
hypinit32.exe prauge DVDRam Version 2.3A

Discussion in 'Virus & Other Malware Removal' started by nzer2425, Sep 30, 2008.

Thread Status:
Not open for further replies.
  1. nzer2425

    nzer2425 Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    16
    Hi there,

    I am opening a new thread because the last hypinit thread was closed after 45 days of inactivity.

    I have the hypinit32.exe virus and I have used HJT to check these two files

    O4 - HKCU\..\Run: [Prauge DVDRam Version 2.3A] C:\WINDOWS\system32\spfx\hypinit32.exe
    O4 - HKCU\..\RunOnce: [*Prauge DVDRam Version 2.3A*] C:\WINDOWS\system32\spfx\hypinit32.exe


    I have then tried to delete the c:\windows\system32\spfx directory through rmdir /s /q c:\windows\system32\spfx but I do not have admin rights and receive the following message

    I don't have a windows xp CD/DVD and when I have rebooted my laptop in the past it was through Acer e-recovery management

    c:\windows\system32\spfx\mstlsapi.dll - Access is denied.
    c:\windows\system32\spfx\pfsbase32.dll - Access is denied.
    The process cannot access the file because it is being used by another process.

    I have also tried attrib -r -a -s -h c:\windows\system32\spfx\mstlsapi.dll and del mstlsapi.dll which again says Access is denied.

    And attrib -r -a -s -h c:\windows\system32\spfx\hypinit32.exe which says Could Not Find

    Many thanks to anyone who can help

    Cheers

    Nzer2425
     
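The two O4 lines above are HijackThis's rendering of Run and RunOnce autostart values. As an added example that is not part of the original post or of HijackThis, the following Python parses lines in that format and flags the properties that make these two entries stand out: the executable sits in a fresh subfolder of system32 rather than in system32 itself (a heuristic, not a rule), the same binary is registered under two keys, and the RunOnce value name is prefixed with `*`, which Windows documents as forcing the entry to run even in Safe Mode. The sample input is constructed here: it contains the two lines from the post plus two invented benign-looking entries (`SynTPEnh`, `ctfmon.exe`) so the parser has something to leave unflagged.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the two O4 lines from the post above, plus two made-up
# entries in the same format standing in for ordinary vendor/Windows autostarts.
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [Prauge DVDRam Version 2.3A] C:\WINDOWS\system32\spfx\hypinit32.exe
O4 - HKCU\..\RunOnce: [*Prauge DVDRam Version 2.3A*] C:\WINDOWS\system32\spfx\hypinit32.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" /s
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First .exe in the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    cmd: str
    flags: List[str] = field(default_factory=list)

    @property
    def exe_path(self) -> str:
        m = EXE_RE.match(self.cmd)
        return m["path"] if m else self.cmd


def parse_hjt(text: str) -> List[Autostart]:
    """Return one Autostart per O4 line; other HJT line types are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autostart(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def flag(entries: List[Autostart]) -> List[Autostart]:
    """Attach heuristic flags and return only the entries that earned one."""
    by_exe: Dict[str, List[Autostart]] = {}
    for e in entries:
        by_exe.setdefault(e.exe_path.lower(), []).append(e)
    for e in entries:
        p = e.exe_path.lower()
        # Heuristic: Windows' own system32 autostarts live directly in
        # system32; a subfolder there (like spfx) deserves a look.
        if p.startswith(SYSTEM32 + "\\") and "\\" in p[len(SYSTEM32) + 1:]:
            e.flags.append("subfolder-of-system32")
        # A '*' prefix on a RunOnce value name makes Windows run it even in
        # Safe Mode, which is why the entry carries it.
        if e.key.lower() == "runonce" and e.name.startswith("*"):
            e.flags.append("runonce-safe-mode")
        # Same binary registered under more than one autostart key.
        if len(by_exe[p]) > 1:
            e.flags.append("multiple-autostarts")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flag(parse_hjt(SAMPLE_HJT)):
        print(f"{e.hive}\\{e.key} [{e.name}] {e.exe_path}: {', '.join(e.flags)}")
```

On the "Access is denied" / "being used by another process" errors in the post: a DLL that is mapped into a running process cannot be deleted until that process is stopped, and `tasklist /m mstlsapi.dll` (a standard Windows command) lists which processes have loaded it.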
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please download Malwarebytes' Anti-Malware to your desktop
    from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.
     
  3. nzer2425

    nzer2425 Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    16
    Hi Derek

    Thanks for your advice, I've installed and run MalwareBytes and the following log was created

    Malwarebytes' Anti-Malware 1.28
    Database version: 1222
    Windows 5.1.2600 Service Pack 3
    1/10/2008 9:29:00 a.m.
    mbam-log-2008-10-01 (09-29-00).txt
    Scan type: Quick Scan
    Objects scanned: 59494
    Time elapsed: 7 minute(s), 4 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 14
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    Folders Infected:
    C:\WINDOWS\system32\nScan (Backdoor.Bot) -> Quarantined and deleted successfully.
    Files Infected:
    C:\WINDOWS\system32\nScan\ecls.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrn.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrnAmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrnEmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrnEpfw.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrnScan.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em000_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em001_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em002_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em003_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em004_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em005_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em006_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\mod_comp.dat (Backdoor.Bot) -> Quarantined and deleted successfully.


    It appears I had a second virus called Backdoor.bot that I wasn't aware of

    I then opened command prompt and ran dir/w/a on the c:\windows\system32\spfx directory and the following appeared

    2 dirs . and ..
    4 files mstlsapi.dll, pfsbase.dll, hypinit32.exe, and olcserv32.dll

    Using the attrib command, these files are all hidden with the H prefix

    What do I need to do next?

    Cheers

    Nzer2425
     
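The Malwarebytes log above has a fixed shape: a summary block of `<section> Infected: N` counts, then one header per section followed by item lines of the form `<target> (<family>) -> <action>`; registry data items add `Bad: (...) Good: (...)` before the action. As an added example that is not part of the original post or of Malwarebytes, the following Python parses that format, cross-checks the summary counts against the itemised entries, and pulls out the paths, families and tampered registry values as a list to check elsewhere. The one tampered value in this log, `SHOWALL\CheckedValue` set to 0, is the well-known trick that makes Explorer's "Show hidden files and folders" option write the wrong value, so hidden files such as those in `spfx` stay invisible even after the option is selected. The sample input is a constructed, shortened excerpt of the log posted above.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt of the MBAM 1.28 log posted above, shortened to a few lines.
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 3
Scan type: Quick Scan
Memory Processes Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\nScan (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\nScan\ecls.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrn.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\mod_comp.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
TAMPER_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")
PATH_SECTIONS = ("Folders Infected", "Files Infected")


def parse_mbam(text: str) -> Dict:
    """Return {'counts': {section: n}, 'items': {section: [entry, ...]}}."""
    counts: Dict[str, int] = {}
    items: Dict[str, List[Dict]] = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:                       # summary block: "<section>: N"
            counts[m["section"]] = int(m["n"])
            continue
        m = HEADER_RE.match(line)
        if m:                       # start of an itemised section
            section = m["section"]
            items.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        entry = {"target": m["target"], "family": m["family"], "action": m["rest"]}
        t = TAMPER_RE.match(m["rest"])
        if t:                       # registry data item with bad/good values
            entry.update(bad=t["bad"], good=t["good"], action=t["action"])
        items[section].append(entry)
    return {"counts": counts, "items": dict(items)}


def count_mismatches(report: Dict) -> List[str]:
    """Sections whose summary count disagrees with the number of listed items."""
    return [s for s, n in report["counts"].items()
            if n != len(report["items"].get(s, []))]


def tampered_values(report: Dict) -> List[Dict]:
    """Registry data items MBAM corrected (carry bad/good values)."""
    return [e for e in report["items"].get("Registry Data Items Infected", []) if "bad" in e]


def iocs(report: Dict) -> Dict[str, List[str]]:
    """Paths and detection families worth checking on other machines."""
    paths = {e["target"] for s in PATH_SECTIONS for e in report["items"].get(s, [])}
    families = {e["family"] for es in report["items"].values() for e in es}
    return {"paths": sorted(paths), "families": sorted(families)}


if __name__ == "__main__":
    r = parse_mbam(SAMPLE_MBAM)
    print("count mismatches:", count_mismatches(r))
    for e in tampered_values(r):
        print(f"tampered: {e['target']} was {e['bad']}, restored to {e['good']}")
    print(iocs(r))
```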
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
     
  5. nzer2425

    nzer2425 Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    16
    Hi Derek,

    When you mentioned the word recovery I decided to reboot using the Acer e-recovery tool that I have used in the past; this is a bit of a hassle, but at least I'd done it before.

    The virus has gone, I ran MalwareBytes and the following log appeared

    Malwarebytes' Anti-Malware 1.28
    Database version: 1226
    Windows 5.1.2600 Service Pack 2
    5/10/2008 1:01:14 p.m.
    mbam-log-2008-10-05 (13-01-14).txt
    Scan type: Quick Scan
    Objects scanned: 42392
    Time elapsed: 2 minute(s), 59 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)


    I also ran in dos cd c:\windows\system32\spfx and the folder was not found

    Many thanks for your help Derek. I'll definitely come to this forum again if I have malware or virus concerns in the future.

    Nzer2425
     
Short URL to this thread: https://techguy.org/754736
