
Win32/NSAnti Virus Removal

dastipatakha

New member
Whenever I open up a hard drive in My Computer, AVG displays a message saying that a virus has been detected. The name of the virus is Win32/NSAnti. The file path is as follows:

C:\DOCUME~1\Ali\LOCALS~1\Temp\qc7r.dll

I can't seem to get rid of it through AVG. I have created a HijackThis log. Can someone analyze this for me and tell me what to do?

View attachment 2060
 
Hi

Are you using a USB flash drive? Please have it inserted so that it will be cleaned too (in case it was used in an infected machine).


1. Download this file - combofix.exe to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
Hi


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Upload following files to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\kiss.CAB
C:\WINDOWS\Fonts\error.exe
C:\Documents and Settings\Ali\My Documents\Exam Papers\pdf\8943_y02_sf_5206 .exe


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\oufddh.exe
J:\oufddh.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55ca4173-e1ea-11dc-9592-00300aa1f042}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{663c39f7-e091-11dc-958c-00300aa1f042}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a190f49-dbd7-11dc-9567-00300aa1f042}]


Save this as
CFScript


CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
  • Extended (If available, otherwise Standard)
Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK.
  • Under select a target to scan, select My Computer.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information into your next post if the AV content will fit into one post only. Post also a fresh hjt log.
  • If the results of the anti virus scan itself will take more than one post to contain, you may attach it as a file.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.


Summary of logs to be posted:
-Kaspersky online scanner report
-Combofix resultant log
-a fresh hjt log
-scanning results of those three files.
 
I couldn't find the file:

C:\WINDOWS\Fonts\error.exe

The other two files tested clean. Anyway, here are the logs you asked for.

Kaspersky Online Scanner Report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 26, 2008 1:55:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/02/2008
Kaspersky Anti-Virus database records: 535822
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 134593
Number of viruses found: 4
Number of infected objects: 55
Number of suspicious objects: 0
Duration of the scan process: 01:34:25

Infected Object Name / Virus Name / Last Action

Scan process completed.

View attachment 2069
View attachment 2070


Thanks
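
A scan report in the "Infected Object Name / Virus Name / Last Action" layout can be triaged mechanically before deciding what still needs cleaning. The following is an added example, not part of the original thread or of any tool named in it: it separates files on live paths from copies held in System Restore points or in ComboFix's QooBox quarantine folder, and flags an infected file name that sits at the root of several drives. The sample lines, paths, GUID, detection names and function names are constructed placeholders, and the line pattern is an assumption about the flattened report text.

```python
import re
from collections import defaultdict

# Constructed sample in the report's "object / verdict / last action" layout.
# Paths, GUID and detection names are placeholders, not values from the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\sample.exe.vir Infected: Trojan.Example.a skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe Infected: Trojan.Example.a skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000002.dll Infected: Trojan.Example.b skipped
D:\sample.exe Infected: Trojan.Example.a skipped
E:\sample.exe Infected: Trojan.Example.a skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
"""

# Assumed line shape: <path> then "Infected: <name>" or "Object is locked",
# then a one-word last action. Paths may contain spaces, hence the lazy match.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)|Object is locked)\s+"
    r"(?P<action>\w+)$"
)


def classify(path):
    """Say where an infected object lives: restore point, quarantine or live."""
    low = path.lower()
    if "\\system volume information\\_restore{" in low:
        return "restore_point"   # snapshot copy kept by System Restore
    if re.match(r"^[a-z]:\\qoobox\\quarantine\\", low):
        return "quarantine"      # already moved aside by ComboFix
    return "live"                # still on a normal path


def triage(report):
    """Parse report text; count locked objects and group infected ones."""
    result = {"locked": 0, "unparsed": [], "detections": set(),
              "infected": defaultdict(list)}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)   # keep for manual review
            continue
        if m.group("name") is None:
            result["locked"] += 1             # locked file, not a detection
            continue
        result["detections"].add(m.group("name"))
        kind = classify(m.group("path"))
        result["infected"][kind].append((m.group("path"), m.group("name")))
    return result


def root_copies(result):
    """Map a live infected file name to the drives whose root holds a copy."""
    by_name = defaultdict(list)
    for path, _name in result["infected"]["live"]:
        drive, _sep, rest = path.partition("\\")
        if "\\" not in rest:                  # file sits directly in X:\
            by_name[rest.lower()].append(drive.upper())
    return {n: sorted(d) for n, d in by_name.items() if len(d) > 1}


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    for kind, items in sorted(r["infected"].items()):
        print(kind, len(items))
    print("same file at several drive roots:", root_copies(r))
```
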
 
Hi


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
D:\oufddh.exe
E:\oufddh.exe
F:\oufddh.exe
G:\oufddh.exe


Save this as
CFScript (overwrite previous one)


CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Hi

It's your infected flash drive causing all the trouble.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
I:\Autorun.exe
J:\oufddh.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55ca4173-e1ea-11dc-9592-00300aa1f042}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{663c39f7-e091-11dc-958c-00300aa1f042}]


Save this as
CFScript


CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Run also Kaspersky online scanner again and post back its report.
 
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 