Win32 NSAnti removal [Archive] - Safer-Networking Forums

torpee

2008-02-23, 10:21

hi...
i am new here and maybe you guys can help me.
i use AVG and it has been telling me that i have the Win32.NSAnti virus in my Temp folder (filename ly2u.dll) everytime i try to access my C drive.
i cant unhide my hidden folders and i cant remove the infection. i used avg and avast (which doesnt detect it). i even turned off my system restore which did not remove it.

i am hoping you guys can help me.
i read the "Do this first" post here so...

Kaspersky log ( only included the files that came out as infected according to the online scan):

Scan Statistics
Total number of scanned objects 21255
Number of viruses found 1
Number of infected objects 59
Number of suspicious objects 0
Duration of the scan process 00:35:39

C:\g2lbn.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP12\change.log Object is locked skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000132.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000136.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000161.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000177.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000178.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000179.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP5\A0000183.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP5\A0001179.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP5\A0001180.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP5\A0001181.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP6\A0001187.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP6\A0002179.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP6\A0002180.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP7\A0002185.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP7\A0002215.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP7\A0002216.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP7\A0002217.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP8\A0002252.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP8\A0002377.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP8\A0002378.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP8\A0002379.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002383.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002391.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002392.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002394.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002402.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002403.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002405.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped

C:\WINDOWS\system32\fool0.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ieso0.dll Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
C:\WINDOWS\system32\kxvo.exe Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000124.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000163.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP4\A0000181.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP5\A0000185.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP5\A0001183.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP6\A0001189.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP6\A0002183.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP7\A0002187.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP7\A0002219.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP8\A0002254.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP8\A0002381.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002385.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002396.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{59A6205C-BABA-49A5-AEF6-65035FAA923F}\RP9\A0002407.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP337\A0082849.exe Object is locked skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP338\A0082870.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP338\A0082973.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP338\A0082995.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP338\A0083010.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP339\A0083143.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP340\A0083165.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP340\A0083167.exe Object is locked skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP340\A0083181.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP340\A0083207.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP341\A0083215.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP342\A0083220.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP342\A0083301.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
D:\System Volume Information\_restore{7DCC4F1E-FC95-4366-B488-D0C06FEA83F6}\RP342\A0083317.cmd Infected: Trojan-PSW.Win32.OnLineGames.rmk skipped
Scan process completed.

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:17 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4124 bytes

tnx for any help you can give me

Shaba

2008-02-25, 12:13

Hi torpee

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

Shaba

2008-03-01, 12:29

Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.