hypinit32.exe prauge DVDRam Version 2.3A

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

nzer2425

Thread Starter
Joined
Sep 30, 2008
Messages
16
Hi there,

I am opening a new thread because the last hypinit thread was closed after 45 days of inactivity.

I have the hypinit32.exe virus and I have used HJT to check these two files

O4 - HKCU\..\Run: [Prauge DVDRam Version 2.3A] C:\WINDOWS\system32\spfx\hypinit32.exe
O4 - HKCU\..\RunOnce: [*Prauge DVDRam Version 2.3A*] C:\WINDOWS\system32\spfx\hypinit32.exe


I have then tried to delete the c:\windows\system32\spfx directory through rmdir /s /q c:\windows\system32\spfx but I do not have admin rights and receive the following message

I don't have a windows xp CD/DVD and when I have rebooted my laptop in the past it was through Acer e-recovery management

c:\windows\system32\spfx\mstlsapi.dll - Access is denied.
c:\windows\system32\spfx\pfsbase32.dll - Access is denied.
The process cannot access the file because it is being used by another process.

I have also tried attrib -r -a -s -h c:\windows\system32\spfx\mstlsapi.dll and del mstlsapi.dll which again says Access is denied.

And attrib -r -a -s -h c:\windows\system32\spfx\hypinit32.exe which says Could Not Find

Many thanks to anyone who can help

Cheers

Nzer2425
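An added example, not part of the original thread: a small Python triage of HijackThis O4 (registry autorun) lines like the two quoted in the post above. The function names and the three heuristics are assumptions made for illustration; the Safe Mode behaviour of a `*` prefix on a RunOnce value name is documented Windows behaviour.

```python
import re
from ntpath import normcase  # Windows path rules on any host OS

# Lines 1-2 are the O4 entries from the post; line 3 is a constructed benign entry.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Prauge DVDRam Version 2.3A] C:\WINDOWS\system32\spfx\hypinit32.exe
O4 - HKCU\..\RunOnce: [*Prauge DVDRam Version 2.3A*] C:\WINDOWS\system32\spfx\hypinit32.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
"""

O4_RE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")

def exe_path(command):
    """Extract the executable from an autorun command, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))\b", command, re.I)
    return m.group(1) if m else command

def parse_o4(log):
    """Return one dict per registry autorun (O4) line in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key.lower(), "name": name,
                            "path": normcase(exe_path(command))})
    return entries

def triage(entries):
    """Map each flagged executable path to the reasons it stands out."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e["path"], []).append(e)
    findings = {}
    for path, group in by_path.items():
        reasons = []
        if {"run", "runonce"} <= {e["key"] for e in group}:
            reasons.append("registered in both Run and RunOnce")
        if any(e["key"] == "runonce" and e["name"][:1] == "*" for e in group):
            reasons.append("RunOnce name starts with '*': also runs in Safe Mode")
        if re.search(r"\\system32\\[^\\]+\\", path):
            reasons.append("binary sits in a subfolder of system32")
        if reasons:
            findings[path] = reasons
    return findings
```

Calling `triage(parse_o4(SAMPLE_LOG))` flags only the hypinit32.exe path, with all three reasons; the constructed tray entry is not flagged.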
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Please download Malwarebytes' Anti-Malware to your desktop
from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please include this log in your next reply.
 

nzer2425

Thread Starter
Joined
Sep 30, 2008
Messages
16
Hi Derek

Thanks for your advice, I've installed and run MalwareBytes and the following log was created

Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 3
1/10/2008 9:29:00 a.m.
mbam-log-2008-10-01 (09-29-00).txt
Scan type: Quick Scan
Objects scanned: 59494
Time elapsed: 7 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\nScan (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\nScan\ecls.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrn.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrnAmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrnEmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrnEpfw.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrnScan.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em000_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em001_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em002_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em003_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em004_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em005_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em006_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\mod_comp.dat (Backdoor.Bot) -> Quarantined and deleted successfully.


It appears I had a second virus called Backdoor.bot that I wasn't aware of

I then opened command prompt and ran dir/w/a on the c:\windows\system32\spfx directory and the following appeared

2 dirs . and ..
4 files mstlsapi.dll, pfsbase.dll, hypinit32.exe, and olcserv32.dll

Using the attrib command, these files are all hidden with the H prefix

What do I need to do next?

Cheers

Nzer2425
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
 

nzer2425

Thread Starter
Joined
Sep 30, 2008
Messages
16
Hi Derek,

When you mentioned the word recovery I decided to reboot using the Acer e-recovery tool that I have used in the past. This is a bit of a hassle, but at least I'd done it before.

The virus has gone, I ran MalwareBytes and the following log appeared

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 2
5/10/2008 1:01:14 p.m.
mbam-log-2008-10-05 (13-01-14).txt
Scan type: Quick Scan
Objects scanned: 42392
Time elapsed: 2 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


I also ran in dos cd c:\windows\system32\spfx and the folder was not found

Many thanks for your help, Derek. I'll definitely come to this forum again if I have malware or virus concerns in the future.

Nzer2425
 