup run dll error saying it's missing the c:\windows\system32\iefsqxxn.dll file.

Rebooting is very slow; it takes a while to place all icons on the desktop. Internet connection is also slow.

Attached is the hjt log, combofix and avgantispyware log files.

Nothing came up on the rootkit scan.

Please help and advise on what to do next or programs to uninstall. I'm not too familiar with XP either.

Thanks.
 
There are two antivirus programmes running on that system. This is not recommended, will slow the system down and can cause serious conflicts.

I suggest you uninstall McAfee. Instructions HERE.

Then, do the following.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Regards Howard :)

This thread is for the use of siedog only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 

Attachments

  • avengerscript.txt
Ok, I uninstalled McAfee and ran the Avenger program. Attached is the script and new HJT log. Still slow when booting, and the Comodo firewall says when booting up that it failed to initialize and a fresh reinstall may help.

Still getting the run dll error. I also get a "failed to find local server" dialog box and some kind of vstskmngr dialog box. Please advise. Thanks.
 
I asked for a fresh Combofix log as well.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: {118cff44-ad4c-6fa8-a044-c076011952d8} - {8d259110-670c-440a-8af6-c4da44ffc811} - C:\WINDOWS\system32\igcpybnj.dll (file missing)

O2 - BHO: (no name) - {CA3CB9D6-A5A2-485C-982F-81C2487844A1} - C:\WINDOWS\system32\ssqpq.dll (file missing)

O4 - HKLM\..\Run: [40641a68] rundll32.exe "C:\WINDOWS\system32\iefsqxxn.dll",b

O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab

O20 - AppInit_DLLs: tbkrnl32.dll

O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll (file missing)

O20 - Winlogon Notify: iifggeb - iifggeb.dll (file missing)

O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll (file missing)

O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll (file missing)

O20 - Winlogon Notify: pmnnl - C:\WINDOWS\system32\pmnnl.dll (file missing)

O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders(if there).

C:\WINDOWS\system32\iefsqxxn.dll
C:\WINDOWS\system32\tbkrnl32.dll

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard :)

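As an added triage example (not from this thread, HijackThis or any of the tools Howard names), the script below applies the same reasoning Howard used to pick the entries above: orphaned "(file missing)" references, a rundll32 Run value with a random name, a populated AppInit_DLLs, unknown Winlogon Notify packages, and an ActiveX download from a non-Microsoft host. The entries are quoted from the log lines above plus one constructed benign O4 line; the Winlogon Notify allow-list is an assumption and is not exhaustive.

```python
import re
from urllib.parse import urlparse

# HijackThis entries quoted from the thread, plus one constructed benign O4 line (ctfmon).
HJT_LINES = r"""
O2 - BHO: (no name) - {CA3CB9D6-A5A2-485C-982F-81C2487844A1} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O4 - HKLM\..\Run: [40641a68] rundll32.exe "C:\WINDOWS\system32\iefsqxxn.dll",b
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O20 - AppInit_DLLs: tbkrnl32.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

# Winlogon Notify packages that ship with XP (assumption: a minimal allow-list, not exhaustive).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
RANDOM_RUN_NAME = re.compile(r"^\[[0-9a-f]{8}\]$")                       # e.g. [40641a68]
RUNDLL_EXPORT = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\s*\S+$', re.I)  # rundll32 "x.dll",export

def triage(lines):
    """Return (line, reason) for every entry a reviewer would tick in HJT."""
    findings = []
    for line in lines:
        kind, _, rest = line.partition(" - ")
        reasons = []
        if rest.endswith("(file missing)"):
            reasons.append("orphaned entry: referenced DLL no longer on disk")
        if kind == "O4":
            value_name = rest.split(": ", 1)[1].split(" ", 1)[0]
            if RANDOM_RUN_NAME.match(value_name) and RUNDLL_EXPORT.search(rest):
                reasons.append("rundll32 autostart with random value name and export")
        elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
            if rest.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs set: DLL loaded into every GUI process")
        elif kind == "O20" and rest.startswith("Winlogon Notify:"):
            package = rest.split(": ", 1)[1].split(" - ")[0]
            if package not in KNOWN_NOTIFY:
                reasons.append("unknown Winlogon Notify package")
        elif kind == "O16":
            host = urlparse(rest.rsplit(" - ", 1)[1]).hostname or ""
            if not host.endswith("microsoft.com"):
                reasons.append(f"ActiveX download from {host}")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for entry, why in triage(HJT_LINES):
        print(f"{why}\n    {entry}")
```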
 
Oops, sorry, forgot about the Combofix log. I ran Combofix then ran another fresh HJT log, attached.
 
Ok, ran in safe mode, ticked and fixed the things in HJT, rebooted, ran Combofix and HJT. Attached are the logs. Still slow when booting, and Comodo still takes a long time to load up and icons to show up on the desktop. I got a popup saying can't find local server.
 
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\WINDOWS\system32\drivers\rhwsmvkl.sys

* Click Open
* Please let me know the results.

Rehide your protected OS files.

Other than the above possible nasty, your log files appear to be clean.

If the above file comes back as clean, please do the following.

Download the latest version of Comodo and disconnect from the net. Uninstall Comodo, then reinstall with the latest version. Reconnect to the net.

1.) Download WinsockFix.zip. (by: Option^Explicit)
2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
3.) Run WinsockFix.exe.
4.) Click the Fix button.

See if any of the above helps.

Regards Howard :)

 
Ok, tried to find that rhwsmvkl.sys file, but I don't see it.

Tried downloading the new version of Comodo, unplugged the net and uninstalling/reinstalling, but still slow when booting back up (takes about 3 minutes for icons to show on desktop). Tried to uninstall Comodo and install ZoneAlarm and still the same slowness.

I couldn't find that WinsockFix.zip file to download.

Please advise. Latest HJT log attached.
 
You would need to enable show all files and folders, including your protected OS files. Then, you should be able to see the C:\WINDOWS\system32\drivers\rhwsmvkl.sys file.


I've changed the link for Winsockfix in my post above. You shouldn't have any problems in downloading it now.

Your HJT log is clean as a whistle.

Run the Winsockfix and let me know if it helps.

Regards Howard :)

 
Ok, I have turned on all files/folders/extensions/OS files. Due to the fact that this is an OS in Chinese, it's difficult for me to know if I have shown all files/folders, etc., but I think I do because all the .sys files in the drivers folder are showing.

I am still not able to find that rhwsmvkl.sys file.

I ran Combofix again, and it still says it sees that file for some reason.

I ran the Winsock program, rebooted, and still it takes a while/gets stuck at the desktop and takes about 2-3 minutes before the icons are loaded. It keeps looking at the a:\ drive every now and then also.

I thank you for cleaning up the HJT file, but if there's any help in figuring out why booting up and placing the icons on the desktop takes so long, this would be tremendously appreciated.
 
Ok, let's get rid of that rhwsmvkl.sys file.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply.

Then we'll see about speeding the system up etc.

Regards Howard :)

 
Well, even the Avenger didn't find that file.

I don't know why we can't actually see that file, since it definitely shows up in your Combofix log.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Click edit and choose find. Type magyngxw into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to magyngxw and display them in the righthand pane. Right click on any such magyngxw entries and choose delete.

Now click edit again and choose find next. Again, delete any entries that reference magyngxw.

Close regedit.

Reboot into normal mode.

Let me know the results.

Regards Howard :)

 
Ok, booted into safe mode. Backed up the registry to my desktop. Tried to find that magyngxw file and it found a folder called legacy_magyngxw on the left hand side. I couldn't delete any files in this folder.

It also found another magyngxw folder on the left hand side as well. It seems I could delete this folder, but you said to look to delete any files on the right pane that reference magyngxw.

Also, it's in this folder that I saw a file that mentions the rhwsmvkl.sys file.

Should I delete this entire folder that's on the left hand side?
 
Ok, I deleted the magyngxw folder. I couldn't delete the legacy_magyngxw folder though. Rebooted and still very slow loading the icons on the desktop.

I just went back to the regedit and searched for magyngxw. It found the legacy_magyngxw folder but no magyngxw folder.

Let me know what's next. Thanks.
 
I don't think there's anything next mate.

I've done all I can think of.

Either you have some malware variant that we can't remove, or your computer needs a format in order to get it back to its former glory.

I don't know which, but I suspect the former.

If that was my system, I'd definitely reformat it.

Obviously, that's up to you, but something definitely ain't right.

I suppose you could try a Windows repair as per this thread and see if that helps at all.

I'm real sorry I've been unable to solve your problem.

Regards Howard :)

 