BullGuard Antivirus Forum
SOS.. Help!! Win32/NSAnti virus.. Touch ! people! help me!
   
Faisal_Jordan (New Member, joined Feb 2008, 3 posts)
Posted 2-21-2008 8:36 (GMT +1)
hi all
I have a problem which seems to be common around here..
My AVG antivirus detected a virus named win32/NSAnti.. though it reports it moved it to the vault.. it keeps popping up again..
My Yahoo Messenger stopped working... which I learnt is caused by this ugly nasty virus..
please people help me.. I don't want to format my laptop and lose everything..
I read on other related threads about what I have to do. so I downloaded ComboFix and HijackThis.. made the scans as recommended by the user Touch.. and here I incorporate the scan results in my first thread..
please people help..
___________________
ComboFix 08-02-21 - Faisal 2008-02-21 10:15:06.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1256.966.1033.18.210 [GMT 3:00]
Running from: C:\Documents and Settings\Faisal \Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
E:\Autorun.inf
.
(((((((((((((((((((((((((   Files Created from 2008-01-21 to 2008-02-21  )))))))))))))))))))))))))))))))
.
2008-02-21 10:01 . 2008-02-21 10:08 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 10:01 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-21 10:01 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-21 10:01 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-21 10:01 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-21 10:00 . 2008-02-21 10:04 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-21 10:00 . 2008-02-21 10:00 <DIR> d-------- C:\Documents and Settings\Faisal \Application Data\PC Tools
2008-02-21 09:44 . 2008-02-21 09:56 <DIR> d-------- C:\inshallah
2008-02-21 07:25 . 2008-02-21 10:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 07:25 . 2008-02-21 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 20:34 . 2008-02-20 20:34 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-20 20:33 . 2008-02-20 22:07 <DIR> d-------- C:\Sysclean
2008-02-20 16:43 . 2008-02-20 16:43 <DIR> d-------- C:\Program Files\Google
2008-02-20 16:32 . 2008-02-20 16:32 <DIR> d-------- C:\TEMP
2008-02-20 16:32 . 2008-02-20 16:32 <DIR> d-------- C:\MSI2a278.tmp
2008-02-20 16:06 . 2008-02-20 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-20 15:57 . 2008-02-20 16:41 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-20 15:53 . 2008-02-20 15:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-20 15:53 . 2008-02-21 09:26 <DIR> d-------- C:\Documents and Settings\Faisal \Application Data\AVG7
2008-02-20 15:53 . 2008-02-20 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-20 15:53 . 2008-02-20 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-20 15:53 . 2008-02-20 15:53 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-20 15:53 . 2008-02-20 15:53 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-20 15:47 . 2008-02-20 15:47 <DIR> d-------- C:\Program Files\JetAudio
2008-02-20 15:42 . 2008-02-20 15:42 <DIR> d-------- C:\Program Files\Skype
2008-02-20 15:42 . 2008-02-21 10:10 <DIR> d-------- C:\Documents and Settings\Faisal \Application Data\Skype
2008-02-20 15:41 . 2008-02-20 15:41 <DIR> d-------- C:\Program Files\Real
2008-02-20 15:41 . 2008-02-20 15:41 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-20 15:41 . 2008-02-20 15:41 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-20 15:38 . 2008-02-20 15:38 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-20 15:36 . 2008-02-20 15:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-20 15:35 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-02-20 15:35 . 2008-02-20 15:35 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-20 15:34 . 2008-02-20 15:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-20 15:34 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-20 15:33 . 2008-02-20 15:33 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-20 15:33 . 2008-02-20 15:33 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-20 15:31 . 2008-02-20 15:31 <DIR> dr-h----- C:\MSOCache
2008-02-20 15:28 . 2008-02-20 15:28 <DIR> d---s---- C:\Documents and Settings\Faisal \UserData
2008-02-20 15:20 . 2008-02-20 15:20 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-02-20 15:20 . 2008-02-20 15:20 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-02-20 15:20 . 2008-02-20 15:20 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-02-20 15:20 . 2008-02-20 15:20 107,221 -r-hs---- C:\oufddh.exe
2008-02-20 15:20 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-20 15:20 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-20 15:20 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-20 15:20 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-02-20 12:11 . 2008-02-20 06:42 107,052 -r-hs---- C:\gumkrhf.bat
2008-02-20 12:07 . 2006-11-06 10:13 80,176 -ra------ C:\WINDOWS\system32\drivers\btwavdt.sys
2008-02-20 12:07 . 2006-11-06 12:37 78,128 -ra------ C:\WINDOWS\system32\drivers\btwaudio.sys
2008-02-20 12:01 . 2008-02-20 12:01 <DIR> d-------- C:\Program Files\WIDCOMM
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 12:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-20 08:58 --------- d-----w C:\Program Files\Marvell
2008-02-20 08:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-20 08:54 --------- d-----w C:\Program Files\Synaptics
2008-02-20 08:52 --------- d-----w C:\Program Files\Realtek
2008-02-20 08:48 --------- d-----w C:\Program Files\Intel
2008-02-20 08:40 --------- d-----w C:\Program Files\microsoft frontpage
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20 20058152]
"Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 04:57 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 04:57 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 04:57 118784]
"SkyTel"="SkyTel.EXE" [2006-07-19 04:42 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 04:42 16248320 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 04:41 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13 766041]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-20 15:41 180269]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-20 15:53 579072]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 00:22 3739648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-20 15:53 219136]
S3 btwaudio;Bluetooth Audio Device Service;C:\WINDOWS\system32\drivers\btwaudio.sys [2006-11-06 12:37]
S3 btwavdt;Bluetooth AVDT;C:\WINDOWS\system32\drivers\btwavdt.sys [2006-11-06 10:13]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 10:15:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-21 10:16:15
ComboFix-quarantined-files.txt  2008-02-21 07:16:13
_____________________________________________
 
 
HijackThis log:
______
 
Logfile of HijackThis v1.99.1
Scan saved at 10:22:15 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\DOCUME~1\FAISAL~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\hjt\alternativ.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
 
_________________________________________
 
Please people.. help urgently..
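A small triage script, added here as an example and not part of the thread or of ComboFix, that parses the "Files Created" and "Other Deletions" lines of a ComboFix log like the one above and flags the pattern visible in it: hidden+system executables dropped at a drive root beside an Autorun.inf. The flag letters (d directory, h hidden, s system, r read-only) are read off the log's own lines, and the sample input is constructed from lines quoted in this thread.

```python
"""Triage helper for ComboFix 'Files Created' / 'Other Deletions' lines.
Example code written for this thread; not part of ComboFix. The sample input
below is constructed from lines quoted in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One 'Files Created' line: <created> . <modified> <size|<DIR>> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[-A-Za-z]{9}) "
    r"(?P<path>[A-Za-z]:\\.*)$"
)
# Bare paths as listed under 'Other Deletions' (no timestamps or attributes).
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\.*$")
# Exactly one component below the drive letter, e.g. C:\oufddh.exe
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")
AUTO_EXEC_EXT = (".exe", ".bat", ".com", ".cmd", ".pif", ".scr")


@dataclass
class Entry:
    path: str
    attrs: str = ""             # ComboFix flag letters; '' when not reported
    size: Optional[int] = None  # None for directories and bare paths
    created: str = ""
    modified: str = ""

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")  # 'd' leads every <DIR> line

    def has_flag(self, letter: str) -> bool:
        # Assumed from the log itself: h = hidden, s = system, r = read-only.
        return letter in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a line that names a file, else None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        return Entry(m["path"], m["attrs"], size, m["created"], m["modified"])
    if BARE_PATH_RE.match(line):
        return Entry(line)
    return None


def reasons_for(e: Entry) -> List[str]:
    """Why a defender would want a second look at this entry."""
    reasons: List[str] = []
    at_root = bool(DRIVE_ROOT_RE.match(e.path))
    name = e.path.rsplit("\\", 1)[-1].lower()
    if at_root and name == "autorun.inf":
        reasons.append("autorun.inf at drive root")
    if at_root and not e.is_dir and name.endswith(AUTO_EXEC_EXT):
        reasons.append("executable dropped at drive root")
    if not e.is_dir and e.has_flag("h") and e.has_flag("s"):
        reasons.append("file marked hidden+system")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious path in the log to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and (why := reasons_for(e)):
            findings[e.path] = why
    return findings


# Constructed sample in the shape of the thread's ComboFix output.
SAMPLE_LOG = r"""
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
2008-02-21 10:00 . 2008-02-21 10:04 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-20 15:31 . 2008-02-20 15:31 <DIR> dr-h----- C:\MSOCache
2008-02-20 15:20 . 2008-02-20 15:20 107,221 -r-hs---- C:\oufddh.exe
2008-02-20 12:11 . 2008-02-20 06:42 107,052 -r-hs---- C:\gumkrhf.bat
2008-02-20 15:53 . 2008-02-20 15:53 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
"""
```

Running `triage(SAMPLE_LOG)` flags the root Autorun.inf and the two hidden+system droppers while leaving the hidden-only C:\MSOCache directory and the system32 files alone.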
 

Touch (Forum Moderator, joined Jun 2004, 13642 posts)
Posted 2-21-2008 9:37 (GMT +1)
Hello


Please download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Copy and paste that log into your next reply, along with the new ComboFix log.



Do NOT post your problem in someone else's thread.
 

Faisal_Jordan (New Member, joined Feb 2008, 3 posts)
Posted 2-21-2008 11:38 (GMT +1)
Touch! thanks for the quick reply.. I am sure you are the best. :D
here's the Malwarebytes' scan log followed by the new ComboFix scan log........
I hope this can be useful though Malwarebytes tells me it didn't find anything infected :(
___________
Malwarebytes' Anti-Malware 1.04
Database version: 385
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 64300
Time elapsed: 23 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
__________
ComboFix 08-02-21 - Faisal 2008-02-21 13:28:46.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1256.966.1033.18.176 [GMT 3:00]
Running from: C:\Documents and Settings\Faisal \Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((   Files Created from 2008-01-21 to 2008-02-21  )))))))))))))))))))))))))))))))
.
2008-02-21 13:08 . 2008-02-21 13:08 <DIR> d-------- C:\Documents and Settings\Faisal \Bluetooth Software
2008-02-21 13:03 . 2008-02-21 13:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 13:03 . 2008-02-21 13:03 <DIR> d-------- C:\Documents and Settings\Faisal \Application Data\Malwarebytes
2008-02-21 13:03 . 2008-02-21 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 10:21 . 2008-02-21 10:22 <DIR> d-------- C:\hjt
2008-02-21 10:01 . 2008-02-21 10:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 10:01 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-21 10:01 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-21 10:01 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-21 10:01 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-21 10:00 . 2008-02-21 10:04 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-21 10:00 . 2008-02-21 10:00 <DIR> d-------- C:\Documents and Settings\Faisal \Application Data\PC Tools
2008-02-21 09:44 . 2008-02-21 09:56 <DIR> d-------- C:\inshallah
2008-02-21 07:25 . 2008-02-21 10:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 07:25 . 2008-02-21 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 20:34 . 2008-02-20 20:34 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-20 20:33 . 2008-02-20 22:07 <DIR> d-------- C:\Sysclean
2008-02-20 16:43 . 2008-02-20 16:43 <DIR> d-------- C:\Program Files\Google
2008-02-20 16:32 . 2008-02-20 16:32 <DIR> d-------- C:\TEMP
2008-02-20 16:32 . 2008-02-20 16:32 <DIR> d-------- C:\MSI2a278.tmp
2008-02-20 16:06 . 2008-02-20 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-20 15:57 . 2008-02-20 16:41 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-20 15:53 . 2008-02-20 15:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-20 15:53 . 2008-02-21 09:26 <DIR> d-------- C:\Documents and Settings\Faisal \Application Data\AVG7
2008-02-20 15:53 . 2008-02-20 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-20 15:53 . 2008-02-20 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-20 15:53 . 2008-02-20 15:53 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-20 15:53 . 2008-02-20 15:53 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-20 15:47 . 2008-02-20 15:47 <DIR> d-------- C:\Program Files\JetAudio
2008-02-20 15:42 . 2008-02-20 15:42 <DIR> d-------- C:\Program Files\Skype
2008-02-20 15:42 . 2008-02-21 13:05 <DIR> d-------- C:\Documents and Settings\Faisal \Application Data\Skype
2008-02-20 15:41 . 2008-02-20 15:41 <DIR> d-------- C:\Program Files\Real
2008-02-20 15:41 . 2008-02-20 15:41 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-20 15:41 . 2008-02-20 15:41 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-20 15:38 . 2008-02-20 15:38 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-20 15:36 . 2008-02-20 15:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-20 15:35 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-02-20 15:35 . 2008-02-20 15:35 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-20 15:34 . 2008-02-20 15:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-20 15:34 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-20 15:33 . 2008-02-20 15:33 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-20 15:33 . 2008-02-20 15:33 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-20 15:31 . 2008-02-20 15:31 <DIR> dr-h----- C:\MSOCache
2008-02-20 15:28 . 2008-02-20 15:28 <DIR> d---s---- C:\Documents and Settings\Faisal \UserData
2008-02-20 15:20 . 2008-02-20 15:20 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-02-20 15:20 . 2008-02-20 15:20 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-02-20 15:20 . 2008-02-20 15:20 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-02-20 15:20 . 2008-02-20 15:20 107,221 -r-hs---- C:\oufddh.exe
2008-02-20 15:20 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-20 15:20 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-20 15:20 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-20 15:20 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-02-20 12:07 . 2006-11-06 10:13 80,176 -ra------ C:\WINDOWS\system32\drivers\btwavdt.sys
2008-02-20 12:07 . 2006-11-06 12:37 78,128 -ra------ C:\WINDOWS\system32\drivers\btwaudio.sys
2008-02-20 12:01 . 2008-02-20 12:01 <DIR> d-------- C:\Program Files\WIDCOMM
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 12:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-20 08:58 --------- d-----w C:\Program Files\Marvell
2008-02-20 08:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-20 08:54 --------- d-----w C:\Program Files\Synaptics
2008-02-20 08:52 --------- d-----w C:\Program Files\Realtek
2008-02-20 08:48 --------- d-----w C:\Program Files\Intel
2008-02-20 08:40 --------- d-----w C:\Program Files\microsoft frontpage
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20 20058152]
"Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 04:57 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 04:57 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 04:57 118784]
"SkyTel"="SkyTel.EXE" [2006-07-19 04:42 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 04:42 16248320 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 04:41 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13 766041]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-20 15:41 180269]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-20 15:53 579072]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 00:22 3739648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-20 15:53 219136]
S3 btwaudio;Bluetooth Audio Device Service;C:\WINDOWS\system32\drivers\btwaudio.sys [2006-11-06 12:37]
S3 btwavdt;Bluetooth AVDT;C:\WINDOWS\system32\drivers\btwavdt.sys [2006-11-06 10:13]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 13:29:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-21 13:29:56
ComboFix-quarantined-files.txt  2008-02-21 10:29:53
ComboFix2.txt  2008-02-21 07:16:15
 

Sandile (New Member, joined Feb 2008, 2 posts)
Posted 2-21-2008 11:51 (GMT +1)
Hi there, I've also had the same virus on my network for the past few days. Now on my PC at home.
Here's what I've done, maybe this will help you. First off you probably got it via a USB memory stick
and on the memory stick was "8ng8w.com" and another bat file I can't remember the name of at the
moment and an "autorun.inf" file. On the latter there are commands which I gather copy the two files to
each root drive you have "once you autorun the USB". Now what I've done is run HijackThis to find the exe,
i.e. AMVO.exe, stop the process and run Spybot (immunize my system). Mutilated the 2 files I've spoken of before
with Notepad (put gibberish text in them). You'll have to find your own way of doing this, mine has worked this way so far.
I'm really disappointed that it actually got that far without being detected. But that's what you get. This is a little rough
cause I've been pulling my hair out trying everything and I only recall this info above, hope it helps.
At the end of the day though I am going home to do a repair and delete those 2 files on each one of my partitions
at home so it wins.
 

Faisal_Jordan (New Member, joined Feb 2008, 3 posts)
Posted 2-21-2008 12:11 (GMT +1)
hey once again people
I just ran Yahoo Messenger and it worked...
and when I access my C partition, AVG doesn't give me the note that there is a virus named win32/NSAnti (this used to happen just before the last scan with ComboFix and Malwarebytes)...
does this mean that I have got rid of the virus??
is it gone this easy?
I thought I had to wait till someone reads the new scan logs and then he/she tells me to delete other files or whatever.
in short..
have I got rid of the virus?? or is it just doing some kind of maneuver?
how to make sure it doesn't happen again?
thanks a lot people.. you were really helpful..
 

Touch (Forum Moderator, joined Jun 2004, 13642 posts)
Posted 2-25-2008 7:27 (GMT +1)
Looks clean to me.

Please read Tony Klein's excellent article about how to prevent against spyware/hijackers in the future.

Do NOT post your problem in someone else's thread.
 