westminster

PLEASE HELP!! - Hijacked by 89.188.16.10.......

20 posts in this topic

PLEASE HELP ME!

I have been infected by a virus(?) that continues to invoke ie and tries to send me off to unknown sites.

Currently using Mozilla Firefox as my browser (ie uninstalled)

Windows XP Home w/SP2 and regular updates

Have just run Adaware SE Personal and Spybot- Search and Destroy with updated definitions

Still get ie windows trying to send me off to sites unknown, almost always with 89.188.16.10 somewhere in the title

Get periodic "Threats Detected" trojan horse messages from AVG (free edition)

Occasionally the CPU usage goes to near 100% for long periods

I have read the FAQ for the forum

 

hijack log file:

 

Logfile of HijackThis v1.99.1

Scan saved at 7:24:03 PM, on 5/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\eFax Messenger 4.3\J2GTray.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.sxload.net (HKLM)

O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09e8d69e844ce5f6f017/...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reportserver.nexionnet.com/viewer/a...tivexviewer.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 

Can you please help me???? I'm ready to take a sledge hammer to the cpu!!!!

Thanks so very much!!!! Jim.


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hello,

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Nothing suspicious was found on your log. Clean these items from the registry.

 

Disable TeaTimer:

 

Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable TeaTimer:

  • Run Spybot-S&D
  • Go to the Mode menu , and make sure "Advanced Mode " is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer " and OK any prompts
  • Restart your computer.

 

After all of the fixes are complete it is very important that you enable TeaTimer again.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O15 - Trusted Zone: *.sxload.net (HKLM)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09e8d69e844ce5f6f017/...ip/RdxIE601.cab

 

Click on Fix Checked when finished and exit HijackThis.

 

Download this file - combofix.exe

 

and save it to your desktop (Important). Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

 

"%userprofile%\desktop\combofix.exe"

 

Boot into safe mode by tapping the F8 key just before Windows starts to load.

 

go to start --> run and copy/paste in the following:

 

"%userprofile%\desktop\combofix.exe"

 

When finished, it shall produce a log for you. Save it and post that log in your next reply.

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

In your next post, please include

  • new hijackthis log
  • combofix log

*use separate posts to ensure the logs don't get cut off!

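The helper's post picks three entries out of an otherwise clean-looking HijackThis log: an O3 toolbar whose CLSID points at no file, an O15 addition to Internet Explorer's Trusted Zone, and an O16 ActiveX control pulled from a bare IP address. As an added example (not part of the original thread, and not HijackThis's own code), the Python below applies those same three rules to HijackThis text. The sample input is an excerpt of the first log above; the raw-IP rule is deliberately broader than the helper's picks, so it also surfaces the 216.249.24.140 download for review, and the "(no file)" rule is extended to O2 BHO lines because the second log in the thread contains one.

```python
import re
from ipaddress import ip_address
from typing import List, NamedTuple
from urllib.parse import urlparse

# Excerpt of the entries from the first HijackThis log in this thread.  The
# three lines the helper asked to have fixed are included, together with a few
# benign lines that the rules must leave alone.
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.dellnet.com
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09e8d69e844ce5f6f017/...ip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe
"""

# Every HijackThis entry starts with a section code such as R1, O4 or O16.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL = re.compile(r"https?://\S+")


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


def _host_is_raw_ip(url: str) -> bool:
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def triage_hjt_log(text: str) -> List[Finding]:
    """Apply the three rules the helper used to a HijackThis log."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if not match:
            continue  # process list, blank lines, headers
        section, body = match.group("section"), match.group("body")
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(
                section, "BHO/toolbar CLSID registered but its file is gone", line))
        elif section == "O15":
            findings.append(Finding(
                section, "site added to the IE Trusted Zone; confirm it was deliberate", line))
        elif section == "O16":
            url = URL.search(body)
            if url and _host_is_raw_ip(url.group(0)):
                findings.append(Finding(
                    section, "ActiveX control downloaded from a bare IP address", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

The O15 and raw-IP rules are prompts for a human to look, not verdicts: a named host is no guarantee of safety either, and the `...` in the posted URLs means the full download path was never visible in the log.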

First off, THANK YOU SO MUCH for helping me tackle this problem!!

 

Per your instructions, I will post THREE things (in separate replies):

 

1- new HJT log

 

TWO log files generated by ComboFix (don't know which one you need)

 

2- ComboFix.txt log

3- ComboFix-quarantined-files.txt

 

New HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:06:31 AM, on 5/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\eFax Messenger 4.3\J2GTray.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reportserver.nexionnet.com/viewer/a...tivexviewer.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Next attachment (sorry about the duplication above!)

 

ComboFix.txt log:

 

"Jim" - 2007-05-27 9:47:49 Service Pack 2 [SAFE MODE]

ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Jim\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\aidjbqbe.dll

C:\WINDOWS\system32\betmsveu.dll

C:\WINDOWS\system32\bpnkbbmd.dll

C:\WINDOWS\system32\cgxinxad.dll

C:\WINDOWS\system32\cybyrlbw.dll

C:\WINDOWS\system32\dbuexqcc.dll

C:\WINDOWS\system32\eqbqkjlb.dll

C:\WINDOWS\system32\fefsrrhj.dll

C:\WINDOWS\system32\fgdiawkf.dll

C:\WINDOWS\system32\fiqtatmm.dll

C:\WINDOWS\system32\hdbafdld.dll

C:\WINDOWS\system32\hfafqfnx.dll

C:\WINDOWS\system32\hfhsbjxs.dll

C:\WINDOWS\system32\hqbgjsvf.dll

C:\WINDOWS\system32\kafvpjun.dll

C:\WINDOWS\system32\kcskbdfl.dll

C:\WINDOWS\system32\kxajedok.dll

C:\WINDOWS\system32\lxhppymk.dll

C:\WINDOWS\system32\mpdekvyb.dll

C:\WINDOWS\system32\ngchbmtb.dll

C:\WINDOWS\system32\nxinlfgt.dll

C:\WINDOWS\system32\pnqpvifu.dll

C:\WINDOWS\system32\runpxypo.dll

C:\WINDOWS\system32\shxvvlnt.dll

C:\WINDOWS\system32\sjuwwinc.dll

C:\WINDOWS\system32\svwthivj.dll

C:\WINDOWS\system32\svwtrhnh.dll

C:\WINDOWS\system32\uahnldol.dll

C:\WINDOWS\system32\ubicnkym.dll

C:\WINDOWS\system32\utujcieq.dll

C:\WINDOWS\system32\vujrmfdx.dll

C:\WINDOWS\system32\vvswrdsr.dll

C:\WINDOWS\system32\wgxnixql.dll

C:\WINDOWS\system32\xnhwprwq.dll

C:\WINDOWS\system32\xwkoapmf.dll

C:\WINDOWS\system32\daxnixgc.ini

C:\WINDOWS\system32\bljkqbqe.ini

C:\WINDOWS\system32\cdeeg.bak1

C:\WINDOWS\system32\cdeeg.bak2

C:\WINDOWS\system32\cdeeg.ini

C:\WINDOWS\system32\cdeeg.ini2

C:\WINDOWS\system32\cdeeg.tmp

C:\WINDOWS\system32\dldfabdh.ini

C:\WINDOWS\system32\xnfqfafh.ini

C:\WINDOWS\system32\fvsjgbqh.ini

C:\WINDOWS\system32\nujpvfak.ini

C:\WINDOWS\system32\lfdbksck.ini

C:\WINDOWS\system32\byvkedpm.ini

C:\WINDOWS\system32\ufivpqnp.ini

C:\WINDOWS\system32\opyxpnur.ini

C:\WINDOWS\system32\cniwwujs.ini

C:\WINDOWS\system32\jvihtwvs.ini

C:\WINDOWS\system32\hnhrtwvs.ini

C:\WINDOWS\system32\lodlnhau.ini

C:\WINDOWS\system32\qeicjutu.ini

C:\WINDOWS\system32\xdfmrjuv.ini

C:\WINDOWS\system32\rsdrwsvv.ini

C:\WINDOWS\system32\lqxinxgw.ini

C:\WINDOWS\system32\qwrpwhnx.ini

C:\WINDOWS\system32\fmpaokwx.ini

C:\WINDOWS\SYSTEM32\cdeeg.bak1

C:\WINDOWS\SYSTEM32\cdeeg.bak2

C:\WINDOWS\SYSTEM32\cdeeg.ini

C:\WINDOWS\SYSTEM32\cdeeg.ini2

C:\WINDOWS\SYSTEM32\cdeeg.tmp

C:\WINDOWS\SYSTEM32\cdeeg.bak1

C:\WINDOWS\SYSTEM32\cdeeg.bak2

C:\WINDOWS\SYSTEM32\cdeeg.ini

C:\WINDOWS\SYSTEM32\cdeeg.ini2

C:\WINDOWS\SYSTEM32\cdeeg.tmp

C:\WINDOWS\system32\gebawww.dll

C:\WINDOWS\system32\geedc.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

"C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"

"C:\WINDOWS\NDNuninstall4_80.exe"

"C:\WINDOWS\NDNuninstall4_88.exe"

"C:\WINDOWS\NDNuninstall4_94.exe"

"C:\Program Files\xloadnet"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))

 

 

No new files created in this timespan

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-27 15:50:26 -------- d-----w C:\Program Files\Mozilla Thunderbird

2007-04-23 23:44:54 0 ----a-w C:\CONFIG.SYS

2007-04-23 23:44:54 0 ----a-w C:\AUTOEXEC.BAT

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-13 15:46:30 -------- d-----w C:\DOCUME~1\Jim\APPLIC~1\Thunderbird

2007-04-13 15:46:06 15,892 ----a-w C:\WINDOWS\mozver.dat

2007-04-13 15:27:12 -------- d-----w C:\Program Files\mozilla.org

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]

{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 09:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BCMSMMSG"="BCMSMMSG.exe" []

"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-07-26 05:21]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-03-09 11:06]

"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" []

"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []

"sr1exe"="C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" [2003-05-15 15:21]

"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 10:13]

"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" []

"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []

"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

@=

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk

backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]

"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]

C:\Program Files\Common Files\Dell\EUSW\Support.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig]

C:\IME\IMKR\imekrmig.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

C:\Program Files\Microsoft Works\WkDetect.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sr1exe]

"C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"DwlClient"=C:\Program Files\Common Files\Dell\EUSW\Support.exe

"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

"sr1exe"="C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

"PrintDrive"=rundll32.exe "C:\WINDOWS\system32\qeoelacw.dll",setvm

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22564038-544a-11d9-843e-00038a000015}]

AutoRun\command- E:\SafeGuard\Windows\SafeGuard20.exe

 

*Newly Created Service* -STLTRK2K

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20070527-091711-365

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09e8d69e844ce5f6f017/...ip/RdxIE601.cab

 

???????(a hugely long string of question marks...)(had to delete many)??????'????????

 

backup-20070527-091711-585

O15 - Trusted Zone: *.sxload.net (HKLM)

 

backup-20070527-091711-481

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

Contents of the 'Scheduled Tasks' folder

2007-05-26 01:13:00 C:\WINDOWS\tasks\Symantec NetDetect.job

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-27 09:57:56

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-27 9:59:38 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-27 09:59

 

--- E O F ---

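The ComboFix "V Log" above rewards a close read: almost every eight-letter .dll in system32 has an .ini whose name is the same letters reversed (uahnldol.dll and lodlnhau.ini, hqbgjsvf.dll and fvsjgbqh.ini, kcskbdfl.dll and lfdbksck.ini, and so on), and the cdeeg stem appears with five different extensions. As an added example, not part of the original thread and not ComboFix's own code, the Python below pairs the mirrored names and groups same-stem variants so that a pattern like this stands out from a wall of paths. The input is an excerpt of the paths from the log above (with the duplicated, differently-cased cdeeg lines kept to show the de-duplication); the "eight lowercase letters" stem pattern is an assumption fitted to this log, not a general rule.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Excerpt of the paths from the ComboFix "V Log" section of this thread.
SAMPLE_VLOG = """\
C:\\WINDOWS\\system32\\aidjbqbe.dll
C:\\WINDOWS\\system32\\hqbgjsvf.dll
C:\\WINDOWS\\system32\\kcskbdfl.dll
C:\\WINDOWS\\system32\\uahnldol.dll
C:\\WINDOWS\\system32\\xwkoapmf.dll
C:\\WINDOWS\\system32\\lodlnhau.ini
C:\\WINDOWS\\system32\\fvsjgbqh.ini
C:\\WINDOWS\\system32\\lfdbksck.ini
C:\\WINDOWS\\system32\\fmpaokwx.ini
C:\\WINDOWS\\system32\\cdeeg.bak1
C:\\WINDOWS\\system32\\cdeeg.bak2
C:\\WINDOWS\\system32\\cdeeg.ini
C:\\WINDOWS\\system32\\cdeeg.ini2
C:\\WINDOWS\\system32\\cdeeg.tmp
C:\\WINDOWS\\SYSTEM32\\cdeeg.ini
C:\\WINDOWS\\system32\\gebawww.dll
C:\\WINDOWS\\system32\\geedc.dll
"""

# Assumption fitted to this log: the generated names are exactly eight
# lowercase letters.  gebawww.dll and geedc.dll fall outside it on purpose.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")


def parse_vlog(text: str) -> Set[Tuple[str, str]]:
    """Return unique (directory, file name) pairs, lower-cased.

    Windows paths are case-insensitive, so the log's mixed 'system32' and
    'SYSTEM32' spellings refer to the same files and must collapse together.
    """
    entries: Set[Tuple[str, str]] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        directory, _, name = line.lower().rpartition("\\")
        entries.add((directory, name))
    return entries


def analyse_vlog(text: str, directory: str = r"c:\windows\system32") -> Dict[str, object]:
    """Pair mirrored .dll/.ini names and group same-stem variants."""
    names = sorted(name for d, name in parse_vlog(text) if d == directory)
    dlls = {n[:-4] for n in names if n.endswith(".dll") and RANDOM_STEM.match(n[:-4])}
    inis = {n[:-4] for n in names if n.endswith(".ini") and RANDOM_STEM.match(n[:-4])}

    # A companion .ini whose stem is the .dll stem spelled backwards.
    pairs: Dict[str, str] = {}
    for ini in sorted(inis):
        mirror = ini[::-1]
        if mirror in dlls:
            pairs[mirror + ".dll"] = ini + ".ini"
    unpaired: List[str] = sorted(d + ".dll" for d in dlls if d + ".dll" not in pairs)

    # One stem carrying several extensions (.bak1, .bak2, .ini, .ini2, .tmp).
    families: Dict[str, Set[str]] = defaultdict(set)
    for n in names:
        stem, _, ext = n.rpartition(".")
        if stem:
            families[stem].add(ext)
    stem_families = {s: sorted(e) for s, e in families.items() if len(e) >= 3}

    return {"pairs": pairs, "unpaired_dlls": unpaired, "stem_families": stem_families}


if __name__ == "__main__":
    report = analyse_vlog(SAMPLE_VLOG)
    for dll, ini in report["pairs"].items():
        print(f"{dll} <-> {ini}")
    print("unpaired:", ", ".join(report["unpaired_dlls"]))
    for stem, exts in report["stem_families"].items():
        print(f"{stem}.* has {len(exts)} variants: {', '.join(exts)}")
```

Run against the full V Log in the post above, the same routine pairs all twenty .ini files with a mirrored .dll and leaves fifteen eight-letter DLLs unpaired; the quarantine list that follows, with its near-identical file sizes (132660, 49204 and 123972 bytes) and near-daily timestamps, is what you would use next to confirm that these are one family being re-dropped rather than unrelated files.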

Last attachment

 

ComboFix-quarantined-files.txt log:

 

2003-02-15 17:06	  52224	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_80.exe.vir
2003-05-26 13:18	  44544	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_88.exe.vir
2003-07-21 17:58	  44544	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_94.exe.vir
2007-04-19 10:54	  26694	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gebawww.dll.vir
2007-04-19 10:59	  281172	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\geedc.dll.vir
2007-04-19 11:02	  40183	--a------	C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
2007-04-20 11:00	  1406358	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.ini.vir
2007-04-21 10:01	  1422496	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.tmp.vir
2007-04-25 08:08	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\uahnldol.dll.vir
2007-04-25 08:08	  343	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lodlnhau.ini.vir
2007-04-25 20:47	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hqbgjsvf.dll.vir
2007-04-25 20:48	  344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fvsjgbqh.ini.vir
2007-04-26 07:30	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kcskbdfl.dll.vir
2007-04-26 07:30	  344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lfdbksck.ini.vir
2007-05-07 07:27	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xwkoapmf.dll.vir
2007-05-07 07:27	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\aidjbqbe.dll.vir
2007-05-07 15:53	  1463082	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fmpaokwx.ini.vir
2007-05-08 10:25	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pnqpvifu.dll.vir
2007-05-08 10:26	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\shxvvlnt.dll.vir
2007-05-08 10:32	  1463082	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ufivpqnp.ini.vir
2007-05-08 11:16	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vujrmfdx.dll.vir
2007-05-08 11:16	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bpnkbbmd.dll.vir
2007-05-08 20:37	  1463082	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xdfmrjuv.ini.vir
2007-05-09 08:03	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hdbafdld.dll.vir
2007-05-09 08:03	  294	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dldfabdh.ini.vir
2007-05-09 08:03	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cybyrlbw.dll.vir
2007-05-10 08:25	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\svwtrhnh.dll.vir
2007-05-10 08:25	  294	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hnhrtwvs.ini.vir
2007-05-10 08:25	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fgdiawkf.dll.vir
2007-05-11 07:50	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wgxnixql.dll.vir
2007-05-11 07:50	  294	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lqxinxgw.ini.vir
2007-05-11 07:50	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dbuexqcc.dll.vir
2007-05-11 08:14	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\svwthivj.dll.vir
2007-05-11 10:25	  294	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jvihtwvs.ini.vir
2007-05-11 10:55	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kxajedok.dll.vir
2007-05-12 10:55	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cgxinxad.dll.vir
2007-05-12 10:55	  1509586	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.bak1.vir
2007-05-12 10:56	  354	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\daxnixgc.ini.vir
2007-05-12 10:56	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fefsrrhj.dll.vir
2007-05-12 12:11	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xnhwprwq.dll.vir
2007-05-12 12:18	  1429694	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qwrpwhnx.ini.vir
2007-05-13 09:48	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vvswrdsr.dll.vir
2007-05-13 09:48	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fiqtatmm.dll.vir
2007-05-13 09:55	  1431359	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rsdrwsvv.ini.vir
2007-05-14 08:23	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\utujcieq.dll.vir
2007-05-14 08:56	  1431775	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qeicjutu.ini.vir
2007-05-15 07:50	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mpdekvyb.dll.vir
2007-05-15 07:50	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ngchbmtb.dll.vir
2007-05-15 07:52	  344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\byvkedpm.ini.vir
2007-05-16 08:25	  123972	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nxinlfgt.dll.vir
2007-05-16 08:25	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hfafqfnx.dll.vir
2007-05-16 08:32	  1463830	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xnfqfafh.ini.vir
2007-05-17 08:03	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\runpxypo.dll.vir
2007-05-17 08:03	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lxhppymk.dll.vir
2007-05-17 08:09	  1458614	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\opyxpnur.ini.vir
2007-05-18 08:09	  123972	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\betmsveu.dll.vir
2007-05-18 08:09	  123972	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ubicnkym.dll.vir
2007-05-18 08:10	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sjuwwinc.dll.vir
2007-05-18 08:10	  844889	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cniwwujs.ini.vir
2007-05-19 07:26	  123972	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hfhsbjxs.dll.vir
2007-05-19 07:26	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kafvpjun.dll.vir
2007-05-19 07:27	  833162	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nujpvfak.ini.vir
2007-05-20 07:49	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\eqbqkjlb.dll.vir
2007-05-20 07:49	  1531667	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.bak2.vir
2007-05-20 07:49	  833163	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bljkqbqe.ini.vir
2007-05-27 09:52	  1406677	--a------	C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.ini2.vir


Folder PATH listing
Volume serial number is 20E1-B51C
C:\QOOBOX
\---Quarantine
+---C
|   +---Program Files
|   |   \---Common Files
|   |		   Yazzle1281OinUninstaller.exe.vir
|   |		   
|   \---WINDOWS
|	   |   NDNuninstall4_80.exe.vir
|	   |   NDNuninstall4_88.exe.vir
|	   |   NDNuninstall4_94.exe.vir
|	   |   
|	   \---SYSTEM32
|			   aidjbqbe.dll.vir
|			   betmsveu.dll.vir
|			   bljkqbqe.ini.vir
|			   bpnkbbmd.dll.vir
|			   byvkedpm.ini.vir
|			   cdeeg.bak1.vir
|			   cdeeg.bak2.vir
|			   cdeeg.ini.vir
|			   cdeeg.ini2.vir
|			   cdeeg.tmp.vir
|			   cgxinxad.dll.vir
|			   cniwwujs.ini.vir
|			   cybyrlbw.dll.vir
|			   daxnixgc.ini.vir
|			   dbuexqcc.dll.vir
|			   dldfabdh.ini.vir
|			   eqbqkjlb.dll.vir
|			   fefsrrhj.dll.vir
|			   fgdiawkf.dll.vir
|			   fiqtatmm.dll.vir
|			   fmpaokwx.ini.vir
|			   fvsjgbqh.ini.vir
|			   gebawww.dll.vir
|			   geedc.dll.vir
|			   hdbafdld.dll.vir
|			   hfafqfnx.dll.vir
|			   hfhsbjxs.dll.vir
|			   hnhrtwvs.ini.vir
|			   hqbgjsvf.dll.vir
|			   jvihtwvs.ini.vir
|			   kafvpjun.dll.vir
|			   kcskbdfl.dll.vir
|			   kxajedok.dll.vir
|			   lfdbksck.ini.vir
|			   lodlnhau.ini.vir
|			   lqxinxgw.ini.vir
|			   lxhppymk.dll.vir
|			   mpdekvyb.dll.vir
|			   ngchbmtb.dll.vir
|			   nujpvfak.ini.vir
|			   nxinlfgt.dll.vir
|			   opyxpnur.ini.vir
|			   pnqpvifu.dll.vir
|			   qeicjutu.ini.vir
|			   qwrpwhnx.ini.vir
|			   rsdrwsvv.ini.vir
|			   runpxypo.dll.vir
|			   shxvvlnt.dll.vir
|			   sjuwwinc.dll.vir
|			   svwthivj.dll.vir
|			   svwtrhnh.dll.vir
|			   uahnldol.dll.vir
|			   ubicnkym.dll.vir
|			   ufivpqnp.ini.vir
|			   utujcieq.dll.vir
|			   vujrmfdx.dll.vir
|			   vvswrdsr.dll.vir
|			   wgxnixql.dll.vir
|			   xdfmrjuv.ini.vir
|			   xnfqfafh.ini.vir
|			   xnhwprwq.dll.vir
|			   xwkoapmf.dll.vir
|			   
\---Registry_backups


Your log is clean.

 

What problem remains?


THANK YOU THANK YOU THANK YOU!!

 

Things are fairly well behaved now.

 

The only nagging issue is that during a follow-up AdAware scan I encountered a series of "Threat Detected" messages indicating the presence of a Trojan Horse virus.

 

Should this be something to worry about?

 

During normal operation (for the past few hours anyway) I don't have the IE popups!

 

Did I already say THANK YOU?

 

Thanks and best regards, Jim.


Please print this topic for your reference.

 

The only thing suspicious I found on your log is this item.

 

Look at the properties of the files and find out where it came from.

C:\WINDOWS\system32\qeoelacw.dll

 

Then submit the file in bold to the following link for a scan, then post the results in your next message for me to see.

http://virusscan.jotti.org/

 

I suspect it's from a Vundo infection. Run this tool.

 

=*=

 

Please download Atribune's VundoFix.exe from this site:

http://www.atribune.org/ccount/click.php?id=4 and place it on your desktop.

 

Double-click VundoFix.exe to run it.

 

Click the Scan for Vundo button.

 

Once it's done scanning, click the Remove Vundo button.

 

You will receive a prompt asking if you want to remove the files,

click YES

 

Once you click yes, your desktop will go blank as it starts removing

Vundo.

 

When completed, it will prompt that it will reboot your computer,

click OK.

 

=*=

 

Your Java version is vulnerable to this type of infection. Please update.

 

Updating Java

  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version. <- important.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Please post the contents of C:\vundofix.txt and a new HiJackThis log.


I cannot find the file C:\WINDOWS\system32\qeoelacw.dll

 

As a matter of fact, about a month ago I was getting error messages at startup informing me that the computer could not find that particular file. All I could do is to say OK and the computer continued on without it. Haven't noticed anything that would not run, but it certainly coincided with the start of my malware problems.

 

Is this file important, or can I continue to process without it? I don't get the error message anymore, but I'm not sure why- perhaps I set a flag that told the computer to stop telling me about it?

 

Should I still go ahead and scan for the Vundo infection and update Java?

 

Thanks again for all the help!


Download the Registry Search Tool from here:

http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

 

Unzip to your Desktop and double click on regsrch.vbs

(if you have script protection, please allow this to run)

 

In the dialog that opens enter the following:

qeoelacw.dll

 

Press 'OK'

 

The search will run for a while then alert you when it is finished.

 

Press 'OK' and copy the contents of the WordPad window and post in this thread.


Here are the results of the scan:

 

REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "qeoelacw.dll" 5/28/2007 11:56:45 AM

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

"PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\qeoelacw.dll\",setvm"


; Purpose: Remove traces in the registry.

;

; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.

;

; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

"PrintDrive"=-

 

; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

 

If you need help on "How to Make a .Reg File"

See: http://www.nellie2.co.uk/file.htm

 

Let me know what problems persist.
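The two posts above show the pattern by hand: RegSrch turns up an autostart value that launches rundll32.exe on a DLL that is no longer on disk, and the Fix.reg deletes that value with `"Name"=-`. The following Python is an added example, not the thread's or RegSrch's own code: it parses a REGEDIT4-style export, flags Run-type values whose rundll32 DLL is missing, and emits the matching removal .reg. The sample export is constructed from the key and value quoted in the thread; the file-existence check is injectable so it can be run anywhere.

```python
import os
import re
from typing import Callable, List, Tuple

# Constructed sample in the REGEDIT4 layout RegSrch.vbs produces; the key and
# value are the ones quoted in the thread, ";" lines are comments.
SAMPLE_EXPORT = r'''REGEDIT4
; Registry search results for string "qeoelacw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\qeoelacw.dll\",setvm"
'''

_KEY = re.compile(r'^\[(.+)\]$')
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# rundll32 launch line: a quoted (or bare) DLL path followed by ",entrypoint"
_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.IGNORECASE)


def unescape_reg_string(data: str) -> str:
    """Strip the quotes around a REG_SZ literal and undo the \\ and \" escapes."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return re.sub(r'\\(["\\])', r'\1', data)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, unescaped_data) for every value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('REGEDIT'):
            continue
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), unescape_reg_string(m.group(2))))
    return entries


def find_orphaned_rundll32(text: str, exists: Callable[[str], bool] = os.path.exists):
    """Flag autostart values that run rundll32 on a DLL that is no longer on disk."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.upper().rsplit('\\', 1)[-1].startswith('RUN'):
            continue  # only Run / RunOnce / Run- style autostart keys
        m = _RUNDLL.match(data)
        if m and not exists(m.group(1)):
            findings.append((key, name, m.group(1), m.group(2)))
    return findings


def build_fix_reg(findings) -> str:
    """Emit a REGEDIT4 file deleting each flagged value ("Name"=-), like the thread's Fix.reg."""
    out = ['REGEDIT4', '']
    for key, name, _dll, _entry in findings:
        out += [f'[{key}]', f'"{name}"=-', '']
    return '\n'.join(out)
```

Paste RegSrch's WordPad output into `find_orphaned_rundll32` with the default `exists` on the affected machine; the resulting .reg should be reviewed before merging, since a genuinely installed DLL that is merely on a path the checker cannot see would be flagged too.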


You guys are the BEST!

 

Thanks again for all the help!

 

I just ran AdAware and SpybotS&D, and got good results!

 

Additionally, I no longer get hijacked, and no longer get Trojan "Threat" messages.

 

I'm thinking that your work here is done.

 

I plan to throw a few $$ at your paypal donation page as a small thank you!

 

Only one last question: in the next-to-last reply you suggested I update a couple of things: Should I still go ahead and scan for the Vundo infection and update Java?

 

If not, please move this to the "problem solved" category with my heartfelt thanks!!!

 

Best regards, Jim.


Great. The leftover item in the registry was triggering your security software.

 

Just update your Java. Download and install this one.

 

Java Runtime Environment (JRE) 6u1.

 

 

Glad we could help.

 

Please read this Prevention page with lots of info and tips how to prevent this in the future.

http://users.telenet.be/bluepatchy/miekiem...prevention.html

 

:wave:


Hello!

 

I am VERY happy with the overall performance now- THANKS again for the help.

 

I have two follow-up questions:

1- Firefox just sent an update, and when I downloaded it, I received a message that the JRE 6 software was not compatible. Is this something I need to worry about?

2- every couple of days I get a 'Threat detected" message from AVG. Could there be something still lurking about or is this normal?

 

Thanks again, Jim.


Did you update your Java to this latest version?

Java Runtime Environment (JRE) 6u1.

 

If so then they are not ready for it. Check with them.

 

As for your AVG, it's doing its thing. There may be a way in the program to not advise you of these intrusions.


Yes I downloaded Java Runtime Environment (JRE) 6u1. The next day I got the Firefox update with the incompatibility message- looks like they are indeed NOT ready for it. I'll deal with them.

 

I don't mind the notifications from AVG. Just glad to hear it is normal.

 

Sorry to have bugged you over nothing.

 

Looks like you can put me into the "resolved" category for keeps!

 

Thanks again for all the assistance, Jim.


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
