Win32/Nuqel.E Virus!!!(Updated with Registry search tool res


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on Fri Feb 20, 2009 2:56 am

***I removed old versions, and Java said it was updated when I ran JRE6 u12 & JavaRa. I updated using JUCHECK.exe***


I almost forgot: while I ran HijackThis I also had my USB plugged into his comp. I still see the "mst122.dll"; I keep checking that box and clicking FIXED, but every time I ran HijackThis it was still there, over and over again.

I'm thinking it was just because I had my USB plugged in, I don't know.


Here is the log file
------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:01 PM, on 2/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
F:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 5131 bytes


Last edited by Zorx on Fri Feb 20, 2009 3:03 am; edited 1 time in total

Zorx, Novice. Posts: 40. Joined: 2009-02-17. OS: vista 64bit

Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on Fri Feb 20, 2009 3:02 am

Do a registry search for the CLSID.

Download the Registry Search Tool from [You must be registered and logged in to see this link.]

Unzip to your Desktop and double-click on regsrch.vbs
(if you have script protection, please allow this to run).

In the dialog that opens, enter the following:
{cc6e3e31-2bd8-48c7-86fb-7f5302833add}

Press 'OK'

The search will run for a while then alert you when it is finished.
Press 'OK' and copy the contents of the WordPad window and post in this thread.

I'll answer this in the morning, 3am here and I need sleep.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator. Posts: 34916. Joined: 2008-08-03. Gender: Male. OS: XP SP3 Media Centre

Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Zorx on Fri Feb 20, 2009 3:05 am

LOL, I understand, get some rest. You'll need it. Later.

When you come back in the morning: I posted this in my last thread, just wanted to make sure that you saw it; when I was updating my thread you were posting LOL. Thanks, cya:

-----------
***I removed old versions, and Java said it was updated when I ran JRE6 u12 & JavaRa. I updated using JUCHECK.exe***
-----------------


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on Fri Feb 20, 2009 2:51 pm

Okay, it should be fine then.

Now, let's leave this alone and move on to that other machine.
Still want to work on the other machine?





Here is the results for Registry search Tool

Post by Zorx on Thu Feb 26, 2009 1:31 am

Ok, I ran that program you mentioned, "Registry Search Tool".

And here are the results:

-----------------------

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "{cc6e3e31-2bd8-48c7-86fb-7f5302833add}" 2/25/2009 6:07:48 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}\InProcServer32]

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{cc6e3e31-2bd8-48c7-86fb-7f5302833add}"

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}\InProcServer32]

[HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{cc6e3e31-2bd8-48c7-86fb-7f5302833add}"


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on Thu Feb 26, 2009 9:29 am


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]
    [-HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]
    [HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006\Software\Classes\PROTOCOLS\Filter\text/html]
    "CLSID"=-
    [-HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]
    [-HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\CLSID\{cc6e3e31-2bd8-48c7-86fb-7f5302833add}]
    [HKEY_USERS\S-1-5-21-1842323384-1664087808-2548592241-1006_Classes\PROTOCOLS\Filter\text/html]
    "CLSID"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

The item should be removed now.




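The O18 line, the RegSrch hits and the fix.reg above all revolve around one registry mechanism: a MIME protocol filter registered under PROTOCOLS\Filter\text/html whose CLSID points at a DLL via InProcServer32. The script below is an added example, not something posted in this thread or shipped with HijackThis or RegSrch: it enumerates every such filter in HKLM and in each loaded user hive (including the HKU\<SID>_Classes hives where Zorx's entries lived), resolves the CLSID to its DLL, and flags entries that only exist in a user hive or whose DLL is missing or unsigned. It assumes a current Windows PowerShell session run as Administrator so that all HKEY_USERS hives are readable.

```powershell
# Added example (not from the thread): audit MIME protocol filters, the registry entries
# behind a HijackThis "O18 - Filter hijack" line. A text/html filter lets its DLL rewrite
# every HTML page Internet Explorer renders, so each registered one deserves a look.
# Assumes an elevated Windows PowerShell 5.1+ session so every HKEY_USERS hive is readable.

function Get-MimeFilterAudit {
    # Machine-wide location, where Windows registers its own filters.
    $bases = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes')
    # Per-user locations: HKU\<SID>\Software\Classes and the separately mounted
    # HKU\<SID>_Classes hive (the Classes content sits at its root).
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        if ($hive.PSChildName -like '*_Classes') { $bases += "Registry::$($hive.Name)" }
        else { $bases += "Registry::$($hive.Name)\Software\Classes" }
    }
    foreach ($base in $bases) {
        $filters = Get-ChildItem "$base\PROTOCOLS\Filter" -ErrorAction SilentlyContinue
        foreach ($f in $filters) {
            # Key names like "text/html" contain a slash, which the registry provider treats
            # as a path separator, so read the value through the RegistryKey object instead.
            $clsid = $f.GetValue('CLSID')
            if (-not $clsid) { continue }
            # The COM server may be registered in this hive or machine-wide; check both.
            $dll = $null
            foreach ($root in @($base, 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes')) {
                $srv = Get-ItemProperty -LiteralPath "$root\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
                if ($srv -and $srv.'(default)') { $dll = $srv.'(default)'; break }
            }
            $dll = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll).Trim('"') } else { '<unresolved CLSID>' }
            $exists = Test-Path -LiteralPath $dll -ErrorAction SilentlyContinue
            # Catalog-signed Windows DLLs can report NotSigned on older systems; treat the
            # signature status as a triage aid, not a verdict.
            $signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            [pscustomobject]@{
                Hive       = $base -replace '^Registry::', ''
                MimeType   = $f.PSChildName
                CLSID      = $clsid
                Dll        = $dll
                Exists     = $exists
                Signature  = $signature
                # Legitimate filters live under HKLM; one that exists only in a user hive,
                # or whose DLL is missing or unsigned, is what to examine first.
                Suspicious = ($base -like 'Registry::HKEY_USERS*') -or (-not $exists) -or ($signature -ne 'Valid')
            }
        }
    }
}

Get-MimeFilterAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run against a machine in the state Zorx's log shows, the text/html entry in the two HKU\S-1-5-21-...-1006 hives would appear with Suspicious = True; after merging a fix.reg like the one above, re-running the audit confirms the entry is gone.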

Ok, will do this last step

Post by Zorx on Sat Feb 28, 2009 1:55 am

Thanks for all your help on this issue, really appreciate it. I plan on moving now to the other computer; I have an updated HijackThis. Bow or Thanks


Re: Win32/Nuqel.E Virus!!!(Updated with Registry search tool res

Post by Belahzur on Sat Feb 28, 2009 2:00 am

Okay. Smile



