Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Another virus problem


  • Please log in to reply

#1
dfb500

dfb500

    Member

  • Member
  • PipPip
  • 75 posts
My computer again was infected with a nasty virus, something referencing EZULA this time. After running several AD-WARE removal utilities and changing the necesary administrative rights to delete all of the parasitic files that could not be deleted I am now receiving two RUN DLL errors when the PC starts up. The dlls something is looking for are

ielzcde8.dll
li01f948.dll

I am no longer sure if these are parasitic dll's that are being called from some process that is still running on my PC or whether these are legitimate dlls that were inadvertently deleted during the many scans I had to perform, here is a Hijack this file from current

Logfile of HijackThis v1.97.7
Scan saved at 4:15:08 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\gnabant.exe
C:\PROGRA~1\INTERN~3\inetmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INTERN~3\inetsvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo 900] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE /P22 "EPSON Stylus Photo 900" /O6 "USB002" /M "Stylus Photo 900"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\gnabant.exe
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [psp1hfmx] C:\WINDOWS\System32\psp1hfmx.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {49727C2C-01F6-4F27-9D12-A877E77C82FF} (Participant Class) - http://idx-care-cast...ext/IDXWFCC.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://downloads.aaa...tandard_acx.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8096.7359953704
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - http://idx-care-cast...xt/IDXTools.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0496809-4500-11D3-BEE1-00C04F559D73} (IdxLcjInstall Class) - http://idx-care-cast...etupBrowser.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idx-care-cast.../IDXBrowser.cab

Any help is appreciated.

David
  • 0

Advertisements


#2
Smokey

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
You need an anti-virus to prevent future virus problems! AVG is a great free anti-virus program:

http://www.grisoft.c...s_dwnl_free.php

For your immediate problem, reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Be sure you're able to view hidden files and folders, and remove the following files in bold:

C:\Program Files\Common Files\Real\Update_OB\realsched.exe <-- This File
C:\PROGRA~1\Internet Explorer\[n]inetkw.dl[/b] <-- This File
C:\Program Files\TV Media\ <-- This Folder
C:\Program Files\Enigma Software Group\ <-- This Folder
C:\Program Files\BulletProofSoft.com\ <-- This Folder (these last two programs truthfully don't help anything)

C:\WINDOWS\system32\ps2.exe <-- This File
C:\WINDOWS\System32\gnabant.exe <-- This File
C:\WINDOWS\System32\li01f948.dll <-- This File
C:\WINDOWS\System32\iel2cde8.dll <-- This File
C:\WINDOWS\System32\psp1hfmx.exe <-- This File

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: VPN Client.lnk = ?
O16 - DPF: {49727C2C-01F6-4F27-9D12-A877E77C82FF} (Participant Class) - http://idx-care-cast...ext/IDXWFCC.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://downloads.aaa...tandard_acx.exe
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - http://idx-care-cast...xt/IDXTools.cab
O16 - DPF: {E0496809-4500-11D3-BEE1-00C04F559D73} (IdxLcjInstall Class) - http://idx-care-cast...etupBrowser.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idx-care-cast.../IDXBrowser.cab

The following are optional and not required (they're using up RAM):

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Quicktime Tray Icon)
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" (Microsoft Money Tray Icon)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (MSN Messenger)

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log. <_<
  • 0

#3
dfb500

dfb500

    Member

  • Topic Starter
  • Member
  • PipPip
  • 75 posts
I am posting the new Hijack this log after following the instructions of the first reply......problem remains, still receiving the RUN DLL errors, also, please note that these dlls are not on my harddrive, that is why I am receiving the error, seems to me that whatever process or app is calling them is the one that needs to be corrected. Even though the HT log lists some of these files in certain cases they have already been deleted.

Waiting for more instructions

P.S. What does PS2.exe do because this can be removed from the remove software utility in Control Panel

Logfile of HijackThis v1.97.7
Scan saved at 6:02:27 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\INTERN~3\inetmgr.exe
C:\PROGRA~1\INTERN~3\inetsvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo 900] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE /P22 "EPSON Stylus Photo 900" /O6 "USB002" /M "Stylus Photo 900"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\gnabant.exe
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [psp1hfmx] C:\WINDOWS\System32\psp1hfmx.exe
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8096.7359953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

David
  • 0

#4
ditto

ditto

    - i pwn n00bs -

  • Member
  • PipPipPipPip
  • 1,260 posts
fix these

O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP