
Well, I'm not sure what it is... but basically here is everything I've run into:

- In video games, such as Final Fantasy XI, Jedi Knight II, or GunzOnline, I have experienced performance slowdowns. This was minor and about 1-2 months ago? Nothing major, so I ignored it.

- www.yahoo.com (my previous homepage) now appears differently to me on my computer. Also, SlimBrowser won't update to a new homepage. (Note: I just reinstalled.)

- There used to be random messages about Mytob viruses, and when I hit ok it sent me to a place to download stuff?

- There used to be a window that would pop up when I went into zip files... such as, it would be a download page, and in the URL you'd see the folder I was in as a parameter.

- Random SlimBrowser crashes (that don't happen in IE). Also on certain webpages I get redirected to www.google.com search with profane things... such as 'gay lovers' or other sexual terms.

- Access crashes (explained later... very much a hypothesis)

Basically, that's all the stupid stuff that's happening... and about the access crashes... Basically, when I run AdAware or Nod32, they crash. AdAware, run normally, will freeze and 'won't respond'. Nod32 will just get to a certain point and then crash completely. In safe mode, AdAware will get to a certain point, then just stop. It won't crash or lock up, but it will stop (I let it run all day after it stopped). Nod32 is the same in and out of safe mode.

While following removal instructions from this site, I saw a search for *.tmp. I tried that, and it crashed explorer.exe after a while. So my theory is that whenever something accesses this virus, it crashes. Very disturbing =(. Also, my mom's computer, connected wirelessly, shows a new homepage version of msn.com. Keep in mind, neither of us changed any sort of settings.

Anyhow, here is the HJT readout:
Logfile of HijackThis v1.99.1
Scan saved at 10:48:06 PM, on 5/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Austin\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.32.57.200:50050
O2 - BHO: (no name) - {01190249-0562-4FB5-85E3-381671BAFB5C} - C:\WINDOWS\System32\pmnli.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/KeyCrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A89AF12-67AB-45B0-856D-C166FC75D94D}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{787FC45B-3876-46B2-9C12-CBD57DDB6BED}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{B67D7C15-4791-4A71-898D-9C28FEC74934}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A89AF12-67AB-45B0-856D-C166FC75D94D}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\..\{0A89AF12-67AB-45B0-856D-C166FC75D94D}: NameServer = 85.255.116.131,85.255.112.165
O20 - Winlogon Notify: pmnli - C:\WINDOWS\System32\pmnli.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

Any help would be great guys, thanks in advance :D (Save me from reformatting !)

4 Contributors, 16 Replies, 17 Views, 11 Years Discussion Span, Last Post by Burton1

Hmm, that definitely sounds like a midrange virus to me.

Let's start with Ewido/CCleaner and see what they take out.

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're on the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.

Next, after following all of these steps, you're ready to scan. Run scans in both the 'Cleaner' and 'Issues' tabs. Note: It might take several scans in each to remove all of the junk.

____________________

Now you're ready for Ewido.

Follow up by downloading Ewido Security Suite.

  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display "Update successful"
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Post back with the Ewido log, and a new HJT log.

Thanks.


Well, I did the CCleaner bit. I added all the custom folders and all that jazz, and went to Clean... But it crashed in normal Windows mode. Then I went to safe mode and tried it -- another crash. Basically, I'm thinking whenever the virus is accessed, it makes the program that did so crash it. Do you know of anything like this?


Wow...not good.

Do you know of anything like this?

Well, I've seen stuff like this before.

Also, if it crashes in safe mode, it means one of two things.

1) It boots with XP software
or
2) It's a hardware/fan problem.
_____

Try running Ewido in Safe mode, see what happens.

Be sure to post back the ewido scan log.

Thanks.

Note: My last post for the nite :)


Another thing I just noticed. About every 5 seconds, even when I'm just sitting on the desktop, my processor usage jumps up to 100 percent (which explains the video game lag). This is odd because it's System that's taking the processor... any ideas? ; ;


Hmm, well, what I'm considering now is fixing with HJT first, and then trying the other things later.

BUT, we'll save that for tomorrow :)

Thanks.


Oh, one more question.

Does the computer itself crash if it's just on for a while?

Like, start it up and let it sit for a bit. Does it crash?

Thanks.

(and I'm really gonna leave this time heh)


1. A question about this HJT log entry:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.32.57.200:50050

That entry indicates you are routing through network port 50050 on a proxy server with the IP address of 61.32.57.200. Does any of that sound familiar to you? If not, include the above line in the list of HijackThis fixes given in step #2 below.


2. Run another HijackThis scan, put a check mark in the box to the left of the following entries, and then click the "Fix checked" button (close HJT when it completes the fixes):

O2 - BHO: (no name) - {01190249-0562-4FB5-85E3-381671BAFB5C} - C:\WINDOWS\System32\pmnli.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect.roseonlinegame.com/n...etizen/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/n...rypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A89AF12-67AB-45B0-856D-C166FC75D94D}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{787FC45B-3876-46B2-9C12-CBD57DDB6BED}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{B67D7C15-4791-4A71-898D-9C28FEC74934}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A89AF12-67AB-45B0-856D-C166FC75D94D}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\..\{0A89AF12-67AB-45B0-856D-C166FC75D94D}: NameServer = 85.255.116.131,85.255.112.165
O20 - Winlogon Notify: pmnli - C:\WINDOWS\System32\pmnli.dll

3. Download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click "YES".
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, VundoFix will prompt that it will shutdown your computer; click "OK".


4. Boot your computer normally and run HJT again. Post the contents of C:\vundofix.txt and the new HiJackThis log.
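The indicators called out in the post above (the R1 ProxyServer line, the O17 NameServer entries, the O15 Trusted Zone, and the pmnli.dll that appears as both an unnamed BHO and a Winlogon Notify package) can be checked mechanically rather than by eye. The script below is an added example, not part of the thread and not HijackThis code: it parses HJT entry lines and reports the ones worth fixing. The sample log is trimmed from the first log posted above; the expected-resolver range, the rogue-DNS blocklist entry, and the Winlogon Notify baseline are assumptions to adapt to the machine being examined.

```python
"""Triage a HijackThis 1.99 log for the hijack indicators discussed in the thread."""
import ipaddress
import re
from typing import Dict, Iterator, List, Tuple

# Assumed: the resolvers this network should be handing out (a home router here).
EXPECTED_DNS = [ipaddress.ip_network("192.168.0.0/16")]
# Assumed example blocklist entry; it covers the resolvers seen in this log.
ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]
# Assumed baseline of Winlogon Notify keys on a stock Windows XP install.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Trimmed from the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.32.57.200:50050
O2 - BHO: (no name) - {01190249-0562-4FB5-85E3-381671BAFB5C} - C:\WINDOWS\System32\pmnli.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O15 - Trusted Zone: http://www.neededware.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A89AF12-67AB-45B0-856D-C166FC75D94D}: NameServer = 85.255.116.131,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A89AF12-67AB-45B0-856D-C166FC75D94D}: NameServer = 85.255.116.131,85.255.112.165
O20 - Winlogon Notify: pmnli - C:\WINDOWS\System32\pmnli.dll
"""


def parse_hjt(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each HJT entry line; the header and process list are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log: str) -> List[Dict[str, object]]:
    """Return a list of findings; each has kind, severity, detail and a one-line reason."""
    entries = list(parse_hjt(log))
    findings: List[Dict[str, object]] = []

    # First pass: remember every BHO DLL so O20 entries can be cross-referenced.
    bho_dlls = {_basename(body.rsplit(" - ", 1)[-1]) for sec, body in entries if sec == "O2"}

    seen_dns = set()
    for section, body in entries:
        if section == "R1" and "ProxyServer = " in body:
            host = body.split("ProxyServer = ", 1)[1].strip()
            findings.append({"kind": "proxy", "severity": "review", "detail": host,
                             "why": "all IE/WinInet traffic is routed through this host:port"})
        elif section == "O17" and "NameServer = " in body:
            for ip_s in body.split("NameServer = ", 1)[1].split(","):
                ip = ipaddress.ip_address(ip_s.strip())
                if ip in seen_dns:          # the same pair repeats per adapter/control set
                    continue
                seen_dns.add(ip)
                if any(ip in net for net in ROGUE_DNS):
                    findings.append({"kind": "dns", "severity": "high", "detail": str(ip),
                                     "why": "resolver is in the rogue-DNS blocklist"})
                elif not any(ip in net for net in EXPECTED_DNS):
                    findings.append({"kind": "dns", "severity": "review", "detail": str(ip),
                                     "why": "resolver is not one this network should be using"})
        elif section == "O15":
            findings.append({"kind": "trusted_zone", "severity": "review",
                             "detail": body.split(": ", 1)[1],
                             "why": "site runs with IE's relaxed Trusted Sites settings"})
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append({"kind": "bho", "severity": "high",
                             "detail": _basename(body.rsplit(" - ", 1)[-1]),
                             "why": "BHO registered with no name"})
        elif section == "O20" and body.startswith("Winlogon Notify: "):
            name, path = body[len("Winlogon Notify: "):].split(" - ", 1)
            dll = _basename(path)
            if name.lower() in KNOWN_NOTIFY:
                continue
            f: Dict[str, object] = {"kind": "winlogon_notify", "severity": "review", "detail": dll,
                                    "why": "Notify DLL loads into winlogon.exe; not in the XP baseline"}
            if dll in bho_dlls:
                stem = dll.rsplit(".", 1)[0]
                f["severity"] = "high"
                f["why"] = "same DLL is both a BHO and a Winlogon Notify package (Vundo pattern)"
                # The companion files deleted by VundoFix in this thread used the DLL name
                # spelled backwards (pmnli -> ilnmp); list those names as candidates to look for.
                f["companions"] = [stem[::-1] + ext for ext in (".ini", ".bak1", ".bak2")]
            findings.append(f)
        elif section == "O4" and "MSConfig.exe /auto" in body:
            findings.append({"kind": "selective_startup", "severity": "note", "detail": body,
                             "why": "msconfig selective startup is active; disabled items will not show as running"})
    return findings


def findings_by_kind(log: str) -> Dict[str, List[Dict[str, object]]]:
    grouped: Dict[str, List[Dict[str, object]]] = {}
    for f in triage(log):
        grouped.setdefault(str(f["kind"]), []).append(f)
    return grouped


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['kind']:17} {f['detail']}  ({f['why']})")
```

Run against the sample, the script flags the proxy, both 85.255.x.x resolvers, the Trusted Zone entry, the unnamed BHO, and pmnli.dll as the high-confidence BHO/Notify pair, while also noting that the log was taken under msconfig selective startup, the point raised later in the thread. The reversed-name companions it predicts (ilnmp.ini, ilnmp.bak1, ilnmp.bak2) are exactly the files the VundoFix log below reports deleting.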


First off, ewido crashed in safe mode O.o

Secondly, no I don't crash...

now, for Vundo.txt:

VundoFix V4.2.74

Checking Java version...

Java version is 1.5.0.4

Scan started at 4:11:15 PM 5/10/2006

Listing files found while scanning....


C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.bak2
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\pmnli.dll
Attempting to delete C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilnmp.bak2
C:\WINDOWS\system32\ilnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\pmnli.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V4.2.74

Checking Java version...

Java version is 1.5.0.4

Scan started at 4:15:27 PM 5/10/2006

Listing files found while scanning....


No infected files were found.

And now HJT:

Logfile of HijackThis v1.99.1
Scan saved at 4:18:15 PM, on 5/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Austin\Desktop\Comp Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/npx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe


Whoa, sorry JediSange, no clue how ya slipped by us.

I'm sorry ;)

_________________

If ya can, post a new HJT log and we'll look at that.

Thanks again.


I am sorry, I do not mean to hijack this post, but I don't think everything is booting up, therefore you might not be able to see all.

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

He might be running a selective start-up.

Please follow these instructions

Click the START button > Select Run > type in "msconfig" (without the quotes) and press OK > Select Normal Startup - load all device drivers and services > Then click Apply and then OK. It will give you two options: Restart and Exit Without Restart; select Restart.


but I don't think everything is booting up, therefore you might not be able to see all.

Thanks, didn't catch that :)

Welcome to DaniWeb, by the way. Oh yeah, and feel free to step into threads and such, it's the common practice here :cheesy: (and by that, I mean it in a good way heh)

Thanks.


Thanks, I'm glad to be helping. I usually don't hijack threads. Policy from other forums I work at. Just thought that would help.


Roger that.

And I apologize if this seems nosy, but at what other forums do ya work? :)

And ya, I'm sorry again for detracting from the thread.

Thanks.


Well, right now I'm an upperclassman at GeeksTogo.com, Burton1. I am currently working on my live logs.


:lol: Well, actually it's on the poster; he has to follow my instructions to make sure nothing is hiding. :rolleyes:
