wjholtjr

Res://<somename>.dll/index.html#26980

6 posts in this topic

Sorry to have to post this. I thought that after reading all your information I would be successful without posting.

 

This thing started out like the Topic Title indicates with ngjic.dll as the DLL. I used SpyBot, Ad-Aware (both current versions), removed all references to ngjic.dll in the registry, ran HijackThis and cleaned off a couple of unknown BHO entries, deleted ngjic.dll from the system and trash bin, and probably more. Windows updates all current. Norton AV current. However, SpyBot keeps finding DSO exploit even after I tell it to fix the problem.

 

WE'RE BACK! It looked as though I was successful. Not the case. Now it is back as qwqfk.dll. What am I missing here? Something is replicating this thing. There are numerous RunOnce entries in the HijackThis log. I don't recognize any of them as legitimate.

 

Here's the log.

 

Logfile of HijackThis v1.97.7

Scan saved at 4:46:10 PM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\msdtc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\BQuote\MSSQL$BQUOTE\Binn\sqlservr.exe

C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\mfcka32.exe

C:\WINDOWS\system32\sysco.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\HJT\HijackThis.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Dell\AccessDirect\DadTray.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\mozilla.org\Mozilla\mozilla.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwqfk.dll/sp.html#26980

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qwqfk.dll/index.html#26980

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qwqfk.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwqfk.dll/sp.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qwqfk.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwqfk.dll/sp.html#26980

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {E5FE8B28-20B7-0E2B-7FD1-042B1A24EF17} - C:\WINDOWS\system32\ipjb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sysco.exe] C:\WINDOWS\system32\sysco.exe

O4 - HKLM\..\RunOnce: [sdkvx32.exe] C:\WINDOWS\system32\sdkvx32.exe

O4 - HKLM\..\RunOnce: [ntnb.exe] C:\WINDOWS\ntnb.exe

O4 - HKLM\..\RunOnce: [d3rd.exe] C:\WINDOWS\system32\d3rd.exe

O4 - HKLM\..\RunOnce: [sysvz32.exe] C:\WINDOWS\system32\sysvz32.exe

O4 - HKLM\..\RunOnce: [iehy32.exe] C:\WINDOWS\system32\iehy32.exe

O4 - HKLM\..\RunOnce: [mfceg.exe] C:\WINDOWS\system32\mfceg.exe

O4 - HKLM\..\RunOnce: [netmu.exe] C:\WINDOWS\netmu.exe

O4 - HKLM\..\RunOnce: [javaou.exe] C:\WINDOWS\system32\javaou.exe

O4 - HKLM\..\RunOnce: [ntjf.exe] C:\WINDOWS\ntjf.exe

O4 - HKLM\..\RunOnce: [winep32.exe] C:\WINDOWS\system32\winep32.exe

O4 - HKLM\..\RunOnce: [ieyp.exe] C:\WINDOWS\ieyp.exe

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MI1933~1\Office\1033\phdintl.dll/phdContext.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaver...st/twophase.cab

O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8023.5102777778

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

I did not include the 017 lines that refer to my Domain. They look correct.

 

Thank you for your help. Sorry I couldn't figure it out myself.

 

Bill


Download About:Buster by RubbeR DuckY from

 

http://www.atribune.org/downloads/AboutBuster.zip

 

Then unzip it to your desktop. Do not run it yet. Print these directions or paste them into a text document, as you will be running with Internet Explorer closed. Restarting Internet Explorer may cause a reinfection.

 

Run another HijackThis scan and place a check next to the following entries.

O2 - BHO: (no name) - {E5FE8B28-20B7-0E2B-7FD1-042B1A24EF17} - C:\WINDOWS\system32\ipjb.dll

O4 - HKLM\..\Run: [sysco.exe] C:\WINDOWS\system32\sysco.exe

O4 - HKLM\..\RunOnce: [sdkvx32.exe] C:\WINDOWS\system32\sdkvx32.exe

O4 - HKLM\..\RunOnce: [ntnb.exe] C:\WINDOWS\ntnb.exe

O4 - HKLM\..\RunOnce: [d3rd.exe] C:\WINDOWS\system32\d3rd.exe

O4 - HKLM\..\RunOnce: [sysvz32.exe] C:\WINDOWS\system32\sysvz32.exe

O4 - HKLM\..\RunOnce: [iehy32.exe] C:\WINDOWS\system32\iehy32.exe

O4 - HKLM\..\RunOnce: [mfceg.exe] C:\WINDOWS\system32\mfceg.exe

O4 - HKLM\..\RunOnce: [netmu.exe] C:\WINDOWS\netmu.exe

O4 - HKLM\..\RunOnce: [javaou.exe] C:\WINDOWS\system32\javaou.exe

O4 - HKLM\..\RunOnce: [ntjf.exe] C:\WINDOWS\ntjf.exe

O4 - HKLM\..\RunOnce: [winep32.exe] C:\WINDOWS\system32\winep32.exe

O4 - HKLM\..\RunOnce: [ieyp.exe] C:\WINDOWS\ieyp.exe

Then close all windows and click the "Fix checked" button. Now start up About:Buster. Hit OK on the first prompt and then hit Start. Next hit OK. Wait till the scan completes and copy the report and save it somewhere. Rerun About:Buster to make sure everything was deleted. Then restart your computer.

 

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with a report.


Clean, finally. The trip wasn't pretty. Below are notes I took during the process AFTER I realized things weren't going as expected.

 

NOTES:

 

Ok. Here is the report. Used FIX in HijackThis then ran About:Buster. Based on your instructions I expected a report to appear (I misunderstood) and it didn't so I clicked Ok again. It re-ran the scan.

 

This time it found another file it removed. I ran it again. It found another file it removed but then reported Error removing: C:\Windows\netea.exe. When it finished I ran another scan. Again it removed a different file but still reported the error removing netea.exe.

 

I opened Windows explorer and manually deleted netea.exe and re-ran the scan. It removed another file and reported Error Removing C:\Windows\System32\crnv32.exe. This file would not delete manually. Opening Task Manager revealed that it was a running process. I killed it and was able to manually delete it.

 

It went through this same process a couple of times (now saving my reports) until I realized this was an endless loop. I figured that Windows explorer might be using some of the same technology that IE uses and I was re-infecting my machine. I then removed the file using a command prompt in DOS.

 

Still getting reports of error removing <xxxx>.exe (name changing with each delete).

 

So, I left Task Manager open, killing the process that About:Buster reported an error removing and deleting it via DOS prompt. I watched the Task Manager process count. Upon deleting the process there were 39 running. In a little bit the number popped up to 40. I looked to see if a similarly named (4 or 5 characters.exe) process was started. Yep. I re-ran About:Buster and sure enough, that was the <xxxxx>.exe it could not remove.

 

I then figured that even the Start menu is related to IE and I was clicking Start to open the DOS prompt. So, I left the DOS prompt open, killed the process, deleted the file and re-ran About:Buster for the 10th time. A clean report. Just as I was feeling pretty good the Task Manager reported another process started. Sure enough, addlb.exe was running.

 

11th time through, same thing. Error removing addlb.exe. Back to the old cycle.

 

I repeated the above steps trying to do everything faster (the About:Buster scan is long). As the 12th scan was running I noticed a process named Sysco.exe was running. I looked back at your post and realized that you told me to FIX one named Sysco.exe. I don't know if I didn't FIX it, but I killed that process as well. The 12th report has come back clean and no additional process has started. I'll restart and see what happens. Report at 11 :-)

 

Restarting resulted in failure. Both HijackThis and About:Buster report trouble. I continued watching Task Manager and About:Buster, deleting files reported after killing the process. Sysco.exe had returned and appeared to be the one generating all the new processes. Funny that About:Buster didn't deal with or report Sysco.exe.

 

I am not certain of the combination but I eventually got it right - no reports from About:Buster and no processes starting up on their own. What a trip!

 

Here is my final log file.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:30:31 PM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\msdtc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\BQuote\MSSQL$BQUOTE\Binn\sqlservr.exe

C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\AccessDirect\DadTray.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MI1933~1\Office\1033\phdintl.dll/phdContext.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaver...st/twophase.cab

O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8023.5102777778

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

I appreciate very much the direction. I hope that my notes will help some poor soul.

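As an added example that is not part of this thread (and not code from HijackThis or About:Buster), the following Python script does on the two logs posted above what Bill did by hand over twelve scans: it flags the res:// start/search pages, the unnamed BHO in system32, the random-named Run/RunOnce entries and the random-named processes still in memory, then diffs the first log against the final one to show exactly what the cleanup removed. The log excerpts are copied from the two posted logs; the file-name pattern, the directory list and the KNOWN_GOOD allow-list are assumptions chosen for this example, not HijackThis's own logic.

```python
"""Triage a HijackThis 1.97 log for the res:// hijack pattern in this thread
and diff a before/after pair to see what a cleanup actually removed.
Added example: not part of the thread, of HijackThis or of About:Buster.
The excerpts are copied from the two logs posted above; the rules and the
KNOWN_GOOD allow-list are assumptions chosen for this example."""
import re

# Dropped files in the log are short random names, optionally ending in "32":
# qwqfk.dll, ipjb.dll, sysco.exe, sdkvx32.exe, ntnb.exe, d3rd.exe, mfcka32.exe.
RANDOM_NAME = re.compile(r"^[a-z][a-z0-9]{2,5}(32)?\.(exe|dll)$")
SYSTEM_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\"}
# Legitimate short names in those directories (assumed allow-list; extend as needed).
KNOWN_GOOD = {"smss.exe", "lsass.exe", "msdtc.exe", "nvsvc32.exe"}

# Excerpts of the first (infected) and final (clean) logs from the thread.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\mfcka32.exe
C:\WINDOWS\system32\sysco.exe
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qwqfk.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwqfk.dll/sp.html#26980
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E5FE8B28-20B7-0E2B-7FD1-042B1A24EF17} - C:\WINDOWS\system32\ipjb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sysco.exe] C:\WINDOWS\system32\sysco.exe
O4 - HKLM\..\RunOnce: [sdkvx32.exe] C:\WINDOWS\system32\sdkvx32.exe
O4 - HKLM\..\RunOnce: [ntnb.exe] C:\WINDOWS\ntnb.exe
O4 - HKLM\..\RunOnce: [d3rd.exe] C:\WINDOWS\system32\d3rd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
"""
AFTER_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
"""


def split_path(path):
    """Lower-cased (directory with trailing backslash, file name) of a Windows path."""
    d, _, base = path.strip().strip('"').lower().rpartition("\\")
    return (d + "\\" if d else ""), base


def is_suspect_path(path):
    """True for a random-looking .exe/.dll sitting directly in WINDOWS or system32."""
    d, base = split_path(path)
    return d in SYSTEM_DIRS and base not in KNOWN_GOOD and bool(RANDOM_NAME.match(base))


def triage(log):
    """Return (rule, line) pairs for each log line that matches a hijack heuristic."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if re.match(r"R[01] - .*res://", line, re.I):
            findings.append(("ie-page-in-res-dll", line))        # start/search page served out of a DLL
        elif line.startswith("O2 - BHO: (no name)") and is_suspect_path(line.rsplit(" - ", 1)[1]):
            findings.append(("unnamed-bho-random-dll", line))    # the BHO that re-sets the pages
        elif line.startswith("O4 - ") and is_suspect_path(line.partition("] ")[2]):
            findings.append(("autorun-random-exe", line))        # Run/RunOnce droppers
        elif re.match(r"[a-z]:\\", line, re.I) and is_suspect_path(line):
            findings.append(("running-random-process", line))   # the respawner still in memory
    return findings


def diff_logs(before, after):
    """(lines gone after cleanup, lines that appeared): the poster's Task Manager
    'did a new process show up' check, done on two logs instead of by eye."""
    b = {l.strip() for l in before.splitlines() if l.strip()}
    a = {l.strip() for l in after.splitlines() if l.strip()}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for rule, line in triage(BEFORE_LOG):
        print(f"{rule:24} {line}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} lines removed by cleanup, {len(added)} new lines")
```

Run as-is it prints nine flagged lines, and those are exactly the nine lines that are gone from the final log; a diff of two consecutive logs is also what would have shown that sysco.exe was still present between scans. The name regex is deliberately tied to the pattern in this log (short name, optional "32" suffix, sitting directly in WINDOWS or system32) and real triage needs a proper allow-list, since smss.exe or lsass.exe have the same shape.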

The trip could've been shot down in one try... <me blushes> I really should add a note in the program saying if the files keep coming back you should try in Safe Mode... <again blushes>.

Glad to see you're fixed though :)


RackTracker,

 

Thanks for the confirmation and the link to "So how..."

 

I actually had 1 - 3 already in place and will look into the others.

 

I think I read here that if you really want to get rid of the problem, change browsers. Well, I've done that too. Using Mozilla now except when I need Windows updates beyond the ones that run automatically.

 

Duck,

 

Do put your Safe Mode advice in your program. After thinking about it, that is probably the best way to handle it from the beginning. Don't know if you have the room for being chatty, but some folks will find that they cannot log on to their PC in Safe Mode using the same username/password as when attached to their domain or running in Safe Mode with networking enabled. That can be a little panicky for some folks.

 

Good night to you both. Again, thanks.

Edited by wjholtjr
