
trojan/popups/desktop problem

Discussion in 'Virus & Other Malware Removal' started by ReVo, Apr 13, 2008.

Thread Status:
Not open for further replies.
  1. ReVo

    ReVo Thread Starter

    Joined:
    Jul 27, 2005
    Messages:
    18
    Hello, I seem to have a problem with my desktop changing and I'm getting lots of popups. And somehow my Task Manager got locked so I can't open it anymore. I used Ad-Aware and Spybot and they found some stuff, but it still isn't completely fixed. Can somebody help me?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:51:23, on 13/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\CCleaner\ccleaner.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.239.116.23:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Telemeter 3.0] "C:\Program Files\Telemeter 3.0\telemeter3.exe"
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [kn8Y4b6gsq] C:\Documents and Settings\All Users.WINDOWS\Application Data\qtwbyxcx\yjilwdkn.exe
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=0.4&pass=20U91UA8&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_wi...e&exversion=0.4&pass=20U91UA8&id=menu_ie_link
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_wi...xversion=0.4&pass=20U91UA8&id=menu_ie_exclude
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168376047500
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5026/mcfscan.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O24 - Desktop Component 0: (no name) - http://www.mafia-game.com/images/walpapers/wallpaper06.jpg
    O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    --
    End of file - 5606 bytes
     
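The HijackThis log above, worked through as an added example (not part of the original post and not code from the HijackThis project): a small Python triage script that pulls out the entry types a helper would act on in this thread, namely the hard-coded R1 proxy, the O4 entry under Policies\Explorer\Run that launches a random-named executable out of Application Data, the O17 resolver list, the O23 service with no vendor name, and the O24 Active Desktop component backed by a local HTML file. The severity levels and the "random-looking name" heuristic are the editor's assumptions, and SAMPLE_LOG is a constructed excerpt in HijackThis line format, not the full posted log.

```python
"""Triage a HijackThis v2 log for the entry types that matter in this thread.

Added example for this page; not code from the original post or from the
HijackThis project. The severity rules and the random-name heuristic are the
editor's assumptions, not anything HijackThis itself reports.
"""
import re

# Constructed sample in HijackThis v2 line format. The shapes mirror entries in
# the posted log, but this string is test input, not the log itself.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.239.116.23:80
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Telemeter 3.0] "C:\Program Files\Telemeter 3.0\telemeter3.exe"
O4 - HKLM\..\Policies\Explorer\Run: [kn8Y4b6gsq] C:\Documents and Settings\All Users.WINDOWS\Application Data\qtwbyxcx\yjilwdkn.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body layout: "<hive>\..\<key>: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First executable path in a command line, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r'(?P<path>(?:[A-Za-z]:\\[^"]*?|\S+?)\.(?:exe|dll|com|scr|bat|cmd))\b', re.I)
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def looks_random(token):
    """Heuristic (assumption): 8+ chars with almost no vowels, e.g. 'kn8Y4b6gsq'."""
    letters = [c for c in token if c.isalpha()]
    if len(token) < 8 or not letters:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.15


def path_parts(cmd):
    """Return (file stem, parent directory name) of the first executable in cmd."""
    m = EXE_RE.search(cmd)
    if not m:
        return "", ""
    parts = m.group("path").split("\\")
    return parts[-1].rsplit(".", 1)[0], (parts[-2] if len(parts) > 1 else "")


def triage_line(line):
    """Return a finding dict for one log line, or None if it is unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    def finding(sev, why):
        return {"severity": sev, "code": code, "reason": why, "line": line.strip()}

    if code == "R1" and "ProxyServer" in body:
        return finding("high", "hard-coded proxy in Internet Settings; all IE traffic is routed through it")
    if code == "O4":
        r = RUN_RE.match(body)
        if not r:
            return None
        name, cmd = r.group("name"), r.group("cmd")
        stem, parent = path_parts(cmd)
        reasons = []
        if "policies\\explorer\\run" in r.group("key").lower():
            reasons.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
        if "\\application data\\" in cmd.lower() or "\\temp\\" in cmd.lower():
            reasons.append("executable lives in a data directory, not Program Files or System32")
        odd = [t for t in (name, stem, parent) if looks_random(t)]
        if odd:
            reasons.append("random-looking names: " + ", ".join(odd))
        if not reasons:
            return None
        sev = "high" if any(r.startswith("Policies") for r in reasons) else "medium"
        return finding(sev, "; ".join(reasons))
    if code == "O17" and "NameServer =" in body:
        servers = sorted(set(body.split("NameServer =", 1)[1].split()))
        return finding("info", "DNS resolvers set in the registry, confirm each is yours: " + " ".join(servers))
    if code == "O23" and "Unknown owner" in body:
        return finding("info", "service binary without a vendor name; verify its publisher")
    if code == "O24" and "file://" in body.lower():
        return finding("high", "Active Desktop component backed by a local HTML file (desktop hijack)")
    return None


def triage(log_text):
    """Triage a whole log; findings come back highest severity first."""
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['code']:4} {f['reason']}\n         {f['line']}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The name heuristic deliberately errs towards silence, and it still has false positives: a legitimate name such as PnkBstrA has no vowels either, so treat "random-looking" as a reason to look at the file, not as a verdict.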
  2. ReVo (Thread Starter)

    ComboFix log:

    ComboFix 08-04-13.1 - Tom 2008-04-13 22:42:02.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.196 [GMT 2:00]
    Started from: C:\Documents and Settings\Tom.COMPUTER\Mijn documenten\Set Up ALPHA\comp probs\ComboFix.exe
    * A new restore point was created

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\Documents and Settings\Tom.COMPUTER\err.log
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\rs.txt
    C:\WINDOWS\system32\geBtqNhH.dll
    C:\WINDOWS\system32\nnnNfCro.dll
    C:\WINDOWS\system32\orCfNnnn.ini
    C:\WINDOWS\system32\orCfNnnn.ini2
    C:\WINDOWS\system32\pmnmNgGy.dll
    C:\WINDOWS\system32\ssqPiiiG.dll
    C:\WINDOWS\system32\tnrkukow.ini
    C:\WINDOWS\system32\urqPjHyy.dll
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\win\nha-66-66.log
    C:\WINDOWS\system32\win\screenshot9.bmp


    (((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 ))))))))))))))))))))))))))))))


    2008-04-13 21:51 . 2008-04-13 21:51 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-13 21:41 . 2008-04-13 22:19 <DIR> dr-h----- C:\Documents and Settings\Tom.COMPUTER\Onlangs geopend
    2008-04-13 20:29 . 2008-04-13 21:44 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2008-04-13 20:14 . 2008-04-13 20:14 <DIR> d-------- C:\Documents and Settings\Tom.COMPUTER\Application Data\TmpRecentIcons
    2008-04-13 19:50 . 2008-04-13 19:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ad Muncher
    2008-04-13 18:59 . 2008-04-13 18:59 3,648 --a------ C:\WINDOWS\system32\keyvwulr.dll
    2008-04-13 18:55 . 2008-04-13 19:21 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
    2008-04-13 18:52 . 2008-04-13 15:08 258,048 --a------ C:\WINDOWS\nslbvxpgrno.dll
    2008-04-13 18:52 . 2008-04-13 15:08 151,552 --a------ C:\WINDOWS\sgoblxtm.dll
    2008-04-13 18:52 . 2008-04-13 15:08 81,920 --a------ C:\WINDOWS\spnkfwad.exe
    2008-04-13 18:51 . 2008-04-13 18:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\qtwbyxcx
    2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-03-27 21:49 . 2008-04-02 13:13 <DIR> d-------- C:\Program Files\Shockwave.com
    2008-03-19 15:02 . 2008-03-27 21:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
    2008-03-14 20:12 . 2008-04-11 22:37 <DIR> d-------- C:\Program Files\Xfire
    2008-03-14 20:12 . 2008-04-13 18:45 <DIR> d-------- C:\Documents and Settings\Tom.COMPUTER\Application Data\Xfire

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-13 19:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-13 19:41 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2008-04-13 17:59 --------- d-----w C:\Program Files\Ad Muncher
    2008-04-11 23:12 --------- d-----w C:\Documents and Settings\Tom.COMPUTER\Application Data\DMCache
    2008-04-11 09:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
    2008-04-06 22:55 --------- d-----w C:\Program Files\mIRC
    2008-04-04 20:43 --------- d-----w C:\Program Files\GameSpy Arcade
    2008-04-04 12:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-02 18:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-03-31 18:00 --------- d-----w C:\Program Files\QuickTime
    2008-03-23 13:51 --------- d-----w C:\Documents and Settings\Tom.COMPUTER\Application Data\uTorrent
    2008-03-02 20:11 --------- d-----w C:\Program Files\PowerISO
    2008-03-02 19:47 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
    2008-03-02 18:26 --------- d-----w C:\Program Files\Microsoft.NET
    2008-03-02 16:18 --------- d-----w C:\Program Files\MagicISO
    2008-02-27 21:26 --------- d-----w C:\Documents and Settings\Tom.COMPUTER\Application Data\HLSW
    2008-02-24 18:03 --------- d-----w C:\Program Files\Steam
    2008-02-17 17:28 --------- d-----w C:\Documents and Settings\Tom.COMPUTER\Application Data\chatlog
    2008-02-17 17:24 --------- d-s---w C:\Program Files\HLSW
    2008-02-14 00:05 --------- d-----w C:\Program Files\WESTWOOD
    2007-11-20 00:42 22,328 ----a-w C:\Documents and Settings\Tom.COMPUTER\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:03 15360]
    "uxmqfens"="C:\WINDOWS\system32\tsdqhabs.exe" [2008-04-13 22:48 90112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
    "P17Helper"="P17.dll" [2005-05-03 20:38 64512 C:\WINDOWS\system32\P17.dll]
    "NvMediaCenter"="NvMCTray.dll" [2006-10-22 13:22 86016 C:\WINDOWS\system32\nvmctray.dll]
    "Telemeter 3.0"="C:\Program Files\Telemeter 3.0\telemeter3.exe" [2007-04-16 00:38 1441792]
    "Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2008-04-13 19:59 779776]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "kn8Y4b6gsq"= C:\Documents and Settings\All Users.WINDOWS\Application Data\qtwbyxcx\yjilwdkn.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtqNhH]
    geBtqNhH.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 04:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
    -ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    --a------ 2003-09-17 11:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    C:\Program Files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
    --a------ 2003-06-02 20:22 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    --a------ 2005-05-31 02:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "PnkBstrB"=2 (0x2)
    "ose"=3 (0x3)
    "NVSvc"=2 (0x2)
    "nHancer"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Creative Service for CDROM Access"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Xfire\\xfire.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=

    R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 12:45]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\Launcher.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-11 21:34:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-13 22:48:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-13 22:51:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-13 20:51:28
    Pre-Run: 24,254,373,888 bytes free
    Post-Run: 24,576,745,472 bytes free
    .
    2008-04-12 14:22:59 --- E O F ---
     
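The "Reg Loading Points" section of the ComboFix log above holds the settings a helper would act on in this thread: AntiVirusOverride and AntiVirusDisableNotify set to 1 under Security Center, EnableFirewall=0 for the standard profile, a Winlogon notification DLL with a random-looking name, random-named autostarts under both Run and Policies\Explorer\Run, and a cached drive AutoRun handler. As an added example, not part of the original post and not code from ComboFix, here is a parser for that section together with the checks an engineer would run on it. The checks and the name heuristic are the editor's assumptions, REG_SAMPLE is constructed in ComboFix's REGEDIT4-style layout, and its DisableTaskMgr entry is not from the posted log: it is the standard policy value behind a blocked Task Manager, included so that check is exercised.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log.

Added example for this page, not code from the original post or from ComboFix.
The checks and the random-name heuristic are the editor's assumptions. The
sample is constructed in ComboFix's REGEDIT4-style layout; its last key
(DisableTaskMgr) is NOT in the posted log and is included only because it is
the standard policy value behind a blocked Task Manager.
"""
import re

REG_SAMPLE = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:03 15360]
"uxmqfens"="C:\WINDOWS\system32\tsdqhabs.exe" [2008-04-13 22:48 90112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"kn8Y4b6gsq"= C:\Documents and Settings\All Users.WINDOWS\Application Data\qtwbyxcx\yjilwdkn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtqNhH]
geBtqNhH.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Launcher.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")  # "dword:00000001"
INT_RE = re.compile(r"^(?P<n>\d+)\s*\(0x[0-9a-fA-F]+\)$")  # "0 (0x0)"
EXE_RE = re.compile(r'(?P<path>(?:[A-Za-z]:\\[^"]*?|\S+?)\.(?:exe|dll|sys))\b', re.I)
SEC_CENTER_FLAGS = {"AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride", "FirewallDisableNotify"}
ORDER = {"high": 0, "medium": 1, "info": 2}


def looks_random(token):
    """Heuristic (assumption): 8+ chars with almost no vowels, e.g. 'geBtqNhH'."""
    letters = [c for c in token if c.isalpha()]
    if len(token) < 8 or not letters:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.15


def parse_value(raw):
    """ComboFix prints DWORDs two ways and paths quoted with a trailing [date size]."""
    raw = raw.strip()
    if m := DWORD_RE.match(raw):
        return int(m.group("hex"), 16)
    if m := INT_RE.match(raw):
        return int(m.group("n"))
    if raw.startswith('"') and raw.find('"', 1) > 0:
        return raw[1:raw.find('"', 1)]
    return raw


def parse_sections(text):
    """Map each [key] to a list of (value name, parsed value); bare lines get name None."""
    sections, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key")
            sections.setdefault(key, [])
        elif key is not None:  # skips header lines such as REGEDIT4
            m = VALUE_RE.match(line)
            sections[key].append((m.group("name"), parse_value(m.group("value"))) if m else (None, line))
    return sections


def name_parts(value):
    """(file stem, parent directory) of the first binary mentioned in a value."""
    m = EXE_RE.search(str(value))
    if not m:
        return "", ""
    parts = m.group("path").split("\\")
    return parts[-1].rsplit(".", 1)[0], (parts[-2] if len(parts) > 1 else "")


def audit(reg_text):
    """Return findings (highest severity first) for tampered protections and odd autostarts."""
    findings = []

    def add(sev, key, detail):
        findings.append({"severity": sev, "key": key, "detail": detail})

    for key, entries in parse_sections(reg_text).items():
        k = key.lower()
        for name, value in entries:
            stem, parent = name_parts(value)
            if k.endswith("security center") and name in SEC_CENTER_FLAGS and value == 1:
                add("high", key, f"{name}=1: Security Center will not warn about this protection")
            elif k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
                add("high", key, "EnableFirewall=0: Windows Firewall is off for the standard profile")
            elif "\\winlogon\\notify\\" in k:
                add("high" if looks_random(stem) else "info", key, f"Winlogon notification DLL {value}, loaded into winlogon.exe")
            elif k.endswith("policies\\explorer\\run"):
                add("high", key, f"Explorer policy autostart [{name}] -> {value}, rarely used by legitimate software")
            elif k.endswith("policies\\system") and name == "DisableTaskMgr" and value == 1:
                add("high", key, "DisableTaskMgr=1: Task Manager is blocked by policy")
            elif k.endswith("\\run"):
                odd = [t for t in (name or "", stem, parent) if looks_random(t)]
                if odd:
                    add("medium", key, f"autostart [{name}] -> {value}: random-looking names {odd}")
            elif "\\mountpoints2\\" in k and "autorun\\command" in str(value).lower():
                add("info", key, f"drive AutoRun handler cached: {value}")
    findings.sort(key=lambda f: ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit(REG_SAMPLE):
        print(f"[{f['severity']:6}] {f['detail']}\n         {f['key']}")
```

On the machine itself the same values can be confirmed with `reg query "HKLM\SOFTWARE\Microsoft\Security Center"` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr`; the parser exists so the posted text can be checked without access to the box. Note that ComboFix's "Other Deletions" list above already removed geBtqNhH.dll from disk while the Winlogon notify key still names it, which is exactly the kind of dangling reference this audit surfaces.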
  3. ReVo (Thread Starter)

    Anything else I should download?
     
  4. ReVo (Thread Starter)

    bump
     
  5. ReVo (Thread Starter)

    I still need help. There is this yjilwdkn.exe that keeps starting itself up when I start my computer. Is there anyone here who will help me?
     
Short URL to this thread: https://techguy.org/703371