Virus Stuff

Kesava

Kesava

Active Member
ok so i have a virus or 2 so i installed avg 8 and that didnt find anything and just now i got this screen:

1216301405.jpg


i am scanning with AVG again but i dont think it will find anything.
i ran hijackthis earlier and removed one of the virus entries... but according to windows defender, things are still around, so im not sure whats going on. heres my current hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:17 PM, on 7/17/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: QXK Olive - {4561EA3D-3CF2-4630-960F-EB36F485A198} - C:\Windows\kgxmotapdkx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CE87D022-9468-4431-B67A-C4499C32D4D8} - C:\Windows\system32\fCRjGApQ.dll
O3 - Toolbar: qndsfmao - {A3BEDCF8-21BC-47FC-B55D-FA7ABDE658B5} - C:\Windows\qndsfmao.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTunerWrapper.exe" /S
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\byXNeFuS.dll,#1
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [58e9d8d9] rundll32.exe "C:\Windows\system32\coscekpl.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [OnlineTextBuddy] C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe /quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1215312052466
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: kvxqmtre - {EB9995CB-343F-4998-87D0-57BA4E5A794C} - C:\Windows\kvxqmtre.dll
O21 - SSODL: evgratsm - {D21FAC17-D087-4CA7-A156-127A2D653D14} - C:\Windows\evgratsm.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FAH@C:+Program Files+Folding@home+Folding@home-cpu 2+FAH504-Console.exe - Unknown owner - C:\Program Files\Folding@home\Folding@home-cpu 2\FAH504-Console.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 5818 bytes



so any ideas on what is going on and how to get rid of these? im about to scan with spybot.
 
Kesava

Kesava

Active Member
even when i delete: O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\byXNeFuS.dll,#1

it just comes back. should i boot into safe mode?
 
GameMaster

GameMaster

New Member
Hi! Your log shows signs of Vundo infection.
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Kesava

Kesava

Active Member
combofix doesnt appear to be starting....
i have clicked it a few times now and tried to run as admin. do i need to be in safe mode?
 
GameMaster

GameMaster

New Member
Hi, could you download another from one of the other links?
Be sure to delete the downloaded one.

Just in case, rename ComboFix.exe to Bundeva.exe
 
Kesava

Kesava

Active Member
still not working. it loads like with a little bar that says combofix... but after that nothing happends. i cant rename it cos it says file in use...
 
GameMaster

GameMaster

New Member
Because it was the first thing that came up to my mind :D Besides, it means ...well I forgot. But that's what you have in your house on the Halloween night :D
 
cohen

cohen

New Member
Kesava said:
still not working. it loads like with a little bar that says combofix... but after that nothing happends. i cant rename it cos it says file in use...
Click to expand...

end the process under the task manager, rename it and then try again
 
Kesava

Kesava

Active Member
what has the renaming got to do with it? ill download from the 3rd link then rename and run it...
 
GameMaster

GameMaster

New Member
Do it. If you have a serious infection, some viruses may stop you from running any antivirus program. In most serious cases, when you start one, that reboots your computer, but...I don't think that's the thing now.

Basically, if you rename ComboFix and HijackThis, the virus won't recognize it and you'll be able to run it.

Believe me, it works unless you have some other serious problems.
 
Kesava

Kesava

Active Member
i booted into safe mode and renamed it... still didnt work.
hah the virus keeps changing its name...
what else can i try and do?
 
Kesava

Kesava

Active Member
come on this is getting worse... explorer is crashing and internet keeps cutting out and system is running slow... any solutions?
 
GameMaster

GameMaster

New Member
Please go HERE to run Panda ActiveScan 2.0
  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply
 
You must log in or register to reply here.
Top