Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Problem with xxyxxya.dll [RESOLVED]

Started by Yhe1 , Apr 20 2008 06:36 PM

  • This topic is locked This topic is locked

#1
Yhe1
Posted 20 April 2008 - 06:36 PM

Yhe1

    Member

  • Member
  • PipPip
  • 65 posts
Hello, I use Avast 4.8, and it found a memory threat with xxyxxya.dll in the winnt/system32 directory. However, Avast cannot get rid of it and I cannot delete it. Any help would be great, thanks. I use windows 2000
  • 0

Advertisements

#2
greyknight17
Posted 20 April 2008 - 07:50 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please read this topic and post your HijackThis log here when ready.

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
Yhe1
Posted 22 April 2008 - 12:32 PM

Yhe1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 65 posts
Thanks for the reply. Attached are my malwarebytes log and my combofix log.

Attached Files


  • 0

#4
greyknight17
Posted 22 April 2008 - 07:18 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Run Malwarebytes Anti-Malware again. You need to change the settings exactly as specified in my last reply. Make sure you check all the results found and remove them.

Did you have problems installing the recovery console? Please install this as soon as possible. Go back to the site where you downloaded combofix. Skip the part for the CD and go straight to the section to download the file. Just save it to your desktop. Then drag and drop that bootdisk file to combofix to install the recovery console.

Uninstall AntiSpy via the Add/Remove Programs panel if found.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::
Rootkit::
Microsoft Video Capture Controls
Microsoft Synchronization Manager
Synchronization Data Schedul
Driver::
Wupdated
naecd
File::
C:\WINNT\system32\glfyylpt.ini
C:\WINNT\BMf3dff8e5.xml
C:\WINNT\system\xsrqxvnb.exe
C:\WINNT\system32\oaocara.exe
Folder::
C:\WINNT\system32\G1r\
C:\Program Files\AntiSpy\
C:\PROGRA~1\COMMON~1\fkwz\
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Video Capture Controls"=-
"Microsoft Synchronization Manager"=-
"Synchronization Data Schedul"=-
"Task manager"=-
"Mw4sRiGnQ"=-
"System Updates"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Updates"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Video Capture Controls"=-
"Microsoft Synchronization Manager"=-
"Synchronization Data Schedul"=-
"8q8rg0oc"=-
"antiware"=-
"77ni3si"=-
"njzqzdls"=-
"AntiSpy"=-
"System Updates"=-
"Win2KService"=-
"f0eccb79"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Video Capture Controls"=-
"Microsoft Synchronization Manager"=-
"Synchronization Data Schedul"=-
"Task manager"=-
"System Updates"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Video Capture Controls"=-
"Microsoft Synchronization Manager"=-
"Synchronization Data Schedul"=-
"Microsoft Update Machine"=-
"fkwz"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"xsrqxvnb.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\8d538988-50a3-4b76-b9b2-8d0bbc469acc]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Video Capture Controls]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Synchronization Manager]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Synchronization Data Schedul]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Post your HijackThis log here (you forgot to do this earlier). Run a new scan and post the log here.
  • 0

#5
Yhe1
Posted 25 April 2008 - 08:30 PM

Yhe1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 65 posts
I am not sure what you mean about the Malwarebytes settings. I download malwarebytes, allowed it to update, then performed a full scan, then removed the malware it detected. Which setting are you referring to?

The instructions on how to install the windows recovery console is for XP. I use Windows 2000. I wasn't sure if the instructions still apply.
  • 0

#6
greyknight17
Posted 25 April 2008 - 09:03 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
According to the log no action was performed on those files found by Malwarebytes. Just want to confirm that you removed them as they usually will say specifically that it was removed successfully :)

I think Windows 2000 has it also, but we may skip that part....

Were you able to run the latest CFScript.txt fix yet? Post the new log here when ready.
  • 0

#7
Yhe1
Posted 26 April 2008 - 07:31 PM

Yhe1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 65 posts
I get an message of:

"Cannot import C:\Documents and Settings\Administrator\Desktop\CFScript.txt: The specified file is not a registry script. You can only import registry files."

