Qrxzwwp.exe? - Cannot Complete 8 Steps

Status
Not open for further replies.

Smartkid

Posts: 25   +0
Hi,

I think my computer is infected with something, but I don't know what exactly. After I start-up, I cannot run any programs and I can tell that things are running in the background. It doesn't let me CTRL+ALT+DEL either. I'm able to boot up in Safe Mode however. I ran CCleaner. I already had MBAM installed on my computer but it doesn't run when I click on it. I uninstalled it and then tried to reinstall, but nothing happens when I click the install file. Similarly, I also have not been able to install SUPERAntiSpyware. I had a version of HijackThis already and was able to run that in Safe Mode (I don't think I have the latest version.)

I've attached my HijackThis log. Unfortunately I cannot complete all 8 steps. I have noticed that one of the programs that is constantly running in the background is qrxzwwp.exe. It also appears in the HijackThis log. I'm guessing that it's one of the things that's causing problems.

I'm hoping you guys can help me out. I think I'll only be able to work within SafeMode at the moment, because I cannot seem to do much when I do a normal boot-up.

Thanks in advance!
 

Attachments

  • hijackthis.log
    10.3 KB · Views: 5
Hello Smartkid

You have a large number of infections; therefore, please tell me, is your antivirus updated?


Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

Choose one of the servers at Majorgeeks....save the file on your desktop

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Reboot.

See if you can complete all 8 steps now?
 
Thanks touch.

I tried what you suggested and reset my hosts but I still cannot install the programs in order to complete the 8 steps.

I've attached a new HijackThis log. It at least looks a little better than before.

Is there anything else I can do?
 
Yes, there is more you can do ;)


Please download combofix here -> https://www.techspot.com/downloads/5587-combofix.html

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.


Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::

Snapshot::

File::
C:\WINDOWS\system32\zatarozu.dll
C:\WINDOWS\system32\nhser43uhjnefr.dll
C:\WINDOWS\asojumaf.dll
C:\WINDOWS\system32\hetiguta.dll
C:\WINDOWS\system32\laviweta.dll
C:\WINDOWS\TEMP\qrxzwwp.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2676015204.exe
C:\RECYCLER\S-1-5-21-3737289209-9135909911-675161945-2678\service.exe
C:\WINDOWS\system32\niyihifi.dll
C:\windows\system32\nawonane.dll

http://img.photobucket.com/albums/v6...FScriptB-4.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
 
Thanks touch.

I ran Combofix and have attached the log.

Combofix automatically rebooted my computer in the middle of the process and took me into Normal mode (I had been using Safe Mode). I was able to install mbam, superantispyware, and hijack this after Combofix had finished running.

Should I try to complete the 8 steps now? I wanted to check whether there was any followup on the Combofix procedure first.
 

Attachments

  • ComboFix.txt
    17.6 KB · Views: 5
I suggest you run the below fix, as there are still some infections/files in the combolog that I don't think any scanner can find.

Open notepad and copy/paste the text in the quotebox below into it:

Killall::

Snapshot::

File::
c:\windows\Nyiquwud.dat
c:\windows\Xcifadax.bin
C:\liymwuq.exe
C:\ijmaxk.exe
c:\windows\system32\drivers\OLDA.tmp
c:\windows\system32\drivers\63feb0eb.sys
C:\aoqckrns.exe
C:\wicnin.exe
C:\dmsiacq.exe
c:\windows\MOTA113.exe
c:\windows\meta4.exe
c:\windows\mdslomg.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\63feb0eb]

Save this as:
CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

Then attach fresh combofix log.
 
Thanks.

Attached are my logs. I had to run MBAM twice because it froze midway.

Is there anything else still wrong? My PC is still acting a bit funny. I had to uninstall my Norton Internet Security because it wasn't working anymore. I've installed Avira and ZoneAlarm for the time being. Are these good enough? Do you recommend any other protection programs? I think Norton wasn't that good since it allowed me to get all these infections in the first place.
 

Attachments

  • hijackthis.log
    10.3 KB · Views: 5
Avira and Zone Alarm are good enough. I can only agree about Norton ;)


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
(Description: Adware by Backweb Technologies)

The following are not spyware/malware, but I suggest you place a check mark next to the following entries and hit 'Fix checked' , as these programs may be taking up system resources.

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
(Description: HP software update checker and wizard launcher.)
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
(Description: HP software update checker and wizard launcher.)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
(Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
(Description: Adobe reader startup - unnecessarily uses system resources.)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)


Unfortunately, you have got new infections; I'd therefore like you to post a new combofix log.

Uninstall the version you have ->

To uninstall ComboFix.exe And all Backups of files that it deleted
Click START then RUN
Now type Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

When shown the disclaimer, Select "2"

Download newest version ->

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running Combofix, if you have any.


Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.
Please attach it to your next post.
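
The O4 lines quoted above are HijackThis autostart entries, and the files removed earlier in this thread sat in Temp folders, RECYCLER and the drive root. The following is an added example, not part of the original posts: a small triage script that parses O4 lines and flags targets in those locations. The location heuristics and the sample lines (value names example1 to example3) are constructed for illustration; the paths reuse ones quoted in the thread.

```python
import re
from pathlib import PureWindowsPath

# HijackThis O4 (autostart) lines come in two shapes on this page:
#   O4 - HKLM\..\Run: [ValueName] command
#   O4 - Global Startup: Shortcut.lnk = target
O4_RUN = re.compile(r'^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_LNK = re.compile(r'^O4 - (?P<loc>[^:]+): (?P<name>.+?\.lnk) = (?P<cmd>.+)$')
EXE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|com|scr|bat|dll)\b', re.I)

def reasons(path):
    """Location heuristics (assumed; based on where this thread's files sat)."""
    dirs = [p.lower() for p in path.parts[1:-1]]  # directories only
    found = []
    if "temp" in dirs:
        found.append("runs from a Temp directory")
    if "recycler" in dirs:
        found.append("runs from the Recycle Bin store")
    if not dirs:
        found.append("sits in the drive root")
    return found

def triage(lines):
    """Return (entry name, path, reasons) for each O4 entry worth a closer look."""
    hits = []
    for line in lines:
        m = O4_RUN.match(line.strip()) or O4_LNK.match(line.strip())
        exe = EXE.search(m.group("cmd")) if m else None
        if not exe:
            continue
        why = reasons(PureWindowsPath(exe.group(0)))
        if why:
            hits.append((m.group("name"), exe.group(0), why))
    return hits

# Constructed sample log lines; not taken from the attached logs.
SAMPLE = r'''
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [example1] C:\WINDOWS\TEMP\qrxzwwp.exe
O4 - HKCU\..\Run: [example2] C:\RECYCLER\S-1-5-21-3737289209-9135909911-675161945-2678\service.exe
O4 - HKLM\..\Run: [example3] C:\liymwuq.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
'''

if __name__ == "__main__":
    for name, path, why in triage(SAMPLE.splitlines()):
        print(f"{name}: {path} -> {', '.join(why)}")
```

A flagged entry is a lead for review, not a verdict: legitimate installers occasionally run from Temp, and malware can also sit in ordinary program folders.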
 
Sorry I haven't gotten to this - I've been using my laptop all this past week because I didn't have time to deal with this. I'll run the fixes today and post the new logs.

Thanks for your help.

** EDIT:
ComboFix log attached.

I've also run into some problems and have posted some screenshots for reference:
1. Webshots - I used to have this program but have since deleted it. However, when I boot up, I get an error message on startup.
2. iTunes - Whenever I start the program, I have to agree to the user agreement.
3. Internet Explorer - Does not display images.
4. Firefox - Does not retain browsing history. "Save and Quit" function does not work.
 
Ok. Run CCleaner, and see if Internet Explorer displays images again.
Please attach fresh hijackthis log.
 
I ran CCleaner but still no luck. In IE, I need to right click and choose Show Picture in each of the boxes in order to see images.

Attached is my HijackThis log.
 
That's good news :)

Now, it is time for the clean-up procedure ->

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place
 