
Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Zorx on 17th February 2009, 1:23 am

Actually I'm trying to help my friend out; he has a virus or worm or Trojan, not sure which.

His computer is Win XP.
My friend's wireless modem is connected, but when I try to surf with Internet Explorer it says I can't connect, pop-ups everywhere.

Here are his HijackThis results. Please help us out because I think his personal information is in jeopardy. Thanks in advance. He says he needs help quickly, so if you guys can respond as soon as possible that would be really appreciated.
------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:48 PM, on 2/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
F:\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Vhaxu] rundll32.exe "C:\WINDOWS\Iyiroluracanar.dll",e
O4 - HKLM\..\Run: [Gqofedigojeruqa] rundll32.exe "C:\WINDOWS\efeyiqopacajuhi.dll",e
O4 - HKLM\..\Run: [c89d06ef] rundll32.exe "C:\WINDOWS\system32\epliyelh.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GetModule35] C:\Program Files\GetModule\GetModule35.exe
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check
O4 - HKCU\..\Run: [GetPack28] "C:\Program Files\GetPack\GetPack28.exe"
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL klnlnz.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 4313 bytes
---------------------


Last edited by Zorx on 26th February 2009, 1:44 am; edited 4 times in total

Zorx
Novice

Posts : 40
Joined : 2009-02-17
OS : vista 64bit
Protection : avast
Points : 28546
# Likes : 0


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Belahzur on 17th February 2009, 2:00 am

Hello.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
    O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [Vhaxu] rundll32.exe "C:\WINDOWS\Iyiroluracanar.dll",e
    O4 - HKLM\..\Run: [Gqofedigojeruqa] rundll32.exe "C:\WINDOWS\efeyiqopacajuhi.dll",e
    O4 - HKLM\..\Run: [c89d06ef] rundll32.exe "C:\WINDOWS\system32\epliyelh.dll",b
    O4 - HKCU\..\Run: [GetModule35] C:\Program Files\GetModule\GetModule35.exe
    O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
    O4 - HKCU\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check
    O4 - HKCU\..\Run: [GetPack28] "C:\Program Files\GetPack\GetPack28.exe"
    O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL klnlnz.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
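As an added illustration of what Belahzur is picking out of that HijackThis log (example code written for this page; it is not part of the thread, HijackThis or Malwarebytes), here is a small Python triage script that reads HJT lines and flags the same kinds of entries he ticked above. The sample lines are copied from Zorx's log. The rule ids, the look-alike check against a short list of core Windows binaries, and the two rundll32 heuristics (a DLL dropped straight into the Windows root, or a single-letter entry point) are this example's own assumptions; they produce leads to verify by hand, not verdicts.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; it is not code from HijackThis, Malwarebytes
or the forum. The sample lines are copied from the log posted above, the
rule ids are this example's own, and the Windows-root / single-letter-export
heuristics are assumptions: they produce leads to verify, not verdicts.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the HJT log posted in the thread.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Vhaxu] rundll32.exe "C:\WINDOWS\Iyiroluracanar.dll",e
O4 - HKLM\..\Run: [c89d06ef] rundll32.exe "C:\WINDOWS\system32\epliyelh.dll",b
O4 - HKCU\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check
O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL klnlnz.dll
"""

# Core Windows binaries whose names malware imitates (svschost.exe vs svchost.exe).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe")
LOOPBACK = ("127.0.0.1", "::1", "0.0.0.0")

O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a system binary name is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_of(command: str) -> str:
    """First token of a Run-key command: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_line(line: str) -> List[str]:
    """Return the rule ids one HJT line trips (empty list means nothing odd)."""
    hits: List[str] = []
    if line.startswith("F2 - REG:system.ini: UserInit="):
        # Userinit should be exactly userinit.exe; any extra entry runs at every logon.
        entries = [e for e in line.split("=", 1)[1].split(",") if e.strip()]
        if any(basename(e) != "userinit.exe" for e in entries):
            hits.append("userinit-extra")
        return hits
    if line.startswith("O1 - Hosts:"):
        # A hosts entry that sends a real name anywhere but loopback redirects traffic.
        fields = line.split(":", 1)[1].split()
        if fields and fields[0] not in LOOPBACK:
            hits.append("hosts-redirect")
        return hits
    if line.startswith("O18 - Filter hijack:"):
        hits.append("html-filter")  # HJT itself labels MIME filters as hijacks
        return hits
    if line.startswith("O20 - AppInit_DLLs:"):
        # The value is space/comma separated (hence the 8.3 paths); a bare file name
        # is resolved through the DLL search order and loaded into every GUI process.
        dlls = re.split(r"[\s,]+", line.split(":", 1)[1].strip())
        if any(d and "\\" not in d for d in dlls):
            hits.append("appinit-bare-dll")
        return hits
    m = O4_RE.match(line)
    if m:
        command = m.group(3)
        r = RUNDLL_RE.search(command)
        if r:
            dll, export = r.group(1), r.group(2)
            dll_dir = dll.rsplit("\\", 1)[0].lower()
            # Assumption: a DLL dropped straight into the Windows root, or one whose
            # entry point is a single letter, deserves a look.
            if dll_dir.endswith(":\\windows") or len(export) == 1:
                hits.append("rundll32-odd-dll")
        name = basename(image_of(command))
        if any(name != s and edit_distance(name, s) == 1 for s in SYSTEM_BINARIES):
            hits.append("lookalike-binary")
    return hits


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run check_line over a whole log and return {line, rule} findings in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for rule in check_line(line):
            findings.append({"line": line, "rule": rule})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['rule']:18} {f['line']}")
```

Run it as a script to list the seven hits from the sample, or pass a whole saved log to triage(). Two of the checks do not depend on random-looking names at all, which is why they are the most reliable: the Userinit value should contain nothing but userinit.exe, and anything listed in AppInit_DLLs without a full path is found through the normal DLL search order and pulled into every process that loads user32.dll.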


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1


Here is the mbam-log report after cleaning

Post by Zorx on 17th February 2009, 3:28 am

Thanks for your help. As you requested, here is the log file from the Malwarebytes program:

Note: this program was run once in Safe Mode and the computer was rebooted to delete the rest of the infected files, as Malwarebytes suggests; I just copied this log file.

Let me know if I should do another scan.


-----------------------------------
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

2/16/2009 9:50:07 PM
mbam-log-2009-02-16 (21-50-07).txt

Scan type: Quick Scan
Objects scanned: 58494
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 33
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 5
Files Infected: 55

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\urqQkLbB.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\klnlnz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vtUnkjGv.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtunkjgv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad9e89fa-44c0-496a-b9bc-664de880af06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad9e89fa-44c0-496a-b9bc-664de880af06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc00d45b-f71b-4b11-ab8d-21bfc8412a4d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{fc00d45b-f71b-4b11-ab8d-21bfc8412a4d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ad9e89fa-44c0-496a-b9bc-664de880af06} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetPack (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqqklbb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqqklbb -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Waledac) -> Data: digeste.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twex.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twex.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\orville\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\vtUnkjGv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\klnlnz.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\urqQkLbB.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\BbLkQqru.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BbLkQqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\epliyelh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hleyilpe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xnsisvwm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwvsisnx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Common\_helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\agcapfco.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dhqgbjqb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imxqit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipykeldn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jamzth.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ksrwto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kylakmyn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lizmww.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odirhhvk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfadlnws.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\plybbv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrugyklp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtvomy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rmqlfd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svschost.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svŮshost.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tmhmjohi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ungrgb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vnajujjs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\waqbqbgl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xedpkr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xtsmnywj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyywtQj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zygsbr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\orville\Local Settings\Temp\KB86.exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl21.tmp (Trojan.Injector) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl34.tmp (Trojan.Injector) -> Quarantined and deleted successfully.
C:\Documents and Settings\orville\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\orville\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\orville\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\dictame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\GetPack27.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\GetPack28.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\trgtame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule34.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule35.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv561232248235.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twex.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

-----------------------------


Please, I need to determine if this computer is cleaned

Post by Zorx on 17th February 2009, 1:04 pm

He wants to use his internet as soon as possible. Thanks.


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Belahzur on 17th February 2009, 2:26 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Here is the DDS.txt log file

Post by Zorx on 18th February 2009, 1:05 am

I didn't download it to his desktop because I didn't want to go online with his infected computer, so I downloaded it to my USB and ran the program on his computer from the USB drive. Anyway, here is the log file. Tell me what you think.

Thanks once again, I appreciate all the hard work done on this problem.


-------------------------------------

DDS (Ver_09-02-01.01) - NTFSx86
Run by orville at 19:29:28.48 on Tue 02/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.155 [GMT -5:00]

AV: avast! antivirus 4.7.942 [VPS 000703-1] *On-access scanning enabled* (Outdated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - [You must be registered and logged in to see this link.]
Filter: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - c:\windows\system32\mst122.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-6-12 15424]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-16 132736]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-6-12 552064]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-16 255616]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-16 370304]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-12 29744]

=============== Created Last 30 ================

2009-02-16 21:55 --d----- c:\program files\Microsoft Common
2009-02-16 21:41 --d----- c:\docume~1\orville\applic~1\Malwarebytes
2009-02-16 21:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-16 21:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 21:41 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 21:41 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 18:18 --d----- c:\windows\pss
2009-02-11 19:37 120 ---sh--- c:\windows\system32\tmwtsrno.ini
2009-02-11 19:26 120 ---sh--- c:\windows\system32\oyiimiuc.ini
2009-02-09 16:52 120 ---sh--- c:\windows\system32\qknpocao.ini
2009-01-26 20:02 --dsh--- c:\windows\system32\twain32
2009-01-26 20:01 1,530,740 ---sh--- c:\windows\system32\eqiyhkpu.ini
2009-01-24 20:45 136,704 a------- c:\windows\efeyiqopacajuhi.dll
2009-01-24 19:27 41,472 a------- c:\windows\Iyiroluracanar.dll
2009-01-24 19:15 1,526,355 ---sh--- c:\windows\system32\ykjesidk.ini
2009-01-23 18:56 1,435,294 ---sh--- c:\windows\system32\jfvlwsds.ini
2009-01-21 17:37 1,435,294 ---sh--- c:\windows\system32\wlnmfxkf.ini
2009-01-20 17:29 1,435,294 ---sh--- c:\windows\system32\evvfbyik.ini
2009-01-20 17:27 129,024 a------- c:\windows\system32\vfoebn.dll
2009-01-20 17:27 129,024 a------- c:\windows\system32\cxqnnbbu.dll

==================== Find3M ====================


============= FINISH: 19:29:52.49 ===============


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Belahzur on 18th February 2009, 1:09 am

Hello.
The machine looks a lot better; there are only a few leftovers to clean up, then we can update Java to stop this Vundo getting back in.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\tmwtsrno.ini
    c:\windows\system32\oyiimiuc.ini
    c:\windows\system32\qknpocao.ini
    c:\windows\system32\eqiyhkpu.ini
    c:\windows\efeyiqopacajuhi.dll
    c:\windows\Iyiroluracanar.dll
    c:\windows\system32\ykjesidk.ini
    c:\windows\system32\jfvlwsds.ini
    c:\windows\system32\wlnmfxkf.ini
    c:\windows\system32\evvfbyik.ini
    c:\windows\system32\vfoebn.dll
    c:\windows\system32\cxqnnbbu.dll
    c:\windows\system32\mst122.dll


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245111
Likes: 1

Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on 18th February 2009, 1:37 am

I will have to get back to you tomorrow because my friend has to take care of a few things tonight. So tomorrow I should have a log file ready to get looked at by your staff.
Hopefully that would be the end of this virus business. He's already exhausted; he's had this for 3 weeks and had to call his CC company to change cards because there might have been some information stealing involved.
If all goes well you'll hear from me tomorrow.
Later.


OTMoveit log

Post by Zorx on 18th February 2009, 11:34 pm

Here is the log file from



Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02182009_181713


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on 18th February 2009, 11:36 pm

Don't think you copied/pasted it right.
Make sure there are no extra spaces before/after what is written.



I posted it wrong sorry

Post by Zorx on 19th February 2009, 1:02 am

Don't know what was wrong; I think I posted it wrong. I don't know, but I'm trying to post it again and the path gets deleted when posted for some reason. Maybe I should post a screenshot.

Below is what I typed in when I tried to copy and paste. What was transferred into the results column looked like what I posted before. Here is what I copied and pasted:
-----------------
c:\windows\system32\tmwtsrno.ini
c:\windows\system32\oyiimiuc.ini
c:\windows\system32\qknpocao.ini
c:\windows\system32\eqiyhkpu.ini
c:\windows\efeyiqopacanar.dll
c:\windows\Iyiroluracanar.dll
c:\windows\system32\ykjesidk.ini
c:\windows\system32\jfvlwsds.ini
c:\windows\system32\wlnmfxkf.ini
c:\windows\system32\evvfbyik.ini
c:\windows\system32\vfoebn.dll
c:\windows\system32\cxqnnbbu.dl
c:\windows\system32\mst122.dll


Last edited by Zorx on 19th February 2009, 1:09 am; edited 2 times in total

Zorx
Novice
Novice

Posts Posts : 40
Joined Joined : 2009-02-17
OS OS : vista 64bit
Protection Protection : avast
Points Points : 28546
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on 19th February 2009, 1:07 am

Ah, that's why.
You have to tell OTMoveIt they are files, so that's why it has to have :files above what is listed.

:files
some files go here

^^^ like that.



Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on 19th February 2009, 1:11 am

So when I enter the text I must type ":files" without the quotes at the top, then the paths of the files to be moved?

like this

------------

:files
c:\windows\system32\tmwtsrno.ini

(and the rest of the files follow here)


Last edited by Zorx on 19th February 2009, 1:12 am; edited 1 time in total

Zorx
Novice
Novice

Posts Posts : 40
Joined Joined : 2009-02-17
OS OS : vista 64bit
Protection Protection : avast
Points Points : 28546
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on 19th February 2009, 1:12 am

Yep, that's it. Right On!



Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on 19th February 2009, 1:21 am

Thanks Belahzur

Unfortunately, between yesterday and today my friend let someone access the internet and reinfect the computer. The OTMoveIt log was posted before that happened. But I did use HijackThis to remove some files that I thought looked infected from the last time. In addition I ran Malwarebytes and deleted a few things as well, then ran DDS, obtained a log from that, and then ran OTMoveIt, and my above post was the result. But with the new info from you I will run it again with the ":files" attribute.


Below I have posted the results from each program except for OTMoveIt. Malwarebytes I forgot to get; I will try to get that one. My friend does not live that close. I'm just trying to help him out.

------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:20 PM, on 2/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
F:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qr5v6k46i8bdy] C:\DOCUME~1\orville\LOCALS~1\Temp\jc3dj9oqleln.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 4267 bytes


-----------------------------



DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by orville at 19:21:44.22 on Wed 02/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.282 [GMT -5:00]

AV: avast! antivirus 4.7.942 [VPS 090218-0] *On-access scanning enabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [qr5v6k46i8bdy] c:\docume~1\orville\locals~1\temp\jc3dj9oqleln.exe
mRun: [VTTimer] VTTimer.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - [You must be registered and logged in to see this link.]
Filter: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - c:\windows\system32\mst122.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-6-12 15424]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-16 132736]
S2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-6-12 552064]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-16 255616]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-16 370304]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-12 29744]

=============== Created Last 30 ================

2009-02-16 21:41 --d----- c:\docume~1\orville\applic~1\Malwarebytes
2009-02-16 21:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-16 21:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 21:41 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 21:41 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 18:18 --d----- c:\windows\pss
2009-02-11 19:37 120 ---sh--- c:\windows\system32\tmwtsrno.ini
2009-02-11 19:26 120 ---sh--- c:\windows\system32\oyiimiuc.ini
2009-02-09 16:52 120 ---sh--- c:\windows\system32\qknpocao.ini
2009-01-26 20:02 --dsh--- c:\windows\system32\twain32
2009-01-26 20:01 1,530,740 ---sh--- c:\windows\system32\eqiyhkpu.ini
2009-01-24 20:45 136,704 a------- c:\windows\efeyiqopacajuhi.dll
2009-01-24 19:15 1,526,355 ---sh--- c:\windows\system32\ykjesidk.ini
2009-01-23 18:56 1,435,294 ---sh--- c:\windows\system32\jfvlwsds.ini
2009-01-21 17:37 1,435,294 ---sh--- c:\windows\system32\wlnmfxkf.ini
2009-01-20 17:29 1,435,294 ---sh--- c:\windows\system32\evvfbyik.ini
2009-01-20 17:27 129,024 a------- c:\windows\system32\vfoebn.dll
2009-01-20 17:27 129,024 a------- c:\windows\system32\cxqnnbbu.dll

==================== Find3M ====================


============= FINISH: 19:22:04.79 ===============


Last edited by Zorx on 19th February 2009, 1:32 am; edited 1 time in total


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on 19th February 2009, 1:26 am

Okay, let's kill this all at once.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [qr5v6k46i8bdy] C:\DOCUME~1\orville\LOCALS~1\Temp\jc3dj9oqleln.exe
    O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll


  • Press "Fix Checked"
  • Close Hijack This.


  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\windows\system32\tmwtsrno.ini
    c:\windows\system32\oyiimiuc.ini
    c:\windows\system32\qknpocao.ini
    c:\windows\system32\eqiyhkpu.ini
    c:\windows\efeyiqopacajuhi.dll
    c:\windows\system32\ykjesidk.ini
    c:\windows\system32\jfvlwsds.ini
    c:\windows\system32\wlnmfxkf.ini
    c:\windows\system32\evvfbyik.ini
    c:\windows\system32\vfoebn.dll
    c:\windows\system32\cxqnnbbu.dll
    C:\WINDOWS\system32\mst122.dll

    :commands
    [emptytemp]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


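The triage Belahzur does by eye in the post above (hidden+system `.ini` files and randomly named DLLs created in the Windows directories, an autorun pointing into a Temp folder, an O18 MIME filter loading an unknown DLL) and the `:files` paste format he explained earlier can be written down as a small script. The following is an added example, not code from this thread or from the DDS, HijackThis or OTMoveIt tools. The sample log lines are constructed, modelled on the logs quoted above; the attribute-column mapping and the flag rules are my own assumptions, meant to shortlist entries for a human to check, not to issue verdicts.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample input modelled on the DDS "Created Last 30" listing and
# the HijackThis O4/O18 lines quoted in this thread (not a full log).
DDS_CREATED_LAST_30 = """\
2009-02-16 21:41 15,504 a------- c:\\windows\\system32\\drivers\\mbam.sys
2009-02-16 21:41 --d----- c:\\program files\\Malwarebytes' Anti-Malware
2009-02-11 19:37 120 ---sh--- c:\\windows\\system32\\tmwtsrno.ini
2009-01-26 20:02 --dsh--- c:\\windows\\system32\\twain32
2009-01-26 20:01 1,530,740 ---sh--- c:\\windows\\system32\\eqiyhkpu.ini
2009-01-24 20:45 136,704 a------- c:\\windows\\efeyiqopacajuhi.dll
2009-01-20 17:27 129,024 a------- c:\\windows\\system32\\vfoebn.dll
"""
HJT_LINES = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [qr5v6k46i8bdy] C:\\DOCUME~1\\orville\\LOCALS~1\\Temp\\jc3dj9oqleln.exe
O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\\WINDOWS\\system32\\mst122.dll
"""

# DDS line layout: date, time, optional size, 8-char attribute field, path.
# Attribute positions inferred from the samples (assumption): [2]=d(irectory),
# [3]=s(ystem), [4]=h(idden).
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attr>[a-z-]{8}) (?P<path>.+)$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O18_RE = re.compile(r"^O18 - Filter hijack: (?P<mime>\S+) - \{[0-9a-fA-F-]+\} - (?P<path>.+)$")

# Directories where a freshly created, oddly named file deserves a second look.
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")


class Entry(NamedTuple):
    path: str
    size: int
    is_dir: bool
    hidden_system: bool


def parse_dds(text: str) -> List[Entry]:
    """Parse 'Created Last 30' lines of a DDS log; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if not m:
            continue
        attr = m.group("attr")
        size = int(m.group("size").replace(",", "")) if m.group("size") else 0
        entries.append(Entry(m.group("path"), size, attr[2] == "d",
                             attr[3] == "s" and attr[4] == "h"))
    return entries


def parent_dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def triage_dds(entries: List[Entry]) -> Dict[str, str]:
    """Map suspicious paths to the reason they were flagged (heuristics, not verdicts)."""
    flagged = {}
    for e in entries:
        parent = parent_dir(e.path)
        ext = e.path.lower().rsplit(".", 1)[-1]
        if e.hidden_system and not e.is_dir and parent in SYSTEM_DIRS:
            flagged[e.path] = "hidden+system file created directly in a Windows system directory"
        elif not e.is_dir and ext == "dll" and parent in SYSTEM_DIRS:
            flagged[e.path] = "new DLL dropped directly in a Windows system directory (verify publisher)"
        elif e.hidden_system and e.is_dir:
            flagged[e.path] = "hidden+system directory (review contents before acting)"
    return flagged


def triage_hjt(text: str) -> Dict[str, str]:
    """Flag O4 autoruns launched from a Temp folder and O18 MIME-filter hijacks."""
    flagged = {}
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            if "\\temp\\" in m.group("cmd").lower():
                flagged[line] = "autorun entry launching an executable from a Temp directory"
            continue
        m = O18_RE.match(line)
        if m:
            flagged[line] = "MIME filter on %s loading %s (browser content hijack)" % (
                m.group("mime"), m.group("path"))
    return flagged


def otmoveit_script(paths: List[str], empty_temp: bool = True) -> str:
    """Build the OTMoveIt3 paste block in the format used in this thread:
    a ':files' header, one path per line, then an optional ':commands' section."""
    lines = [":files", *paths]
    if empty_temp:
        lines += ["", ":commands", "[emptytemp]", "[reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_dds(DDS_CREATED_LAST_30)
    hits = triage_dds(entries)
    for path, why in hits.items():
        print(f"{path}: {why}")
    for line, why in triage_hjt(HJT_LINES).items():
        print(f"{line}\n    -> {why}")
    # Only files go into the :files block; flagged directories are left for review.
    print(otmoveit_script([e.path for e in entries if e.path in hits and not e.is_dir]))
```

Run against the constructed sample, the script leaves the Malwarebytes driver and program folder alone, shortlists the two hidden `.ini` files, the two DLLs and the hidden `twain32` folder, flags the Temp-folder autorun and the `text/html` filter, and prints a ready-to-paste `:files` block with the `:commands` section from the post.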

Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on 19th February 2009, 1:38 am

I will do those steps ASAP because, like you, I want to get this all behind me; this is really a pain, LOL. I wish I owned a laptop and could connect at his house.

Before I posted anything today I tried to update Java, not by going on the internet but by loading it off my USB (with files that I downloaded with the updated Java you told me to get), and this is the error I got:

"The system administrator has set policies to prevent this installation"

I don't know how to change that so I'm able to install, even though I was using the ADMIN account.


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on 19th February 2009, 1:44 am

I think I found a solution to that, but let's get rid of the malware first, it's starting to annoy me.



Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on 19th February 2009, 1:46 am

Agreed Roger that


Updating Java

Post by Zorx on 19th February 2009, 11:13 pm

Hi

I want to finish everything tonight, because he doesn't have internet and I don't want to keep going back and forth between his house and mine. I'll do everything you posted the last time. But can you tell me how to set up the privileges on the computer so I can update Java? Because I want to do it all at once, presuming that I removed all the infected files with the OTMoveIt tool.
Here is the error message again. Thanks

----------------------
"The system administrator has set policies to prevent this installation"


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on 19th February 2009, 11:21 pm

See here:
[You must be registered and logged in to see this link.]

Run the two commands in the blog post.



Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on 19th February 2009, 11:27 pm

Thanks, I'll report back with updates.


Results from OTMoveIt

Post by Zorx on 20th February 2009, 2:45 am

Here are 2 results from OTMoveIt

--------------


========== FILES ==========
c:\windows\system32\tmwtsrno.ini moved successfully.
c:\windows\system32\oyiimiuc.ini moved successfully.
c:\windows\system32\qknpocao.ini moved successfully.
c:\windows\system32\eqiyhkpu.ini moved successfully.
c:\windows\efeyiqopacajuhi.dll NOT unregistered.
c:\windows\efeyiqopacajuhi.dll moved successfully.
c:\windows\system32\ykjesidk.ini moved successfully.
c:\windows\system32\jfvlwsds.ini moved successfully.
c:\windows\system32\wlnmfxkf.ini moved successfully.
c:\windows\system32\evvfbyik.ini moved successfully.
LoadLibrary failed for c:\windows\system32\vfoebn.dll
c:\windows\system32\vfoebn.dll NOT unregistered.
File move failed. c:\windows\system32\vfoebn.dll scheduled to be moved on reboot.
LoadLibrary failed for c:\windows\system32\cxqnnbbu.dll
c:\windows\system32\cxqnnbbu.dll NOT unregistered.
File move failed. c:\windows\system32\cxqnnbbu.dll scheduled to be moved on reboot.
File/Folder C:\window\system32\mst122.dll not found.
File/Folder :commands not found.
File/Folder [emptytemp] not found.
File/Folder [reboot] not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02192009_190448

Files moved on Reboot...
File c:\windows\system32\vfoebn.dll not found!
File c:\windows\system32\cxqnnbbu.dll not found!



-----------------

Second move that I did

---------------
========== FILES ==========
File/Folder c:\windows\system32\tmwtsrno.ini not found.
File/Folder c:\windows\system32\oyiimiuc.ini not found.
File/Folder c:\windows\system32\qknpocao.ini not found.
File/Folder c:\windows\system32\eqiyhkpu.ini not found.
File/Folder c:\windows\efeyiqopacajuhi.dll not found.
File/Folder c:\windows\system32\ykjesidk.ini not found.
File/Folder c:\windows\system32\jfvlwsds.ini not found.
File/Folder c:\windows\system32\wlnmfxkf.ini not found.
File/Folder c:\windows\system32\evvfbyik.ini not found.
File/Folder c:\windows\system32\vfoebn.dll not found.
File/Folder c:\windows\system32\cxqnnbbu.dll not found.
File/Folder C:\WINDOWS\system32\mst122.dll not found.
File/Folder :commands not found.
File/Folder [emptytemp] not found.
File/Folder [reboot] not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02192009_194348


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on 20th February 2009, 2:51 am

Just an FYI, I updated the computer (Windows updates) before I left.

When I used my USB on my comp I found the "mst122.dll" Trojan on it. My thinking is that it jumped from his comp to my USB and that is why OTMoveIt said it was not found. I could be wrong.

Anyway, he called me when he restarted his comp and said even though his cables were plugged in for internet, when he opened his browser it said not connected. I think he's just a computer novice and doesn't know how to enter his wireless network password. I'm almost positive of this.

Anyway, that is the latest info on the problem right now.


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on 20th February 2009, 2:52 am

Okay, the Vundo should be gone. Did you update Java?

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (to turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Zorx on 20th February 2009, 2:56 am

***I removed old versions and Java said it was updated when I ran JRE6 u12 and JavaRa. I updated using JUCHECK.exe***


I almost forgot: while I ran HijackThis I also had my USB plugged into his comp. I still see the "mst122.dll"; I keep checking that box and clicking Fix, but still, every time I ran HijackThis it was still there, over and over again.

I'm thinking it was just because I had my USB plugged in; I don't know.


Here is the log file
------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:01 PM, on 2/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
F:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 5131 bytes


Last edited by Zorx on 20th February 2009, 3:03 am; edited 1 time in total

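Added example, not part of the thread: a small Python triage pass over HijackThis log lines of the kind posted above. It pulls out the three entry types that matter most for a complaint like this one (an O18 MIME filter, an extra program on the Winlogon UserInit line, and hosts-file mappings) and turns them into the strings worth feeding to a registry search next: the CLSID and the file name. The O4, O18 and O23 sample lines are the ones from the log above; the F2 line (a second UserInit program called sample.exe) and the O1 line (192.0.2.10 and www.example.com) are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v2 log format. The O4, O18 and O23 lines are
# taken from the log posted in this thread; the F2 line (a second UserInit
# program, "sample.exe") and the O1 line (192.0.2.10 / www.example.com) are
# made up to exercise the other two checks.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sample.exe,
O1 - Hosts: 192.0.2.10 www.example.com
O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# O18: "O18 - Filter hijack: <mime> - {CLSID} - <dll path>" (HJT also writes "Filter:" without "hijack")
O18_RE = re.compile(r"^O18 - Filter(?: hijack)?: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# F2: Winlogon UserInit, a comma-separated list of programs started at every interactive logon
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<programs>.+)$")
# O1: one hosts-file mapping per line
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line an analyst should look at first."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O18_RE.match(line)
        if m:
            # A pluggable MIME filter: urlmon hands every response of this content
            # type to the COM object behind the CLSID, so the DLL sees (and can
            # rewrite) each page before the browser renders it.
            findings.append({
                "kind": "O18",
                "mime": m["mime"],
                "clsid": m["clsid"].lower(),
                "path": m["path"].strip(),
                "reason": f"MIME filter on {m['mime']} implemented by {m['path'].strip()}",
            })
            continue
        m = F2_RE.match(line)
        if m:
            programs = [p.strip() for p in m["programs"].split(",") if p.strip()]
            # Only userinit.exe belongs here; anything else is a logon persistence entry.
            extras = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
            if extras:
                findings.append({
                    "kind": "F2",
                    "path": ";".join(extras),
                    "reason": "extra program in Winlogon UserInit",
                })
            continue
        m = O1_RE.match(line)
        if m:
            # Any hosts entry pins a name to an address the attacker chose.
            findings.append({
                "kind": "O1",
                "host": m["host"],
                "ip": m["ip"],
                "reason": f"hosts file pins {m['host']} to {m['ip']}",
            })
    return findings


def search_terms(findings: List[Dict[str, str]]) -> List[str]:
    """Strings to feed to a registry search: each CLSID, plus each flagged file
    name (the bare file name also finds other registrations of the same DLL)."""
    terms: List[str] = []
    for f in findings:
        if "clsid" in f:
            terms.append(f["clsid"])
        if "path" in f:
            for p in f["path"].split(";"):
                name = p.rsplit("\\", 1)[-1]
                if name and name not in terms:
                    terms.append(name)
    return terms


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["kind"], "-", f["reason"])
    print("search the registry for:", search_terms(found))
```

The O4 and O23 lines are deliberately left alone: they are ordinary startup and service entries for software the user installed, and a triage pass that flags everything is no triage at all.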

Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Belahzur on 20th February 2009, 3:02 am

Do a registry search for the CLSID.

Download the Registry Search Tool from [You must be registered and logged in to see this link.]

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens, enter the following:
{cc6e3e31-2bd8-48c7-86fb-7f5302833add}

Press 'OK'

The search will run for a while then alert you when it is finished.
Press 'OK' and copy the contents of the WordPad window and post in this thread.

I'll answer this in the morning, 3am here and I need sleep.



Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Zorx on 20th February 2009, 3:05 am

LOL, I understand, get some rest. You'll need it. Later.

When you come back in the morning: I posted this in my last thread, just wanted to make sure that you saw it; when I was updating my thread you were posting, LOL. Thanks, cya:

-----------
***I removed old versions and Java said it was updated when I ran JRE6 u12 and JavaRa. I updated using JUCHECK.exe***
-----------------


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Belahzur on 20th February 2009, 2:51 pm

Okay, it should be fine then.

Now, let's leave this alone and move onto that other machine.
Still want to work on the other machine?



Here are the results for the Registry Search Tool

Post by Zorx on 26th February 2009, 1:31 am

OK,
I ran that program you mentioned, "Registry Search Tool".

And here are the results:

-----------------------

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{cc6e3e31-2bd8-48c7-86fb-7f5302833add}" 2/25/2009 6:07:48 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}\InProcServer32]

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{cc6e3e31-2bd8-48c7-86fb-7f5302833add}"

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}\InProcServer32]

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{cc6e3e31-2bd8-48c7-86fb-7f5302833add}"


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Belahzur on 26th February 2009, 9:29 am


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]

    [HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\PROTOCOLS\Filter\text/html]
    "CLSID"=-

    [-HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]

    [HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\PROTOCOLS\Filter\text/html]
    "CLSID"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

The item should be removed now.



OK, will do this last step

Post by Zorx on 28th February 2009, 1:55 am

Thanks for all your help on this issue, really appreciate it. I plan on moving now to the other computer; I have an updated HijackThis. Bow or Thanks


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool results)

Post by Belahzur on 28th February 2009, 2:00 am

Okay. Smile


