TechSpot

Virus infection

By deen13
Apr 6, 2007
  1. I have a problem with my computer where sometimes when I open Firefox or when browsing in Firefox a window opens in Internet Explorer saying a security alert or something to do with WinAntiVirus pro.

    I carried out a virus scan using AVG Anti Spyware and it detected tracking cookies which I deleted and also a virus called Trojan.vundo. The same virus plus several others were detected by Norton Anti virus. Norton was able to quarantine all viruses except for one particular trojan horse with filename "sqvsbrox.dll" which is in C:\Windows\system32.

    I also noticed that after re-booting my computer a notification icon opened saying Explorer.exe is corrupt and unreadable but then disappeared. The same type of message appeared about AVG Anti Spyware but then disappeared. My system performance has also slowed a bit.

    Please help me solve this problem.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of deen13 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. deen13

    deen13 TS Rookie Topic Starter Posts: 16

    I followed all the steps given in the link you gave me and my results are attached to this post.

    The AVG Antirootkit scan showed that no rootkits were found.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You`re using an outdated version of HijackThis. See HERE for the latest version and post a fresh HJT log into your next reply.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\WINDOWS\system32\lqqjjkss.dll

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {66FE8D89-577B-CF23-5B5C-052F39E86414} - C:\WINDOWS\system32\sblpotm.dll (file missing)

    O2 - BHO: (no name) - {6B28E148-FE70-41B9-8856-1E666FDD70F5} - C:\WINDOWS\system32\lqqjjkss.dll

    O2 - BHO: (no name) - {74D3E440-AD5B-186B-A367-008BA1C687F6} - C:\WINDOWS\system32\abihvvd.dll (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3B11EFD2-AEED-4BF2-9C27-CC139F9D5D68}: NameServer = 203.115.0.46 203.115.0.47

    O17 - HKLM\System\CS1\Services\Tcpip\..\{3B11EFD2-AEED-4BF2-9C27-CC139F9D5D68}: NameServer = 203.115.0.46 203.115.0.47

    Only fix the above O17 entries if they don`t belong to your ISP.

    O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of deen13 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
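The HijackThis entries listed in the post above fall into two kinds of finding: references whose target is marked "(file missing)" and O17 DNS server overrides that need checking against the ISP. The following is an added example, not part of the original post or of HijackThis itself, that separates the two; the `isp_resolvers` argument is an assumption, a list the user fills in with the resolver addresses their ISP documents.

```python
import ipaddress
import re

# Entries copied from the post above; a full HijackThis log has many more lines.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {66FE8D89-577B-CF23-5B5C-052F39E86414} - C:\WINDOWS\system32\sblpotm.dll (file missing)
O2 - BHO: (no name) - {6B28E148-FE70-41B9-8856-1E666FDD70F5} - C:\WINDOWS\system32\lqqjjkss.dll
O2 - BHO: (no name) - {74D3E440-AD5B-186B-A367-008BA1C687F6} - C:\WINDOWS\system32\abihvvd.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B11EFD2-AEED-4BF2-9C27-CC139F9D5D68}: NameServer = 203.115.0.46 203.115.0.47
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B11EFD2-AEED-4BF2-9C27-CC139F9D5D68}: NameServer = 203.115.0.46 203.115.0.47
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
"""

# "O<n> - <body>" with an optional trailing "(file missing)" marker.
LINE = re.compile(r"^(?P<group>O\d+) - (?P<body>.+?)(?P<missing> \(file missing\))?$")

def parse_log(text):
    """Return one dict per O-numbered line: group, body, missing flag, DNS servers."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not an O-entry
        entry = {"group": m["group"], "body": m["body"],
                 "missing": m["missing"] is not None, "nameservers": []}
        if entry["group"] == "O17" and "NameServer = " in entry["body"]:
            value = entry["body"].split("NameServer = ", 1)[1]
            # Accept either space or comma separators between addresses.
            entry["nameservers"] = [t for t in re.split(r"[ ,]+", value.strip()) if t]
        entries.append(entry)
    return entries

def review(entries, isp_resolvers):
    """Return (orphaned references, DNS servers not in the ISP's resolver list)."""
    known = {ipaddress.ip_address(a) for a in isp_resolvers}  # assumption: user-supplied
    orphaned, unknown_dns = [], set()
    for e in entries:
        if e["missing"]:
            orphaned.append((e["group"], e["body"]))
        for ns in e["nameservers"]:
            # ip_address() raises ValueError on a malformed address in the log.
            if ipaddress.ip_address(ns) not in known:
                unknown_dns.add(ns)
    return orphaned, sorted(unknown_dns)

if __name__ == "__main__":
    orphaned, unknown = review(parse_log(SAMPLE_LOG), isp_resolvers=[])
    print("orphaned references:", orphaned)
    print("DNS servers to verify with a whois lookup:", unknown)
```
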
     
  5. deen13

    deen13 TS Rookie Topic Starter Posts: 16

    I followed all the steps given. However, I am not sure if the following entry belongs to my ISP or not. How do I check if it does belong to my ISP?

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3B11EFD2-AEED-4BF2-9C27-CC139F9D5D68}: NameServer = 203.115.0.46 203.115.0.47

    I have attached a fresh hijackthis log to this reply.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Here is some info on your O17 entries.

    203.115.0.47
    address: SRI LANKA TELECOM INTERNET
    address: DATA COMMUNICATION DIVISION
    address: FIFTH FLOOR
    address: OTS BUILDING
    address: SRI LANKA TELECOM
    address: LOTUS ROAD
    address: COLOMBO 1

    If that`s your ISP, then don`t fix those entries.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of deen13 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. deen13

    deen13 TS Rookie Topic Starter Posts: 16

    This website has saved me a lot of money as it has solved a lot of problems for me for which I normally reformat my computer.

    Thank you so much
     
Topic Status:
Not open for further replies.
