Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Qewiryu1.exe ?


  • Please log in to reply
1 reply to this topic

#1 yesme

yesme

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:27 PM

Posted 26 June 2007 - 07:46 PM

My computer has recently been showing this error message at the bottom of my screen and then boots a ms-dos program ""

16 bit ms-dos subsystem

C;/windows/system32/qewiyr~1.exe


Ntvdm CPU has encountered an illegal instruction.

""

I have searched for this file in my system 32 folder and have found 3 executables called qewiryu1 , 2 , 3
And Google proves useless for help.

Please can you help me here is my hijackthis.log as i hear you need it to help me::::::
::::


Logfile of HijackThis v1.99.1
Scan saved at 01:22:50, on 27/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WgaTray.exe
c:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\system32\psctoolx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\Bright Bug Software\Shared\Screen Savers\BBDTMngr.exe
C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\XP Tools\xptools.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Phil\Desktop\Hijck this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44666d1c-1dd2-11b2-a30b-bc4d2487903f} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {b085af2c-1dd1-11b2-840b-8a7c2e52cf6c} - (no file)
O2 - BHO: (no name) - {b26d6b66-1dd1-11b2-ab0e-f2710b9d5c2b} - C:\WINDOWS\system32\Bz8B47Lo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [PSC tool] C:\WINDOWS\system32\psctoolx.exe
O4 - HKLM\..\Run: [nvfywxd.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Phil\Local Settings\Application Data\nvfywxd.dll",scnqtoc
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [TPSRV9x] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XP Tools] C:\Program Files\XP Tools\xptools.exe /min
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Run BBDTMngr.exe.lnk = C:\Program Files\Bright Bug Software\Shared\Screen Savers\BBDTMngr.exe
O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw003
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F8EBE73-0DA7-442E-BA0C-B1A1819321EC}: NameServer = 85.255.116.89,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D436A3-A835-46DA-830A-872FF3776A99}: NameServer = 85.255.116.89,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BB9C2D8-397D-49CA-AB7A-BD3E9059BE9E}: NameServer = 85.255.116.89,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E39E242-3969-4B67-A1BA-6D391C325025}: NameServer = 85.255.116.89,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DC2D9D-6C6F-4D2E-A96A-7ED2B520C11C}: NameServer = 85.255.116.89,85.255.112.204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.204
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F8EBE73-0DA7-442E-BA0C-B1A1819321EC}: NameServer = 85.255.116.89,85.255.112.204
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.204
O17 - HKLM\System\CS3\Services\Tcpip\..\{0F8EBE73-0DA7-442E-BA0C-B1A1819321EC}: NameServer = 85.255.116.89,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.204
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

:::::::::::::
thanks .

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 27 June 2007 - 10:38 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum yesme :thumbsup:

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

****************

Download SmitfraudFix (by S!Ri), to your desktop.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report into your next reply.

****************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users