Executing cmd or regedit from Run crashing explorer XPP SP3 Lockups and hangs frequent. Google searches were pointing to ads no matter what was searched for earlier in this month.
See attached logs
regards,
-dave
Execute this script in avz:
[code]begin
QuarantineFile('C:\WINDOWS\Downloaded Program Files\ieatgpc.dll','');
QuarantineFile('C:\WINDOWS\system32\BrMuSNMP.dll','');
end.[/code]
Please upload the quarantine in accordance with App #3 of our rules, using this link: [url]http://virusinfo.info/upload_virus_eng.php?tid=41561[/url]
Let us know when you are done.
Files have been uploaded. I believe they are commercial products but maybe not.
- ieatgpc.dll = Webex
- BrMuSNMP.dll = Brother printers
please advise.
regards,
-dave
Nothing malicious was found in your files :)
Do you remember after what it started? Perhaps this malefaction was caused by some program that you installed lately?
Let's try another thing: please download the special avz in my signature, disable your antivirus, launch your browser and make virusinfo_syscure.zip with the special avz.
Attach it to your next post in this topic.
Use ccleaner portable to clean your system. [url]http://www.ccleaner.com/download/builds/downloading-portable[/url]
Well some other searching on the subject found an article on bleepingcomputer.com which led to another site that suggested checking the drivers32 section of the registry for suspect "aux"(n) entries.
In my case using Ultimate Boot CD (couldn't run regedit even after renaming in safemode) I found
[CODE][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux2"="C:\\WINDOWS\\system32\\..\\qpja.nik"
[/CODE]
Note the ".." in the data which means go up twice in the directory structure, that would indicate the root of 'c:\' however the file was actually found in the "WINDOWS" directory in this instance so it was executed by being in the path variable. I understand by the second article that this may be placed in other directories and of course the name is randomized in some fashion - so a general search should find out where it actually is. The only attribute set was archive. The modify date was from 4/08 and the creation date was 8/04. Clever.
Would you like me to upload to quarantine by zipping and adding virus password?
regards,
-dave
ref:
1. [URL]http://www.bleepingcomputer.com/forums/topic209960.html[/URL]
2. [URL]http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html[/URL]
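The Drivers32 check described in the post above, as an added example that is not part of the original thread: a small parser for a .reg export that flags values whose data is not a bare driver file name. The names `SAMPLE_REG`, `scan_drivers32` and `EXPECTED_EXT` are assumptions of this example, and the sample export is constructed except for the `aux2` line quoted from the post.

```python
import ntpath
import re

# Constructed sample export; only the "aux2" line is taken from the post above.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"midi"="wdmaud.drv"
"wave"="wdmaud.drv"
"msacm.msadpcm"="msadp32.acm"
"vidc.mrle"="msrle32.dll"
"aux2"="C:\\WINDOWS\\system32\\..\\qpja.nik"
'''

# Match on the key suffix so exports of an offline-loaded hive also work.
DRIVERS32_SUFFIX = r"\windows nt\currentversion\drivers32]"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Assumption: extensions expected on Drivers32 entries; adjust to your own baseline.
EXPECTED_EXT = {".drv", ".dll", ".acm", ".ax"}

def scan_drivers32(reg_text):
    """Return (value name, resolved path, reasons) for each suspicious value."""
    findings, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower().endswith(DRIVERS32_SUFFIX)
            continue
        m = VALUE_RE.match(line)
        if not (in_key and m):
            continue
        data = m["data"].replace("\\\\", "\\")  # .reg files double backslashes
        reasons = []
        if ".." in re.split(r"[\\/]", data):
            reasons.append("parent-directory component")
        elif ntpath.dirname(data):
            reasons.append("explicit path instead of bare file name")
        if ntpath.splitext(data)[1].lower() not in EXPECTED_EXT:
            reasons.append("unexpected extension")
        if reasons:
            # normpath shows where the traversal actually resolves to
            findings.append((m["name"], ntpath.normpath(data), reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in scan_drivers32(SAMPLE_REG):
        print(f"{name}: {path} ({', '.join(reasons)})")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to the function.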
Use avz to copy this suspicious file; avz will put a password on it automatically.
Read app #2 of the rules ;)
Upload via [url]http://virusinfo.info/upload_virus_eng.php?tid=41561[/url], as you did before.
Nevertheless, I would like to see a log from the special avz.