View Full Version : Win32/NSAnti Virus Removal



dastipatakha
2008-02-22, 13:50
Whenever I open up a hard drive in My Computer, AVG displays a message saying that a virus has been detected. The name of the virus is Win32/NSAnti. The file path is as follows:

C:\DOCUME~1\Ali\LOCALS~1\Temp\qc7r.dll

I can't seem to get rid of it through AVG. I have created a HijackThis log. Can someone analyze this for me and tell me what to do?


Blade81
2008-02-24, 18:34
Hi

Are you using a USB flash drive? Please have it inserted so that it will be cleaned too (in case it was used in an infected machine).


1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh hjt log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

dastipatakha
2008-02-25, 06:02
Thanks for the reply.

Here are the logs:


Blade81
2008-02-25, 17:00
Hi


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Upload the following files to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\kiss.CAB
C:\WINDOWS\Fonts\error.exe
C:\Documents and Settings\Ali\My Documents\Exam Papers\pdf\8943_y02_sf_5206 .exe


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\oufddh.exe
J:\oufddh.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55ca4173-e1ea-11dc-9592-00300aa1f042}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{663c39f7-e091-11dc-958c-00300aa1f042}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a190f49-dbd7-11dc-9567-00300aa1f042}]



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe. Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity. Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post also a fresh hjt log.
If the results of the anti virus scan itself will take more than one post to contain, you may attach it as a file.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.


Summary of logs to be posted:
-Kaspersky online scanner report
-Combofix resultant log
-a fresh hjt log
-scanning results of those three files.

dastipatakha
2008-02-27, 17:02
I couldn't find the file:

C:\WINDOWS\Fonts\error.exe

The other two files tested clean. Anyway, here are the logs you asked for.

Kaspersky Online Scanner Report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 26, 2008 1:55:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/02/2008
Kaspersky Anti-Virus database records: 535822
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 134593
Number of viruses found: 4
Number of infected objects: 55
Number of suspicious objects: 0
Duration of the scan process: 01:34:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\history.dat Object is locked skipped
C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\key3.db Object is locked skipped
C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ali\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Application Data\Mozilla\Firefox\Profiles\ltw1lgs6.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\History\History.IE5\MSHist012008022620080227\index.dat Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Temp\googlewebaccclient.exe.log Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Temp\GoogleWebAccelerator.pac Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Temp\GoogleWebAcceleratorCache Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Temp\GoogleWebAccWarden.exe.log Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Temp\~DF281.tmp Object is locked skipped
C:\Documents and Settings\Ali\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ali\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ali\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\oufddh.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP31\A0011752.exe Object is locked skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0016993.dll Infected: Trojan-PSW.Win32.OnLineGames.rnv skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0016994.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0017993.dll Infected: Trojan-PSW.Win32.OnLineGames.rnv skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0017994.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018005.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018090.dll Infected: Trojan-PSW.Win32.OnLineGames.rnv skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018092.exe Object is locked skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018119.dll Object is locked skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018125.exe Object is locked skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018199.exe Object is locked skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP36\A0020269.dll Object is locked skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP36\A0020281.exe Object is locked skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP37\A0021327.dll Infected: Trojan-PSW.Win32.OnLineGames.rnv skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP37\A0021329.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP37\A0021339.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021355.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021407.dll Infected: Trojan-PSW.Win32.OnLineGames.rnv skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021408.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021428.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021429.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021501.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021504.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP39\A0021533.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP39\A0021534.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP39\A0021535.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP41\A0024533.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP41\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\4d20b0ecc4994a955a6e289b5b41\update\update.exe Object is locked skipped
D:\4d20b0ecc4994a955a6e289b5b41\update\updspapi.dll Object is locked skipped
D:\a5d8d4571c1c4ab4af9150171a14\update\update.exe Object is locked skipped
D:\a5d8d4571c1c4ab4af9150171a14\update\updspapi.dll Object is locked skipped
D:\oufddh.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{13375365-1D97-4735-BFC2-468849F5F8B1}\RP212\A0239559.com Object is locked skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0016996.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0017996.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018094.exe Object is locked skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018127.exe Object is locked skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP37\A0021331.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021357.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021410.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021431.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
D:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021506.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
E:\Fraps\HELP\Jesse.Jane.Lust.XviD-SPiCE\Sample\spice-jjlsmp.avi Object is locked skipped
E:\Fraps\HELP\Jesse.Jane.Lust.XviD-SPiCE\spice-jjl.part44.rar Object is locked skipped
E:\oufddh.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{13375365-1D97-4735-BFC2-468849F5F8B1}\RP214\A0242763.com Object is locked skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0016998.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0017998.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018096.exe Object is locked skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018129.exe Object is locked skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP37\A0021333.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021359.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021412.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021433.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021508.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
E:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP41\change.log Object is locked skipped
F:\oufddh.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0017000.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018000.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018098.exe Object is locked skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018131.exe Object is locked skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP37\A0021335.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021361.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021414.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021436.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021510.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
F:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP41\change.log Object is locked skipped
G:\oufddh.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0017002.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018100.exe Object is locked skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP35\A0018133.exe Object is locked skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP37\A0021337.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021363.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021416.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021438.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP38\A0021512.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
G:\System Volume Information\_restore{81157CD8-CBA4-4C26-AA52-8B43CE1852E1}\RP41\change.log Object is locked skipped

Scan process completed.



Thanks
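As an added example (not code from the thread or from any tool named in it): a Python parser for the Kaspersky Online Scanner report layout above. It separates locked files, quarantine copies and System Restore copies from infections still live on disk, and pulls out the drive-root executables that the follow-up CFScript has to target. The sample report, its paths, the {GUID} placeholder and the detection names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Kaspersky Online Scanner 5 report quoted in the
# thread; the paths, {GUID} placeholder and detection names are illustrative, not real hits.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\sample.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{GUID}\RP35\A0016993.dll Infected: Trojan-PSW.Win32.OnLineGames.rnv skipped
D:\sample.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
E:\sample.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
E:\System Volume Information\_restore{GUID}\RP38\A0021359.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
F:\Some Folder\tool.exe Infected: Trojan-PSW.Win32.OnLineGames.rmm skipped

Scan process completed.
"""

# One report line: <path, which may contain spaces> then "Object is locked" or
# "Infected: <name>", then the last action. Anchoring both ends lets the lazy
# path group absorb the embedded spaces.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?:Object is locked|Infected: (?P<name>\S+)) (?P<action>\S+)$"
)
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # file directly in a drive root
RESTORE_MARKER = r"\System Volume Information\_restore"
QUARANTINE_MARKER = r"\QooBox\Quarantine"


def classify(path, name):
    """Sort a hit by where it lives; only 'live' files are still reachable on the box."""
    if name is None:
        return "locked"          # in use by the OS; a skip, not a detection
    if RESTORE_MARKER in path:
        return "restore_point"   # old System Restore copy; cleared by purging restore points
    if QUARANTINE_MARKER in path:
        return "quarantine"      # already neutralised by ComboFix, harmless where it is
    return "live"


def parse_report(text):
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # header, blank and summary lines
        path, name, action = m.group("path"), m.group("name"), m.group("action")
        findings.append({"path": path, "name": name, "action": action,
                         "kind": classify(path, name)})
    return findings


def live_infections(text):
    return [f for f in parse_report(text) if f["kind"] == "live"]


def root_level_paths(text):
    """Live hits sitting directly in a drive root: the pattern in this thread, where the
    same executable is dropped on every partition and the flash drive."""
    return sorted(f["path"] for f in live_infections(text) if ROOT_FILE_RE.match(f["path"]))


def summary(text):
    findings = parse_report(text)
    return {"kinds": dict(Counter(f["kind"] for f in findings)),
            "names": dict(Counter(f["name"] for f in findings if f["name"]))}


def cfscript_file_section(paths):
    """Render a File:: section in the CFScript layout the helper uses above."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
    print(cfscript_file_section(root_level_paths(SAMPLE_REPORT)))
```

Run it against a saved report to see at a glance which hits are real versus restore-point or quarantine echoes of files already removed.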

Blade81
2008-02-27, 17:10
Hi


Open notepad and copy/paste the text in the quotebox below into it:



File::
D:\oufddh.exe
E:\oufddh.exe
F:\oufddh.exe
G:\oufddh.exe



Save this as CFScript (overwrite previous one)


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe. Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

dastipatakha
2008-02-28, 07:04
I am still getting the 'Trojan-PSW.Win32.OnLineGames.fry' virus alert. All other problems seem to be resolved.

Here is the log you asked for.


Thanks

Blade81
2008-02-28, 14:55
Hi

It's your infected flash drive causing all the trouble.


Open notepad and copy/paste the text in the quotebox below into it:



File::
I:\Autorun.exe
J:\oufddh.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55ca4173-e1ea-11dc-9592-00300aa1f042}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{663c39f7-e091-11dc-958c-00300aa1f042}]



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe. Then post the resultant log.

Run also Kaspersky online scanner again and post back its report.

Blade81
2008-03-03, 22:22
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.