When I try to run the CFScript.txt.

My CFscript.txt is attached

Attached Files


Edited by Yhe1, 26 April 2008 - 07:35 PM.

  • 0

#8
greyknight17
Posted 26 April 2008 - 08:08 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
We'll do it using another method then.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Video Capture Controls"=-
"Microsoft Synchronization Manager"=-
"Synchronization Data Schedul"=-
"Task manager"=-
"Mw4sRiGnQ"=-
"System Updates"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Updates"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Video Capture Controls"=-
"Microsoft Synchronization Manager"=-
"Synchronization Data Schedul"=-
"8q8rg0oc"=-
"antiware"=-
"77ni3si"=-
"njzqzdls"=-
"AntiSpy"=-
"System Updates"=-
"Win2KService"=-
"f0eccb79"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Video Capture Controls"=-
"Microsoft Synchronization Manager"=-
"Synchronization Data Schedul"=-
"Task manager"=-
"System Updates"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Video Capture Controls"=-
"Microsoft Synchronization Manager"=-
"Synchronization Data Schedul"=-
"Microsoft Update Machine"=-
"fkwz"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"xsrqxvnb.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\8d538988-50a3-4b76-b9b2-8d0bbc469acc]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Video Capture Controls]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Synchronization Manager]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Synchronization Data Schedul]


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

For the CFScript.txt, delete everything in Registry:: (<-- including that line itself). Then try running it now and post the new log here.
  • 0

#9
Yhe1
Posted 27 April 2008 - 10:51 PM

Yhe1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 65 posts
The registry was successfully merged/added, but the CFScript.txt still produced the same message. The error message showed up, then Combofix ran, although I am not sure if it executed the CFscript or not. Combo fix rebooted the computer, but stalled during the "preparing log" window, along with a message of an exception with a dll. file.

Is it safe for me to run combofix again?

Edited by Yhe1, 29 April 2008 - 02:17 AM.

  • 0

#10
greyknight17
Posted 29 April 2008 - 08:09 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Would Combofix run alone if you just double click on it without using the CFScript? If it still won't work, go to Start->Run, copy/paste in combofix /u to remove it. Go back to the link I gave you in my first post for Combofix and download the tool. Save it to your desktop again and run it by double clicking on it. See if it can produce the log for you now.
  • 0

Advertisements

#11
Yhe1
Posted 02 May 2008 - 02:05 PM

Yhe1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 65 posts
I reinstalled combofix and run it again by itself, and it produced a log, attached below:

Attached Files


  • 0

#12
greyknight17
Posted 03 May 2008 - 01:30 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINNT\system32\oaocara.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\8d538988-50a3-4b76-b9b2-8d0bbc469acc]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

I want you to upload this file (C:\WINNT\system32\dnsrslvr.dll) to http://virusscan.jotti.org and report back what it found. Do the same thing for C:\Documents and Settings\Administrator\lkid.exe

How is the computer running so far?
  • 0

#13
Yhe1
Posted 03 May 2008 - 06:56 PM

Yhe1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 65 posts
I ran the CFScript. It ran, but stalled during the log generation process. I reinstall combofix again and ran it by itself, and it generated a log, attached below. My dnsrslvr.dll file is clean, but my lkid.exe file is infected. I have attached a picture. My Hijackthis log is also attached.

Attached Thumbnails

  • Ikid.jpg

Attached Files


  • 0

#14
greyknight17
Posted 04 May 2008 - 11:50 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupd...ll/aun_0010.exe
O23 - Service: 75348 - Unknown owner - \\71.109.65.4\Admin$\eraseme_81071.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.52bbg.net...t/emot/em23.gif

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINNT\system32\oaocara.exe
C:\Documents and Settings\Administrator\lkid.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\8d538988-50a3-4b76-b9b2-8d0bbc469acc]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#15
Yhe1
Posted 04 May 2008 - 03:05 PM

Yhe1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 65 posts
Attached are my combofix log and my Hijackthis log after I followed the instructions.

Attached Files


  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP