Celldorado.com

Hello,


I have a very annoying problem with a website called "Celldorado.com" at the moment. It started popping up regularly a few weeks ago and has consequently started all sorts of other websites popping up.


I have Spybot Search & Destroy, AVG, McAfee and Windows Defender, but none of them find any problems. I also use Firefox Web Browser and have manually blocked the various cookies that these websites keep adding to the computer.


Please God help me before I throw my PC out of the window! :wacko:


You're rated as an excellent forum, so I'm hoping you can help me out.


Thanks.

Comments

  • Please give us 2 logs of StartupList (one from safe-mode and another one from normal-mode)


    You can download it from: http://www.spywareinfo.com/~merijn/files/startuplist.zip or http://www.merijn.org/files/startuplist.zip

  • shaunhale
    edited June 2008
    Please give us 2 logs of StartupList (one from safe-mode and another one from normal-mode)


    You can download it from: http://www.spywareinfo.com/~merijn/files/startuplist.zip or http://www.merijn.org/files/startuplist.zip


    I used the link and copied the data it gave me to the clipboard. I then copied it into my reply on this post, but when I pressed "add reply" it gave me an error message saying that the post was too long.


    Where have I gone wrong?


    Can anyone help with this???


    crysty2k5's EDIT: posts merged

  • Dear sir,


    please save the log into a file (log.txt) and attach it on this forum.

  • shaunhale
    edited June 2008
    Dear sir,


    please save the log into a file (log.txt) and attach it on this forum.


    Here is the normal mode log saved in notepad:


    Dear sir,


    please save the log into a file (log.txt) and attach it on this forum.


    Here is the safe mode log saved in notepad:


    Have I attached these logs correctly???


    Please can somebody help me with this problem!!!???


    Nobody has replied to my post for a long time.


    Please can somebody help me?


    crysty2k5's EDIT: posts merged


    Attached file: log.txt

    Attached file: log_safemode_.txt

  • Hello shaunhale,


    Sorry for the late reply. I don't know why someone didn't reply earlier.


    Please post a HijackThis log. I'll take a look and see what could trigger the popups.


    Cris.

  • Hello shaunhale,


    Can you please check the following locations:


    Click on start, my computer, double click on the icon of your hard disc, documents and settings. Now go to the tools menu, folder options, press on the display/view tab, check the option show hidden files/folders and press on apply. Open now the folder of your user account; you will see a folder called local settings. Open it, open application data also, and see if you can find files inside with these names:


    uielagc.dat


    uielagc.exe


    uielagc_nav.dat


    uielagc_navps.dat


    Now check these locations: go to start, my computer, double click on the icon of your hard disc, windows, system 32 folder, cache and add the content also to an archive. Look also for nvs2.inf entries.


    Please archive these and upload them on the forum.


    After you have done that please read this and follow these instructions. Post the output of that scan together with a HijackThis log.


    Best regards


    Niels

  • Hello shaunhale,


    Can you please check the following locations:


    Click on start, my computer, double click on the icon of your hard disc, documents and settings. Now go to the tools menu, folder options, press on the display/view tab, check the option show hidden files/folders and press on apply. Open now the folder of your user account; you will see a folder called local settings. Open it, open application data also, and see if you can find files inside with these names:


    uielagc.dat


    uielagc.exe


    uielagc_nav.dat


    uielagc_navps.dat


    Now check these locations: go to start, my computer, double click on the icon of your hard disc, windows, system 32 folder, cache and add the content also to an archive. Look also for nvs2.inf entries.


    Please archive these and upload them on the forum.


    After you have done that please read this and follow these instructions. Post the output of that scan together with a HijackThis log.


    Best regards


    Niels


    Niels,


    Thanks for getting back to me. I have to apologise myself for taking so long to action the above - I haven't had much time to get on a computer.


    Please find attached the ComboFix Log and the HijackThis Log.


    I followed your instructions regarding going into the Application Data folder and Cache folder, but they didn't quite follow (maybe because I use Windows Vista?). Anyway, I did find an Application Data folder, but it says "Access Denied" even if I run Explorer as an Administrator. There was no "Cache" folder that I could see under the "System 32" folder. I did reveal all the hidden folders.


    Can you help using the two logs above?

    Attached file: ComboFix.txt

    Attached file: hijackthis.log

  • rootkit
    rootkit ✭✭✭
    edited May 2008

    Please pack this file in a zip or rar archive with the password infected and attach it here !


    C:\Users\Shaun\AppData\Local\Microsoft\sgbvea.exe


    Upload the file on http://www.virustotal.com/ and paste here the link analysis

  • shaunhale
    edited June 2008
    Please pack this file in a zip or rar archive with the password infected and attach it here !


    Upload the file on http://www.virustotal.com/ and paste here the link analysis


    crysty2k5,


    I have found the folder C:\Users\Shaun\AppData\Local\Microsoft but it only contains 24 other folders and no files. I certainly cannot see a file called sgbvea.exe


    How do I find it?


    If I do find it, how do I put it into a zip or rar archive and how do I password protect it?


    Can anyone help me with my query please? :huh:


    crysty2k5's EDIT: posts merged

  • Hello shaunhale,


    Please download vundofix from here. Double click on it and press on scan for vundo. Wait till the scan is finished. Press remove vundo. If infected files are found confirm the deletion by pressing on yes. If something is found please post the output of vundofix.txt which you will find in the root of your hard disk (start, my computer, double click on the partition where windows is installed on). Make a new hijackthis log.


    Best regards


    Niels

  • Hello shaunhale,


    Please download vundofix from here. Double click on it and press on scan for vundo. Wait till the scan is finished. Press remove vundo. If infected files are found confirm the deletion by pressing on yes. If something is found please post the output of vundofix.txt which you will find in the root of your hard disk (start, my computer, double click on the partition where windows is installed on). Make a new hijackthis log.


    Best regards


    Niels


    Vundofix didn't find anything.


    Here is my new hijackthis log.

    Attached file: hijackthis_02.06.08.txt

  • rootkit
    rootkit ✭✭✭

    There is another suspicious file in the log:


    C:\Users\Shaun\AppData\Local\Microsoft\dgvgfulclf.exe


    Download SUPERAntiSpyware && Malwarebytes' Anti-Malware and run a complete scan !

  • There is another suspicious file in the log:



    Download SUPERAntiSpyware && Malwarebytes' Anti-Malware and run a complete scan !


    SuperAntiSpyware did not find anything.


    Malwarebytes' Anti-Malware found 11 items, which I have now removed.


    Attached is the log file.


    Is there any more I need to do?

    Attached file: mbam_log_6_2_2008__19_40_25_.txt

  • rootkit
    rootkit ✭✭✭
    edited June 2008

    Good, clean all the ad-aware !

  • Good, clean all the ad-aware !


    I pressed the "Remove" button when the scan had finished, if that's what you mean?


    Attached is my latest hijackthis log.


    Does everything look okay now?

    Attached file: hijackthis_02.06.08__ii_.txt

  • rootkit
    rootkit ✭✭✭

    Check and press Fix checked for:



    O4 - HKCU\..\Run: [dgvgfulclf] c:\users\shaun\appdata\local\microsoft\dgvgfulclf.exe dgvgfulclf


    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)


    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)


    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)


    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)


    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)


    Run a system scan with Bitdefender !
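
Added example (not part of the original thread, and not HijackThis's own logic): a small Python triage of the O4/O9 lines quoted in the post above, flagging autorun entries that start from a user-writable directory and O9 entries whose target is missing. The user-writable directory list and the name-equals-file heuristic are assumptions for illustration, and the HKLM Windows Defender line is constructed as a benign contrast.

```python
import re
from pathlib import PureWindowsPath

# O4/O9 lines quoted in the thread, plus one constructed benign HKLM entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [dgvgfulclf] c:\users\shaun\appdata\local\microsoft\dgvgfulclf.exe dgvgfulclf
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
"""

# O4 = autostart entries, O9 = extra Internet Explorer buttons / Tools menu items.
O4_RE = re.compile(r"^O4 - HK(?:CU|LM)\\\.\.\\[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<label>.+?) - "
                   r"\{[0-9A-Fa-f-]+\} - (?P<target>.+)$")
# Executable path at the start of a command line (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|bat|cmd))"?(?:\s|$)', re.I)

# Assumption: directories a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\application data\\", "\\local settings\\", "\\temp\\")


def triage(log_text):
    """Return (section, entry name, reasons) for log lines worth a closer look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            path = (exe["exe"] if exe else m["cmd"]).lower()
            if any(d in path for d in USER_WRITABLE):
                reasons = ["autorun target in user-writable directory"]
                # Heuristic: value name identical to the file name, as in the thread.
                if PureWindowsPath(path).stem == m["name"].lower():
                    reasons.append("value name equals executable name")
                findings.append(("O4", m["name"], reasons))
            continue
        m = O9_RE.match(line)
        if m and m["target"].endswith("(file missing)"):
            findings.append(("O9", m["label"], ["orphaned entry: target file missing"]))
    return findings


if __name__ == "__main__":
    for section, name, reasons in triage(SAMPLE_LOG):
        print(f"{section} [{name}]: {'; '.join(reasons)}")
```
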

  • Check and press Fix checked for:


    Run a system scan with Bitdefender !


    Sorry, I don't understand?


    I've just had another pop-up come up.


    I went back into Malwarebytes' Anti-Malware and found the 11 items in the Quarantine section. I then pressed "Delete All"


    What are the items you have listed? How do I "fix check" them? What sort of system scan do you want me to do?


    Sorry this is taking so long! My computer skills are somewhat limited and I'm not quite following everything you're saying. Please bear with me! :blink:

  • rootkit
    rootkit ✭✭✭

    O4 - HKCU\..\Run: [dgvgfulclf] c:\users\shaun\appdata\local\microsoft\dgvgfulclf.exe dgvgfulclf


    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)


    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)


    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)


    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)


    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)


    Not in Malwarebytes' Anti-Malware, in HijackThis ;)

  • Not in Malwarebytes' Anti-Malware, in HijackThis ;)


    Thanks!


    I've removed everything apart from:


    O4 - HKCU\..\Run: [dgvgfulclf] c:\users\shaun\appdata\local\microsoft\dgvgfulclf.exe dgvgfulclf


    (It was no longer there)


    Attached is a new hijackthis log

    Attached file: hijackthis_04.06.08.txt

  • rootkit
    rootkit ✭✭✭

    The log is now clean ! ;)

  • The log is now clean ! ;)


    Thank you, but I have just had another pop-up appear. The site is www.yesloansuk.com.


    I blocked the cookie associated with it and closed the window, but a couple of minutes later the same website popped up again.


    Help! :unsure:


  • Sorry I've taken so long to reply.


    I installed the software you suggested and tried to run it. A black window opened for just a brief second and then disappeared. I found the file location and it is definitely there, but every time I try to run it, I get the same black screen appear and disappear in a flash.

  • guitarist44
    edited June 2008

    same problem here, the adware seems to disable McAfee SiteAdvisor, BitDefender AntiPhishing and IE 7 phishing filter. I have Win Vista Home Prem 32 bit


    tried (in safe mode):


    BitDefender Total Security 2008


    VundoFix (BitDefender blocks www.atribune.org, difficult to download)


    Spybot Search & Destroy


    Lavasoft Ad-Aware


    Hijack This

    same problem here, the adware seems to disable McAfee SiteAdvisor, BitDefender AntiPhishing and IE 7 phishing filter. I have Win Vista Home Prem 32 bit


    tried (in safe mode):


    BitDefender Total Security 2008


    VundoFix (BitDefender blocks www.atribune.org, difficult to download)


    Spybot Search & Destroy


    Lavasoft Ad-Aware


    Hijack This


    just a note: the pop-ups are opened in IE7 and FireFox 2 too

  • just a note: the pop-ups are opened in IE7 and FireFox 2 too


    VundoFix V7.0.6


    Scan started at 11:05:23 23/06/2008


    Listing files found while scanning....


    C:\Windows\System32\rQHbyaaX.dll


    Beginning removal...


    Attempting to delete C:\Windows\System32\rQHbyaaX.dll


    C:\Windows\System32\rQHbyaaX.dll Has been deleted!


    Performing Repairs to the registry.


    Done!


    after this nothing has changed and a critical windows error appeared telling me the comp will be restarted in 1 min


    at the moment I'm trying Malwarebytes' Anti-Malware


    I think this trojan is called Virtumonde

  • VundoFix V7.0.6


    Scan started at 11:05:23 23/06/2008


    Listing files found while scanning....


    C:\Windows\System32\rQHbyaaX.dll


    Beginning removal...


    Attempting to delete C:\Windows\System32\rQHbyaaX.dll


    C:\Windows\System32\rQHbyaaX.dll Has been deleted!


    Performing Repairs to the registry.


    Done!


    after this nothing has changed and a critical windows error appeared telling me the comp will be restarted in 1 min


    at the moment I'm trying Malwarebytes' Anti-Malware


    I think this trojan is called Virtumonde


    Can anyone see anything dodgy in my hijack this log?

    Attached file: hijackthis_24.06.08.txt

  • I haven't heard from anyone in a while.


    Can someone help me with this problem please???

  • Please, please, please can someone help with this??????????

  • Please, please, please can someone help with this??????????


    Hello.


    Make an archive with the following file (with the password "infected") and attach it in a post.


    C:\Users\Shaun\AppData\Local\Microsoft\kmygwkkey.exe


    Have a nice day!

  • Hello.


    Make an archive with the following file (with the password "infected") and attach it in a post.


    C:\Users\Shaun\AppData\Local\Microsoft\kmygwkkey.exe


    Have a nice day!


    Please excuse my ignorance, but how do I do that? :blink:

  • Nobody has got back to me yet.


    How do I create this "archive file" mentioned above?


    I have had this problem with pop-ups for 4 and a half months now and it is getting worse!!!

  • I am getting no assistance with this problem and everyone seems to have stopped replying.


    The pop-ups now are appearing very regularly and seem to be getting worse.


    PLEASE HELP !!!!!!!!!!!!!!!!!!!!!!


    <_< :wacko: :blink:

  • I'm going to keep posting until someone notices me and helps!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!