My HijackThis log!


#1 MikeE023 (Member, 13 posts)
I have just recently obtained some viruses on my computer. I cannot open Task Manager because it says it has been disabled by admin, I cannot open most programs, and my internet is acting up. I would appreciate any help I can get. I ran many ad-ware/spyware programs and virus removers, but cannot find the problem. Here is my HijackThis log. Thanks in advance.



Logfile of HijackThis v1.99.1
Scan saved at 12:10:26 PM, on 10/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\nqigbvpA.exe
C:\Program Files\SpywareBot\Scheduler.exe
C:\WINDOWS\nqigbvp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\$NtUninstallKB1704471$\kavss.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: ASP.NET Helper - {42031715-09B2-3B51-A93F-56C308E48F38} - C:\WINDOWS\system\ctlvxd32.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsm15.dll
O2 - BHO: (no name) - {9848C0FE-5E1F-77E8-45F7-7DE29C767B97} - C:\WINDOWS\System32\mqytj.dll (file missing)
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\System32\adrotate.dll
O4 - HKLM\..\Run: [nqigbvpA] C:\WINDOWS\nqigbvpA.exe
O4 - HKLM\..\Run: [nqigbvpA] C:\WINDOWS\nqigbvpA.exe
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: dvb03a - dvb03a.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\ktruog.dll
O21 - SSODL: YbMldrq - {5C23AB76-F689-01DC-F9BD-92CC77A7D88D} - C:\WINDOWS\System32\zzt.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nqigbvp.exe
#2 tirol (Visiting Staff, Visiting Consultant, 402 posts)
Hello MikeE023,
and thanks for choosing GeeksToGo!
My name is tirol; as I am a "malware student", my replies will be supervised.
I'll be back very soon with instructions to help you.
tirol.
#3 TonyKlein (Malware Expert, MVP, 642 posts)
My apologies for gatecrashing this thread, but there's a file we'd like to have a closer look at:

C:\WINDOWS\system\ctlvxd32.dll

It looks to be a new parasite, so we'd like to receive a sample for analysis!

Could I ask you to please go to this forum

There's no need to register. Just start a new topic, titled "File for TonyKlein".

In the topic, simply refer to this GtG forum thread, and use the Attachment box to upload the file.

In fact there's not even a need to actually browse to the file: just copy the full path to the file, in this case:

C:\WINDOWS\system\ctlvxd32.dll

... and paste it in the attachment box, then press the 'Post' button. The file will be found and uploaded.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them


After that I'll be happy to leave you in tirol's most capable hands! :whistling:

Thanks! :blink:

Edited by TonyKlein, 03 December 2006 - 01:10 PM.

#4 tirol (Visiting Staff, Visiting Consultant, 402 posts)
Hello MikeE023,

please follow Tony's request.
You will move the battle against nasties a step forward. Sure you'd like to miss this distinction :whistling:

Hi Tony,
no problem: in such a short HJT log, so many things underlying there.
I was searching for this with no significant result :blink:
tirol.
#5 TonyKlein (Malware Expert, MVP, 642 posts)
Thank you both for your cooperation. :blink:

> I was searching for this with no significant result :whistling:

In fact I just found a forum thread where Panda AV did identify this file, so I have provisionally added it to the list: http://www.castlecop...lvxd32_dll.html

However, I'd still very much like to get my hands on a copy of this file to see where it comes from and what exactly it does; it's bound to be relatively ill detected anyway, so it will probably need to be forwarded to most AV companies.

Edited by TonyKlein, 03 December 2006 - 01:27 PM.

#6 TonyKlein (Malware Expert, MVP, 642 posts)
I received the file, thank you very much. As I suspected it is detected by only 2 AVs:

AVG 386 12.03.2006 Downloader.Generic2.ZGJ
Panda 9.0.0.4 12.03.2006 Trj/Downloader.LLE

Tirol, it's all yours now! :whistling:
#7 tirol (Visiting Staff, Visiting Consultant, 402 posts)
Hello MikeE023,

You are currently running HijackThis from the desktop; this can cause problems, as backups can be needed.
At least create a specific folder on the desktop and drag-and-drop HijackThis.exe there, then redo a complete scan
and post the result here.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

thanks,
tirol.
#8 MikeE023 (Topic Starter, Member, 13 posts)
Ace Utilities
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
AIM Pro
ATI - Software Uninstall Utility
ATI Display Driver
AviSynth 2.5
BearShare
DivX
DivX Converter
DivX Player
DivX Web Player
Enhanced Browser Overlay
Google Toolbar for Firefox
HijackThis 1.99.1
IGN Download Manager 2.3.3
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 3
Kaspersky Internet Security 6.0
LimeWire 4.12.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
mIRC
Mozilla Firefox (1.5.0.6)
MSN Music Assistant
Project64 1.6
QuickTime
SpywareBot 3.6.0.3
Ventrilo Client
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Winamp (remove only)
Windows Installer 3.0 (KB884016)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
World of Warcraft
#9 tirol (Visiting Staff, Visiting Consultant, 402 posts)
Hello MikeE023,

Keep all instructions given here on a text file, or print-out as you will be asked to run in safe mode without any Web connection.


1. I don't see any antivirus on your logs!
Please install an antivirus; these are free for personal use:
You should also have a good firewall. Here are 3 free ones available for personal use:
It is critical to have both a firewall and an antivirus to protect your system, and to keep them updated.

2. Downloading

Please download ATF Cleaner by Atribune.
Do not use it yet, you will use it later.

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.


3. Deleting bad service
Go to Start > Run and type cmd. In the box that comes up, type the following
(quotation marks required!):
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"



4. Re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: ASP.NET Helper - {42031715-09B2-3B51-A93F-56C308E48F38} - C:\WINDOWS\system\ctlvxd32.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsm15.dll
O2 - BHO: (no name) - {9848C0FE-5E1F-77E8-45F7-7DE29C767B97} - C:\WINDOWS\System32\mqytj.dll (file missing)
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\System32\adrotate.dll
O4 - HKLM\..\Run: [nqigbvpA] C:\WINDOWS\nqigbvpA.exe
O4 - HKLM\..\Run: [nqigbvpA] C:\WINDOWS\nqigbvpA.exe
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot <-- this one is optional; see point 7.
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O20 - Winlogon Notify: dvb03a - dvb03a.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\ktruog.dll
O21 - SSODL: YbMldrq - {5C23AB76-F689-01DC-F9BD-92CC77A7D88D} - C:\WINDOWS\System32\zzt.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nqigbvp.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

5. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8.
A menu should come up where you will be given the option to enter Safe Mode.

6. Deleting bad files/folder

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):
C:\WINDOWS\system32\durvil1.dll
C:\WINDOWS\system32\durvil1.exe
C:\WINDOWS\nqigbvpA.exe
C:\WINDOWS\nqigbvp.exe
C:\WINDOWS\system\ctlvxd32.dll
C:\WINDOWS\System32\ipv6mons.dll
C:\WINDOWS\System32\adrotate.dll
C:\WINDOWS\System32\nsm15.dll
C:\WINDOWS\System32\mqytj.dll
C:\WINDOWS\System32\adrotate.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Documents and Settings\All Users\Documents\Settings\desktop.ini.
C:\WINDOWS\System32\ktruog.dll
C:\WINDOWS\System32\zzt.dll


7. Uninstall unwanted programs
SpywareBot is considered a rogue, see here: http://www.spywarewa...nti-spyware.htm
Then it is up to you whether or not to do the following.
Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.
If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."
remove the following :
SpywareBot 3.6.0.3

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder (if present):
C:\Program Files\SpywareBot\

8. ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

9. AVG Anti-Spyware scan

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
10. Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Post a fresh HijackThis log and the AVG report.
Thanks,
tirol.
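As an added example that is not part of this thread and not HijackThis code, the script below parses the log from post #1 and reproduces the kind of triage that leads to the fix list in post #9: it keys on structural signals an analyst reads off a HijackThis log (an entry whose file is missing, a BHO with no name or living in the legacy C:\WINDOWS\system folder, a Run value that launches a browser on a URL or points at a binary dropped straight into C:\WINDOWS, a duplicated Run value, a Winlogon Notify DLL outside system32, any non-default SSODL entry, a service with no vendor info whose binary sits in C:\WINDOWS). Those rules, the consonant-run name check and the helper names are my own assumptions about what the flagged lines have in common, not a signature database; the sample lines are copied from MikeE023's log, with the Kaspersky and ATI entries kept in as controls that must not be flagged.

```python
"""Triage a HijackThis 1.99 log for the persistence entries an analyst would fix.

Added example for this thread: not HijackThis code and not the helpers' tooling.
The sample lines are real lines from the log in post #1 (nothing invented); the
rules below are the author's assumptions, not a signature set.
"""
import re
from dataclasses import dataclass, field

LOG_LINE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Drive-letter path ending in .exe/.dll; stops at a quote, so trailing '" -r' style arguments are dropped.
WIN_PATH = re.compile(r'([A-Za-z]:\\[^\r\n"]*?\.(?:exe|dll))', re.IGNORECASE)
URL_HOST = re.compile(r'https?://([^/\s"]+)', re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}", re.IGNORECASE)

# Constructed sample: lines copied from MikeE023's log, including two benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: ASP.NET Helper - {42031715-09B2-3B51-A93F-56C308E48F38} - C:\WINDOWS\system\ctlvxd32.dll
O2 - BHO: (no name) - {9848C0FE-5E1F-77E8-45F7-7DE29C767B97} - C:\WINDOWS\System32\mqytj.dll (file missing)
O4 - HKLM\..\Run: [nqigbvpA] C:\WINDOWS\nqigbvpA.exe
O4 - HKLM\..\Run: [nqigbvpA] C:\WINDOWS\nqigbvpA.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\ktruog.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nqigbvp.exe
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that shows a structural sign of hijacking."""
    findings, seen_run = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LOG_LINE.match(line)
        if not m:
            continue  # header, blank and process-list lines carry no persistence entry
        section, body = m.groups()
        pm, hm = WIN_PATH.search(body), URL_HOST.search(body)
        path = pm.group(1) if pm else None
        host = hm.group(1).lower() if hm else None
        reasons = []

        if "(file missing)" in body:
            reasons.append("orphaned entry: the registered file is no longer on disk")
        if section == "R1" and host and not host.endswith("microsoft.com"):
            reasons.append(f"ShellNext redirected to non-Microsoft host {host}")
        if section == "O2":
            if "(no name)" in body:
                reasons.append("BHO registered without a display name")
            if path and _dir(path) == r"c:\windows\system":
                reasons.append("BHO loaded from legacy C:\\WINDOWS\\system, not system32")
        if section == "O4":
            if body in seen_run:
                reasons.append("duplicate Run value")
            seen_run.add(body)
            if host:
                reasons.append(f"autostart opens a browser on http://{host}")
            if path and _dir(path) == r"c:\windows":
                reasons.append("autostart binary dropped directly in C:\\WINDOWS")
        if section == "O20" and path and _dir(path) != r"c:\windows\system32":
            reasons.append("Winlogon Notify DLL outside system32")
        if section == "O21":
            reasons.append("non-default SSODL entry: DLL loaded into Explorer at logon")
        if section == "O23" and "Unknown owner" in body and path and _dir(path) == r"c:\windows":
            reasons.append("service with no vendor info and its binary directly in C:\\WINDOWS")
        # A consonant run is a weak signal on its own (svchost would trip it), so it
        # only strengthens a line that another rule already caught.
        if reasons and path and CONSONANT_RUN.search(_base(path).rsplit(".", 1)[0]):
            reasons.append("file name looks machine-generated")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def flagged_files(findings: list[Finding]) -> set[str]:
    """Lower-cased base names of every flagged binary: the delete list for safe mode."""
    out = set()
    for f in findings:
        pm = WIN_PATH.search(f.line)
        if pm:
            out.add(_base(pm.group(1)))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run as-is it prints ten flagged lines with their reasons and leaves the klogon.dll, avp.exe and Ati2evxx.exe lines alone; flagged_files() gives the same set of file names tirol asks to delete in safe mode (plus the "(file missing)" ones, which are harmless to attempt). The "(file missing)" rule deserves a manual check before acting on it: the Kaspersky O23 line in the log above carries that tag too, most likely because HijackThis 1.99.1 tests the quoted path together with its " -r argument, and a triage script should not turn that into a deletion.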