Hi i also have a malware problem i think its a trojan it keeps connecting me to a site called celldarado.com 8O and it opens 2 pop ups every hour or so. I had a svcpiva.exe (or something like that) running in the background and i never heard of this file before and when i googled it, the forum and multiple sites said it was bad and i must remove it so i did.
However the popups didnt stop after that however the random small files (no extensions they had) which AVG was picking up as viruses stop being created in the windows temp directory. So i did a scan with ad-Ware and no results and i did a virus scan with AVG 7.5 and again nothing.
After which i used hi-jack this and i was unable to find any malware the log is below. I have verified my entire processes running in the background and all seem like they suppose to be running. However runDll32.exe seems to be running in the background under my programs and not under system... ending the rundll32.exe does not cause my system to crash or function improperly therefore i think its running a non-vital .dll and this process is running even when the system is idling.
How do i remove this annoying pop-ups?
Hijack This log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\TopazChat\TopazChat.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Stuff\Apps\Software\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ispace.co.za/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - C:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [{29-9B-B5-59-ZN}] C:\Documents and Settings\TavirB\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\TavirB\Local Settings\Temp\TIP2D002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://telerad.jrp.co.za
O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} (WebClientInstall Class) - https://telerad.jrp.co.za/magicweb/bin/ ... nstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2942296-58C2-45AA-A869-5F1228AC5004}: NameServer = 196.43.38.190 196.43.42.190
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Help with Celldarado pop ups
I already removed all irregular processes ... im used to fixing spyware/malware i get it alot from the campus networks .... have no choice 
these things go straight past avg 
just opening the task manager now i found a this --> fd86n8vp.exe running and to me that looks like a virus however no scan picks up this file so i did a search on google to find out WTH this thing is and i got 0... yes zero results so i searched for it and found 2 files namely:
1) fd86N8Vp.exe in C:\windows\system32 (24Kb)
2) FD86N8VP.EXE-1DAA1070.pf in c:\windows\prefetch (8Kb)
would it be safe for me to delete these files normally ?
these things go straight past avg just opening the task manager now i found a this --> fd86n8vp.exe running and to me that looks like a virus however no scan picks up this file so i did a search on google to find out WTH this thing is and i got 0... yes zero results so i searched for it and found 2 files namely:
1) fd86N8Vp.exe in C:\windows\system32 (24Kb)
2) FD86N8VP.EXE-1DAA1070.pf in c:\windows\prefetch (8Kb)
would it be safe for me to delete these files normally ?
-
Frozenfireside
- Registered User
- Posts: 2618
- Joined: 26 Apr 2007, 02:00
- Location: Westcliff, Johannesburg
- Contact:
Me thinks this is a new virus that the antivirus companies have to found as I cannot find anything about this Virus.
It could be a virus that creates a random name that includes numbers and words but I'm not sure.
I googled Rundll32.exe and found this \/\/\/\/
http://www.liutilities.com/products/win ... /rundll32/
Delete all yer cookies, delete all yer temp files as well.
Google Spybot search and destroy and download and install.
Teatimer is a side programe that comes with Spybot and stops registry installs unless prompted. A nice feature but can be really annoying.
Update and scan.
You should have alot of malware. Get rid of it before entering websites that require usernames and passwords...AKA pcformat.co.za..
It could be a virus that creates a random name that includes numbers and words but I'm not sure.
I googled Rundll32.exe and found this \/\/\/\/
http://www.liutilities.com/products/win ... /rundll32/
Delete all yer cookies, delete all yer temp files as well.
Google Spybot search and destroy and download and install.
Teatimer is a side programe that comes with Spybot and stops registry installs unless prompted. A nice feature but can be really annoying.
Update and scan.
You should have alot of malware. Get rid of it before entering websites that require usernames and passwords...AKA pcformat.co.za..
Soon Google will know everything...including how to divide by zero
-
neon_chameleon
- Moderator Emeritus
- Posts: 6098
- Joined: 27 Feb 2004, 02:00
- Location: Durban
- Contact:
Yeah I'm running NOD32, SpyBot and Adaware 6 Pro and I'm getting it as well. All the time... mainly for facebook it seems. Don't you just hate these computers sometimes. I just live with it now and I'll just format sometime soon again.
Qualifications: BSc Computer Science & Information Technology, BCom Information Systems Honours, ISACA CISA, ISACA CRISC
Experience: Web Design, IT Auditing, IT Governance, Computer Retail, IT Consulting
Interests: Technology, Nutrition, Toasters, BBM, Facebook, Colourful Diagrams
Experience: Web Design, IT Auditing, IT Governance, Computer Retail, IT Consulting
Interests: Technology, Nutrition, Toasters, BBM, Facebook, Colourful Diagrams