
Help needed, HJT log here, need rid of CELLDORADO malware


Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 4th, 2008, 10:17 am

Hello weegieq,

Please re-run Navilog1 Option 1
---------------------------------------
Navilog1 for Vista

Option #1:

Make sure the UAC-User Account Control is turned off.
  • Right-click Navilog1 shortcut on Desktop and choose "Run as Administrator".
  • On main menu, choose 1
  • Follow the instructions and wait.
  • Wait for the *** Search completed *** message (It may take a reasonable amount of time)
  • Press any key as requested.
  • A new notepad document will be produced: fixnavi.txt.
  • Please copy/paste the contents of this report in your next reply.
The report fixnavi.txt is also saved in %systemdrive%. (usually C:\)
---------------------------------------
Note: Remember to run the tool as Administrator if you have problems with it.

BLACKLIGHT
  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save it to C:\ with the name fsbl.exe
  • Go to Start > Run
  • Copy and paste the line below into the Run box:
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic.
---------------------------------------
Post back both reports.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 4th, 2008, 12:23 pm

Hi
I still seem to have problems with Navilog1, as it's been running for 90 minutes without completing. Although, whilst I was looking through some files I found a new fixnavi document created just 13 minutes after I had launched option 1 of Navilog1. Here are the contents of that document:

Search Navipromo version 3.5.1 began on 04/04/2008 at 16:23:22.16

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Actual User Account : "ANDREW"

Updated on 23.03.2008 at 22h00 by IL-MAFIOSO

Microsoft Windows Vista 6.0.6001
Version Internet Explorer : 7.0.6001.18000
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\Windows ***



*** Search folders in C:\Program Files ***


*** Search folders in C:\ProgramData ***


*** Search folders in C:\ProgramData\Microsoft\Windows\Start Menu\Programs ***


*** Search folders in c:\users\andrew\appdata\roaming\microsoft\windows\start menu\programs ***


*** Search folders in C:\Users\ANDREW\AppData\Local\virtualstore\Program Files ***

...\InternetGameBox found !


*** Search folders in C:\Users\ANDREW\AppData\Roaming ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

Hidden file(s) :

C:\Program Files\Navilog1\Backupnavi\qjocawhseg.dat
C:\Program Files\Navilog1\Backupnavi\qjocawhseg.exe
C:\Program Files\Navilog1\Backupnavi\qjocawhseg_nav.dat
C:\Program Files\Navilog1\Backupnavi\qjocawhseg_navps.dat
C:\Users\ANDREW\AppData\Local\qjocawhseg.dat
C:\Users\ANDREW\AppData\Local\qjocawhseg.exe
C:\Users\ANDREW\AppData\Local\qjocawhseg_nav.dat
C:\Users\ANDREW\AppData\Local\qjocawhseg_navps.dat
C:\Program Files\Navilog1\Backupnavi\qjocawhseg.dat
C:\Program Files\Navilog1\Backupnavi\qjocawhseg.exe
C:\Program Files\Navilog1\Backupnavi\qjocawhseg_nav.dat
C:\Program Files\Navilog1\Backupnavi\qjocawhseg_navps.dat
C:\Users\ANDREW\AppData\Local\qjocawhseg.dat
C:\Users\ANDREW\AppData\Local\qjocawhseg.exe
C:\Users\ANDREW\AppData\Local\qjocawhseg_nav.dat
C:\Users\ANDREW\AppData\Local\qjocawhseg_navps.dat



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\Windows\system32 *

I am now running F-Secure BlackLight and will post the report when available.
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 4th, 2008, 12:27 pm

Hi

FSBL has now completed without finding any infections. Here is the log:

04/04/08 17:17:37 [Info]: BlackLight Engine 1.0.70 initialized
04/04/08 17:17:37 [Info]: OS: 6.0 build 6001 (Service Pack 1)
04/04/08 17:17:37 [Note]: 7019 4
04/04/08 17:17:37 [Note]: 7005 0
04/04/08 17:17:59 [Note]: 7006 0
04/04/08 17:17:59 [Note]: 7022 0
04/04/08 17:17:59 [Note]: 7027 0
04/04/08 17:17:59 [Note]: 7035 0
04/04/08 17:17:59 [Note]: 7026 0
04/04/08 17:18:00 [Note]: 7026 0
04/04/08 17:18:08 [Note]: FSRAW library version 1.7.1024
04/04/08 17:26:18 [Note]: 7007 0
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 4th, 2008, 1:13 pm

Hello weegieq,

This is really stubborn.

Please try to run Navilog1 Option #2 one more time.

Disable UAC-User Account Control (Please remember to re-enable it afterwards when disinfection is complete):

Remember to run the tool as Administrator.

See my instructions here:
http://www.malwareremoval.com/forum/viewtopic.php?p=282646#p282646
Please note that if the report doesn't open you can find it here:
%SystemDrive%\cleannavi.txt (usually C:\cleannavi.txt)

Because you should have many saved reports from the tool, please check the date and time you ran it, and post back the proper one.
It will be in the heading of the report; see this example from the previous run of the tool:

Search Navipromo version 3.5.1 began on 04/04/2008 at 16:23:22.16

If this fails we'll run another tool to remove it.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
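A helper working through several of these reports has two chores that the thread spells out: read the run timestamp from the heading so the right fixnavi.txt is matched to the right run, and pick the live files out of the catchme "Hidden file(s)" block, which lists every path twice and mixes the tool's own Backupnavi copies with the files still sitting under the user's profile. The script below is an added example, not code from the thread or from the Navilog1 tool; it parses a sample report constructed from the fragments posted above. The rule that anything under \Navilog1\Backupnavi\ is a tool backup rather than a live component is an assumption drawn from those paths.

```python
"""Parser for a Navilog1 (Navipromo) search report.

Added example: this is not code from the MalwareRemoval.com thread nor from
the Navilog1 tool. It reads the plain-text report Navilog1 writes (fixnavi.txt),
extracts the run timestamp from the heading, the folders flagged "found !",
and a de-duplicated "Hidden file(s)" list split into the tool's own Backupnavi
copies and entries still live on the system.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the report posted in the thread (raw string,
# so the Windows backslashes are kept literally).
SAMPLE_REPORT = r"""Search Navipromo version 3.5.1 began on 04/04/2008 at 16:23:22.16

!!! Warning, this report may include legitimate files/programs !!!
Fix running from C:\Program Files\navilog1

*** Search folders in C:\Program Files ***


*** Search folders in C:\Users\ANDREW\AppData\Local\virtualstore\Program Files ***

...\InternetGameBox found !


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

Hidden file(s) :

C:\Program Files\Navilog1\Backupnavi\qjocawhseg.dat
C:\Program Files\Navilog1\Backupnavi\qjocawhseg.exe
C:\Users\ANDREW\AppData\Local\qjocawhseg.dat
C:\Users\ANDREW\AppData\Local\qjocawhseg.exe
C:\Program Files\Navilog1\Backupnavi\qjocawhseg.dat
C:\Program Files\Navilog1\Backupnavi\qjocawhseg.exe
C:\Users\ANDREW\AppData\Local\qjocawhseg.dat
C:\Users\ANDREW\AppData\Local\qjocawhseg.exe



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
"""

HEADING_RE = re.compile(
    r"^Search Navipromo version (?P<version>\S+) began on "
    r"(?P<date>\d{2}/\d{2}/\d{4}) at (?P<time>[\d:.]+)$")
FOLDER_HDR_RE = re.compile(r"^\*\*\* Search folders in (?P<dir>.+?) \*\*\*$")
FOUND_RE = re.compile(r"^\.\.\.\\(?P<name>.+?) found !$")
# Assumption: everything under <tool dir>\Backupnavi\ is the tool's own backup
# copy of what it removed, not a live infection component.
BACKUP_MARKER = "\\navilog1\\backupnavi\\"


@dataclass
class NaviReport:
    version: str = ""
    started: str = ""            # "dd/mm/yyyy HH:MM:SS.cc" exactly as printed in the heading
    found_folders: list[str] = field(default_factory=list)
    hidden_backup: list[str] = field(default_factory=list)  # tool's Backupnavi copies
    hidden_live: list[str] = field(default_factory=list)    # still present on the system


def parse_navilog_report(text: str) -> NaviReport:
    """Walk the report line by line, tracking which section we are in."""
    rep = NaviReport()
    current_dir = None   # folder named by the last "*** Search folders in ... ***" header
    in_hidden = False    # inside the catchme "Hidden file(s) :" block
    seen = set()         # catchme lists each path twice; keep the first occurrence
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADING_RE.match(line)
        if m:
            rep.version = m["version"]
            rep.started = f"{m['date']} {m['time']}"
            continue
        m = FOLDER_HDR_RE.match(line)
        if m:
            current_dir = m["dir"]
            in_hidden = False
            continue
        if line.startswith("***"):        # any other section header ends the hidden block
            in_hidden = False
            continue
        if line == "Hidden file(s) :":
            in_hidden = True
            continue
        if in_hidden and line:
            key = line.lower()
            if key in seen:
                continue
            seen.add(key)
            (rep.hidden_backup if BACKUP_MARKER in key else rep.hidden_live).append(line)
            continue
        m = FOUND_RE.match(line)
        if m and current_dir:
            rep.found_folders.append(current_dir.rstrip("\\") + "\\" + m["name"])
    return rep


def live_executables(rep: NaviReport) -> list[str]:
    """Hidden .exe files outside the tool's backup folder: the candidates a helper
    would put on a removal list (compare the OTMoveIt2 list later in the thread)."""
    return [p for p in rep.hidden_live if p.lower().endswith(".exe")]


if __name__ == "__main__":
    report = parse_navilog_report(SAMPLE_REPORT)
    print(f"Navilog1 {report.version} run started {report.started}")
    for folder in report.found_folders:
        print("found folder:", folder)
    for path in report.hidden_live:
        print("hidden (live):", path)
    print("live executables:", live_executables(report))
```

Run it against a saved fixnavi.txt by replacing SAMPLE_REPORT with the file's contents; the `started` field is the string to compare with the date and time the tool was launched, and `hidden_live` is the list worth reviewing before anything is moved.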

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 4th, 2008, 1:43 pm

Hi

I just tried running Option 2 under administrator rights with UAC off and it failed, as it said I had to complete Option 1 first. Because of this I can't post any log.

It's driving me up the wall, but I want you to know I'm really grateful for all your help. There's no need for you to help me, but you're being patient and doing all you can.

thanks
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 4th, 2008, 2:15 pm

Hi,

It seems that last time Option #1 got stuck and didn't run.
We'll try another tool.
----------------------------------------------
Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 4th, 2008, 2:31 pm

Hi

Just before I do the next steps, I thought I'd make you aware that I've just restarted the laptop and Windows Defender has shown a change. It's called guxhpiy.exe; it's asking whether I should permit this, and my first instinct is not to, as I have no idea what it is, but if it's from one of the programmes I feel I should allow it.

Any idea what I should do?
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 4th, 2008, 2:35 pm

weegieq wrote: Hi

Just before I do the next steps, I thought I'd make you aware that I've just restarted the laptop and Windows Defender has shown a change. It's called guxhpiy.exe; it's asking whether I should permit this, and my first instinct is not to, as I have no idea what it is, but if it's from one of the programmes I feel I should allow it.

Any idea what I should do?


Do not permit it. Your infection is re-creating new files: this infection creates new files each time the PC starts.

It's not from the program. Please proceed with ComboFix, and post the report back, together with a new HijackThis log, which I forgot to ask for in my previous post.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 4th, 2008, 2:39 pm

Thanks

One last thing: I'm not entirely sure how to stop AVG (free version) whilst I do ComboFix. Do you know how?
I'm currently looking on the AVG website for help. I'm only asking in case you know.
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 4th, 2008, 2:42 pm

Sorry, got it now. Next post will be the ComboFix log.
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by weegieq » April 4th, 2008, 3:09 pm

Hi

I can't seem to get ComboFix to run. I've turned off all antispyware, firewall and antivirus software. I read through the instructions to use it: right click, Run as Administrator. When I do this a small box opens and a bar fills up from left to right with green, then the desktop icons go blank, then reset back to their original colours/icons, but nothing happens.

Weegieq
weegieq
Regular Member
 
Posts: 20
Joined: February 19th, 2008, 10:11 am

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by chryssi2001 » April 5th, 2008, 1:00 am

Hi,

Sorry I couldn't answer before; it looks like we are in different time zones.
I signed out, it was late at night here. :)
Before I explain how to re-try ComboFix, try this first:
----------------------------------------------
REMOVE PROGRAMS-VISTA
  • Go to start > control panel > programs and features.
  • Right click on each instance of:
    InternetGameBox
  • Click Uninstall & then follow the prompts to remove it.
----------------------------------------------
Show All Files And Folders in Vista
Now you need to show all files and folders
  • Click Start.
  • Open My Computer.
  • Select the Organise menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Remember to re-hide them when you are done!
----------------------------------------------
Now we need to do a search.
Start > Search > For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

InternetGameBox

If any of these files are found please delete them.
----------------------------------------------
Download and Run OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines below:
    C:\Users\ANDREW\AppData\Local\qjocawhseg.exe
    C:\Program Files\InternetGameBox

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2
If OTMoveIt2 says it will remove the file on reboot, please reboot your pc.
----------------------------------------------
Post back any problems you had doing so, and OTMoveIt2 results.
I need also a new HijackThis log.
Still Pop-ups/redirections?
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Help needed, HJT log here, need rid of CELLDORADO malware

Post by Shaba » April 10th, 2008, 7:28 am

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland