Celldorado.com
Hello,
I have a very annoying problem with a website called "Celldorado.com" at the moment. It started popping up regularly a few weeks ago and has consequently started all sorts of other websites popping up.
I have Spybot Search & Destroy, AVG, McAfee and Windows Defender, but none of them find any problems. I also use Firefox Web Browser and have manually blocked the various cookies that these websites keep adding to the computer.
Please God help me before I throw my PC out of the window!
You're rated as an excellent forum, so I'm hoping you can help me out.
Thanks.
Comments
-
Please give us 2 logs of StartupList (one from safe-mode and another one from normal-mode)
You can download it from: http://www.spywareinfo.com/~merijn/files/startuplist.zip or http://www.merijn.org/files/startuplist.zip
0 -
I used the link and copied the data it gave me to the clipboard. I then copied it into my reply on this post, but when I pressed "add reply" it gave me an error message saying that the post was too long.
Where have I gone wrong?
Can anyone help with this???
crysty2k5's EDIT: posts merged
0 -
Dear sir,
please save the log into a file (log.txt) and attach it on this forum.
0 -
Here is the normal mode log saved in notepad:
Here is the safe mode log saved in notepad:
Have I attached these logs correctly???
Please can somebody help me with this problem!!!???
Nobody has replied to my post for a long time.
Please can somebody help me?
crysty2k5's EDIT: posts merged
[Attachment: log.txt]
0 -
Hello shaunhale,
Sorry for the late reply. I don't know why someone didn't reply earlier.
Please post a HijackThis log. I'll take a look and see what could trigger the popups.
Cris.
0 -
Hello shaunhale,
Can you please check the following locations:
Click on Start, My Computer, double click on the icon of your hard disc, Documents and Settings. Now go to the Tools menu, Folder Options, press on the Display/View tab, check the option show hidden files/folders, and press on Apply. Now open the folder of your user account; you will see a folder called Local Settings. Open it, open Application Data also, and see if you can find files inside with these names:
uielagc.dat
uielagc.exe
uielagc_nav.dat
uielagc_navps.dat
Now check these locations: go to Start, My Computer, double click on the icon of your hard disc, Windows, system 32 folder, cache, and add the content also to an archive. Look also for nvs2.inf entries.
Please archive these and upload them on the forum.
After you have done that, please read this and follow these instructions. Post the output of that scan together with a HijackThis log.
Best regards
Niels
0 -
Niels,
Thanks for getting back to me. I have to apologise myself for taking so long to action the above - I haven't had much time to get on a computer.
Please find attached the ComboFix Log and the HijackThis Log.
I followed your instructions regarding going into the Application Data folder and Cache folder, but they didn't quite follow (maybe because I use Windows Vista?). Anyway, I did find an Application Data folder, but it says "Access Denied" even if I run Explorer as an Administrator. There was no "Cache" folder that I could see under the "System 32" folder. I did reveal all the hidden folders.
Can you help using the two logs above?
[Attachment: ComboFix.txt]
[Attachment: hijackthis.log]
0 -
Please pack this file in a zip or rar archive with the password infected and attach it here!
C:\Users\Shaun\AppData\Local\Microsoft\sgbvea.exe
Upload the file on http://www.virustotal.com/ and paste here the link analysis
0 -
crysty2k5,
I have found the folder C:\Users\Shaun\AppData\Local\Microsoft but it only contains 24 other folders and no files. I certainly cannot see a file called sgbvea.exe
How do I find it?
If I do find it, how do I put it into a zip or rar archive and how do I password protect it?
Can anyone help me with my query please?
crysty2k5's EDIT: posts merged
0 -
Hello shaunhale,
Please download vundofix from here. Double click on it and press on scan for vundo. Wait till the scan is finished. Press remove vundo. If infected files are found, confirm the deletion by pressing on yes. If something is found, please post the output of vundofix.txt, which you will find in the root of your hard disk (Start, My Computer, double click on the partition where Windows is installed). Make a new HijackThis log.
Best regards
Niels
0 -
Vundofix didn't find anything.
Here is my new hijackthis log.
0 -
There is another suspicious file in the log:
C:\Users\Shaun\AppData\Local\Microsoft\dgvgfulclf.exe
Download SUPERAntiSpyware and Malwarebytes' Anti-Malware and run a complete scan!
0 -
SuperAntiSpyware did not find anything.
Malwarebytes' Anti-Malware found 11 items, which I have now removed.
Attached is the log file.
Is there any more I need to do?
0 -
Good, clean all the ad-aware!
0 -
I pressed the "Remove" button when the scan had finished, if that's what you mean?
Attached is my latest hijackthis log.
Does everything look okay now?
0 -
Check and press Fix checked for:
O4 - HKCU\..\Run: [dgvgfulclf] c:\users\shaun\appdata\local\microsoft\dgvgfulclf.exe dgvgfulclf
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
Run a system scan with Bitdefender!
0 -
Sorry, I don't understand?
I've just had another pop-up come up.
I went back into Malwarebytes' Anti-Malware and found the 11 items in the Quarantine section. I then pressed "Delete All"
What are the items you have listed? How do I "fix check" them? What sort of system scan do you want me to do?
Sorry this is taking so long! My computer skills are somewhat limited and I'm not quite following everything you're saying. Please bear with me!
0 -
O4 - HKCU\..\Run: [dgvgfulclf] c:\users\shaun\appdata\local\microsoft\dgvgfulclf.exe dgvgfulclf
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
Not in Malwarebytes' Anti-Malware, in HijackThis
0 -
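Added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over O4 (autorun) and O9 (browser button) entries like the ones listed above. The sample log reuses lines quoted in this thread plus one constructed benign entry; the function name `triage` and its three heuristics are assumptions for illustration, and a hit means "inspect this file", not a verdict.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any host OS

# Sample input: entries quoted in this thread, plus one constructed
# benign entry (ExampleUpdater) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [dgvgfulclf] c:\users\shaun\appdata\local\microsoft\dgvgfulclf.exe dgvgfulclf
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE = re.compile(r'"?(?P<path>[a-z]:\\.*?\.exe)"?', re.IGNORECASE)

def triage(log_text):
    """Return [(line, [reasons])] for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body, reasons = m["code"], m["body"], []
        # Leftover registry entry whose target no longer exists on disk.
        if body.endswith("(file missing)"):
            reasons.append("orphaned entry: target file is missing")
        run = RUN.match(body) if code == "O4" else None
        exe = EXE.search(run["cmd"]) if run else None
        if exe:
            path = exe["path"].lower()
            stem = splitext(basename(path))[0]
            # Autorun pointing into the user profile, writable without admin rights.
            if "\\appdata\\" in path or "\\application data\\" in path:
                reasons.append("autorun target in user-writable profile folder")
            # Value name identical to the file name, as in the entry above.
            if stem == run["name"].lower():
                reasons.append("Run value name equals the executable name")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```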
Thanks!
I've removed everything apart from:
O4 - HKCU\..\Run: [dgvgfulclf] c:\users\shaun\appdata\local\microsoft\dgvgfulclf.exe dgvgfulclf
(It was no longer there)
Attached is a new hijackthis log
0 -
The log is now clean!
0 -
Thank you, but I have just had another pop-up appear. The site is www.yesloansuk.com.
I blocked the cookie associated with it and closed the window, but a couple of minutes later the same website popped up again.
Help!
0 -
Download: http://download.bleepingcomputer.com/andymanchesta/SDFix.exe
Instructions: http://www.bleepingcomputer.com/forums/topic131299.html
Attach here the SDFix log
0 -
Sorry I've taken so long to reply.
I installed the software you suggested and tried to run it. A black window opened for just a brief second and then disappeared. I found the file location and it is definitely there, but every time I try to run it, I get the same black screen appear and disappear in a flash.
0 -
same problem here, the adware seems to disable McAfee SiteAdvisor, BitDefender AntiPhishing and IE 7 phishingfilter. I have Win Vista Home Prem 32 bit
tried (in safe mode):
BitDefender Total Security 2008
VundoFix (BitDefender blocks www.atribune.org, difficult to download)
Spybot Search & Destroy
Lavasoft Ad-Aware
Hijack This
0 -
just a note: the pop-ups are opened in IE7 and FireFox 2 too
0 -
VundoFix V7.0.6
Scan started at 11:05:23 23/06/2008
Listing files found while scanning....
C:\Windows\System32\rQHbyaaX.dll
Beginning removal...
Attempting to delete C:\Windows\System32\rQHbyaaX.dll
C:\Windows\System32\rQHbyaaX.dll Has been deleted!
Performing Repairs to the registry.
Done!
after this nothing has changed and a critical windows error appeared telling me the comp will be restarted in 1 min
at the moment I'm trying Malwarebytes' Anti-Malware
I think this trojan is called Virtumonde
0 -
Can anyone see anything dodgy in my hijack this log?
0 -
I haven't heard from anyone in a while.
Can someone help me with this problem please???
0 -
Please, please, please can someone help with this??????????
0 -
Hello.
Make an archive with the following file (with the password "infected") and attach it in a post.
C:\Users\Shaun\AppData\Local\Microsoft\kmygwkkey.exe
Have a nice day!
0 -
Please excuse my ignorance, but how do I do that?
0 -
Nobody has got back to me yet.
How do I create this "archive file" mentioned above?
I have had this problem with pop-ups for 4 and a half months now and it is getting worse!!!
0 -
I am getting no assistance with this problem and everyone seems to have stopped replying.
The pop-ups now are appearing very regularly and seem to be getting worse.
PLEASE HELP !!!!!!!!!!!!!!!!!!!!!!
0 -
I'm going to keep posting until someone notices me and helps!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!