ORUX[^ad.dll bad or not?



#1 sean74


Posted 17 July 2004 - 11:42 PM

Helping my uncle out with a CWS About Blank issue and this is what I have found so far.

-Found a magj.dll that seemed suspicious so I renamed it magj.bak in case it's something I need to keep
-Notepad.exe was missing (not sure if the file was infected and he lost it due to an anti-virus program deleting it, or if it was just a hard drive issue).
-"fixed" everything that was suspicious using HijackThis, rescanned and a file called ORUX[^ad.dll keeps popping back up.

Does anyone have any idea which variant I'm dealing with? And how I'd go about fixing it?


Oh might be worth mentioning that I ran hijack this while using remote assistance so that's why the remote assistance process is showing up.

Looking through the various running processes I couldn't identify anything as not belonging, but it definitely seems like something is running somewhere... any files that I should suspect of being compromised, or did I overlook something?

-Sean74


Logfile of HijackThis v1.98.0
Scan saved at 6:58:47 PM, on 7/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\System32\rsvp.exe
C:\Documents and Settings\user\Desktop\Stuff\HijackThis.exe

O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\ORUX[^ad.dll

Edited by sean74, 18 July 2004 - 12:01 AM.


#2 nasdaq


Posted 22 July 2004 - 10:15 PM

Hello sean74

The log that you have posted is not complete.

Also, you are running HijackThis from your desktop folder, which is not recommended.

Do the following.

Create a new folder in your C: Drive
Name it C:\HJT or HijackThis.

Move HijackThis.exe to that new folder and run it from there.
Submit a complete log for review.
nasdaq


#3 WinHelp2002


Posted 18 September 2004 - 10:33 AM

Due to lack of response by the poster this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike