help - ##exgmrgml#.exe



fivee
2008-02-25, 20:28
I need help removing that.
The situation is: Spybot, AVG, ComboFix, Windows Defender, and Microsoft malware removal were unable to remove this; most of the time they don't even recognize a threat!
I've used all I could and removed all the registry entries I thought safe to remove. It does not load at startup, and it appears to load only when I'm connected to the internet (ADSL dial-up).
It always has different numbers at the beginning and end of the name, like now it's "69exgmrgml19.exe", and I can find it inside my temp folder.

By closing it in the Task Manager I can delete it from the temp directory, and it won't bug me for a while... and if it stays there long enough, others will appear, with different numbers, always in the temp folder.


Here is the HijackThis log now (while the file is in memory):

Logfile of HijackThis v1.99.1
Scan saved at 18:26:52, on 25-02-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Microsoft SQL Server\MSSQL$MACWIN\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ADMINI~1\DEFINI~1\Temp\61exgmrgml19.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrador\Ambiente de trabalho\FILIP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.millenniumbcp.pt/index.jhtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202808292109
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0493CEE-D31A-43DE-8117-2898941FCBE6}: NameServer = 212.13.35.189 212.13.35.33
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: MSSQL$MACWIN - Unknown owner - C:\Programas\Microsoft SQL Server\MSSQL$MACWIN\Binn\sqlservr.exe" -sMACWIN (file missing)
O23 - Service: SQLAgent$MACWIN - Unknown owner - C:\Programas\Microsoft SQL Server\MSSQL$MACWIN\Binn\sqlagent.EXE" -i MACWIN (file missing)

pskelley
2008-02-27, 14:03
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected. Scan that file to see what it is; Google returns nothing:
C:\DOCUME~1\ADMINI~1\DEFINI~1\Temp\61exgmrgml19.exe
Use one or more of the scans and post the results:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

You also have this trojan onboard:
C:\WINDOWS\system\smvss.exe this is probably:
http://www.sophos.com/virusinfo/analyses/trojdedlerg.html
http://www.google.com/search?hl=en&q=smvss.exe&btnG=Search

If you still want help, read the directions which are posted above and pinned to the top of the forum. Post the correct version of HJT and the Kaspersky scan described in the instructions and I will be glad to take a look.

Provide:
a) The HJT log.
HiJackThis log - Trend Micro HijackThis 2.0.2

b) The Kaspersky log report.

Thanks
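
The two items called out in the reply above can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread or of HijackThis itself: it flags running processes whose image sits in a Temp directory and O4 Run entries whose target sits in `\WINDOWS\system\` rather than `system32`. Both rules are triage heuristics assumed for this illustration; a hit is a reason to submit the file to a scanner, not a verdict.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ADMINI~1\DEFINI~1\Temp\61exgmrgml19.exe
C:\WINDOWS\system32\taskmgr.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Heuristic 1 (assumption): executables should not be running out of Temp.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
# Heuristic 2 (assumption): autoruns in the legacy \WINDOWS\system\ directory
# (not system32) are unusual on Windows XP and deserve a scan.
LEGACY_SYSTEM = re.compile(r"^[a-z]:\\windows\\system\\", re.I)
# HijackThis O4 line: hive, value name in brackets, then the command line.
RUN_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
# First .exe path in a command line, with or without surrounding quotes.
EXE_PATH = re.compile(r'"?([a-z]:\\.+?\.exe)"?', re.I)

def triage(log_text):
    """Return (reason, path) pairs for log lines worth a closer look."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
            elif TEMP_DIR.search(line):
                findings.append(("process running from Temp", line))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            exe = EXE_PATH.search(m.group(3))
            if exe and LEGACY_SYSTEM.search(exe.group(1)):
                findings.append(("autorun in legacy system dir: " + m.group(2),
                                 exe.group(1)))
    return findings

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(reason, "->", path)
```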