
Hijackthis Log: Urgent Help Needed


  • This topic is locked
13 replies to this topic

#1 falci

Posted 18 June 2007 - 10:42 PM

I just can't remove those BHOs with antivirus, anti-malware or anti-anything. And I just can't find any info on Google or any search engine. The processes are the DLLs clnacln.dll and abqkjfim.dll. Urgent help needed, really.

-------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:53:06, on 18/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\cfalci\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {901E43B0-5BF5-4379-827A-E5FDDAB70A27} - c:\windows\system32\clnacln.dll
O2 - BHO: (no name) - {A7FD0477-20A1-4E0B-9274-BB11D05B206D} - c:\windows\system32\abqkjfim.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Business Objects\JRE\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181779182984
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8828585-1F63-4E97-B5EA-2EC941E64E9A}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: ncrtyxgo - C:\WINDOWS\SYSTEM32\clnacln.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


#2 rookie147

Posted 19 June 2007 - 04:21 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please move HijackThis to a permanent folder. Anywhere is fine, other than your Desktop or a temporary folder. If it is in one of these locations, there is a risk that you may accidentally delete the backups, which may be needed if we fix something we're not meant to.
If you use Windows XP it may be that you just double clicked on the HijackThis.exe file, but this only extracts the file to a temporary folder. If you right click on it and select Extract, you can choose a folder to place it in.

How to make a permanent folder:
Click Start | My Computer | Local Disk (C: ) | Program Files.
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\Program Files\HijackThis.
Now get your HijackThis.exe file and place it in your folder.


Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

Edited by rookie147, 19 June 2007 - 04:21 AM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 falci

Posted 19 June 2007 - 07:38 AM

Thanks for the support. Looks like both BHOs are still there though.

VUNDO Log
-------------

VundoFix V6.5.1

Checking Java version...

Sun Java not detected
Scan started at 09:35:25 19/06/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



HJT Log
----------
Logfile of HijackThis v1.99.1
Scan saved at 09:37:20, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\Program Files\Business Objects\Crystal Reports 11\crw32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {901E43B0-5BF5-4379-827A-E5FDDAB70A27} - c:\windows\system32\clnacln.dll
O2 - BHO: (no name) - {A7FD0477-20A1-4E0B-9274-BB11D05B206D} - c:\windows\system32\abqkjfim.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Business Objects\JRE\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181779182984
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8828585-1F63-4E97-B5EA-2EC941E64E9A}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: ncrtyxgo - C:\WINDOWS\SYSTEM32\clnacln.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#4 falci

Posted 19 June 2007 - 07:42 AM

Charles,

I'm pretty sure it's those two guys:

O2 - BHO: (no name) - {901E43B0-5BF5-4379-827A-E5FDDAB70A27} - c:\windows\system32\clnacln.dll
O2 - BHO: (no name) - {A7FD0477-20A1-4E0B-9274-BB11D05B206D} - c:\windows\system32\abqkjfim.dll

#5 rookie147

Posted 19 June 2007 - 07:52 AM

Yes it is; the first one is related to the Vundo infection, which is why we ran VundoFix. However, it did not detect it, so we will try another method to get rid of it. If this does not work, we can try something a little stronger.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right click inside the listbox (white box) and click "Add More Files"
Copy and paste the entry below into the top box (no arrow):

--> C:\WINDOWS\system32\ssqro.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your Desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

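Charles identifies the first unnamed BHO as Vundo from the log alone, and the entries he later asks to have fixed are exactly the ones a log reader should notice in reply #3: two BHOs registered with "(no name)", and one of their DLLs (clnacln.dll) also registered as a Winlogon Notify handler under a subkey (ncrtyxgo) whose name has nothing to do with the DLL, which is how the file gets reloaded at every logon even after the BHO is removed. The script below is an added example for this thread, not HijackThis or BleepingComputer code: it parses the O2 and O20 lines of a HijackThis 1.99.1 log and reports the entries worth ticking in "Fix checked". SAMPLE_LOG is a constructed subset of the lines posted above; the three heuristics (unnamed BHO, DLL shared between O2 and O20, Notify subkey not matching the DLL name) are assumptions chosen for this pattern, not HijackThis's own rules.

```python
"""Triage a HijackThis (v1.99.1) log for the Vundo-style pattern in this thread:
an unnamed Browser Helper Object (O2) whose DLL is also registered as a Winlogon
Notify handler (O20) under a subkey name unrelated to the DLL.

Added example; not HijackThis or BleepingComputer code.  SAMPLE_LOG is a
constructed subset of the log posted in reply #3.
"""
import re
from collections import defaultdict

# HijackThis writes these two line types as
#   O2 - BHO: <name> - {<CLSID>} - <dll path>
#   O20 - Winlogon Notify: <subkey> - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")

# Constructed subset of the posted log (the lines that matter for the pattern).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {901E43B0-5BF5-4379-827A-E5FDDAB70A27} - c:\windows\system32\clnacln.dll
O2 - BHO: (no name) - {A7FD0477-20A1-4E0B-9274-BB11D05B206D} - c:\windows\system32\abqkjfim.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: ncrtyxgo - C:\WINDOWS\SYSTEM32\clnacln.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def parse_hjt(text):
    """Return (bhos, notifies): lists of dicts, each keeping the raw line."""
    bhos, notifies = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({**m.groupdict(), "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({**m.groupdict(), "line": line})
    return bhos, notifies


def _norm(path):
    # Windows paths are case-insensitive; the log mixes "c:\windows\system32"
    # and "C:\WINDOWS\SYSTEM32" for the same file.
    return path.strip().lower()


def _stem(path):
    # "C:\WINDOWS\SYSTEM32\clnacln.dll" -> "clnacln"
    return _norm(path).rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(text):
    """Return {raw line: [reasons]} for entries worth fixing, in log order."""
    bhos, notifies = parse_hjt(text)
    findings = defaultdict(list)

    # A DLL referenced by both an O2 and an O20 line is the reload mechanism.
    shared = {_norm(b["path"]) for b in bhos} & {_norm(n["path"]) for n in notifies}

    for b in bhos:
        if b["name"] == "(no name)":
            findings[b["line"]].append("BHO registered without a name")
        if _norm(b["path"]) in shared:
            findings[b["line"]].append("same DLL is also a Winlogon Notify handler (O20)")

    for n in notifies:
        if n["subkey"].lower() != _stem(n["path"]):
            findings[n["line"]].append(
                f"Notify subkey '{n['subkey']}' does not match DLL name '{_stem(n['path'])}'")
        if _norm(n["path"]) in shared:
            findings[n["line"]].append("same DLL is also registered as a BHO (O2)")

    return dict(findings)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample it prints the two unnamed O2 lines and the ncrtyxgo O20 line, the same three entries Charles lists in reply #7, and leaves the Adobe BHO and the Antiwpa, klogon and WgaLogon Notify handlers alone because their subkey names match their DLLs.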


#6 falci

Posted 19 June 2007 - 08:11 AM

Charles,

Did exactly what you told me. Not yet, though.

HJT LOG
----------

Logfile of HijackThis v1.99.1
Scan saved at 10:06:18, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {901E43B0-5BF5-4379-827A-E5FDDAB70A27} - c:\windows\system32\clnacln.dll
O2 - BHO: (no name) - {A7FD0477-20A1-4E0B-9274-BB11D05B206D} - c:\windows\system32\abqkjfim.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Business Objects\JRE\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181779182984
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8828585-1F63-4E97-B5EA-2EC941E64E9A}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: ncrtyxgo - C:\WINDOWS\SYSTEM32\clnacln.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




VUF LOG
----------


VundoFix V6.5.1

Checking Java version...

Sun Java not detected
Scan started at 09:35:25 19/06/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.1

Checking Java version...

Sun Java not detected
Scan started at 09:57:43 19/06/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Performing Repairs to the registry.
Done!

#7 rookie147

Posted 19 June 2007 - 08:16 AM

Hi there,
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {901E43B0-5BF5-4379-827A-E5FDDAB70A27} - c:\windows\system32\clnacln.dll
O2 - BHO: (no name) - {A7FD0477-20A1-4E0B-9274-BB11D05B206D} - c:\windows\system32\abqkjfim.dll
O20 - Winlogon Notify: ncrtyxgo - C:\WINDOWS\SYSTEM32\clnacln.dll


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\SYSTEM32\clnacln.dll
C:\WINDOWS\SYSTEM32\abqkjfim.dll


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Then scan again with HijackThis and post back the new log.
Thanks,
Charles

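KillBox's "Delete on Reboot" option and the "Pending File Rename Operations" prompt Charles mentions are the same mechanism: Windows keeps deferred renames and deletes (what MoveFileEx records when called with MOVEFILE_DELAY_UNTIL_REBOOT) as source/destination pairs in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager processes that list early in the next boot, before winlogon can load the DLL again. An empty destination string means "delete". The script below is an added example, not KillBox, HijackThis or Windows code; it encodes and decodes that value so you can check what is actually queued before rebooting (and afterwards, that nothing is still queued). QUEUED_VALUE is constructed here from the two paths above; on a live XP machine you would read the raw bytes with winreg.QueryValueEx instead, and the value is normally absent until something has been queued (assumption).

```python
"""Decode the queue that "delete on reboot" tools such as KillBox use.

Windows stores deferred moves/deletes (MoveFileEx with
MOVEFILE_DELAY_UNTIL_REBOOT) in the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as source/destination pairs; an empty destination means "delete".

Added example, not KillBox, HijackThis or Windows code.  QUEUED_VALUE is
constructed to mirror the two paths queued in reply #7; on a live machine the
bytes would come from winreg.QueryValueEx (assumption: value absent until used).
"""

DELETE = "delete"
RENAME = "rename"


def encode_multi_sz(strings):
    """REG_MULTI_SZ layout: each string NUL-terminated (UTF-16LE), then one
    extra NUL ends the list.  Empty strings inside the list are legal, and an
    empty destination is exactly how a deletion is expressed."""
    body = "".join(s + "\x00" for s in strings)
    return (body + "\x00").encode("utf-16-le")


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz, preserving empty strings inside the list."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ must end with a NUL")
    text = text[:-1]            # drop the list terminator
    parts = text.split("\x00")  # last element is the empty tail after the final string's NUL
    return parts[:-1]


def _strip_nt_prefix(path):
    # Entries are stored as NT object-manager paths, e.g. \??\C:\WINDOWS\...
    return path[4:] if path.startswith("\\??\\") else path


def pending_operations(raw):
    """Return [(op, source, destination)] for each queued pair."""
    entries = decode_multi_sz(raw)
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations holds source/destination pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append((DELETE, src, None))
        else:
            # A leading "!" on the destination means MOVEFILE_REPLACE_EXISTING.
            ops.append((RENAME, src, _strip_nt_prefix(dst.lstrip("!"))))
    return ops


# Constructed: what the value looks like after KillBox queues the two DLLs.
QUEUED_VALUE = encode_multi_sz([
    r"\??\C:\WINDOWS\SYSTEM32\clnacln.dll", "",
    r"\??\C:\WINDOWS\SYSTEM32\abqkjfim.dll", "",
])


if __name__ == "__main__":
    for op, src, dst in pending_operations(QUEUED_VALUE):
        print(op, src, "" if dst is None else "-> " + dst)
```

The reason to look at this value rather than trusting the tool's dialog is the failure mode falci hits in the next reply: a file that is "sometimes there, sometimes not" is being recreated, and a queued delete only removes the copy that exists at the moment Session Manager runs.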


#8 falci

Posted 19 June 2007 - 12:12 PM

Charles,

Did it like you said. One of those files is not listed anymore in the HJT log, but sometimes it is there, sometimes not. I'm not confident it vanished. Should I format?


HJT Log
---------

Logfile of HijackThis v1.99.1
Scan saved at 14:11:25, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\WINDOWS\system32\dllhost.exe
\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {901E43B0-5BF5-4379-827A-E5FDDAB70A27} - c:\windows\system32\clnacln.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Business Objects\JRE\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181779182984
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8828585-1F63-4E97-B5EA-2EC941E64E9A}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: ncrtyxgo - C:\WINDOWS\SYSTEM32\clnacln.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#9 rookie147

Posted 19 June 2007 - 03:29 PM

No don't format, we'll remove it eventually.
Download Combofix to your Desktop. It is really important that combofix.exe is on your Desktop, not somewhere else!
Then go to Start | Run and copy and paste this command in the field:
"C:\Documents and Settings\Administrator\Desktop\combofix.exe" /v clnacln
Hit enter. This should start Combofix.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot, it should open a log (combofix.txt), please include this in your next reply.

Post back the Combofix and a new HJT log.
Thanks,
Charles



#10 falci

Posted 19 June 2007 - 05:20 PM

Charles,

You are the man already.

It was removed!

Windows Explorer and IE are fully responsive right now.

Thanks a ton, and I hope this solution helps other people on this forum.

Thanks again, really.


ComboFIX Log
------------------


2007-06-17 03:18	  12416	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\wikcwxfn.sys.vir
2007-06-17 03:18	  74752	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\clnacln.dll.bak.vir
2007-06-17 03:23	  74240	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\clnacln.dll.vir
2007-06-19 19:11	  1076	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_MQZUEJJA.reg.cf
2007-06-19 19:11	  1132	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_EBGYVQEN.reg.cf
2007-06-19 19:11	  151880	--a------	C:\Qoobox\Quarantine\catchme2007-06-19_191458.54.zip
2007-06-19 19:11	  2122	--a------	C:\Qoobox\Quarantine\Registry_backups\services_mqzuejja.reg.cf
2007-06-19 19:11	  270	--a------	C:\Qoobox\Quarantine\Registry_backups\services_RpcApi.reg.cf
2007-06-19 19:11	  501	--a------	C:\Qoobox\Quarantine\catchme.log
2007-06-19 19:11	  7928	--a------	C:\Qoobox\Quarantine\Registry_backups\services_ebgyvqen.reg.cf


Folder PATH listing
Volume serial number is 8C81-1FCB
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-06-19_191458.54.zip
	|   
	+---C
	|   \---WINDOWS
	|	   \---system32
	|		   |   clnacln.dll.bak.vir
	|		   |   clnacln.dll.vir
	|		   |   
	|		   \---drivers
	|				   wikcwxfn.sys.vir
	|				   
	\---Registry_backups
			LEGACY_EBGYVQEN.reg.cf
			LEGACY_MQZUEJJA.reg.cf
			services_ebgyvqen.reg.cf
			services_mqzuejja.reg.cf
			services_RpcApi.reg.cf



HJT Log
---------

Logfile of HijackThis v1.99.1
Scan saved at 19:18:04, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Business Objects\JRE\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181779182984
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8828585-1F63-4E97-B5EA-2EC941E64E9A}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#11 rookie147

Posted 19 June 2007 - 05:51 PM

Could I have the other Combofix log please (which should be located under C:\combofix.txt) just to make sure there is no other malware hiding on your computer, before I let you go.

If you are pleased with the service I have offered, you may like to consider making a donation.


#12 falci

falci
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:36 AM

Posted 20 June 2007 - 07:18 AM

There you go, Charles.

ComboFix 07-06-18.2 - C:\Documents and Settings\cfalci\Desktop\combofix.exe
"cfalci" - 2007-06-19 19:09:38 - Service Pack 2  NTFS  
Command switches used :: /v clnacln


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\clnacln.dll
C:\WINDOWS\system32\clnacln.dll.bak
C:\WINDOWS\system32\drivers\wikcwxfn.sys


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_EBGYVQEN
-------\LEGACY_MQZUEJJA
-------\ebgyvqen
-------\mqzuejja
-------\RpcApi


(((((((((((((((((((((((((   Files Created from 2007-05-20 to 2007-06-20  )))))))))))))))))))))))))))))))


2007-06-19 19:09	49,152	--a------	C:\WINDOWS\nircmd.exe
2007-06-19 12:23	6,016	--a------	C:\WINDOWS\system32\drivers\vnccom.SYS
2007-06-19 12:23	4,736	--a------	C:\WINDOWS\system32\drivers\vncdrv.sys
2007-06-19 12:23	<DIR>	d--------	C:\Program Files\UltraVNC
2007-06-19 10:26	<DIR>	d--------	C:\!KillBox
2007-06-19 10:25	92,672	--a------	C:\KillBox.exe
2007-06-19 09:31	107,520	--a------	C:\VundoFix.exe
2007-06-19 09:31	<DIR>	d--------	C:\VundoFix Backups
2007-06-19 09:29	<DIR>	d--------	C:\Hijackthis
2007-06-19 09:24	<DIR>	d--------	C:\Program Files\MSXML 4.0
2007-06-18 14:49	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-18 14:48	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2007-06-18 14:48	<DIR>	d--------	C:\DOCUME~1\cfalci\APPLIC~1\SUPERAntiSpyware.com
2007-06-18 12:01	<DIR>	d--------	C:\DOCUME~1\cfalci\APPLIC~1\Help
2007-06-18 11:47	<DIR>	d--------	C:\Program Files\Security Task Manager
2007-06-18 11:47	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-06-18 11:19	87,584	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2007-06-18 11:19	4,874,272	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-18 11:19	<DIR>	d--------	C:\Program Files\Kaspersky Lab
2007-06-18 11:19	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-18 10:23	<DIR>	d--------	C:\Program Files\Alwil Software
2007-06-18 09:48	<DIR>	d--------	C:\DOCUME~1\cfalci\APPLIC~1\GlobalSCAPE
2007-06-18 00:16	<DIR>	d--------	C:\WINDOWS\pss
2007-06-17 03:28	147,729	--a------	C:\WINDOWS\system32\libssl32.dll
2007-06-17 03:23	750,592	--a------	C:\WINDOWS\system32\duetdmwx.dll
2007-06-17 03:23	141,312	--a------	C:\WINDOWS\system32\csnqlrrl.dll
2007-06-17 03:18	154,112	--a------	C:\WINDOWS\system32\Onuq67.sys
2007-06-16 11:02	<DIR>	d--------	C:\VB4Run
2007-06-15 10:12	<DIR>	d--------	C:\Program Files\O97
2007-06-14 11:12	<DIR>	d--------	C:\DOCUME~1\cfalci\VSWebCache
2007-06-14 10:17	<DIR>	d--------	C:\DOCUME~1\cfalci\APPLIC~1\AdobeUM
2007-06-14 10:03	<DIR>	d--------	C:\Program Files\Skype
2007-06-14 10:03	<DIR>	d--------	C:\Program Files\Common Files\Skype
2007-06-14 10:03	<DIR>	d--------	C:\DOCUME~1\cfalci\APPLIC~1\Skype
2007-06-14 10:03	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-06-14 10:01	<DIR>	d--------	C:\DOCUME~1\cfalci\Contacts
2007-06-14 00:17	40,960	-r-------	C:\WINDOWS\system32\ChCfg.exe
2007-06-14 00:17	294,912	-r-------	C:\WINDOWS\alcupd.exe
2007-06-14 00:17	200,704	-r-------	C:\WINDOWS\alcrmv.exe
2007-06-14 00:17	2,319,680	-r-------	C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-06-14 00:17	<DIR>	d--------	C:\Program Files\Realtek Sound Manager
2007-06-14 00:17	<DIR>	d--------	C:\Program Files\AvRack
2007-06-14 00:12	<DIR>	d----c---	C:\WINDOWS\system32\DRVSTORE
2007-06-14 00:12	<DIR>	d--------	C:\Program Files\MSN Messenger
2007-06-13 23:36	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-06-13 23:24	9,709,568	-ra------	C:\WINDOWS\RTLCPL.EXE
2007-06-13 23:24	77,824	-r-------	C:\WINDOWS\soundman.exe
2007-06-13 23:24	69,632	-ra------	C:\WINDOWS\ALCMTR.EXE
2007-06-13 23:24	4,353,024	-ra------	C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-06-13 23:24	364,544	-ra------	C:\WINDOWS\RtlUpd.exe
2007-06-13 23:24	2,879,488	-ra------	C:\WINDOWS\SkyTel.exe
2007-06-13 23:24	2,808,832	-ra------	C:\WINDOWS\ALCWZRD.EXE
2007-06-13 23:24	2,158,592	-ra------	C:\WINDOWS\MicCal.exe
2007-06-13 23:24	16,261,632	-ra------	C:\WINDOWS\RTHDCPL.EXE
2007-06-13 22:03	<DIR>	d--------	C:\Program Files\THQ
2007-06-13 21:55	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-13 21:53	<DIR>	d--h-----	C:\WINDOWS\$hf_mig$
2007-06-13 21:47	<DIR>	d--------	C:\Program Files\GlobalSCAPE
2007-06-13 21:42	<DIR>	d--------	C:\DOCUME~1\cfalci\APPLIC~1\Ventrilo
2007-06-13 21:40	<DIR>	d--------	C:\Program Files\Ventrilo
2007-06-13 21:40	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-06-13 21:31	<DIR>	d--------	C:\Program Files\Common Files\Adobe Systems Shared
2007-06-13 21:31	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-06-13 21:28	<DIR>	d--------	C:\WINDOWS\Cache
2007-06-13 21:27	<DIR>	d--------	C:\Program Files\Common Files\Macromedia Shared
2007-06-13 21:27	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2007-06-13 20:29	<DIR>	d--------	C:\WINDOWS\system32\Lang
2007-06-13 20:27	356,352	-r-------	C:\WINDOWS\system32\JMRaidTool.exe
2007-06-13 20:27	327,168	--a------	C:\WINDOWS\IsUninst.exe
2007-06-13 20:27	248,192	--a------	C:\WINDOWS\system32\drivers\yk51x86.sys
2007-06-13 20:27	139,264	-r-------	C:\WINDOWS\system32\JMRaidAPI.dll
2007-06-13 20:27	<DIR>	d--------	C:\WINDOWS\JM
2007-06-13 20:27	<DIR>	d--------	C:\Program Files\GIGABYTE
2007-06-13 20:26	82,944	--a------	C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-13 20:26	7,552	--a------	C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-06-13 20:26	60,800	--a------	C:\WINDOWS\system32\drivers\sysaudio.sys
2007-06-13 20:26	6,400	--a------	C:\WINDOWS\system32\drivers\splitter.sys
2007-06-13 20:26	54,272	--a------	C:\WINDOWS\system32\drivers\swmidi.sys
2007-06-13 20:26	52,864	--a------	C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-13 20:26	5,376	--a------	C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-06-13 20:26	4,992	--a------	C:\WINDOWS\system32\drivers\MSPQM.sys
2007-06-13 20:26	2,944	--a------	C:\WINDOWS\system32\drivers\drmkaud.sys
2007-06-13 20:26	171,776	--a------	C:\WINDOWS\system32\drivers\kmixer.sys
2007-06-13 20:26	142,464	--a------	C:\WINDOWS\system32\drivers\aec.sys
2007-06-13 20:26	<DIR>	d--h-----	C:\Program Files\InstallShield Installation Information
2007-06-13 20:25	60,288	--a------	C:\WINDOWS\system32\drivers\drmk.sys
2007-06-13 20:25	4,096	--a------	C:\WINDOWS\system32\ksuser.dll
2007-06-13 20:25	<DIR>	d--------	C:\Program Files\Common Files\InstallShield
2007-06-13 20:23	<DIR>	d--------	C:\Program Files\Intel
2007-06-13 20:21	2,359,296	--ah-----	C:\DOCUME~1\cfalci\NTUSER.DAT
2007-06-13 20:21	<DIR>	d--------	C:\WINDOWS\SoftwareDistribution
2007-06-13 20:21	<DIR>	d--------	C:\WINDOWS\Prefetch
2007-06-13 20:20	262,144	--ah-----	C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-06-13 20:20	225,280	--ah-----	C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-06-13 20:17	225,280	--ah-----	C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-06-13 20:17	112,128	--a------	C:\WINDOWS\system32\mapi32.dll
2007-06-13 20:17	0	-rahs----	C:\MSDOS.SYS
2007-06-13 20:17	0	-rahs----	C:\IO.SYS
2007-06-13 20:17	0	--a------	C:\CONFIG.SYS
2007-06-13 20:17	0	--a------	C:\AUTOEXEC.BAT


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-19 20:26:00	888,832	----a-w	C:\WINDOWS\system32\nvmobls.dll
2007-04-19 20:26:00	86,016	----a-w	C:\WINDOWS\system32\nvmctray.dll
2007-04-19 20:26:00	794,624	----a-w	C:\WINDOWS\system32\nvcplui.exe
2007-04-19 20:26:00	7,700,480	----a-w	C:\WINDOWS\system32\nvcpl.dll
2007-04-19 20:26:00	581,632	----a-w	C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 20:26:00	5,644,288	----a-w	C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 20:26:00	5,619,712	----a-w	C:\WINDOWS\system32\nvdisps.dll
2007-04-19 20:26:00	466,944	----a-w	C:\WINDOWS\system32\nvshell.dll
2007-04-19 20:26:00	45,056	----a-w	C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 20:26:00	442,368	----a-w	C:\WINDOWS\system32\nvappbar.exe
2007-04-19 20:26:00	425,984	----a-w	C:\WINDOWS\system32\keystone.exe
2007-04-19 20:26:00	4,543,616	----a-w	C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 20:26:00	35,840	----a-w	C:\WINDOWS\system32\nvcodins.dll
2007-04-19 20:26:00	35,840	----a-w	C:\WINDOWS\system32\nvcod.dll
2007-04-19 20:26:00	311,296	----a-w	C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 20:26:00	3,035,136	----a-w	C:\WINDOWS\system32\nvgames.dll
2007-04-19 20:26:00	286,720	----a-w	C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 20:26:00	229,376	----a-w	C:\WINDOWS\system32\nvmccs.dll
2007-04-19 20:26:00	212,992	----a-w	C:\WINDOWS\system32\nvapi.dll
2007-04-19 20:26:00	188,416	----a-w	C:\WINDOWS\system32\nvmccss.dll
2007-04-19 20:26:00	159,810	----a-w	C:\WINDOWS\system32\nvsvc32.exe
2007-04-19 20:26:00	147,456	----a-w	C:\WINDOWS\system32\nvcolor.exe
2007-04-19 20:26:00	1,474,560	----a-w	C:\WINDOWS\system32\nview.dll
2007-04-19 20:26:00	1,339,392	----a-w	C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 20:26:00	1,011,712	----a-w	C:\WINDOWS\system32\nvcpluir.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Business Objects\JRE\bin\jusched.exe" [2004-02-22 23:44]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-11 20:41]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^cfalci^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\cfalci\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
C:\WINDOWS\system32\JMRaidTool.exe boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - netsvcs
mqzuejja


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 19:14:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Onuq67]
"ImagePath"="\SystemRoot\System32\Onuq67.sys"

Completion time: 2007-06-19 19:16:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 19:15

	--- E O F ---


#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 20 June 2007 - 10:17 AM

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\duetdmwx.dll
C:\WINDOWS\system32\csnqlrrl.dll
C:\WINDOWS\system32\Onuq67.sys
C:\WINDOWS\system32\ChCfg.exe


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
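Added example, not code from the thread, ComboFix or KillBox: a small Python triage script that parses "Files Created" lines in the ComboFix format posted above (timestamp, size or <DIR>, attribute string, path) and flags bursts of PE files dropped directly into system32 that have no installer footprint, meaning no Program Files directory was created around the same time. The sample lines are excerpted from that log; the rule is a heuristic that yields candidates for review, not verdicts.

```python
"""Heuristic triage of the 'Files Created' section of a ComboFix log (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines excerpted from the ComboFix log posted above.
# ComboFix separates the columns with tabs; the parser accepts any whitespace.
SAMPLE = r"""
2007-06-18 11:19  <DIR>      d--------  C:\Program Files\Kaspersky Lab
2007-06-17 03:28  147,729    --a------  C:\WINDOWS\system32\libssl32.dll
2007-06-17 03:23  750,592    --a------  C:\WINDOWS\system32\duetdmwx.dll
2007-06-17 03:23  141,312    --a------  C:\WINDOWS\system32\csnqlrrl.dll
2007-06-17 03:18  154,112    --a------  C:\WINDOWS\system32\Onuq67.sys
2007-06-14 00:17  40,960     -r-------  C:\WINDOWS\system32\ChCfg.exe
2007-06-14 00:17  <DIR>      d--------  C:\Program Files\Realtek Sound Manager
2007-06-13 20:26  82,944     --a------  C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-13 20:26  <DIR>      d--h-----  C:\Program Files\InstallShield Installation Information
"""

# timestamp, size-or-<DIR>, 9-character attribute string, path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")
# PE file sitting directly in system32 (drivers normally live under system32\drivers)
SYS32_PE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.(dll|sys|exe)$", re.I)
PROG_DIR = re.compile(r"^c:\\program files\\", re.I)

def parse_created(text):
    """Return [(datetime, is_dir, path)] for every well-formed 'Files Created' line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            rows.append((ts, m.group(2) == "<DIR>", m.group(4).strip()))
    return rows

def suspicious_bursts(rows, window=timedelta(minutes=10)):
    """Group system32 PE drops into creation bursts; return those bursts (as path lists)
    that have no Program Files directory created within `window` of them."""
    drops = sorted((ts, p) for ts, is_dir, p in rows if not is_dir and SYS32_PE.match(p))
    installs = [ts for ts, is_dir, p in rows if is_dir and PROG_DIR.match(p)]
    bursts, current = [], []
    for ts, path in drops:
        if current and ts - current[-1][0] > window:   # gap too large: start a new burst
            bursts.append(current)
            current = []
        current.append((ts, path))
    if current:
        bursts.append(current)
    flagged = []
    for burst in bursts:
        start, end = burst[0][0], burst[-1][0]
        if not any(start - window <= t <= end + window for t in installs):
            flagged.append([p for _, p in burst])    # one path per line, paste-ready
    return flagged
```

On the excerpt, `suspicious_bursts(parse_created(SAMPLE))` returns the single 2007-06-17 03:18 to 03:28 burst (Onuq67.sys, csnqlrrl.dll, duetdmwx.dll, libssl32.dll) for review, while ChCfg.exe is not flagged because a Program Files directory was created in the same minute; the heuristic complements the analyst's own review rather than replacing it.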


#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 01 July 2007 - 03:06 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation.
