Scots thread {NSIS media}



Scott
2006-10-15, 16:36
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


Windows Registry Editor Version 5.00
;
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BACC17E-BDF7-405B-BC68-ECB506395118}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F89688C0-370E-4E5D-A473-299B383A41E5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E7DDB794-65BF-452C-BBA8-D063078B42F4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89C49C15-72D0-4949-9355-9CD109A2DC2C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{72BA6BE1-A20E-4E9E-9305-D9FC1561F888}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B889F851-86CD-4BF2-A5BF-F1E98ED83BE5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wwmdma.nsis]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"=-
"{F89688C0-370E-4E5D-A473-299B383A41E5}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{45A9B2C0-0D04-4AE6-B2F6-544B5C5E1EF3}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia]
[-HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45A9B2C0-0D04-4AE6-B2F6-544B5C5E1EF3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Proxy.ProxyExt]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Proxy.ProxyExt.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\ShellEx\ContextMenuHandlers\ProxyExt]
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.



Restart your PC.
C:\Program Files\Common Files\NSIS < delete if present
C:\WINDOWS\System32\wmproxt.dll < delete
C:\Program Files\Mozilla Firefox\chrome\nsis.jar < delete

Keep an eye out to see if that nsis folder comes back or if there are any nsis popups?

Thanks. I have tried this and so far so good (no popups, no nsis folder). Note, I'm running Windows 2003 x64 so they were in "Program Files (x86)" and there was no wmproxt.dll.
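
As an added example (not a tool used in this thread), the following Python script parses a .reg file of the kind posted above into the operations that merging it would perform, so a fix file can be read over before it is double-clicked: `[-KEY]` deletes a key, `[KEY]` creates or selects a key, and `"name"=-` deletes one value under the selected key. SAMPLE_REG is a shortened copy of the fixme.reg from the post; the script assumes the file text has already been decoded (real .reg files are usually UTF-16LE with a BOM).

```python
"""Parse a Windows .reg file (REGEDIT 5.00 syntax) into the operations that
merging it would perform, so a fix file can be reviewed before it is merged.

Added example, not a tool from the thread. SAMPLE_REG is a shortened copy of
the fixme.reg posted above.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
;
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wwmdma.nsis]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]
;
'''

HEADER = "Windows Registry Editor Version 5.00"
KEY_LINE = re.compile(r'^\[(-?)([^\]]+)\]$')
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _logical_lines(text):
    """Yield lines with hex(...) continuation lines (trailing backslash) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text):
    """Return a list of (op, key, value_name, data) tuples in file order.

    op is one of "delete_key", "ensure_key", "delete_value", "set_value".
    """
    lines = list(_logical_lines(text))
    if not lines or lines[0] != HEADER:
        raise ValueError("not a REGEDIT 5.00 file: header missing")
    ops = []
    current = None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(("delete_key", key, None, None))
                current = None
            else:
                ops.append(("ensure_key", key, None, None))
                current = key
            continue
        m = VALUE_LINE.match(line)
        if m:
            if current is None:
                raise ValueError("value line outside a [KEY] section: %r" % line)
            name, data = m.groups()
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            if data == "-":
                ops.append(("delete_value", current, name, None))
            else:
                ops.append(("set_value", current, name, data))
            continue
        raise ValueError("unrecognised line: %r" % line)
    return ops


def summarize(ops):
    """Human-readable one-liners, handy for eyeballing a fix before merging."""
    words = {"delete_key": "delete key", "ensure_key": "create/select key",
             "delete_value": "delete value", "set_value": "set value"}
    out = []
    for op, key, name, data in ops:
        line = "%s %s" % (words[op], key)
        if name is not None:
            line += " :: %s" % name
        if data is not None:
            line += " = %s" % data
        out.append(line)
    return out


if __name__ == "__main__":
    for line in summarize(parse_reg(SAMPLE_REG)):
        print(line)
```

Run it against a saved fix file with `parse_reg(open("fixme.reg", encoding="utf-16").read())` (or `encoding="utf-8-sig"` for a file saved from Notepad as ANSI/UTF-8); any line the parser does not recognise raises rather than being silently skipped, which is the behaviour you want when reviewing something that will be merged into HKLM.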

LonnyRJones
2006-10-15, 16:44
Hi

Does Windows 2003 have findstr.exe?
To check, go Start > Run, type cmd, press OK or Enter, then type in
findstr /?
What do you see?

Scott
2006-10-15, 16:51
Hi

Does Windows 2003 have findstr.exe?
To check, go Start > Run, type cmd, press OK or Enter, then type in
findstr /?
What do you see?


Microsoft Windows
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Scott>findstr /?
Searches for strings in files.

FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/N] [/M] [/O] [/P] [/F:file]
[/C:string] [/G:file] [/D:dir list] [/A:color attributes] [/OFF[LINE]]
strings [[drive:][path]filename[ ...]]

/B Matches pattern if at the beginning of a line.
/E Matches pattern if at the end of a line.
/L Uses search strings literally.
/R Uses search strings as regular expressions.
/S Searches for matching files in the current directory and all
subdirectories.
/I Specifies that the search is not to be case-sensitive.
/X Prints lines that match exactly.
/V Prints only lines that do not contain a match.
/N Prints the line number before each line that matches.
/M Prints only the filename if a file contains a match.
/O Prints character offset before each matching line.
/P Skip files with non-printable characters.
/OFF[LINE] Do not skip files with offline attribute set.
/A:attr Specifies color attribute with two hex digits. See "color /?"
/F:file Reads file list from the specified file(/ stands for console).
/C:string Uses specified string as a literal search string.
/G:file Gets search strings from the specified file(/ stands for console).
/D:dir Search a semicolon delimited list of directories
strings Text to be searched for.
[drive:][path]filename
Specifies a file or files to search.

Use spaces to separate multiple search strings unless the argument is prefixed
with /C. For example, 'FINDSTR "hello there" x.y' searches for "hello" or
"there" in file x.y. 'FINDSTR /C:"hello there" x.y' searches for
"hello there" in file x.y.

Regular expression quick reference:
. Wildcard: any character
* Repeat: zero or more occurrences of previous character or class
^ Line position: beginning of line
$ Line position: end of line
[class] Character class: any one character in set
[^class] Inverse class: any one character not in set
[x-y] Range: any characters within the specified range
\x Escape: literal use of metacharacter x
\<xyz Word position: beginning of word
xyz\> Word position: end of word

For full information on FINDSTR regular expressions refer to the online Command
Reference.

C:\Documents and Settings\Scott>

No ads yet...it's looking good. :D

LonnyRJones
2006-10-15, 16:56
Good

If you would
Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


@echo off
Echo.
Echo searching please wait....
(echo off
For %%i in (%systemdrive%) do findstr /S /M /C:"mediastub.dll" %%i\*.dll
For %%i in (%systemdrive%) do findstr /S /M /C:"mediastub.dll" %%i\*.exe
For %%i in (%systemdrive%) do findstr /S /M /C:"cydoor" %%i\*.dll
For %%i in (%systemdrive%) do findstr /S /M /C:"cydoor" %%i\*.exe
)>>logit.txt 2>nul
start notepad logit.txt

Run check.bat and post back with the text that will (eventually) open

Scott
2006-10-15, 18:28
Good

If you would
Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


@echo off
Echo.
Echo searching please wait....
(echo off
For %%i in (%systemdrive%) do findstr /S /M /C:"mediastub.dll" %%i\*.dll
For %%i in (%systemdrive%) do findstr /S /M /C:"mediastub.dll" %%i\*.exe
For %%i in (%systemdrive%) do findstr /S /M /C:"cydoor" %%i\*.dll
For %%i in (%systemdrive%) do findstr /S /M /C:"cydoor" %%i\*.exe
)>>logit.txt 2>nul
start notepad logit.txt

Run check.bat and post back with the text that will (eventually) open

One result...


C:\RECYCLER\S-1-5-21-2920657935-1670670156-3160386410-1003\Dc23\ns88.dll


No more popups. :)

LonnyRJones
2006-10-16, 04:00
Thanks
I had expected to see at least one file; the one in the RECYCLER folder is inconsequential.

Post back in a few days to let us know if all is still ok

LonnyRJones
2006-10-16, 14:03
Hi Scott

Slight revision in batch
Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


@echo off
Echo.
Echo searching please wait....
(echo off
For %%i in (%systemdrive%) do findstr /S /L /I /M /C:"cydoor_shell_project" %%i\*.dll
For %%i in (%systemdrive%) do findstr /S /L /I /M /C:"cydoor_shell_project" %%i\*.exe
)>>logit.txt 2>nul
start notepad logit.txt

Run check.bat and post back with the text
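
As an added example (not the batch file from this thread), here is the same check in Python: walk a drive, open every .dll and .exe, and report the ones whose bytes contain any of the marker strings, matched literally and case-insensitively as `findstr /S /L /I /M /C:"..."` does in both versions of check.bat above. The markers are the ones named in the thread; the sample files created under a temporary directory are constructed for the demo, so nothing on the real system is read or touched.

```python
"""Walk a directory tree and list the .dll/.exe files whose bytes contain any
of a set of marker strings, matched literally and case-insensitively: the same
check the thread's check.bat runs with findstr /S /L /I /M /C:"...".

Added example, not the batch from the thread. The sample files built under a
temporary directory are constructed for the demo.
"""
import os
import shutil
import tempfile

MARKERS = ["cydoor_shell_project", "mediastub.dll"]


def scan_tree(root, markers=MARKERS, extensions=(".dll", ".exe"), chunk=1 << 20):
    """Return sorted (path, [markers found]) pairs for matching files under root.

    Files are read in chunks with an overlap of len(marker)-1 bytes so a
    marker straddling two chunks is still seen. findstr works line by line;
    this searches raw bytes, so it does not depend on newlines in the binary.
    """
    needles = [m.lower().encode("ascii") for m in markers]
    overlap = max(len(n) for n in needles) - 1
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            found = set()
            try:
                with open(path, "rb") as fh:
                    tail = b""
                    while True:
                        block = fh.read(chunk)
                        if not block:
                            break
                        window = (tail + block).lower()  # ASCII-only case fold
                        for n in needles:
                            if n in window:
                                found.add(n.decode("ascii"))
                        tail = window[-overlap:] if overlap else b""
            except OSError:
                continue  # locked or unreadable file: skip it, as findstr does
            if found:
                hits.append((path, sorted(found)))
    return sorted(hits)


def build_demo_tree():
    """Create a throwaway tree: one tagged DLL, one clean DLL, one tagged .txt."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    sub = os.path.join(root, "SysWOW64")
    os.makedirs(sub)
    # marker begins at byte 10 so a small chunk size makes it straddle chunks
    with open(os.path.join(sub, "sample_bad.dll"), "wb") as fh:
        fh.write(b"\x00" * 10 + b"CYDOOR_Shell_Project" + b"\x00" * 5)
    with open(os.path.join(root, "clean.dll"), "wb") as fh:
        fh.write(b"MZ" + bytes(range(256)))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"mediastub.dll mentioned in text, wrong extension")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for path, markers in scan_tree(demo):
            print(path, markers)
    finally:
        shutil.rmtree(demo)
```

To run it over a real system drive, call `scan_tree(os.environ.get("SystemDrive", "C:") + "\\")`; expect it to take as long as the batch does, since every .dll and .exe on the disk is read in full.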

Scott
2006-10-16, 20:30
Oh no. I just had another popup. :(
I'll run this script and let you know.

Thanks.

Scott
2006-10-16, 21:08
Oh no. I just had another popup. :(
I'll run this script and let you know.

Thanks.

Just 1 result ...
C:\WINDOWS\SysWOW64\oleac32.dll

LonnyRJones
2006-10-17, 02:38
Zip up and send me that file please

Send it to submitlonnyATsubratam.org
Replace AT with @, and include a link back to this thread.

Scott
2006-10-17, 19:59
Zip up and send me that file please

Send it to submitlonnyATsubratam.org
Replace AT with @, and include a link back to this thread.

The file has gone now but the popups remain. I'll run the check.bat again.

Scott
2006-10-17, 20:26
It's in C:\WINDOWS\SysWOW64\ftsash.dll now. Emailed. Thanks!

LonnyRJones
2006-10-18, 04:16
It changed from oleac32.dll to ftsash.dll?

Run Hijackthis click >"config" then "misc tools" >"delete file on reboot"
(exact spelling counts!!! so don't browse to the files)
Copy/Paste the bolded line below into the File name box then click Open,
C:\WINDOWS\SysWOW64\ftsash.dll
Answer yes to the prompt to reboot the PC

C:\Program Files\Common Files\NSIS < delete if present

Post a HijackThis 1.99.1 log

First, make a new folder, for example C:\AntiSpyWare,
and download/save HijackThis to that new folder.
This is necessary to ensure you have backups should anything go wrong.
http://www.merijn.org/files/HijackThis.exe
Double click HijackThis.exe, Hit None of the above, just start the program.
Hit Scan. When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents.
Most of what it lists will be harmless or even required, so do NOT fix anything yet.

MisterW
2006-10-18, 10:50
Hi Scott,

Do you know how you got infected by nsis? I am still searching for the roots of that crap...

Thanks,
Markus

Scott
2006-10-18, 19:34
It changed from oleac32.dll to ftsash.dll?

Run Hijackthis click >"config" then "misc tools" >"delete file on reboot"
(exact spelling counts!!! so don't browse to the files)
Copy/Paste the bolded line below into the File name box then click Open,
C:\WINDOWS\SysWOW64\ftsash.dll
Answer yes to the prompt to reboot the PC

C:\Program Files\Common Files\NSIS < delete if present

Post a HijackThis 1.99.1 log

First, make a new folder, for example C:\AntiSpyWare,
and download/save HijackThis to that new folder.
This is necessary to ensure you have backups should anything go wrong.
http://www.merijn.org/files/HijackThis.exe
Double click HijackThis.exe, Hit None of the above, just start the program.
Hit Scan. When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents.
Most of what it lists will be harmless or even required, so do NOT fix anything yet.

Thanks, I re-ran the check.bat today and it was still in the same file so I went ahead and removed it with HijackThis. Rebooted, scanned with Spybot, Ad-aware and Windows Defender and they have all shown nothing. check.bat shows nothing this time.

Here is my HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 17:31:12, on 18/10/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\SysWOW64\dllhost.exe
C:\Program Files (x86)\Acronis\BackupServer\backupserver.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\Eset\nod32krn.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files (x86)\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\SysWOW64\vmnat.exe
C:\WINDOWS\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Free Download Manager\fdm.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SysWOW64\rundll32.exe
C:\Program Files (x86)\ClamWin\bin\ClamTray.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files (x86)\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files (x86)\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files (x86)\Eset\nod32kui.exe
C:\Program Files (x86)\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe
C:\Program Files (x86)\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files (x86)\BitComet\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files (x86)\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: (no name) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~2\FlashFXP\IEFlash.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~2\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files (x86)\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files (x86)\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files (x86)\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [FireflyMini] "C:\Program Files (x86)\SnapStream Media\Firefly Mini\FireflyMini.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files (x86)\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files (x86)\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MI69DF~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files (x86)\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files (x86)\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~2\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~2\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files (x86)\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159129984254
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files (x86)\Acronis\BackupServer\backupserver.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files (x86)\Eset\nod32krn.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Windows Media Services (WMServer) - Unknown owner - C:\WINDOWS\system32\Windows Media\Server\WMServer.exe (file missing)


Hi Scott,

Do you know how you got infected by nsis? I am still searching for the roots of that crap...

Thanks,
Markus

Hey Markus, no idea. Sorry!

Scott
2006-10-18, 19:36
Also, I ran the .reg file again before the reboot and after & deleted the NSIS folder and nsis.jar in the Firefox/chrome folder. A Windows search shows up no more "nsis" files. So far no popups.

LonnyRJones
2006-10-19, 03:57
Looks fine

Post back in a few days and let us know how that PC is please.

Scott
2006-10-19, 13:47
Looks fine

Post back in a few days and let us know how that PC is please.

will do thanks!

LonnyRJones
2006-10-21, 14:46
I hope all is well?

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

LonnyRJones
2006-10-29, 01:16
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).