what should i fix...? help pls

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:51 PM, on 12/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscript.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [autoMe] wscript.exe "C:\WINDOWS\auto.vbs"
O4 - HKLM..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221369157859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221369342671
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe


End of file - 5599 bytes


This one could be suspicious …

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

… but is required for some online games.

Otherwise, I see no obvious problems. Why are you asking? Is there some problem you are experiencing?
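As an added example (not code from anyone in this thread), here is a small Python triage pass over HijackThis-format lines like the ones in the log above. It flags the three kinds of entries a reviewer would want to look at first: O7 policy values that disable built-in tools (the log's DisableRegedit=1 line), O4 autostart entries that launch a script host, and O23 services with no publisher recorded. The sample lines are copied from the log above; a flag is a prompt for a closer look, not a verdict.

```python
import re

# HijackThis line shapes this triage understands (O4 autostart, O7 policy, O23 service).
O4_RE = re.compile(r'^O4 - (?P<hive>HK[LC][MU])\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O7_RE = re.compile(r'^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Policy values that lock the user out of a built-in admin tool when non-zero.
RESTRICTIVE_POLICIES = {"DisableRegedit", "DisableTaskMgr", "DisableCMD", "NoFolderOptions"}
# A Run entry that launches one of these hosts deserves a look at the script it loads.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

def normalise(line):
    """Undo the curly quotes that forum software substitutes into pasted logs."""
    return line.strip().replace("\u201c", '"').replace("\u201d", '"')

def triage_line(line):
    """Return a one-line finding for a HijackThis entry, or None if nothing stands out."""
    line = normalise(line)
    if (m := O7_RE.match(line)):
        if m["value"] in RESTRICTIVE_POLICIES and m["data"] != "0":
            return f"O7 policy restriction: {m['value']}={m['data']} under {m['key']}"
        return None
    if (m := O4_RE.match(line)):
        if any(host in m["cmd"].lower() for host in SCRIPT_HOSTS):
            return f"O4 autostart [{m['name']}] launches a script host: {m['cmd']}"
        return None
    if (m := O23_RE.match(line)) and m["owner"].lower() == "unknown owner":
        return f"O23 service {m['name']} has no publisher recorded: {m['path']}"
    return None

def triage_log(text):
    """Run triage_line over every line of a log and keep the findings in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f]

# Five lines copied from the HijackThis log posted in this thread (curly quotes as pasted).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [autoMe] wscript.exe “C:\WINDOWS\auto.vbs”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```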


PnkBstrA.exe is identified as PunkBuster, an anti-cheat software used to monitor online gamers to prevent cheating. If one gamer is caught cheating, that gamer is banned from all PunkBuster enabled games by a hardware ban.


Thanks for the added info, Jtaylor. :slight_smile:


Hi Obeshi,

Here is a survey of your system tasks running, and a consideration for punkbuster:


smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
ashServ.exe - Virusscan - Avast
Explorer.EXE - System task - Microsoft Windows Explorer
spoolsv.exe - System task - Microsoft Printer Spooler Service
wscript.exe - System task - Microsoft Windows Script Host
ashDisp.exe - Virusscan - Avast AntiVirus
daemon.exe - Backgroundtask - Background application that is used to map an image file, such as .iso and so forth, to a virtual CD or DVD drive.
svchost.exe - System task - Microsoft Service Host Process
LSSrvc.exe - Backgroundtask - NERO Light Scribe Module
nvsvc32.exe - Application - NVIDIA Driver Helper Service
PnkBstrA.exe - Suspicious task - pnkbstra.exe. Download the following program:

http://www.evenbalance.com/downloads/pbsvc/pbsvc.exe

Open the program above and click the "Uninstall" button. This will remove the PnkBstrA.exe and PnkBstrB.exe services.

Some may need to remove the registry entries.

Go to START --> RUN .. type regedit

search in these parts

HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Services: look for PnkBstrA, PnkBstrB and PnkBstrK .. just right click on the folder listed on the left and delete.

HKEY_LOCAL_MACHINE\SYSTEM\Controlset003\Services: look for PnkBstrA, PnkBstrB and PnkBstrK .. just right click on the folder listed on the left and delete.

We had the same problem with Americas Army and all other PB related games.

GL!

Also in C:\windows\system32\drivers is PnkBstrK.sys .. safe to delete.

svchost.exe - System task - Microsoft Service Host Process
MediaServer.exe - Backgroundtask - Media Server
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
ashWebSv.exe - Virusscan - avast! Web Scanner
wscntfy.exe - System task - Microsoft Windows Security Center
YahooMessenger.exe - Application - Yahoo! Messenger
firefox.exe - Application - Mozilla Firefox
HijackThis.exe - Application - Merijn Hijackthis

polonus

My problem is that my registry editing is disabled and my Task Manager too... I've tried to fix this by accessing gpedit.msc, but the problem still appears... so I think it's a virus or malware...

Hi Obeshi:
There must be a malicious driver somewhere in C:\WINDOWS\System32\drivers\example.exe
We are going to see with a scan what that may be. First, tackle your Task Manager problem.
Please let me know later if you encountered any problems finding or deleting the file C:\WINDOWS\System32\drivers????.exe
So download DDS from here: http://download.bleepingcomputer.com/sUBs/dds.scr and disable any script blocking protection.
Double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports, attach.txt and dds.txt, to your desktop, and attach them as txt files to your next posting.

Let’s do this next to fix your Task Manager problem.

Please download http://www.kellys-korner-xp.com/regs_edits/taskmanager.reg and save it to your desktop.

It should look like the picture I attached…

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

REBOOT afterwards… really important!
Please download CCleaner from: http://www.ccleaner.com/download/
(freeware) and save it to your desktop:
Run the CCleaner installer.
During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
Once installed, run CCleaner and click the Windows tab.
Select the following:
Check everything under the Internet Explorer section.
Check everything under the Windows Explorer section.
Check everything under the System section.
Check ONLY Old Prefetch data under the Advanced section.
Then, click the Applications tab:
UNCHECK everything there.
Next, click the Options button, then click the Advanced button:
UNCHECK: "Only delete files in Windows Temp folders older than 48 hours".
Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

pol

Here's the report.

What should I do with this...?

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

Hi there, your LSA keys will need fixing, and also the regedit options.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

* Close ALL OTHER PROGRAMS.
* Open the OTScanit folder and double-click on OTScanit.exe to start the program.
* Check the box that says Scan All Users.
* Check the Radio button for Rootkit check YES.
* Under Additional Scans check the following:
  * File - Lop Check
  * File - Purity Scan
  * Evnt - EventViewer Errors/Warnings (last 10)
* Now click the Run Scan button on the toolbar.
* Let it run unhindered until it finishes.
* When the scan is complete Notepad will open with the report file loaded in it.
* Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Hi Obeshi,

Do as "essexboy" has instructed, and you will be out of the woods. We will see to it your problem is straightened out.

polonus

http://www.mediafire.com/?sharekey=e90367313004dde8d2db6fb9a8902bda

Start OTScanit. Copy/Paste the information in the attached text file into the pane where it says "Paste fix here" and then click the Run Fix button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

OT Scan
and HijackThis (updated)

Finally, to clear any waifs and strays:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

On completion of this, let me know how your computer is running now.

Wow thanks... ;D my problem is solved!!! Thanks again... :-*

And now lucky you get to listen to the mandatory be-good speech ;D

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Do not show hidden files and folders.
* Click Yes to confirm.
* Click OK.

Please download JavaRa to your desktop and unzip it to its own folder.

* Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
* Accept any prompts.
* Open JavaRa.exe again and select Search For Updates.
* Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

* Select Start > All Programs > Accessories > System tools > System Restore.
* On the dialogue box that appears select Create a Restore Point.
* Click NEXT.
* Enter a name e.g. Clean.
* Click CREATE.

You now have a clean restore point. To get rid of the bad ones:

* Select Start > All Programs > Accessories > System tools > Disk Cleanup.
* In the Drop down box that appears select your main drive e.g. C.
* Click OK.
* The System will do some calculation and then display a dialogue box with TABS.
* Select the More Options Tab.
* At the bottom will be a system restore box with a CLEANUP button; click this.
* Accept the Warning and select OK again; the program will close and you are done.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
* SpywareBlaster to help prevent spyware from installing in the first place.
* SuperAntispyware: run weekly to keep your system clean.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit:
* Secunia Software Inspector to check your programme update status.
* Microsoft Windows Update.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?
Keep safe :wave:

ok thx again... what's JavaRa for...? what does it do...? hehe ;D

It removes old versions of Java; if you still had old versions installed, then you would still have the vulnerabilities associated with them (the very reason to update). It then checks for updates.

As essexboy said.

Please download JavaRa to your desktop and unzip it to its own folder.
* Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
* Accept any prompts.
* Open JavaRa.exe again and select Search For Updates.
* Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

The problem appears again :'( and when I run the anti-malware it detects the problem, and when I delete it... it prompts that the computer needs to be restarted... and when Windows loads... and I try Ctrl+Alt+Del... or type regedit in Run... it's disabled again... :-[ I run the anti-malware again... it detects it, then I delete it and restart again... and still the problem occurs... :'(