
Hijack this log....ebirihes.dll and lapxemav.dll


4 replies to this topic

#1 SoMeChIcK


Posted 08 June 2010 - 05:32 AM

I forgot to mention before:
I am running Windows XP Professional with Service Pack 2.

Since 10:3pm Monday, I've been having a strange problem with my machine. The computer will freeze up everything on the screen except my mouse cursor. If I click a bunch of times too fast on something, trying to close it, my computer totally freezes up and beeps at me. I also noticed my internet is slower than usual, as is everything else running on my system. It seems to progressively get worse. I've cleared out both my Firefox cache and my Firefox cookies to try to fix this. I ran HijackThis and the log is posted below. I ran a Trend Micro HouseCall scan and it told me for sure that ebirihes is a virus, so I removed it. I also tried another scan by Trend Micro, but the installation jammed up my internet and refused to complete, so I had to do a system restore. My machine is STILL freezing and I'm not sure what to do. Oh, I also ran a Malwarebytes scan and nothing came up with it. I also cleaned out my machine when the stuff started with a can of air. I also notice there's a file called lapxemav.dll in my startup. I have no idea what this is, but when I previously removed it using HijackThis and removing the .dll itself, it still showed up in my startup, even though it didn't actually start up. Since then, I did another system restore. One more thing I'd like to add is that when I close out Firefox it won't actually close out until I kill it in the Task Manager.

Notes:
Nothing out of the ordinary besides lapxemav.dll shows up in my system start up.
Nothing out of the ordinary shows up in my Task Manager. (System runs slow but CPU and RAM look fine.)

Screenshot of my HijackThis log:

Removed as these logs not permitted in this forum and because rarely used anymore. ~ OB

I hope you guys can help me, and thank you in advance for any help you may offer. If you know of any free virus scans that might help I'd appreciate it.

Update:
I ran Scandisk and I guess it didn't find anything because right after it finished it just closed... I ran Disk Cleanup, and I also ran chkdsk and fixed some errors, but not all would fix. I ran it again and it's still having some errors. But this time it allowed me to run a disk defrag, so I ran that. Now I'm going to check out Autoruns and see if it'll do me any good.

I did a disk clean up and emptied my recycle bin and my temporary internet files...Didn't seem to work...Still checking for more ways to fix.

Edited by SoMeChIcK, 08 June 2010 - 07:09 PM.




#2 boopme

  • Global Moderator

Posted 08 June 2010 - 03:11 PM

If you mean you are getting a "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message, that is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
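The orphan check described above, as an added PowerShell example (not from this thread and not part of Autoruns): it walks the Run keys and the HKLM\System\CurrentControlSet\Services key and reports entries whose image file is missing, so they can be reviewed before anything is deleted. The function names are my own; it assumes a Windows host with PowerShell 3 or later and read access to HKLM.

```powershell
# Added example (not from the thread, not part of Autoruns): list autostart and
# service entries whose target file no longer exists, i.e. the orphaned
# "File not found" entries described above. Report only; nothing is deleted.
# Assumes a Windows host with PowerShell 3 or later and read access to HKLM.

function Resolve-ImagePath {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    $p = $p -replace '^\\\?\?\\', ''                        # drop the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # kernel-style root
    if ($p.StartsWith('"') -and $p.IndexOf('"', 1) -gt 1) { # "C:\dir with spaces\x.exe" /args
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } else {
        $p = ($p -split ' ')[0]                             # first token is the image
    }
    if ($p -notmatch '\\') {                                 # bare name: resolve via PATH
        $cmd = Get-Command $p -ErrorAction SilentlyContinue
        if ($cmd) { return $cmd.Path }
    }
    if ($p -notmatch '^[A-Za-z]:\\') {                       # e.g. System32\Drivers\PCIDUMP.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedAutostart {
    $found = @()
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($n in $names) {
            $file = Resolve-ImagePath $n.Value
            if ($file -and -not (Test-Path -LiteralPath $file)) {
                $found += [pscustomobject]@{ Location = $key; Entry = $n.Name; MissingFile = $file }
            }
        }
    }
    # Services and drivers: the key the thread's "File not found" list comes from
    foreach ($svc in Get-ChildItem 'HKLM:\System\CurrentControlSet\Services') {
        $image = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        $file = Resolve-ImagePath $image
        if ($file -and -not (Test-Path -LiteralPath $file)) {
            $found += [pscustomobject]@{ Location = 'Services'; Entry = $svc.PSChildName; MissingFile = $file }
        }
    }
    return $found
}

Get-OrphanedAutostart | Sort-Object Location, Entry | Format-Table -AutoSize
```

A missing image file only means the entry is stale, not that it was malicious: leftovers of uninstalled software show up the same way, so each hit still needs a look before it is removed.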

#3 SoMeChIcK


Posted 08 June 2010 - 07:00 PM

If you mean you are getting a "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message, that is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.


Nope, it's not a startup error. But I have a file that's on my startup called lapxemav. I can remove that using HijackThis... but it's still in the startup in the configuration, because the file's not gone, it's just shut off. My question is how I remove this lapxemav file? Would I use Autoruns for that?

----
I ran Autoruns and there's some that say file not found, is it okay if I remove those or no?

The ones I am not sure about:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

Display panning CPL Extension ----- File not found: deskpan.dll (For this file, I told it search online and I got this: "Although it is a part of a CPL extension, it would not affect the systems capabilities when it is altered or deleted.")

-----------------------------------

HKLM\System\CurrentControlSet\Services

Changer ----- File not found: C:\WINDOWS\System32\Drivers\Changer.sys (When I searched online for this I found that it's A system file for Service Pack 2...Is it necessary?)
GMSIPC ----- File not found: E:\INSTALL\GMSIPCI.SYS (I searched the web and it tells me this is 11% dangerous, so I ran RegistryBooster, but, it will only fix 15 of my 1217 errors...Unless I buy it.)
i2omgmt ----- File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys (Says this is a 0% threat and is probably harmless)
lbrtfdc ----- File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys (Web tells me this has to do with a floppy controller, and may not be necessary.)
MSICPL ----- File not found: E:\install4\MSICPL.sys (The web tells me this probably has to do with my nvidia drivers. I'm using an ATI Radeon card in my machine now though)
NTACCESS ----- File not found: E:\NTACCESS.sys (The web tells me this may be 12% dangerous, but no reviews)
PCIDUMP ----- File not found: C:\WINDOWS\System32\Drivers\PCIDUMP.sys (The web lists this alongside "%System%\drivers\pcidump.sys, %System%\malware\malware\ed45782.sys, %Temp%\sxkiller.sys", meaning it's malware. I guess so, so I removed it.)
PDCOMP ----- File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys (The web tells me this may or may not be necessary. So I unchecked it for now.)
PDFRAME ----- File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys (The web tells me this may or may not be necessary. So I unchecked it for now.)
PDRELI ----- File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys (The web tells me this may or may not be necessary. So I unchecked it for now.)
PDRFRAME ----- File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys (The web tells me this may or may not be necessary. So I unchecked it for now.)
SetupNTGLM7X ----- File not found: E:\NTGLM7X.sys (The web tells me this may be a 40% threat, but someone commented that it's essential for windows)
WDICA ----- File not found: C:\WINDOWS\System32\Drivers\WDICA.sys (The web tells me this may or may not be necessary. So I unchecked it for now.)

-----------------------------------

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Drivers32

vidc.ffds ----- File not found: C:\PROGA~1\COMBIN~1\Filters\FFDSHOW\ff_vfw.dll (This I think is just a codec that's useless, so would it be alright to remove this?)

Also in:
HKLM\Software\Classes\CLSID\{08386F1-70DE-11d0-BD40-00A0C911CE86}\Instance

There's a few more FFDSHOW stuff:

ffdshow Audio Decoder
ffdshow Audio Processor
ffdshow raw video filter
ffdshow subtitles filter
ffdshow Video Decoder


Later, I also found these:

HKLM\Software\Classes\CLSID\{08386F1-70DE-11d0-BD40-00A0C911CE86}\Instance

Matroska Source ----- C:\windows\system32\matroskadx.ax (Possible virus? The web couldn't tell me.)
Matroska Splitter ----- C:\windows\system32\matroskadx.ax (Possible virus? The web couldn't tell me.)
WIA Stream Snapshot Filter ----- C:\windows\system32\wiasf.ax (Possible virus? The web couldn't tell me.)

Other than that everything looks familiar or I know what it's for. Now, I am going to remove any unnecessary programs.

Edited by SoMeChIcK, 08 June 2010 - 08:50 PM.


#4 boopme

  • Global Moderator

Posted 08 June 2010 - 09:10 PM

These all look like orphaned entries and can go.
You should first set a New restore point in case you need to go back.
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.


Let's run MBAM. After that log we will deal with the "lapxemav.dll" file.

Edited by boopme, 08 June 2010 - 09:13 PM.


#5 SoMeChIcK


Posted 09 June 2010 - 01:24 AM

These all look like orphaned entries and can go.
You should first set a New restore point in case you need to go back.
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.


Let's run MBAM. After that log we will deal with the "lapxemav.dll" file.



I used Autoruns to remove that lapxemav.dll. I also used HijackThis to help remove it. Seems that's not the problem. Neither are any of the other files because I set them NOT to run. Also, I just ran the cleanmgr like you said, but am unsure if I want to remove all old restore points because I don't think it's fixed yet.

Update:
Finished the Malwarebytes scan. Didn't find anything and checked both of my drives. I'm all out of ideas. Nothing running in the Task Manager that I can find. I even tried Security Task Manager. I've run cleanmgr 3 times, ran chkdsk 3 times, and ran Malwarebytes 3 times. What's weird is, sometimes it will be fine for a while, hours, before it freezes and crashes; other times, it's right on the startup when it crashes, usually when I open either Firefox to watch a video, or when I chat on Yahoo Messenger. If I don't use the internet it doesn't wig out.

Here's my Mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4182

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/9/2010 12:40:12 AM
mbam-log-2010-06-09 (00-40-12).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 322831
Time elapsed: 1 hour(s), 9 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




NEW UPDATE:
I just had a blue screen of death occur when I wasn't doing anything; it was shortly after I closed the MBAM log that it crashed.
http://img710.imageshack.us/f/dsc09991x.jpg/

Problem is, I haven't installed any new hardware. Could this be a sign my hard drive is dying?

I went back and checked Autoruns, and some things won't remove even though they are busted: the ffdshow ones, and the Display panning CPL.

I am just gonna try and reformat and see if that fixes the malfunction. Assuming my HDD will take the reformat, seeing as last time I tried it wouldn't allow me to, crashing right in the middle of the formatting.

Edited by SoMeChIcK, 09 June 2010 - 03:28 AM.




