
PLEASE HELP!! - Hijacked by 89.188.16.10.......


This topic is locked
19 replies to this topic

#1 westminster
Member (Full Member, 10 posts)

Posted 21 May 2007 - 09:42 PM

PLEASE HELP ME!
I have been infected by a virus(?) that continues to invoke ie and tries to send me off to unknown sites.
Currently using Mozilla Firefox as my browser (ie uninstalled)
Windows XP Home w/SP2 and regular updates
Have just run Adaware SE Personal and Spybot- Search and Destroy with updated definitions
Still get ie windows trying to send me off to sites unknown, almost always with 89.188.16.10 somewhere in the title
Get periodic "Threats Detected" trojan horse messages from AVG (free edition)
Occasionally the CPU usage goes to near 100% for long periods
I have read the FAQ for the forum

hijack log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:03 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.c...dFileApplet.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reportserver....tivexviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Can you please help me???? I'm ready to take a sledge hammer to the cpu!!!!
Thanks so very much!!!! Jim.

#2 SWI Support Robot
Helper robot (SWI Bot, 23,523 posts)

Posted 24 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq
Forum Deity (Global Moderator, 49,092 posts)

Posted 26 May 2007 - 01:38 PM

Hello,

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nothing suspicious was found on your log. Clean these items from the registry.

Disable TeaTimer:

Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable TeaTimer:
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.

After all of the fixes are complete it is very important that you enable TeaTimer again.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab


Click on Fix Checked when finished and exit HijackThis.

Download this file - combofix.exe

and save it to your desktop (Important). Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

"%userprofile%\desktop\combofix.exe"

Boot into safe mode by tapping the F8 key just before Windows starts to load.

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe"

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

In your next post, please include
  • new hijackthis log
  • combofix log
*use separate posts to ensure the logs don't get cut off!
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
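The three entries nasdaq singled out above can also be found mechanically. The script below is an added example, not code from this thread, from HijackThis or from SWI: it parses HijackThis-style lines copied from the posted log and flags the patterns a helper looks for first: an O2/O3 registration whose file is gone ("(no file)"), any O15 Trusted Zone addition, and an O16 DPF ActiveX download sourced from a bare IP address instead of a named host. The heuristics and the function names are the editor's assumptions, and the heuristics deliberately over-approximate (they also pick up the 66.242.36.104 DPF entry that nasdaq left alone), so the output is a review list for a human, not a fix list.

```python
import re

# Constructed excerpt: HijackThis v1.99.1 lines copied from the log posted above.
SAMPLE_HJT_LINES = [
    "O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)",
    'O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"',
    "O4 - HKLM\\..\\Run: [P2P Networking] C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART",
    "O15 - Trusted Zone: *.sxload.net (HKLM)",
    "O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab",
    "O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab",
    "O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.c...dFileApplet.cab",
    "O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe",
]

# Section code ("O3", "O16", ...) followed by " - " and the rest of the entry.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A download URL whose host is a bare dotted-quad rather than a DNS name.
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:.]|$)")


def parse_hjt_line(line):
    """Split one HijackThis entry into section code and body; None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body"), "line": line.strip()}


def triage_entry(entry):
    """Return the review reasons (possibly empty) for one parsed entry.

    These checks are the editor's assumptions, not HijackThis's own logic;
    they reproduce why a helper would single out the lines nasdaq asked to fix.
    """
    sec, body = entry["section"], entry["body"]
    reasons = []
    if sec in ("O2", "O3") and "(no file)" in body:
        reasons.append("orphaned BHO/toolbar registration: the referenced file no longer exists")
    if sec == "O15":
        reasons.append("Trusted Zone entry: sites listed here run with relaxed IE security settings")
    if sec == "O16" and RAW_IP_URL_RE.search(body):
        reasons.append("ActiveX control (DPF) sourced from a bare IP address rather than a named host")
    return reasons


def triage(lines):
    """Parse every line and keep only the entries that earned at least one reason."""
    results = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue  # running-process paths, blank lines, header lines
        reasons = triage_entry(entry)
        if reasons:
            results.append({"line": entry["line"], "section": entry["section"], "reasons": reasons})
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT_LINES):
        print(hit["section"], "|", hit["line"])
        for reason in hit["reasons"]:
            print("    ->", reason)
```

To run it over a complete log, pass the file's lines to `triage()`; the process list and header lines do not match the entry pattern and are skipped, so the whole file can be fed in unchanged.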

#4 westminster
Member (Full Member, 10 posts)

Posted 27 May 2007 - 12:17 PM

First off, THANK YOU SO MUCH for helping me tackle this problem!!

Per your instructions, I will post THREE things (in separate replies):

1- new HJT log

TWO log files generated by ComboFix (don't know which one you need)

2- ComboFix.txt log
3- ComboFix-quarantined-files.txt

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:06:31 AM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.c...dFileApplet.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reportserver....tivexviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5 westminster
Member (Full Member, 10 posts)

Posted 27 May 2007 - 12:27 PM

Next attachment (sorry about the duplication above!)

ComboFix.txt log:

"Jim" - 2007-05-27 9:47:49 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Jim\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aidjbqbe.dll
C:\WINDOWS\system32\betmsveu.dll
C:\WINDOWS\system32\bpnkbbmd.dll
C:\WINDOWS\system32\cgxinxad.dll
C:\WINDOWS\system32\cybyrlbw.dll
C:\WINDOWS\system32\dbuexqcc.dll
C:\WINDOWS\system32\eqbqkjlb.dll
C:\WINDOWS\system32\fefsrrhj.dll
C:\WINDOWS\system32\fgdiawkf.dll
C:\WINDOWS\system32\fiqtatmm.dll
C:\WINDOWS\system32\hdbafdld.dll
C:\WINDOWS\system32\hfafqfnx.dll
C:\WINDOWS\system32\hfhsbjxs.dll
C:\WINDOWS\system32\hqbgjsvf.dll
C:\WINDOWS\system32\kafvpjun.dll
C:\WINDOWS\system32\kcskbdfl.dll
C:\WINDOWS\system32\kxajedok.dll
C:\WINDOWS\system32\lxhppymk.dll
C:\WINDOWS\system32\mpdekvyb.dll
C:\WINDOWS\system32\ngchbmtb.dll
C:\WINDOWS\system32\nxinlfgt.dll
C:\WINDOWS\system32\pnqpvifu.dll
C:\WINDOWS\system32\runpxypo.dll
C:\WINDOWS\system32\shxvvlnt.dll
C:\WINDOWS\system32\sjuwwinc.dll
C:\WINDOWS\system32\svwthivj.dll
C:\WINDOWS\system32\svwtrhnh.dll
C:\WINDOWS\system32\uahnldol.dll
C:\WINDOWS\system32\ubicnkym.dll
C:\WINDOWS\system32\utujcieq.dll
C:\WINDOWS\system32\vujrmfdx.dll
C:\WINDOWS\system32\vvswrdsr.dll
C:\WINDOWS\system32\wgxnixql.dll
C:\WINDOWS\system32\xnhwprwq.dll
C:\WINDOWS\system32\xwkoapmf.dll
C:\WINDOWS\system32\daxnixgc.ini
C:\WINDOWS\system32\bljkqbqe.ini
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\cdeeg.tmp
C:\WINDOWS\system32\dldfabdh.ini
C:\WINDOWS\system32\xnfqfafh.ini
C:\WINDOWS\system32\fvsjgbqh.ini
C:\WINDOWS\system32\nujpvfak.ini
C:\WINDOWS\system32\lfdbksck.ini
C:\WINDOWS\system32\byvkedpm.ini
C:\WINDOWS\system32\ufivpqnp.ini
C:\WINDOWS\system32\opyxpnur.ini
C:\WINDOWS\system32\cniwwujs.ini
C:\WINDOWS\system32\jvihtwvs.ini
C:\WINDOWS\system32\hnhrtwvs.ini
C:\WINDOWS\system32\lodlnhau.ini
C:\WINDOWS\system32\qeicjutu.ini
C:\WINDOWS\system32\xdfmrjuv.ini
C:\WINDOWS\system32\rsdrwsvv.ini
C:\WINDOWS\system32\lqxinxgw.ini
C:\WINDOWS\system32\qwrpwhnx.ini
C:\WINDOWS\system32\fmpaokwx.ini
C:\WINDOWS\SYSTEM32\cdeeg.bak1
C:\WINDOWS\SYSTEM32\cdeeg.bak2
C:\WINDOWS\SYSTEM32\cdeeg.ini
C:\WINDOWS\SYSTEM32\cdeeg.ini2
C:\WINDOWS\SYSTEM32\cdeeg.tmp
C:\WINDOWS\SYSTEM32\cdeeg.bak1
C:\WINDOWS\SYSTEM32\cdeeg.bak2
C:\WINDOWS\SYSTEM32\cdeeg.ini
C:\WINDOWS\SYSTEM32\cdeeg.ini2
C:\WINDOWS\SYSTEM32\cdeeg.tmp
C:\WINDOWS\system32\gebawww.dll
C:\WINDOWS\system32\geedc.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
"C:\WINDOWS\NDNuninstall4_80.exe"
"C:\WINDOWS\NDNuninstall4_88.exe"
"C:\WINDOWS\NDNuninstall4_94.exe"
"C:\Program Files\xloadnet"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 15:50:26 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-04-23 23:44:54 0 ----a-w C:\CONFIG.SYS
2007-04-23 23:44:54 0 ----a-w C:\AUTOEXEC.BAT
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 15:46:30 -------- d-----w C:\DOCUME~1\Jim\APPLIC~1\Thunderbird
2007-04-13 15:46:06 15,892 ----a-w C:\WINDOWS\mozver.dat
2007-04-13 15:27:12 -------- d-----w C:\Program Files\mozilla.org
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 09:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" []
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-07-26 05:21]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-03-09 11:06]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" []
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"sr1exe"="C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" [2003-05-15 15:21]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 10:13]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" []
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig]
C:\IME\IMKR\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sr1exe]
"C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DwlClient"=C:\Program Files\Common Files\Dell\EUSW\Support.exe
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
"sr1exe"="C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
"PrintDrive"=rundll32.exe "C:\WINDOWS\system32\qeoelacw.dll",setvm


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22564038-544a-11d9-843e-00038a000015}]
AutoRun\command- E:\SafeGuard\Windows\SafeGuard20.exe

*Newly Created Service* -STLTRK2K


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070527-091711-365
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab

???????(a hugely long string of question marks...)(had to delete many)??????'????????

backup-20070527-091711-585
O15 - Trusted Zone: *.sxload.net (HKLM)

backup-20070527-091711-481
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
Contents of the 'Scheduled Tasks' folder
2007-05-26 01:13:00 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 09:57:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-27 9:59:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 09:59

--- E O F ---
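One thing worth noticing in the V Log section of the ComboFix report above: every deleted .ini file has a name that is a deleted .dll name spelled backwards (uahnldol.dll / lodlnhau.ini, hqbgjsvf.dll / fvsjgbqh.ini, kcskbdfl.dll / lfdbksck.ini, and so on). The script below is an added example, not part of the post and not ComboFix's own code: it reads an excerpt of that listing (paths copied from the log) and pairs the files by that rule, so a helper can confirm the deletions belong to one family and see which files have no partner and deserve a separate look. The function names and the eight-lowercase-letter "looks generated" check are the editor's assumptions.

```python
import re

# Constructed excerpt of the "V Log" section of the ComboFix report posted above
# (a subset of the deleted files; every path is copied from that log).
SAMPLE_VLOG = """
C:\\WINDOWS\\system32\\aidjbqbe.dll
C:\\WINDOWS\\system32\\cgxinxad.dll
C:\\WINDOWS\\system32\\hdbafdld.dll
C:\\WINDOWS\\system32\\hqbgjsvf.dll
C:\\WINDOWS\\system32\\kcskbdfl.dll
C:\\WINDOWS\\system32\\uahnldol.dll
C:\\WINDOWS\\system32\\xwkoapmf.dll
C:\\WINDOWS\\system32\\gebawww.dll
C:\\WINDOWS\\system32\\daxnixgc.ini
C:\\WINDOWS\\system32\\dldfabdh.ini
C:\\WINDOWS\\system32\\fvsjgbqh.ini
C:\\WINDOWS\\system32\\lfdbksck.ini
C:\\WINDOWS\\system32\\lodlnhau.ini
C:\\WINDOWS\\system32\\fmpaokwx.ini
C:\\WINDOWS\\system32\\cdeeg.ini
C:\\WINDOWS\\system32\\cdeeg.tmp
"""

# Drive-letter path; we only care about the final file name.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\\(?P<name>[^\\]+)$")
# Editor's heuristic: eight lowercase letters with no digits is typical of
# machine-generated file names in this listing.
GENERATED_RE = re.compile(r"^[a-z]{8}$")


def parse_vlog(text):
    """Return the lowercase (stem, extension) of every file path in the listing."""
    names = []
    for raw in text.splitlines():
        m = PATH_RE.match(raw.strip())
        if not m:
            continue  # banner lines, blank lines
        stem, _, ext = m.group("name").lower().rpartition(".")
        if stem:
            names.append((stem, ext))
    return names


def pair_reversed_names(names):
    """Match each .ini whose stem is a .dll stem spelled backwards.

    Returns (pairs, unpaired_dlls, unpaired_inis); each pair is (dll_stem, ini_stem).
    """
    dlls = {stem for stem, ext in names if ext == "dll"}
    inis = {stem for stem, ext in names if ext == "ini"}
    pairs = sorted((ini[::-1], ini) for ini in inis if ini[::-1] in dlls)
    paired_dlls = {d for d, _ in pairs}
    paired_inis = {i for _, i in pairs}
    return pairs, sorted(dlls - paired_dlls), sorted(inis - paired_inis)


def looks_generated(stem):
    """True if the stem fits the eight-lowercase-letter pattern seen in the log."""
    return GENERATED_RE.match(stem) is not None


if __name__ == "__main__":
    names = parse_vlog(SAMPLE_VLOG)
    pairs, loose_dlls, loose_inis = pair_reversed_names(names)
    print(f"{len(pairs)} dll/ini pairs by reversed name:")
    for dll, ini in pairs:
        print(f"  {dll}.dll  <->  {ini}.ini")
    print("dlls without a partner:", loose_dlls)
    print("inis without a partner:", loose_inis)
    print("generated-looking stems:", sum(looks_generated(s) for s, _ in names))
```

The same function works on the quarantine listing in the next post once the `.vir` suffix is stripped from each name; the sizes recorded there (the same few byte counts repeated across the .dll files) are a second, independent way of grouping them.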

#6 westminster
Member (Full Member, 10 posts)

Posted 27 May 2007 - 12:29 PM

Last attachment

ComboFix-quarantined-files.txt log:

2003-02-15 17:06	  52224	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_80.exe.vir
2003-05-26 13:18	  44544	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_88.exe.vir
2003-07-21 17:58	  44544	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_94.exe.vir
2007-04-19 10:54	  26694	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gebawww.dll.vir
2007-04-19 10:59	  281172	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\geedc.dll.vir
2007-04-19 11:02	  40183	--a------	C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
2007-04-20 11:00	  1406358	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.ini.vir
2007-04-21 10:01	  1422496	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.tmp.vir
2007-04-25 08:08	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\uahnldol.dll.vir
2007-04-25 08:08	  343	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lodlnhau.ini.vir
2007-04-25 20:47	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hqbgjsvf.dll.vir
2007-04-25 20:48	  344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fvsjgbqh.ini.vir
2007-04-26 07:30	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kcskbdfl.dll.vir
2007-04-26 07:30	  344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lfdbksck.ini.vir
2007-05-07 07:27	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xwkoapmf.dll.vir
2007-05-07 07:27	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\aidjbqbe.dll.vir
2007-05-07 15:53	  1463082	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fmpaokwx.ini.vir
2007-05-08 10:25	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pnqpvifu.dll.vir
2007-05-08 10:26	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\shxvvlnt.dll.vir
2007-05-08 10:32	  1463082	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ufivpqnp.ini.vir
2007-05-08 11:16	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vujrmfdx.dll.vir
2007-05-08 11:16	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bpnkbbmd.dll.vir
2007-05-08 20:37	  1463082	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xdfmrjuv.ini.vir
2007-05-09 08:03	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hdbafdld.dll.vir
2007-05-09 08:03	  294	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dldfabdh.ini.vir
2007-05-09 08:03	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cybyrlbw.dll.vir
2007-05-10 08:25	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\svwtrhnh.dll.vir
2007-05-10 08:25	  294	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hnhrtwvs.ini.vir
2007-05-10 08:25	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fgdiawkf.dll.vir
2007-05-11 07:50	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wgxnixql.dll.vir
2007-05-11 07:50	  294	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lqxinxgw.ini.vir
2007-05-11 07:50	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dbuexqcc.dll.vir
2007-05-11 08:14	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\svwthivj.dll.vir
2007-05-11 10:25	  294	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jvihtwvs.ini.vir
2007-05-11 10:55	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kxajedok.dll.vir
2007-05-12 10:55	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cgxinxad.dll.vir
2007-05-12 10:55	  1509586	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.bak1.vir
2007-05-12 10:56	  354	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\daxnixgc.ini.vir
2007-05-12 10:56	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fefsrrhj.dll.vir
2007-05-12 12:11	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xnhwprwq.dll.vir
2007-05-12 12:18	  1429694	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qwrpwhnx.ini.vir
2007-05-13 09:48	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vvswrdsr.dll.vir
2007-05-13 09:48	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fiqtatmm.dll.vir
2007-05-13 09:55	  1431359	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rsdrwsvv.ini.vir
2007-05-14 08:23	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\utujcieq.dll.vir
2007-05-14 08:56	  1431775	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qeicjutu.ini.vir
2007-05-15 07:50	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mpdekvyb.dll.vir
2007-05-15 07:50	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ngchbmtb.dll.vir
2007-05-15 07:52	  344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\byvkedpm.ini.vir
2007-05-16 08:25	  123972	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nxinlfgt.dll.vir
2007-05-16 08:25	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hfafqfnx.dll.vir
2007-05-16 08:32	  1463830	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xnfqfafh.ini.vir
2007-05-17 08:03	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\runpxypo.dll.vir
2007-05-17 08:03	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lxhppymk.dll.vir
2007-05-17 08:09	  1458614	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\opyxpnur.ini.vir
2007-05-18 08:09	  123972	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\betmsveu.dll.vir
2007-05-18 08:09	  123972	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ubicnkym.dll.vir
2007-05-18 08:10	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sjuwwinc.dll.vir
2007-05-18 08:10	  844889	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cniwwujs.ini.vir
2007-05-19 07:26	  123972	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hfhsbjxs.dll.vir
2007-05-19 07:26	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kafvpjun.dll.vir
2007-05-19 07:27	  833162	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nujpvfak.ini.vir
2007-05-20 07:49	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\eqbqkjlb.dll.vir
2007-05-20 07:49	  1531667	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.bak2.vir
2007-05-20 07:49	  833163	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bljkqbqe.ini.vir
2007-05-27 09:52	  1406677	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.ini2.vir


Folder PATH listing
Volume serial number is 20E1-B51C
C:\QOOBOX
\---Quarantine
	+---C
	|   +---Program Files
	|   |   \---Common Files
	|   |		   Yazzle1281OinUninstaller.exe.vir
	|   |		   
	|   \---WINDOWS
	|	   |   NDNuninstall4_80.exe.vir
	|	   |   NDNuninstall4_88.exe.vir
	|	   |   NDNuninstall4_94.exe.vir
	|	   |   
	|	   \---SYSTEM32
	|			   aidjbqbe.dll.vir
	|			   betmsveu.dll.vir
	|			   bljkqbqe.ini.vir
	|			   bpnkbbmd.dll.vir
	|			   byvkedpm.ini.vir
	|			   cdeeg.bak1.vir
	|			   cdeeg.bak2.vir
	|			   cdeeg.ini.vir
	|			   cdeeg.ini2.vir
	|			   cdeeg.tmp.vir
	|			   cgxinxad.dll.vir
	|			   cniwwujs.ini.vir
	|			   cybyrlbw.dll.vir
	|			   daxnixgc.ini.vir
	|			   dbuexqcc.dll.vir
	|			   dldfabdh.ini.vir
	|			   eqbqkjlb.dll.vir
	|			   fefsrrhj.dll.vir
	|			   fgdiawkf.dll.vir
	|			   fiqtatmm.dll.vir
	|			   fmpaokwx.ini.vir
	|			   fvsjgbqh.ini.vir
	|			   gebawww.dll.vir
	|			   geedc.dll.vir
	|			   hdbafdld.dll.vir
	|			   hfafqfnx.dll.vir
	|			   hfhsbjxs.dll.vir
	|			   hnhrtwvs.ini.vir
	|			   hqbgjsvf.dll.vir
	|			   jvihtwvs.ini.vir
	|			   kafvpjun.dll.vir
	|			   kcskbdfl.dll.vir
	|			   kxajedok.dll.vir
	|			   lfdbksck.ini.vir
	|			   lodlnhau.ini.vir
	|			   lqxinxgw.ini.vir
	|			   lxhppymk.dll.vir
	|			   mpdekvyb.dll.vir
	|			   ngchbmtb.dll.vir
	|			   nujpvfak.ini.vir
	|			   nxinlfgt.dll.vir
	|			   opyxpnur.ini.vir
	|			   pnqpvifu.dll.vir
	|			   qeicjutu.ini.vir
	|			   qwrpwhnx.ini.vir
	|			   rsdrwsvv.ini.vir
	|			   runpxypo.dll.vir
	|			   shxvvlnt.dll.vir
	|			   sjuwwinc.dll.vir
	|			   svwthivj.dll.vir
	|			   svwtrhnh.dll.vir
	|			   uahnldol.dll.vir
	|			   ubicnkym.dll.vir
	|			   ufivpqnp.ini.vir
	|			   utujcieq.dll.vir
	|			   vujrmfdx.dll.vir
	|			   vvswrdsr.dll.vir
	|			   wgxnixql.dll.vir
	|			   xdfmrjuv.ini.vir
	|			   xnfqfafh.ini.vir
	|			   xnhwprwq.dll.vir
	|			   xwkoapmf.dll.vir
	|			   
	\---Registry_backups
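The quarantine listing above shows a pattern worth recognising in Vundo/Virtumonde clean-ups: each randomly named eight-letter DLL in SYSTEM32 arrives with an .ini whose name is the DLL's name spelled backwards (svwthivj.dll with jvihtwvs.ini, cgxinxad.dll with daxnixgc.ini, xnhwprwq.dll with qwrpwhnx.ini, and so on), and the DLLs keep coming back at a handful of fixed sizes (132660, 49204, 123972 bytes) under fresh names day after day. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses a ComboFix-style quarantine listing and reports those reversed-name pairs and same-size clusters. The sample listing embedded in it is constructed from a subset of the lines above.

```python
import re
from collections import defaultdict

# Constructed sample: eleven lines taken from the ComboFix quarantine listing in the
# thread, in its "date time size attributes path" layout (whitespace-separated here).
SAMPLE_LISTING = r"""
2007-05-11 07:50    49204  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dbuexqcc.dll.vir
2007-05-11 08:14   132660  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\svwthivj.dll.vir
2007-05-11 10:25      294  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jvihtwvs.ini.vir
2007-05-12 10:55   132660  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cgxinxad.dll.vir
2007-05-12 10:55  1509586  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.bak1.vir
2007-05-12 10:56      354  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\daxnixgc.ini.vir
2007-05-12 12:11   132660  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xnhwprwq.dll.vir
2007-05-12 12:18  1429694  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qwrpwhnx.ini.vir
2007-05-13 09:48    49204  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fiqtatmm.dll.vir
2007-05-20 07:49   132660  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\eqbqkjlb.dll.vir
2007-05-20 07:49   833163  --a------  C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bljkqbqe.ini.vir
"""

# One listing line: date, time, size in bytes, attribute flags, full path (may contain spaces).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# Vundo-style throwaway names: eight lowercase letters, nothing else.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")


def parse_listing(text):
    """Turn the quarantine listing into dicts; strips ComboFix's .vir quarantine suffix."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines or anything that is not a listing row
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1]
        if name.lower().endswith(".vir"):
            name = name[:-4]
        entries.append({"date": m.group("date"), "time": m.group("time"),
                        "size": int(m.group("size")), "path": path, "name": name.lower()})
    return entries


def find_reversed_pairs(entries):
    """Pair each random-named .dll with an .ini whose name is the DLL name reversed."""
    names = {e["name"] for e in entries}
    pairs = []
    for e in entries:
        stem, _, ext = e["name"].rpartition(".")
        if ext != "dll" or not RANDOM_STEM.match(stem):
            continue
        twin = stem[::-1] + ".ini"
        if twin in names:
            pairs.append((e["name"], twin))
    return sorted(pairs)


def size_clusters(entries, min_count=2):
    """Group DLLs by exact size: the same payload re-dropped under new names shows up as one cluster."""
    by_size = defaultdict(list)
    for e in entries:
        if e["name"].endswith(".dll"):
            by_size[e["size"]].append(e["name"])
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_count}


if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    for dll, ini in find_reversed_pairs(ents):
        print(f"reversed-name pair: {dll} <-> {ini}")
    for size, names in sorted(size_clusters(ents).items()):
        print(f"{len(names)} DLLs of identical size {size}: {', '.join(names)}")
```

On a live system the same two checks can be run over a plain `dir` of SYSTEM32 before anything is quarantined; a DLL with a reversed-name .ini beside it is worth submitting to a scanner even when the antivirus is quiet about it.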


#7 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 27 May 2007 - 03:48 PM

Your log is clean.

What problem remains?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating; see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#8 westminster (Full Member, 10 posts)

Posted 27 May 2007 - 04:36 PM

THANK YOU THANK YOU THANK YOU!!

Things are fairly well behaved now.

The only nagging issue is that during a follow-up AdAware scan I encountered a series of "Threat Detected" messages indicating the presence of a Trojan Horse virus.

Should this be something to worry about?

During normal operation (for the past few hours anyway) I don't have the IE popups!

Did I already say THANK YOU?

Thanks and best regards, Jim.

#9 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 28 May 2007 - 06:32 AM

Please print this topic for your reference.

The only thing suspicious I found on your log is this item.

Look at the properties of the files and find out where it came from.
C:\WINDOWS\system32\qeoelacw.dll

Then submit the file in bold to the following link for a scan, then post the results in your next message for me to see.
http://virusscan.jotti.org/

I suspect it's from a Vundo infection. Run this tool.

=*=

Please download Atribune's VundoFix.exe from this site:
http://www.atribune..../click.php?id=4 and place it on your desktop.

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click YES

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click OK.

=*=

Your Java version is vulnerable to this type of infection. Please update.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version. <- important.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
nasdaq


#10 westminster (Full Member, 10 posts)

Posted 28 May 2007 - 11:57 AM

I cannot find the file C:\WINDOWS\system32\qeoelacw.dll

As a matter of fact, about a month ago I was getting error messages at startup informing me that the computer could not find that particular file. All I could do was say OK and the computer continued on without it. I haven't noticed anything that would not run, but it certainly coincided with the start of my malware problems.

Is this file important, or can I continue to process without it? I don't get the error message anymore, but I'm not sure why; perhaps I set a flag that told the computer to stop telling me about it?

Should I still go ahead and scan for the Vundo infection and update Java?

Thanks again for all the help!

#11 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 28 May 2007 - 01:18 PM

Download the Registry Search Tool from here:
http://www.billsway....les/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:
qeoelacw.dll

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.
nasdaq


#12 westminster (Full Member, 10 posts)

Posted 28 May 2007 - 02:00 PM

Here are the results of the scan:

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "qeoelacw.dll" 5/28/2007 11:56:45 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\qeoelacw.dll\",setvm"

#13 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 28 May 2007 - 03:00 PM

; Purpose: Remove traces in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"PrintDrive"=-



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

If you need help on "How to Make a .Reg File"
See: http://www.nellie2.co.uk/file.htm

Let me know what problem persists.
nasdaq

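The RegSrch output in post #12 and the Fix.reg in post #13 together show the whole loop: a rundll32.exe autorun value under ...\CurrentVersion\Run- still points at C:\WINDOWS\system32\qeoelacw.dll even though the DLL itself is gone (Run- is the key where MSConfig on Windows XP parks startup items that have been unticked, which fits the guess in post #10 that a flag had silenced the startup error). The Python below is an added example, not from the thread and not RegSrch's own code: it parses a REGEDIT4 export, pulls out rundll32-style values under the Run, Run- and RunOnce keys, checks whether the DLL each one loads is still on disk, and writes the same kind of `"Name"=-` deletion file as post #13 for the orphans. The export text is constructed from post #12 plus two hypothetical entries (ExampleHelper, ExampleTray) so the filters have something to keep, and because the script runs offline the file check is a lookup in a set standing in for os.path.exists.

```python
import re

# Constructed sample: a REGEDIT4 export in the same shape as the RegSrch output in
# post #12. The "PrintDrive" value is the one from the thread; "ExampleHelper" and
# "ExampleTray" are hypothetical entries added for illustration.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\qeoelacw.dll\",setvm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleHelper"="rundll32.exe C:\\WINDOWS\\system32\\example_present.dll,Start"
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /background"
"""

# Stand-in for os.path.exists so the example runs offline: only this (hypothetical) DLL "exists".
PRESENT_FILES = {r"c:\windows\system32\example_present.dll"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# A REG_SZ line: "name"="data", where data uses \\ for backslash and \" for a quote.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
# rundll32 command lines look like: rundll32.exe "C:\path\x.dll",EntryPoint
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\run-", "\\currentversion\\runonce")


def unescape(s):
    # .reg escaping: a backslash followed by any character stands for that character
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return (key, value_name, data) triples for every REG_SZ line in a .reg export."""
    key, out = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            out.append((key, unescape(m.group("name")), unescape(m.group("data"))))
    return out


def is_autorun_key(key):
    return key.rstrip("\\").lower().endswith(AUTORUN_SUFFIXES)


def rundll32_autoruns(entries):
    """Pick out autorun values that load a DLL through rundll32 and split them into parts."""
    found = []
    for key, name, data in entries:
        if not is_autorun_key(key):
            continue
        m = RUNDLL_RE.match(data.strip())
        if m:
            found.append({"key": key, "name": name, "dll": m.group("dll"),
                          "entry": m.group("entry"),
                          # the Run- key holds startup items MSConfig has disabled
                          "disabled": key.rstrip("\\").endswith("-")})
    return found


def orphaned(autoruns, exists):
    """Values whose DLL is no longer on disk: inert, but a leftover that keeps tripping scanners."""
    return [a for a in autoruns if not exists(a["dll"])]


def deletion_reg(orphans):
    """Build a Fix.reg like the one in post #13: "Name"=- deletes the value when merged."""
    lines = ["REGEDIT4", ""]
    for a in orphans:
        lines += [f"[{a['key']}]", f'"{a["name"]}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    runs = rundll32_autoruns(parse_reg(SAMPLE_REG))
    for r in runs:
        state = "disabled (Run-)" if r["disabled"] else "active"
        print(f"{r['name']}: {r['dll']} entry point {r['entry']} [{state}]")
    gone = orphaned(runs, lambda p: p.lower() in PRESENT_FILES)
    print(deletion_reg(gone))
```

On a real machine the export comes from `reg export` or a RegSrch run and `exists` is `os.path.exists`; the point of keeping the check separate is that a rundll32 value whose DLL is still present deserves a scan of that DLL, not a deletion.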

#14 westminster (Full Member, 10 posts)

Posted 28 May 2007 - 05:23 PM

You guys are the BEST!

Thanks again for all the help!

I just ran AdAware and SpybotS&D, and got good results!

Additionally, I no longer get hijacked, and no longer get Trojan "Threat" messages.

I'm thinking that your work here is done.

I plan to throw a few $$ at your paypal donation page as a small thank you!

Only one last question: in the next-to-last reply you suggested I update a couple of things. Should I still go ahead and scan for the Vundo infection and update Java?

If not, please move this to the "problem solved" category with my heartfelt thanks!!!

Best regards, Jim.

#15 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 29 May 2007 - 06:54 AM

Great, the leftover item in the registry was triggering your security software.

Just Update your Java, Download and install this one.

Java Runtime Environment (JRE) 6u1.


Glad we could help.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
http://users.telenet...prevention.html

:wave:
nasdaq


#16 westminster (Full Member, 10 posts)

Posted 31 May 2007 - 03:18 PM

Hello!

I am VERY happy with the overall performance now- THANKS again for the help.

I have two follow-up questions:
1- Firefox just sent an update, and when I downloaded it, I received a message that the JRE 6 software was not compatible. Is this something I need to worry about?
2- every couple of days I get a "Threat detected" message from AVG. Could there be something still lurking about, or is this normal?

Thanks again, Jim.

#17 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 01 June 2007 - 06:32 AM

Did you update your Java to this latest version?
Java Runtime Environment (JRE) 6u1.

If so, then they are not ready for it. Check with them.

As for your AVG, it's doing its thing. There may be a way in the program to not advise you of these intrusions.
nasdaq


#18 westminster (Full Member, 10 posts)

Posted 01 June 2007 - 11:03 AM

Yes, I downloaded Java Runtime Environment (JRE) 6u1. The next day I got the Firefox update with the incompatibility message; looks like they are indeed NOT ready for it. I'll deal with them.

I don't mind the notifications from AVG. Just glad to hear it is normal.

Sorry to have bugged you over nothing.

Looks like you can put me into the "resolved" category for keeps!

Thanks again for all the assistance, Jim.

#19 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 01 June 2007 - 12:51 PM

Glad we could help.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq


#20 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 12 June 2007 - 08:38 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq
