monxga32.exe is on my PC, but does not show on freefixer scan


jason wood

Apr 21, 2010, 8:04:17 AM
to FreeFixer User Forum
Hi,

My PC has the monxga32.exe virus/worm. CPU usage is constantly above
50% and the process is present under msconfig > startup.

I did a FreeFixer scan, but it does not show the process monxga32.exe
anywhere in the results and no results are shown for "Autostart
shortcuts" which is where this would be expected to appear.

Scan log is below.

I believe this worm steals FTP access details and injects JavaScript
into index files on webservers so it is not nice.

Please help if possible?

Many thanks


************************************************************
LOG:
FreeFixer v0.56 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2010-04-21 12:52


Suspicious file names
C:\WINDOWS\system32\twunk_16.exe
C:\WINDOWS\system32\twunk_32.exe

AppInit_DLLs
C:\WINDOWS\SYSTEM32\ZOLALABU.DLL (file is missing)
C:\WINDOWS\SYSTEM32\DIBORIBU.DLL (file is missing)
C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

Autorun.inf files
d:\autorun.inf, open = "Start.exe"
Namespace service providers (3 whitelisted)
{B600E6E9-553B-4A19-8696-335E5C896153} - C:\Program Files\Bonjour
\mdnsNSP.dll

Browser Helper Objects (6 whitelisted)
{4febb54e-5b35-4956-8050-844ac7241091}, , C:\WINDOWS
\system32\kufuhufo.dll (file is missing)
{5C255C8A-E604-49b4-9D64-90988571CECB}, , (no file specified)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}, , (no file specified)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}, JQSIEStartDetectorImpl Class,
C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{F81D52BF-F2F1-4F49-BF5F-05664E803039}, IEButton Class, C:\Program
Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll

Internet Explorer toolbars (1 whitelisted)
HKLM\..\Toolbar\{4064EA35-578D-4073-A834-C96D82CBCF40} - &Save Flash -
C:\Program Files\Save Flash\SaveFlash.dll
HKLM\..\Toolbar\{B24BA06E-FB7B-4757-95C2-DC01125F750E} - RefresherBand
Class - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL

Basic Internet Explorer settings
HKCU\..\Main, Start Page = http://www.google.com/
HKCU\..\Main, Search Page = http://www.google.com
HKLM\..\Search, SearchAssistant = http://www.google.com/ie
HKCU\..\Desktop\General, Wallpaper = C:\Documents and Settings
\BigPockets\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

Registry Startups (8 whitelisted)
HKLM\..\Run, SoundMAX = "C:\Program Files\Analog Devices\SoundMAX
\Smax4.exe" /tray
HKLM\..\Run, Google Desktop Search = "C:\Program Files\Google\Google
Desktop Search\GoogleDesktop.exe" /startup
HKLM\..\Run, Seagull Drivers = ssdal_nc.exe startup
HKCU\..\Run, Google Update = "C:\Documents and Settings\BigPockets
\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
HKCU\..\Run, feedreader.exe = "C:\Program Files
\FeedReader30\feedreader.exe"
HKCU\..\Run, Taskbar Shuffle = C:\Program Files\Taskbar Shuffle
\taskbarshuffle.exe
HKCU\..\Run, ptidle = "C:\Documents and Settings\BigPockets
\Application Data\ptidle\ptidle.exe"
61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
(file is missing)
HKCU\..\Run, Lqilofihutaf = rundll32.exe "C:\WINDOWS
\kbcnskbd.dll",Startup
HKCU\..\Run, SpybotSD TeaTimer = C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe

HOSTS file
127.0.0.1

Processes (35 whitelisted)
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group
\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group
\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin
\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin
\nSvcLog.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\FeedReader30\feedreader.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Program Files\FreeFixer\freefixer.exe
C:\Documents and Settings\BigPockets\Local Settings\Application Data
\Google\Update\GoogleUpdate.exe

Application modules (86 whitelisted)
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\pdm.dll
C:\Program Files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
C:\Program Files\Bonjour\mdnsNSP.dll

Services (44 whitelisted)
ATI Smart, ATI Smart, c:\windows\system32\ati2sgag.exe
Bonjour Service, ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##,
c:\program files\bonjour\mdnsresponder.exe
ForcewareWebInterface, Forceware Web Interface, c:\program files
\nvidia corporation\networkaccessmanager\apache group\apache2\bin
\apache.exe
nSvcIp, ForceWare IP service, c:\program files\nvidia corporation
\networkaccessmanager\bin\nsvcip.exe
nSvcLog, ForceWare user log service, c:\program files\nvidia
corporation\networkaccessmanager\bin\nsvclog.exe

Svchost.exe Modules (202 whitelisted)
C:\Program Files\Bonjour\mdnsNSP.dll

Explorer.exe Modules (137 whitelisted)
C:\Program Files\Google\Google Desktop Search
\GoogleDesktopDeskbar2.dll
C:\Program Files\Google\Google Desktop Search
\GoogleDesktopResources_en_gb.dll
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCommon.dll
C:\Program Files\Google\Google Desktop Search\GoogleDesktopHyper.dll
C:\WINDOWS\kbcnskbd.dll
C:\Program Files\Bonjour\mdnsNSP.dll
C:\Program Files\Taskbar Shuffle\tbhookin.dll
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
C:\Program Files\WinRAR\rarext.dll
C:\Program Files\7-Zip\7-zip.dll
C:\Program Files\Google\Google SketchUp 7\ThumbsUp.dll
C:\Program Files\Google\Google SketchUp 7\xerces-c_2_6.dll

Rundll Modules (30 whitelisted)
C:\WINDOWS\kbcnskbd.dll

Drivers (30 whitelisted)
wqbvtthorxmbcren, , C:\WINDOWS\system32\drivers\wqbvtthorxmbcren.sys
(file is missing)

Windows XP Firewall authorized apps (11 whitelisted)
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group
\Apache2\bin\Apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe

Firefox Extensions
United States English Dictionary, C:\Documents and Settings\BigPockets
\Application Data\Mozilla\Firefox\Profiles\rufqd21q.default\extensions
\en...@dictionaries.addons.mozilla.org\install.rdf
Personas, C:\Documents and Settings\BigPockets\Application Data\Mozilla
\Firefox\Profiles\rufqd21q.default\extensions
\pers...@christopher.beard\install.rdf
Save Session, C:\Documents and Settings\BigPockets\Application Data
\Mozilla\Firefox\Profiles\rufqd21q.default\extensions
\saves...@noasobi.net\install.rdf
ReloadEvery, C:\Documents and Settings\BigPockets\Application Data
\Mozilla\Firefox\Profiles\rufqd21q.default\extensions\{888d99e7-
e8b5-46a3-851e-1ec45da1e644}\install.rdf
Web Developer, C:\Documents and Settings\BigPockets\Application Data
\Mozilla\Firefox\Profiles\rufqd21q.default\extensions\{c45c406e-
ab73-11d8-be73-000a95be3b12}\install.rdf
Java Console, C:\Program Files\Mozilla Firefox\extensions\
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\install.rdf
Java Console, C:\Program Files\Mozilla Firefox\extensions\
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\install.rdf

Recently created/modified files (22 whitelisted)
28 minutes, c:\Program Files\FreeFixer\Uninstall.exe
28 minutes, c:\Documents and Settings\BigPockets\My Documents\Downloads
\freefixersetup(2).exe
34 minutes, c:\Documents and Settings\BigPockets\My Documents\Downloads
\freefixersetup.exe
34 minutes, c:\Documents and Settings\BigPockets\Local Settings
\Application Data\Mozilla\Firefox\Profiles\rufqd21q.default\Cache
\445D3B07d01
2 hours, c:\Documents and Settings\All Users\Application Data
\avg8\update\download\u9iavi2825u2823mb.bin
19 hours, c:\Documents and Settings\All Users\Application Data
\avg8\update\download\u9iavi2823u2822va.bin
19 hours, c:\Documents and Settings\All Users\Application Data
\avg8\update\download\x8xplsb_151d150ka.bin
22 hours, c:\Program Files\Panda Security\ActiveScan 2.0\pssyschk.dll

The following errors occurred during the scan:
An unexpected exception occurred in the Autostart plugin:
Failed to duplicate handle using 'DuplicateHandle'. System error
message: Access is denied. Error code: 5.

End of FreeFixer log


Roger Karlsson

Apr 21, 2010, 9:44:52 AM
to freefix...@googlegroups.com
Hello Jason,

At the end of the log FreeFixer reports that the plugin that scans the
autostart shortcut failed. That's why it does not appear in the log. How
annoying :( I'll review the FreeFixer code to see if I can make some
improvement there.

Anyway, I reviewed your log and noticed another suspicious file:

Registry Startups (8 whitelisted)
--> HKCU\..\Run, Lqilofihutaf = rundll32.exe
"C:\WINDOWS\kbcnskbd.dll",Startup

Please upload C:\WINDOWS\kbcnskbd.dll to VirusTotal.com and verify that
it's malware. If so, select it for removal.

There are also some left-overs from the malware in the registry which
you can select for removal:

AppInit_DLLs
--> C:\WINDOWS\SYSTEM32\ZOLALABU.DLL (file is missing)
--> C:\WINDOWS\SYSTEM32\DIBORIBU.DLL (file is missing)

Browser Helper Objects (6 whitelisted)
--> {4febb54e-5b35-4956-8050-844ac7241091}, ,
C:\WINDOWS\system32\kufuhufo.dll (file is missing)

Drivers (30 whitelisted)
--> wqbvtthorxmbcren, , C:\WINDOWS\system32\drivers\wqbvtthorxmbcren.sys
(file is missing)

After removing these items, please restart your machine and run a
FreeFixer scan again. Please post the new log. Then, let's figure out a
way to get rid of monxga32.exe.

/Roger
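Roger's triage above applies two checks by eye: autostart entries that FreeFixer has tagged "(file is missing)" are left-overs safe to clear, and a Run value that starts a DLL through rundll32.exe deserves a VirusTotal check; he also reads the error block so that an empty "Autostart shortcuts" section is understood as a failed plugin, not a clean result. The following Python is an added example, not FreeFixer's code or Roger's, that applies the same three checks to a log in the v0.56 text format quoted in this thread. The sample log is constructed from lines in the post with the e-mail wrapping re-joined so each entry is on one line; adding regsvr32.exe beside rundll32.exe on the host-process watchlist is my assumption, not something the thread mentions.

```python
"""Triage helper for FreeFixer v0.56 text logs (added example, not FreeFixer code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the log posted in the thread, with the
# wrapped e-mail lines re-joined so that every entry occupies a single line.
SAMPLE_LOG = r"""FreeFixer v0.56 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2010-04-21 12:52


AppInit_DLLs
C:\WINDOWS\SYSTEM32\ZOLALABU.DLL (file is missing)
C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

Browser Helper Objects (6 whitelisted)
{4febb54e-5b35-4956-8050-844ac7241091}, , C:\WINDOWS\system32\kufuhufo.dll (file is missing)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}, JQSIEStartDetectorImpl Class, C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

Registry Startups (8 whitelisted)
HKLM\..\Run, SoundMAX = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
HKCU\..\Run, Lqilofihutaf = rundll32.exe "C:\WINDOWS\kbcnskbd.dll",Startup
HKCU\..\Run, SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Drivers (30 whitelisted)
wqbvtthorxmbcren, , C:\WINDOWS\system32\drivers\wqbvtthorxmbcren.sys (file is missing)

The following errors occurred during the scan:
An unexpected exception occurred in the Autostart plugin:
Failed to duplicate handle using 'DuplicateHandle'. System error message: Access is denied. Error code: 5.

End of FreeFixer log
"""

# A section header is plain words, optionally followed by "(N whitelisted)".
HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_. ]*(?: \(\d+ whitelisted\))?:?$")
# First Windows path on the line that ends in an executable-type extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|sys)(?![A-Za-z0-9])', re.I)
# Run value of the form HKxx\..\Run, <name> = <first token>.
RUN_VALUE_RE = re.compile(r"^HK\w+\\\.\.\\Run, [^=]+= (\S+)", re.I)
# Host processes that load code handed to them as an argument. rundll32.exe is
# the one in the thread; regsvr32.exe is added here as an assumption.
HOST_PROCESSES = ("rundll32.exe", "regsvr32.exe")
ERRORS_HEADER = "The following errors occurred during the scan:"


@dataclass
class Entry:
    section: str
    text: str
    path: str | None        # first Windows path found on the line, if any
    file_missing: bool      # FreeFixer's own "(file is missing)" marker
    launcher: str | None    # host process named in a Run value, if any


@dataclass
class Report:
    version: str = ""
    dated: str = ""
    entries: list[Entry] = field(default_factory=list)
    errors: list[str] = field(default_factory=list)


def parse_freefixer_log(text: str) -> Report:
    """Split a FreeFixer text log into per-section entries plus the error block."""
    report, section, in_errors = Report(), "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_errors = False            # a blank line closes the error block
            continue
        if in_errors:
            report.errors.append(line)
            continue
        if m := re.match(r"^FreeFixer (v[\d.]+) log$", line):
            report.version = m.group(1)
            continue
        if m := re.match(r"^Log dated (.+)$", line):
            report.dated = m.group(1)
            continue
        if line == ERRORS_HEADER:
            in_errors = True
            continue
        if HEADER_RE.match(line):
            section = re.sub(r" \(\d+ whitelisted\)$", "", line)
            continue
        if not section:
            continue                     # preamble lines such as the URL and OS
        pm, rm = PATH_RE.search(line), RUN_VALUE_RE.match(line)
        token = rm.group(1).lower() if rm else ""
        report.entries.append(Entry(section, line, pm.group(0) if pm else None,
                                    "(file is missing)" in line,
                                    token if token in HOST_PROCESSES else None))
    return report


def orphaned_entries(report: Report) -> list[Entry]:
    """Entries FreeFixer marked as pointing at a file that no longer exists."""
    return [e for e in report.entries if e.file_missing]


def hosted_launchers(report: Report) -> list[Entry]:
    """Run values that start a DLL via a host process instead of their own .exe."""
    return [e for e in report.entries if e.launcher]


def failed_plugins(report: Report) -> list[str]:
    """Plugins that threw during the scan; their section is absent, not clean."""
    return re.findall(r"exception occurred in the (\w+) plugin", " ".join(report.errors))


if __name__ == "__main__":
    rep = parse_freefixer_log(SAMPLE_LOG)
    print(f"FreeFixer {rep.version}, log dated {rep.dated}")
    for e in orphaned_entries(rep):
        print("left-over:", e.section, "->", e.path)
    for e in hosted_launchers(rep):
        print("hosted launcher:", e.launcher, "loads", e.path)
    for name in failed_plugins(rep):
        print("plugin failed, section missing:", name)
```

Against the sample this lists the three "(file is missing)" left-overs Roger picked out, the rundll32.exe Run value pointing at kbcnskbd.dll, and the Autostart plugin failure; the latter is the reason the monxga32.exe shortcut was absent from the first log rather than evidence that it was gone.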

jason wood

Apr 21, 2010, 10:19:44 AM
to FreeFixer User Forum
Thanks Roger for the advice...

I managed to get the scan working so it showed up the autostart items.
I had downloaded PrevX virus scanner, (which was the only one I could
find which spotted this virus in the first place). It was the free
version which detected the monxga32.exe file but did not delete it.
However, I suspect perhaps since Prevx was running it stopped
FreeFixer from accessing the file. Just my guess. I uninstalled PrevX
and then your program could find the monxga32.exe file.

Anyway, I have managed to remove monxga32.exe now but my PC still
seems to be running a little slowly.

I will check the files you suggested and report back here.

Thanks again!

jason wood

Apr 21, 2010, 10:44:50 AM
to FreeFixer User Forum
Thanks for your reply.

I managed to find monxga32.exe with your program after I uninstalled
Prevx virus scanner. Perhaps that prevented the file being accessed or
something.

So I have now removed the monxga32.exe along with the suggestions you
made.
I checked kbcnskbd.dll on the VirusTotal.com site. Something like 6
out of 40 results said it was bad, so I removed it too.
On restarting my PC a warning popped up: error loading kbcnskbd.dll,
could not be found. But my PC does not seem to have been affected by
removing this file.

Below is a copy of my new log. I hope all is now OK?

Once again, thank you for your help.
Jason

**************************
New LOG:


FreeFixer v0.56 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2010-04-21 15:34


Suspicious file names
C:\WINDOWS\system32\twunk_16.exe
C:\WINDOWS\system32\twunk_32.exe

AppInit_DLLs
C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

Autorun.inf files
d:\autorun.inf, open = "Start.exe"
Namespace service providers (3 whitelisted)
{B600E6E9-553B-4A19-8696-335E5C896153} - C:\Program Files\Bonjour
\mdnsNSP.dll

Browser Helper Objects (6 whitelisted)
{5C255C8A-E604-49b4-9D64-90988571CECB}, , (no file specified)
HKCU\..\Run, SpybotSD TeaTimer = C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
HKCU\..\Run, Lqilofihutaf = rundll32.exe "C:\WINDOWS
\kbcnskbd.dll",Startup (file is missing)

HOSTS file
127.0.0.1

Processes (33 whitelisted)
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group
\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin
\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin
\nSvcLog.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group
\Apache2\bin\apache.exe
C:\Program Files\FeedReader30\feedreader.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FreeFixer\freefixer.exe

Application modules (77 whitelisted)
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\pdm.dll
C:\Program Files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
C:\Program Files\Bonjour\mdnsNSP.dll

Services (43 whitelisted)
ATI Smart, ATI Smart, c:\windows\system32\ati2sgag.exe
Bonjour Service, ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##,
c:\program files\bonjour\mdnsresponder.exe
ForcewareWebInterface, Forceware Web Interface, c:\program files
\nvidia corporation\networkaccessmanager\apache group\apache2\bin
\apache.exe
nSvcIp, ForceWare IP service, c:\program files\nvidia corporation
\networkaccessmanager\bin\nsvcip.exe
nSvcLog, ForceWare user log service, c:\program files\nvidia
corporation\networkaccessmanager\bin\nsvclog.exe

Svchost.exe Modules (198 whitelisted)
C:\Program Files\Bonjour\mdnsNSP.dll

Explorer.exe Modules (81 whitelisted)
C:\Program Files\Google\Google Desktop Search
\GoogleDesktopDeskbar2.dll
C:\Program Files\Google\Google Desktop Search
\GoogleDesktopResources_en_gb.dll
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCommon.dll
C:\Program Files\Google\Google Desktop Search\GoogleDesktopHyper.dll
C:\Program Files\Taskbar Shuffle\tbhookin.dll

{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\install.rdf

Recently created/modified files (17 whitelisted)
38 minutes, c:\WINDOWS\system32\ffnd.exe
1 hour, c:\Documents and Settings\BigPockets\Application Data\Sun\Java
\Deployment\SystemCache\6.0\54\1a209876-57ca37a5-n\msvcp71.dll
1 hour, c:\Documents and Settings\BigPockets\Application Data\Sun\Java
\Deployment\SystemCache\6.0\54\1a209876-57ca37a5-n\jmc.dll
1 hour, c:\Documents and Settings\BigPockets\Application Data\Sun\Java
\Deployment\SystemCache\6.0\54\1a209876-57ca37a5-n\msvcr71.dll
1 hour, c:\Documents and Settings\BigPockets\Application Data\Sun\Java
\Deployment\SystemCache\6.0\17\6d0ad391-71053ae3-n\decora-d3d.dll
1 hour, c:\Documents and Settings\BigPockets\Application Data\Sun\Java
\Deployment\SystemCache\6.0\17\6d0ad391-71053ae3-n\decora-sse.dll
3 hours, c:\Program Files\FreeFixer\Uninstall.exe
3 hours, c:\Documents and Settings\BigPockets\My Documents\Downloads
\freefixersetup(2).exe
3 hours, c:\Documents and Settings\BigPockets\My Documents\Downloads
\freefixersetup.exe
3 hours, c:\Documents and Settings\BigPockets\Local Settings
\Application Data\Mozilla\Firefox\Profiles\rufqd21q.default\Cache
\445D3B07d01
4 hours, c:\Documents and Settings\All Users\Application Data
\avg8\update\download\u9iavi2825u2823mb.bin
22 hours, c:\Documents and Settings\All Users\Application Data
\avg8\update\download\x8xplsb_151d150ka.bin
22 hours, c:\Documents and Settings\All Users\Application Data
\avg8\update\download\u9iavi2823u2822va.bin

History
-C:\Documents and Settings\BigPockets\Start Menu\Programs\Startup
\monxga32.exe (on reboot)
-C:\Documents and Settings\BigPockets\Start Menu\Programs\Startup
\monxga32.exe (on reboot)
+HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows,
AppInit_DLLs = , C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{4febb54e-5b35-4956-8050-844ac7241091}
-HKLM\SOFTWARE\Classes\CLSID\{4febb54e-5b35-4956-8050-844ac7241091}
-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Lqilofihutaf
-C:\WINDOWS\kbcnskbd.dll (on reboot)
-HKLM\SYSTEM\CurrentControlSet\Services\wqbvtthorxmbcren

Roger Karlsson

Apr 21, 2010, 12:55:23 PM
to freefix...@googlegroups.com
Good to hear FreeFixer reported and removed the monxga32.exe malware.

To get rid of the "error loading kbcnskbd.dll" message, check this item
for removal:

Registry Startups (8 whitelisted)
--> HKCU\..\Run, Lqilofihutaf = rundll32.exe
"C:\WINDOWS\kbcnskbd.dll",Startup (file is missing)

Something that you also might want to check is the d:\autorun.inf,
which is configured to run d:\Start.exe. I cannot tell from the name
(start.exe) what it is. Do you know what it is? If you think it looks
suspicious, please upload it to virustotal for a scan.

/Roger





jason wood

Apr 22, 2010, 4:22:55 AM
to FreeFixer User Forum
I removed C:\WINDOWS\kbcnskbd.dll",Startup (file is missing)
The file d:....start.exe was from a CD-ROM I had in the D Drive so
that's ok.

Thanks again for your help, you are very kind!