Elitemedia, Dmonwv.dll And Other Popups



#1 rich z

rich z

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:56 AM

Posted 22 August 2006 - 01:42 PM

I have installed and used Spybot and Ad-Aware. BitDefender could not get rid of one infection (its log is below the HijackThis one). I cannot get rid of these popups.

Below is the HijackThis logfile.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:51 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 148.175.98.10:80
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qeuln.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bycoxxt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nso173.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.riotinto.com
O15 - Trusted Zone: *.riotinto.org
O15 - Trusted Zone: *.riotinto.com (HKLM)
O15 - Trusted Zone: *.riotinto.org (HKLM)
O16 - DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} (CompositeView Control) - http://nassappsrv02/wx/client/IrcViewer.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8657B67-EE7C-4B09-B441-71D482FF9456} (CompositeView Control) - http://rtsiweb03/wx/Client/IrcViewer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://utu.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ae.riotinto.org
O17 - HKLM\Software\..\Telephony: DomainName = ae.riotinto.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ae.riotinto.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ae.riotinto.org
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\PROGRA~1\orawin\bin\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Here is the BitDefender log. It could not remove dmonwv.dll or thiselt.exe.
Scanned File                        Status
C:\WINDOWS\idlemg.exe               Infected with: Trojan.Downloader.Small.BUY
C:\WINDOWS\idlemg.exe               Deleted
C:\WINDOWS\installer_2512.exe       Infected with: Trojan.Downloader.Qoologic.BC
C:\WINDOWS\installer_2512.exe       Disinfection failed
C:\WINDOWS\installer_2512.exe       Deleted
C:\WINDOWS\system32\dmonwv.dll      Infected with: Trojan.Downloader.Qoologic.BC
C:\WINDOWS\system32\dmonwv.dll      Disinfection failed
C:\WINDOWS\system32\dmonwv.dll      Delete failed
C:\WINDOWS\system32\frska.dat       Infected with: Trojan.Downloader.Qoologic.BJ
C:\WINDOWS\system32\frska.dat       Disinfection failed
C:\WINDOWS\system32\frska.dat       Deleted
C:\WINDOWS\thiselt.exe              Infected with: Trojan.Clicker.VB.DW
C:\WINDOWS\thiselt.exe              Disinfection failed
C:\WINDOWS\thiselt.exe              Delete failed
C:\WINDOWS\unwn.exe                 Infected with: Trojan.Downloader.Qoologic.BC
C:\WINDOWS\unwn.exe                 Disinfection failed
C:\WINDOWS\unwn.exe                 Deleted
C:\WINDOWS\YOINSI.exe               Infected with: Trojan.Scapur.A
C:\WINDOWS\YOINSI.exe               Disinfection failed
C:\WINDOWS\YOINSI.exe               Deleted



Thanks for reviewing my log and helping.



#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 AM

Posted 22 August 2006 - 02:33 PM

Hello rich z

I'd like to take a look at this log; I'll get back to you as soon as I can.

Thank you,
ourwilly. :thumbsup:

#3 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 AM

Posted 23 August 2006 - 11:02 AM

Hello rich z :thumbsup:

Copy and Paste this post into a new text document or print it for reference

Step 1.

Please download the Killbox by Option^Explicit.

Note - In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.

We shall use Killbox later!


Now Download Qoofix.zip by RubbeR DuckY from HERE and save it to your Desktop:

Right-click on the Qoofix folder and choose "Extract All". Extract Qoofix to your C: drive.
Close all windows and programs, including internet windows.
Go to C:\Qoofix, open the folder, then double-click on Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If Qoofix finds an infection, select Yes to restart your computer.
You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt. Copy and paste the contents of that report into your next reply here.


Step 2.

Please Re-Scan with HijackThis and place a "checkmark" next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qeuln.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bycoxxt.exe
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nso173.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O16 - DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} (CompositeView Control) - http://nassappsrv02/wx/client/IrcViewer.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://utu.popcap.com/games/popcaploader_v6.cab

Make sure all browser and all Windows Explorer windows are closed and select "Fix checked". Exit HijackThis.


Please now double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\qeuln.exe
C:\WINDOWS\system32\nodeipproc.dll
C:\WINDOWS\system32\nso173.dll
C:\WINDOWS\system32\comcap16.dll
C:\WINDOWS\thiselt.exe
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\system32\frska.dat



Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Step 3.

Download Ewido Anti-Spyware
http://www.ewido.net/en/download/

The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the "Ewido Resident Shield" as this may prevent changes to the registry.
To do this, click "Change State" to the right of the Resident Shield option in the main window.
You will clearly see the status change to Inactive if you have done this correctly.

Ewido automatically updates the spyware definitions if you are connected to the net during installation.
As a precaution, click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close Ewido.
Note: If you have any problems with the updater, you can Update Ewido Manually.
Do not Scan with this yet!

Please reboot your system into Safe Mode: shut down your system, then restart your computer.
As soon as it starts booting up again, continuously tap F8, and from the menu select the option to enter Safe Mode.

Reopen Ewido Anti-Spyware and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the Report-Scan.txt to your desktop.
Then Reboot back into Normal Mode


Please re-scan with HijackThis and post the new HJT log, the Qoofix Logfile.txt
and the Ewido Report-Scan.txt.

Thank You,
ourwilly.
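One way to automate the log review done by hand in Step 2 above (an added example, not code from this thread, from HijackThis or from any of the tools named): it parses HJT entry lines and flags extra loaders on the system.ini Shell/UserInit lines, load-point modules not on an allowlist, and Run entries that launch a URL. The XP defaults in F2_DEFAULTS and the allowlist KNOWN_GOOD are assumptions; the sample lines are copied from the two logs posted in this thread.

```python
"""Triage a HijackThis v1.99 log: flag extra loaders on system.ini
Shell/UserInit (F2), load-point entries (O2, O4, O9, O18, O20) whose module
is not on an allowlist, and Run entries that launch a URL."""
import re
from typing import List, Tuple

# Windows XP defaults for the two system.ini load points (assumption).
F2_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
# Hypothetical allowlist: modules a reviewer has already vetted on this host.
KNOWN_GOOD = {"acroiehelper.dll", "sdhelper.dll", "qttask.exe", "ccapp.exe",
              "vptray.exe", "ctfmon.exe", "imjpmig.exe", "tintsetp.exe",
              "inetrepl.dll", "refiebar.dll", "msmsgs.exe", "navlogon.dll"}
MODULE_SECTIONS = {"O2", "O4", "O9", "O18", "O20"}
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Drive-letter path ending in a loadable module; paths may contain spaces.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|ocx))", re.I)

def parse_entry(line: str) -> Tuple[str, str]:
    """Split 'O4 - HKLM\\..\\Run: [x] C:\\a.exe' into ('O4', 'HKLM...')."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an HJT entry: {line!r}")
    return m.group("sec"), m.group("body")

def check_f2(body: str) -> List[str]:
    """Flag executables appended to system.ini Shell= or UserInit=."""
    key, _, value = body.partition("=")        # key: 'REG:system.ini: Shell'
    name = key.split(":")[-1].strip().lower()   # 'shell' or 'userinit'
    exes = [p.strip().lower() for p in value.split(",") if p.strip()]
    allowed = F2_DEFAULTS.get(name, set())
    return [f"F2 {name}: unexpected loader {e}"
            for e in exes if e.rsplit("\\", 1)[-1] not in allowed]

def check_module(sec: str, body: str) -> List[str]:
    """Flag load-point entries whose module is not on the allowlist."""
    findings = []
    if sec == "O4" and "http://" in body.lower():
        findings.append(f"O4: Run entry launches a URL: {body}")
    m = PATH_RE.search(body)
    if m and m.group(1).rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD:
        findings.append(f"{sec}: unvetted module {m.group(1)}")
    return findings

def triage(log_text: str) -> List[str]:
    """Run every entry line of a log through the checks above."""
    findings: List[str] = []
    for line in log_text.splitlines():
        try:
            sec, body = parse_entry(line)
        except ValueError:
            continue                   # header, process list or blank line
        if sec == "F2":
            findings += check_f2(body)
        elif sec in MODULE_SECTIONS:
            findings += check_module(sec, body)
    return findings

# Constructed sample: entry lines copied from the two logs in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qeuln.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bycoxxt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
"""
```

Calling triage(SAMPLE_LOG) returns six findings, one per entry the helper asked to fix, and nothing for the AcroIEHelper and QuickTime entries.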

#4 rich z

rich z
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:56 AM

Posted 28 August 2006 - 02:29 PM

Below is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:47:11 PM, on 8/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\auehnr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qeuln.exe
C:\WINDOWS\system32\qeuln.exe
C:\WINDOWS\system32\qeuln.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 148.175.98.10:80
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qeuln.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bycoxxt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Iconizer - {AA1A4F83-B4AC-4859-8C91-21DBE6C5625B} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [yliynp] C:\WINDOWS\system32\auehnr.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vipao] C:\WINDOWS\system32\auehnr.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: scqit.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.riotinto.com
O15 - Trusted Zone: *.riotinto.org
O15 - Trusted Zone: *.riotinto.com (HKLM)
O15 - Trusted Zone: *.riotinto.org (HKLM)
O16 - DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} (CompositeView Control) - http://nassappsrv02/wx/client/IrcViewer.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8657B67-EE7C-4B09-B441-71D482FF9456} (CompositeView Control) - http://rtsiweb03/wx/Client/IrcViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ae.riotinto.org
O17 - HKLM\Software\..\Telephony: DomainName = ae.riotinto.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ae.riotinto.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ae.riotinto.org
O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINDOWS\system32\nodeipproc.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\PROGRA~1\orawin\bin\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

The nassappsrv02 is a viewer that I use for work.

I received the following two errors when I ran HJT:
  • For some reason your system denied write access to the Hosts File.
    If any hijacked domains are in this file, HiJack this may NOT be able to fix this.

    If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

    notepad "C:\WINDOWS\System32\drivers\etc\hosts"

    and press enter. Find the line(s) HiJackThis reports and delete them. Save the files as "hosts." (with quotes), and reboot.

  • An unexpected error has occured at procedure: modMain_CheckOther1Item()
    Error #75 - Path/File access error (the error then lists an email to send to).
The Qoofix log is next:

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/28/2006] at [11:59:19 AM]
-------------------------------------------------------------
Terminated module: gcehfaf.dll found in Qoofix.exe (2092)
Terminated module: gcehfaf.dll found in auehnr.exe (224)
Terminated module: gcehfaf.dll found in explorer.exe (308)
Terminated module: gcehfaf.dll found in qeuln.exe (1452)
Terminated module: gcehfaf.dll found in qeuln.exe (852)
Terminated module: gcehfaf.dll found in qeuln.exe (740)
Terminated module: gcehfaf.dll found in DWRCST.EXE (2248)
Terminated module: gcehfaf.dll found in qttask.exe (2532)
Terminated module: gcehfaf.dll found in ccApp.exe (2544)
Terminated module: gcehfaf.dll found in VPTray.exe (2552)
Terminated module: gcehfaf.dll found in ctfmon.exe (2560)
Terminated module: gcehfaf.dll found in pnagent.exe (2584)
Terminated module: gcehfaf.dll found in OUTLOOK.EXE (2988)
Terminated module: gcehfaf.dll found in WINWORD.EXE (3160)
Terminated module: gcehfaf.dll found in wfcrun32.exe (3036)
Terminated module: gcehfaf.dll found in wfica32.exe (3044)
Terminated module: gcehfaf.dll found in wfica32.exe (3676)
-------------------------------------------------------------
C:\WINDOWS\system32\auehnr.exe will be deleted on reboot!
C:\WINDOWS\system32\bycoxxt.exe will be deleted on reboot!
C:\WINDOWS\system32\frska.dat will be deleted on reboot!
C:\WINDOWS\system32\gcehfaf.dll will be deleted on reboot!
C:\WINDOWS\system32\qeuln.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\scqit.exe will be deleted on reboot!
C:\WINDOWS\system32\dmonwv.dll will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/28/2006] at [12:01:29 PM]

Note: Some registry keys may have been removed.

Killbox did send me a PendingFileRenameOperations prompt.

I cannot install Ewido because I'm not an administrator, but I did run the scan online; however, the clean failed and told me to install. Is there another program that might let me install?

I appreciate the help.

rich z

#5 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 AM

Posted 31 August 2006 - 09:28 AM

Hello rich z

Please note that you must have "Admin privileges" on your User Account for the last fix to work.

Then can you please "repeat my last instructions".

If you don't have "Admin privileges", please boot into Safe Mode and access the Administrator account, and then proceed with the fix.

Thank you,
ourwilly. :thumbsup:
