system
July 13, 2008, 11:42pm
1
Hi, and sorry that I’m quite new to this forum and don’t know if this topic is supposed to be here or in another thread or topic, or is somehow irrelevant in some way or another, and sorry again, but I need a little advice.
I’m currently using avast! 4.8 Professional, and just wandering around the MySpace website, sometimes when I either log in or am viewing a friend’s MySpace page, I get redirected to another website with the whole drive-by download thing, telling me to download their security software and saying that my computer is possibly infected.
I haven’t actually gone ahead and downloaded anything, because I know that if I do it’ll harm my computer, and avast! Professional would most likely pick up what I guess would be some form of malware or a rogue anti-virus/spyware program (the program is called AntiVirus 2009, just to let you know beforehand).
I’m wondering what can be done, and whether it has got anything to do with the website itself or anything, because it’s annoying when it redirects you and you have to reload the page you were on previously. Although I’ve gone to the WebShield options and blocked the URL, so when it occurs it blocks it.
I’d managed to write down the address that it shows in the task bar, I think it’s called, but anyway here it is - hxxp://elihue.cn/s/
Sorry if this message is rather long, and thank you for any replies.
system
July 14, 2008, 12:05am
2
I suggest you schedule a boot-time scan.
I also recommend you download and run HijackThis and post a log here.
RogueRemover will scan and remove any rogue software it finds.
You need to disable the link by replacing “tt” with “xx” in your post.
Just in case you’ve installed AntiVirus 2009, you can get help removing it from:
http://www.2-spyware.com/remove-antivirus-2009.html
system
July 14, 2008, 1:48am
4
Thank you for the help, Jtaylor83 and bob3160.
I downloaded the HijackThis program and here is what it says in the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:30 AM, on 7/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Xfire\xfire.exe
c:\program files\valve\steam\steamapps\jktsoldier\counter-strike source\hl2.exe
C:\Program Files\Valve\Steam\GameOverlayUI.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: (no name) - {19F08A37-29B5-4B66-9551-89E35A0FA8D5} - C:\WINDOWS\system32\xxyxXPij.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AcerOrbicamRibbon] "C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" /hide
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [b8893263] rundll32.exe "C:\WINDOWS\system32\ioibqnmt.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [LogitechSetup] C:\DOCUME~1\JESSEH~1\LOCALS~1\Temp\Temporary Directory 3 for Camera Logitech_10_4_0_1319.zip\Logitech_10_4_0_1319\Setup\Setup.exe /start /restart /l:enu
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190515477453
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F4468FD-9819-48CC-AF51-B961C51810FB}: Domain = sa.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C1538B3-A429-4546-9D3C-CC82AEDB9A64}: Domain = sa.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF99674A-A0D7-41A1-BB4A-1587091C777A}: Domain = sa.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sa.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sa.bigpond.net.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: pgfkxtvh - C:\WINDOWS
O20 - Winlogon Notify: __c0085BC4 - __c0085BC4.dat (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
system
July 14, 2008, 2:42am
5
This looks suspicious; I can’t look it up on either search engine.
O4 - HKLM\..\Run: [b8893263] rundll32.exe "C:\WINDOWS\system32\ioibqnmt.dll",b
ioibqnmt.dll
Please upload the file above to VirusTotal and post the results.
As for this entry, fix it.
O2 - BHO: (no name) - {19F08A37-29B5-4B66-9551-89E35A0FA8D5} - C:\WINDOWS\system32\xxyxXPij.dll (file missing)
It also appears that your Java is out of date. I suggest you uninstall the old version and install the latest version here.
To be sure your software is up to date, download Secunia Software Inspector.
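The kind of triage done in the reply above, as an added example that is not part of the thread: a small Python script that flags HijackThis O2/O4/O20 lines on simple heuristics (referenced file missing, nameless browser add-on, an eight-hex-digit Run value name, rundll32 calling a one-letter export). The sample lines are adapted from the log posted earlier in this thread; the heuristics and function names are my own, not HijackThis features.

```python
import re

# Sample input: lines adapted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {19F08A37-29B5-4B66-9551-89E35A0FA8D5} - C:\WINDOWS\system32\xxyxXPij.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [b8893263] rundll32.exe "C:\WINDOWS\system32\ioibqnmt.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: __c0085BC4 - __c0085BC4.dat (file missing)
""".strip().splitlines()

# O4 lines have the shape "[value name] command line"
RUN_VALUE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 <dll>,<export>, with the DLL path optionally quoted
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S*)', re.I)


def suspicious_reasons(line: str) -> list:
    """Heuristic reasons (my own, not HijackThis logic) why a line deserves a closer look."""
    reasons = []
    low = line.lower()
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("points at a file that no longer exists (orphaned entry)")
    if low.startswith(("o2 -", "o3 -")) and "(no name)" in low:
        reasons.append("browser add-on registered without a display name")
    m = RUN_VALUE.match(line)
    if m:
        if re.fullmatch(r"[0-9a-f]{8}", m.group("name")):
            reasons.append("Run value name is eight hex digits, typical of an auto-generated name")
        r = RUNDLL.search(m.group("cmd"))
        if r and len(r.group("entry")) <= 2:
            reasons.append(f"rundll32 calls a one-letter export '{r.group('entry')}' in {r.group('dll')}")
    return reasons


def triage(lines):
    """Return {line: reasons} for every flagged line; clean lines are omitted."""
    return {ln: rs for ln in lines if (rs := suspicious_reasons(ln))}


if __name__ == "__main__":
    for ln, rs in triage(SAMPLE_LOG).items():
        print(ln)
        for reason in rs:
            print("   ->", reason)
```

The legitimate NVIDIA rundll32 entry and the avast! entry pass untouched, while the three entries the thread singles out are flagged with the reason that applies.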
system
July 14, 2008, 3:23am
6
I followed what you posted before, but uploading the ioibqnmt.dll file to VirusTotal is where I may have a problem. I cannot find that file, because I also have a problem where, when I turn on my computer, a “RUNDLL” error pops up on the screen when it loads up to the desktop.
The error says “Error loading C:\WINDOWS\system32\ioibqnmt.dll”, then it goes on saying “This specified module cannot be found”.
Thank you for your help so far.
system
July 14, 2008, 3:46am
7
Okay, then run HJT and fix:
O4 - HKLM\..\Run: [b8893263] rundll32.exe "C:\WINDOWS\system32\ioibqnmt.dll",b
system
July 14, 2008, 4:06am
8
OK, all done, and thank you for your help.
One more thing though: with the Secunia Software Inspector, everything seems up to date except the Macromedia Flash Player, even though I’ve already updated the Adobe Flash Player thing.
Sorry if that didn’t make sense.