
Thread: How to Remove Win32.NSAnti, logs included

  1. #1
    Junior Member
    Join Date
    Jan 2008
    Posts
    6

    How to Remove Win32.NSAnti, logs included

    Hello,

    My computer is infected with Win32.NSAnti.
    When I click on a disk in the Windows My Computer
    window, AVG 7.5 gives a notification about the
    Win32.NSAnti virus; I move it to the vault, but
    the problem continues.
    Also, some directories in Windows are not
    reachable from the My Computer window, such as
    the one where Outlook Express keeps the dbx
    files.

    I ran combofix.exe and alternativ.exe (HijackThis).

    It seems that I don't get the AVG notification
    any more. I am told to produce the related
    logs and ask for help from the experts.

    I run AVG 7.5.

    Below are the related log files.

    Thanks in advance.

    kaytkayt

    --------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 11:43:20 AM, on 1/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\MATLAB7\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    F:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\HJT\alternativ.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba?lantylar
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: MySQL - Unknown owner - F:\Program.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    Log file of ComboFix
    ---------------------------------------------
    ComboFix 08-01-03.4 - x 2008-01-03 11:32:24.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1254.90.1055.18.166 [GMT 2:00]
    Running from: C:\Documents and Settings\x\desktop\combofix.exe
    Command switches used :: /killall
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    D:\Autorun.inf
    F:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
    .

    2008-01-03 11:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-03 11:28 . 2008-01-03 11:28 <DIR> d-------- C:\HJT
    2008-01-02 12:27 . 2008-01-03 11:09 107,985 -r-hs---- C:\semo2x.exe
    2008-01-02 12:27 . 2008-01-03 11:09 54,784 -r-hs---- C:\WINDOWS\system32\amvo1.dll
    2008-01-02 12:26 . 2008-01-03 11:09 107,985 -r-hs---- C:\WINDOWS\system32\amvo.exe
    2008-01-02 12:26 . 2007-12-28 08:42 105,216 -r-hs---- C:\80avp08.com
    2008-01-02 12:26 . 2008-01-03 11:37 54,784 -r-hs---- C:\WINDOWS\system32\amvo0.dll
    2008-01-02 11:15 . 2008-01-02 11:16 <DIR> d-------- C:\Documents and Settings\x\.nbi
    2007-12-18 11:58 . 2007-12-18 11:58 <DIR> d-------- C:\Documents and Settings\x\WebApplication3
    2007-12-18 11:39 . 2007-12-18 11:39 <DIR> d-------- C:\Documents and Settings\x\JSTLExample
    2007-12-17 13:08 . 2007-12-17 13:08 <DIR> d-------- C:\Documents and Settings\x\Application Data\Talkback
    2007-12-17 13:08 . 2007-12-17 13:08 0 --a------ C:\WINDOWS\nsreg.dat
    2007-12-05 10:41 . 2007-12-05 10:41 <DIR> d-------- C:\Documents and Settings\x\GUIFormExamples

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-14 07:27 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 10:17 3,079,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-25 16:56 8,460,288 ------w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-25 08:01 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
    2007-10-25 08:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-25 08:00 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-11 06:13 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
    2007-10-11 06:13 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-11 06:13 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-11 06:13 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-11 06:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-11 06:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-10-11 06:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-11 06:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-10-11 06:13 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-10-11 06:13 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
    2007-10-11 06:13 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-11 06:13 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-11 06:13 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-10-11 06:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-10-11 06:13 1,054,720 ------w C:\WINDOWS\system32\dllcache\danim.dll
    2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-10-10 11:16 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
    2007-09-19 08:57 25,144 ----a-w C:\Documents and Settings\x\Application Data\GDIPFONTCACHEV1.DAT
    2007-01-05 07:48 30,601 ----a-w C:\Documents and Settings\x\x.exe
    2006-03-16 10:24 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2006-03-16 10:24 56 --sh--r C:\WINDOWS\system32\A436161D3A.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:45 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
    "amva"="C:\WINDOWS\system32\amvo.exe" [2008-01-03 11:37 107985]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 15:50 98304]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 05:24 155648]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 05:11 114688]
    "WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2005-08-18 16:50 24576]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-24 11:37 579072]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:45 15360]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 08:21 219136]

    R2 RTWTKRNL;Real-Time Windows Target;C:\WINDOWS\system32\drivers\RTWTKRNL.sys [2004-04-13 18:13]
    S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
    S4 Cllml$sqsck;Cllml$sqsck;C:\WINDOWS\system32\drivers\usbd.sys [2003-05-08 12:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e53e9ca-8061-11db-85fa-000ea65b1513}]
    \Shell\AutoRun\command - G:\80avp08.com
    \Shell\explore\Command - G:\80avp08.com
    \Shell\open\Command - G:\80avp08.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c7be9f8-7181-11dc-86ca-000ea65b1513}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d1246f0-901d-11db-8608-000ea65b1513}]
    \Shell\Auto\command - bittorrent.exe e
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d3f1d08-a7d9-11dc-870b-000ea65b1513}]
    \Shell\AutoRun\command - G:\semo2x.exe
    \Shell\explore\Command - G:\semo2x.exe
    \Shell\open\Command - G:\semo2x.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{796d041d-e3ca-11da-855f-000ea65b1513}]
    \Shell\AutoRun\command - "E:\COMMAND.EXE" /StartExplorer

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a4b8ca2-1341-11dc-867b-000ea65b1513}]
    \Shell\Auto\command - bittorrent.exe e
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91c147e4-b8fb-11dc-8717-000ea65b1513}]
    \Shell\AutoRun\command - G:\xfoolavp.com
    \Shell\explore\Command - G:\xfoolavp.com
    \Shell\open\Command - G:\xfoolavp.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9938f5aa-8a6a-11db-8603-000ea65b1513}]
    \Shell\Auto\command - bittorrent.exe e
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f90942e-f3dc-11db-865f-000ea65b1513}]
    \Shell\Auto\command - bittorrent.exe e
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f909435-f3dc-11db-865f-000ea65b1513}]
    \Shell\Auto\command - bittorrent.exe e
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5c6cd2c-7ece-11db-85f8-000ea65b1513}]
    \Shell\Auto\command - G:\bittorrent.exe e
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db2153ec-9812-11dc-86f7-000ea65b1513}]
    \Shell\Auto\command - activexdebugger32.exe f
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
    \Shell\explore\Command - activexdebugger32.exe f
    \Shell\open\Command - activexdebugger32.exe f

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db2153ed-9812-11dc-86f7-000ea65b1513}]
    \Shell\Auto\command - G:\activexdebugger32.exe f
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
    \Shell\explore\Command - G:\activexdebugger32.exe f
    \Shell\open\Command - G:\activexdebugger32.exe f

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfbe30b5-8f3b-11db-8606-000ea65b1513}]
    \Shell\Auto\command - G:\bittorrent.exe e
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e64289d0-a38d-11da-8504-000ea65b1513}]
    \Shell\AutoRun\command - G:\ie.exe
    \Shell\explore\Command - G:\ie.exe
    \Shell\open\Command - G:\ie.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7e734e4-64d5-11db-85d7-000ea65b1513}]
    \Shell\Auto\command - sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f98da299-4d3a-11db-85c4-000ea65b1513}]
    \Shell\AutoRun\command - fooool.exe
    \Shell\explore\Command - fooool.exe
    \Shell\open\Command - fooool.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2006-04-17 08:03:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-03 11:37:11
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\system32\amvo0.dll
    .
    Completion time: 2008-01-03 11:40:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-03 09:40:12
    .
    2007-12-24 11:09:27 --- E O F ---

    Thanks,

    Kayt.
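
A defender-side triage of the ComboFix output above, added here as an example and not part of the thread: it parses the mountpoints2 entries and the "Files Created" lines in the format ComboFix prints them and flags the autorun launchers. The sample lines are copied from the log in this post; the heuristics and the function names are assumptions of this example, not anything ComboFix itself does.

```python
"""Triage of the autorun persistence recorded in the ComboFix log above.

Added example, not part of the original thread: it parses the mountpoints2
entries and "Files Created" lines that ComboFix prints and scores each launcher.
"""
import re

# Constructed sample: a subset of lines copied from the ComboFix log in this post.
SAMPLE_LOG = r"""
2008-01-02 12:27 . 2008-01-03 11:09 107,985 -r-hs---- C:\semo2x.exe
2008-01-02 12:26 . 2007-12-28 08:42 105,216 -r-hs---- C:\80avp08.com
2008-01-02 11:15 . 2008-01-02 11:16 <DIR> d-------- C:\Documents and Settings\x\.nbi

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e53e9ca-8061-11db-85fa-000ea65b1513}]
\Shell\AutoRun\command - G:\80avp08.com
\Shell\explore\Command - G:\80avp08.com
\Shell\open\Command - G:\80avp08.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c7be9f8-7181-11dc-86ca-000ea65b1513}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d3f1d08-a7d9-11dc-870b-000ea65b1513}]
\Shell\AutoRun\command - G:\semo2x.exe
\Shell\explore\Command - G:\semo2x.exe
\Shell\open\Command - G:\semo2x.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7e734e4-64d5-11db-85d7-000ea65b1513}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
"""

MP_KEY = re.compile(r"mountpoints2\\\{([0-9a-f-]+)\}\]$", re.I)
MP_CMD = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
                     r"(?:[\d,]+|<DIR>)\s+([-a-z]{9})\s+(.+)$")
SHELLEXEC = re.compile(r"RunDLL32\.EXE\s+Shell32\.DLL,ShellExec_RunDLL\s+(.+)$", re.I)
ROOT_FILE = re.compile(r"^[A-Z]:\\[^\\]+$", re.I)   # e.g. C:\semo2x.exe


def parse(text):
    """Return ([(guid, {verb: command}), ...], {created_path: attribute_flags})."""
    volumes, created = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := MP_KEY.search(line):
            volumes.append((m.group(1).lower(), {}))
        elif (m := MP_CMD.match(line)) and volumes:
            volumes[-1][1][m.group(1).lower()] = m.group(2).strip()
        elif m := CREATED.match(line):
            created[m.group(2).strip()] = m.group(1)
    return volumes, created


def launcher(command):
    """Executable an autorun command starts, with any ShellExec_RunDLL wrapper removed."""
    if m := SHELLEXEC.search(command):
        command = m.group(1)
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def assess(commands, created):
    """Heuristics for one mountpoints2 entry; more findings means more suspicious."""
    findings = []
    if any(SHELLEXEC.search(c) for c in commands.values()):
        findings.append("launched via ShellExec_RunDLL (autorun.inf shellexecute= style)")
    for target in sorted({launcher(c) for c in commands.values()}):
        if "\\" not in target:
            findings.append(f"bare filename resolved at the volume root: {target}")
        elif ROOT_FILE.match(target):
            findings.append(f"launcher stored at the volume root: {target}")
        base = target.rsplit("\\", 1)[-1].lower()
        for path, flags in created.items():
            # The same name freshly dropped hidden+system at a local volume root
            # is the worm copying itself to every drive, as this log shows.
            if (path.rsplit("\\", 1)[-1].lower() == base and ROOT_FILE.match(path)
                    and "h" in flags and "s" in flags):
                findings.append(f"same name recently created hidden+system at {path}")
    if {"open", "explore"} <= set(commands):
        findings.append("open/explore verbs redirected: double-clicking the drive runs it")
    return findings


def triage(text):
    """Map each mountpoints2 GUID to its findings, most suspicious first."""
    volumes, created = parse(text)
    report = {guid: assess(cmds, created) for guid, cmds in volumes}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for guid, findings in triage(SAMPLE_LOG).items():
        print(guid, len(findings), findings)
```

A root-level launcher on its own is a weak signal (the U3 entry scores one finding); the entries that also redirect the open/explore verbs and match a freshly created hidden+system file on C: are the ones that explain the "AVG alerts when I click a disk" symptom.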

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    It would be handy if you would try reading the directions first; they are posted above and pinned to the top of this forum.
    I can see from here that you have a nasty trojan at least:
    C:\WINDOWS\system32\amvo.exe
    http://www.prevx.com/filenames/13607.../AMVO.EXE.html

    Read the directions and post a new HJT log using version 2.0.2 and the scan results from Kaspersky as required and I will be glad to take another look.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Jan 2008
    Posts
    6

    Tried to remove amvo.exe

    I have the "can't unhide files and folders" problem.

    I had files autorun.inf and semo??.exe (?spelling) in all my disc partitions. When I deleted them I had them reappear in some seconds.

    I had the virus in \windows\system32\amvo.exe (as you pointed out).

    I removed amvo.exe and amvo1.dll from \windows\system32

    Then I deleted autorun.inf and semo??.exe.

    Now, they don't reappear.

    But I still have the "can't unhide" problem.

    I also had the Win32/NSAnti virus detected (but it can't be cleaned).
    (That was the point where I understood that my computer was infected.)

    And also some other kind of virus notifications (by AVG).

    But, after I removed amvo.exe I might have gotten rid of
    some of them (which ones I don't know).

    But the "can't unhide" problem continues.

    Below is given a new HJT log produced with
    version 2.0.2.

    But I didn't scan with Kaspersky since it requires
    me to remove my AVG 7.5. (I will remove it if you
    still want Kaspersky run.)

    thanks

    kaytkayt

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:13:54 PM, on 1/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\MATLAB7\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\notepad.exe
    C:\HJT\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba?lantylar
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 5076 bytes

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    You have me a bit confused here; all I asked for was:
    Read the directions and post a new HJT log using version 2.0.2 and the scan results from Kaspersky as required and I will be glad to take another look.
    I can wait on the Kaspersky scan, but you are the first person who told me that, and I get a load of Kaspersky scans from folks running AVG antivirus 7.5?
    Wait until I ask for the scan.

    Let's try this first to see how it goes:

    How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    (you may leave the first item if you set your Start Page like this on purpose)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\system32\amvo.exe <<< delete that file

    Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart and post a new HJT log and some feedback.

    Thanks

    If you need it, I found this:
    Found a nice little script that restores the options here:
    http://www.kellys-korner-xp.com/xp_tweaks.htm

    368. Folder Options/View Empty - Restore Now
    http://www.kellys-korner-xp.com/regs...derrestore.reg
    Last edited by pskelley; 2008-01-03 at 21:09. Reason: add information:
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
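
An added check, not from the thread or its author, for the Folder Options procedure above: it compares the Explorer registry values behind "Show hidden files and folders", "Hide file extensions" and "Hide protected operating system files" against what Windows expects, including the template values under Advanced\Folder\Hidden that Explorer copies into the per-user setting when the radio button is clicked. The key and value names are the standard Windows ones; that a tampered template is the cause on this particular machine is an assumption, and the TAMPERED sample is constructed.

```python
"""Check the Explorer registry values behind Folder Options > View.

Added example, not part of the thread. When the template values under
Advanced\Folder\Hidden have the wrong type or data, Explorer writes the
wrong per-user value and the GUI choice silently reverts, which matches
the "can't unhide" symptom described in this thread (assumption, not
confirmed by the logs posted).
"""
import sys

ADV = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
TEMPLATE = ADV + r"\Folder\Hidden"

# (hive, subkey, value name) -> (expected type, expected data)
EXPECTED = {
    ("HKCU", ADV, "Hidden"):          ("REG_DWORD", 1),  # 1 = show hidden, 2 = hide
    ("HKCU", ADV, "ShowSuperHidden"): ("REG_DWORD", 1),  # 1 = show protected OS files
    ("HKCU", ADV, "HideFileExt"):     ("REG_DWORD", 0),  # 0 = show extensions
    ("HKLM", TEMPLATE + r"\SHOWALL",  "CheckedValue"): ("REG_DWORD", 1),
    ("HKLM", TEMPLATE + r"\NOHIDDEN", "CheckedValue"): ("REG_DWORD", 2),
}


def diagnose(observed):
    """observed: {(hive, subkey, name): (type_name, data), or None when missing}.
    Returns human-readable findings; an empty list means the plumbing looks intact."""
    findings = []
    for key, (want_type, want_data) in EXPECTED.items():
        hive, subkey, name = key
        where = f"{hive}\\{subkey}\\{name}"
        got = observed.get(key)
        if got is None:
            findings.append(f"{where} is missing")
            continue
        got_type, got_data = got
        if got_type != want_type:
            # The classic tamper: CheckedValue rewritten as REG_SZ, so Explorer
            # stores a string and the "Show hidden files" choice never takes.
            findings.append(f"{where} has type {got_type}, expected {want_type}")
        elif got_data != want_data:
            findings.append(f"{where} = {got_data!r}, expected {want_data!r}")
    return findings


def read_registry():
    """Collect the observed values on a Windows host; returns {} elsewhere."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    type_names = {winreg.REG_DWORD: "REG_DWORD", winreg.REG_SZ: "REG_SZ",
                  winreg.REG_EXPAND_SZ: "REG_EXPAND_SZ", winreg.REG_BINARY: "REG_BINARY"}
    observed = {}
    for hive, subkey, name in EXPECTED:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                data, kind = winreg.QueryValueEx(k, name)
            observed[(hive, subkey, name)] = (type_names.get(kind, str(kind)), data)
        except OSError:
            observed[(hive, subkey, name)] = None
    return observed


# Constructed sample of a tampered machine: the per-user switches are set to
# "hide" and the SHOWALL template has been turned into a string value.
TAMPERED = {
    ("HKCU", ADV, "Hidden"):          ("REG_DWORD", 2),
    ("HKCU", ADV, "ShowSuperHidden"): ("REG_DWORD", 0),
    ("HKCU", ADV, "HideFileExt"):     ("REG_DWORD", 0),
    ("HKLM", TEMPLATE + r"\SHOWALL",  "CheckedValue"): ("REG_SZ", "1"),
    ("HKLM", TEMPLATE + r"\NOHIDDEN", "CheckedValue"): ("REG_DWORD", 2),
}

if __name__ == "__main__":
    observed = read_registry() or TAMPERED   # off Windows, show the sample instead
    for line in diagnose(observed) or ["Folder Options registry values look intact"]:
        print(line)
```

If the SHOWALL template is the wrong type, re-selecting the radio button in Folder Options will keep failing until that value is restored as a REG_DWORD of 1, which is what a "restore Folder Options" .reg script like the one linked above does.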

  5. #5
    Junior Member
    Join Date
    Jan 2008
    Posts
    6

    Feedback comes

    First, thanks for help,

    I did what you instructed about unhiding files and folders
    (from Tools-->Folder Options .....).
    It did not work (still can't unhide).

    Then I opened HijackThis and chose "Do a system scan only" then checked the box in front of the following line items:

    (I left the first item since I set my Start Page like this on purpose)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

    Then, I tried to locate amvo.exe, but couldn't find it (I suppose
    the procedure on my previous post worked and I deleted it before).

    Then I ran ATF Cleaner.

    I don't know if I still have Win32/NSAnti and other viruses,
    but the "can't unhide" problem continues.

    And the latest HJT log is as follows:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:34:11 PM, on 1/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\MATLAB7\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\HJT\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba?lantylar
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 4925 bytes

    Thanks,

    kayt

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

What about the script I posted instructions for? You said nothing about trying it.

That item is gone from the HJT log; likely HJT removed it.

    Let's run a Kaspersky scan to see if anything hidden is left. Turn off your antivirus program until you get Kaspersky downloaded and updated, use these settings please.

    Run this online scan using Internet Explorer:
    Kaspersky Online Scanner from
    http://www.kaspersky.com/kos/eng/par...avwebscan.html

    Next Click on Launch Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
* In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
* The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Jan 2008
    Posts
    6

    Default Kaspersky run

First, I ran the scripts that you told me about.
Now, I got rid of the "can't unhide" problem, unbelievably.

Then, I ran the Kaspersky online scanner, as you instructed.

    I got virus notifications.

    I removed AVG 7.5 and installed the trial edition
    of Kaspersky 7.0. (Didn't let me install without removing).

I ran Kaspersky 7.0 and disinfected the problems.

    Now, I don't seem to have problems left.

    Thank you a lot for your kind help.

Just for your info, below is the scan log from my run of the
Kaspersky online scanner, with the infection notifications (also attached).

    After the weekend, if I notice any problems,
    I will let you know.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, January 04, 2008 5:57:48 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 3/01/2008
    Kaspersky Anti-Virus database records: 469199
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 383895
    Number of viruses found: 4
    Number of infected objects: 43
    Number of suspicious objects: 0
    Duration of the scan process: 06:34:46

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4AE46A5F.exe Infected: Email-Worm.Win32.Nyxem.e skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\581E7DD1.exe Infected: Email-Worm.Win32.Nyxem.e skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\682A5028.exe Infected: Email-Worm.Win32.Nyxem.e skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A563158.exe Infected: Email-Worm.Win32.Nyxem.e skipped
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7d8.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\x\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\x\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\x\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\x\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_247.trc Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129285.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129327.dll Infected: Trojan-PSW.Win32.OnLineGames.mwc skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129328.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129340.dll Infected: Trojan-PSW.Win32.OnLineGames.mwc skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129343.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129353.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129354.DLL Infected: Trojan-PSW.Win32.OnLineGames.mwc skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0129675.exe Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130640.dll Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130641.exe Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130647.exe Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130648.DLL Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130664.dll Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130668.exe Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130671.exe Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130672.dll Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0132167.dll Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0132172.DLL Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\change.log Object is locked skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP465\A0129356.exe Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP465\A0129371.dll Infected: Trojan-PSW.Win32.OnLineGames.mwc skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP465\A0129372.exe Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP465\A0129373.exe Infected: Worm.Win32.AutoRun.blq skipped
    C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP466\A0129495.exe Infected: Worm.Win32.AutoRun.blq skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129330.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129345.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP465\A0129358.exe Infected: Worm.Win32.AutoRun.blq skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP465\A0129374.exe Infected: Worm.Win32.AutoRun.blq skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP466\A0129497.exe Infected: Worm.Win32.AutoRun.blq skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0129677.exe Infected: Worm.Win32.AutoRun.blq skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130643.exe Infected: Worm.Win32.AutoRun.blq skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130669.exe Infected: Worm.Win32.AutoRun.blq skipped
    D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\change.log Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129332.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129347.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP465\A0129360.exe Infected: Worm.Win32.AutoRun.blq skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP465\A0129375.exe Infected: Worm.Win32.AutoRun.blq skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP466\A0129499.exe Infected: Worm.Win32.AutoRun.blq skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0129679.exe Infected: Worm.Win32.AutoRun.blq skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130645.exe Infected: Worm.Win32.AutoRun.blq skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130670.exe Infected: Worm.Win32.AutoRun.blq skipped
    F:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\change.log Object is locked skipped

    Scan process completed.

    Thanks,

    Kaytkayt

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

Thanks for the feedback. I did not suggest you download the Kaspersky "Trial" version, only the "Kaspersky Online Scanner". Once we finish, unless you wish to pay for Kaspersky, I would uninstall that "Trial" version and install AVG from Grisoft again; I run that program myself:
    http://free.grisoft.com/doc/2/

    KASPERSKY ONLINE SCANNER REPORT Friday, January 04, 2008 5:57:48 AM

You have four items in quarantine and many infected System Restore files (they can't harm you unless you do a Restore), which we will now clean.

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\ <<< delete the contents of that quarantine folder.
    http://service1.symantec.com/SUPPORT...00041213443506

    Empty the Recycle Bin on your Desktop.
    http://www.microsoft.com/resources/d....mspx?mfr=true

    Restart your computer and follow these directions:
    MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Run a new Kaspersky scan to be sure you are clean. Do not post a clean scan, just let me know and I will post valuable closing information for you.

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

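The triage Phil does by hand above (quarantine hits, System Restore copies, and anything on the live file system) as an added Python example; this is not code from the thread or from Kaspersky. The report lines are constructed in the layout of the Kaspersky Online Scanner 5.0 report posted above, and the final "live" hit is a constructed path that does not appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the Kaspersky Online Scanner 5.0 report layout used in
# the thread: "<path> Infected: <detection> skipped" for detections and
# "<path> Object is locked skipped" for files the scanner could not open.
# The last line is a constructed "live" hit that does not appear in the thread.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4AE46A5F.exe Infected: Email-Worm.Win32.Nyxem.e skipped
C:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP464\A0129285.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
D:\System Volume Information\_restore{9485ACBD-FE69-44D5-B79E-397A0D9F80AC}\RP467\A0130643.exe Infected: Worm.Win32.AutoRun.blq skipped
C:\Documents and Settings\x\Local Settings\Temp\constructed_sample.exe Infected: Worm.Win32.AutoRun.blq skipped
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")


@dataclass
class Finding:
    path: str
    detection: Optional[str]   # None for objects the scanner could not open
    action: str                # what the scanner did with it, e.g. "skipped"

    @property
    def location(self) -> str:
        """Where the object lives decides what the remediation is."""
        p = self.path.lower()
        if "\\quarantine\\" in p:
            return "quarantine"        # already contained by another AV product
        if "\\system volume information\\_restore" in p:
            return "system_restore"    # restore-point copy; inert unless restored
        return "live"                  # on the active file system: needs attention


def parse_report(text: str) -> list[Finding]:
    """Parse the per-object lines of a Kaspersky Online Scanner report."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["name"], m["action"]))
            continue
        m = LOCKED_RE.match(line)
        if m:
            findings.append(Finding(m["path"], None, m["action"]))
        # header, statistics and any other lines are ignored
    return findings


def triage(findings: list[Finding]) -> dict:
    """Summarise detections by location so the cleanup steps are clear."""
    summary = {"quarantine": 0, "system_restore": 0, "live": 0,
               "locked": 0, "detections": set(), "live_paths": []}
    for f in findings:
        if f.detection is None:
            summary["locked"] += 1     # unscanned, not necessarily clean
            continue
        summary["detections"].add(f.detection)
        summary[f.location] += 1
        if f.location == "live":
            summary["live_paths"].append(f.path)
    return summary


if __name__ == "__main__":
    s = triage(parse_report(SAMPLE_REPORT))
    print(f"quarantine={s['quarantine']} system_restore={s['system_restore']} "
          f"live={s['live']} locked={s['locked']}")
    for p in s["live_paths"]:
        print("needs attention:", p)
```

Quarantine entries are handled by emptying the quarantine folder and System Restore entries by the restore-point toggle described in the post; only the "live" list points at files still on the active file system.
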
  9. #9
    Junior Member
    Join Date
    Jan 2008
    Posts
    6

    Default Following instructions

    Hello,

    Regarding the following instruction:
    ********************************************
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\ <<< delete the contents of that quarantine folder.
    http://service1.symantec.com/SUPPORT...00041213443506

    Empty the Recycle Bin on your Desktop.
    http://www.microsoft.com/resources/d....mspx?mfr=true
    *********************************************
    I also received notifications from Kaspersky before your last post. I already removed the whole folder "C:\Documents and Settings\All Users\Application Data\Symantec"

    My Recycle Bin is already empty.

    I already received infection notifications from Kaspersky
    about the System Volume Information folders in disk partitions c:, d:, and f: (my disk partitions).

    That folder in c: was accessible. I made that folder in d:
    and f: accessible as well.

I ran a Kaspersky 7.0 Trial scan on those
System Volume Information folders and, after getting the
infection notifications, I let Kaspersky 7.0 Trial Ed. remove those infected files.

    That was all before your last post.

Now, I continue with your final instructions about
System Restore. (I turned OFF System Restore, rebooted
and turned ON System Restore.)

    Before I run Kaspersky "Online Scanner", I decided
    to first give the above information to you.

    Now, I will run Kaspersky Online Scanner.
    Then, I will remove Kaspersky 7.0 Trial Ed.
    And, I will install AVG 7.5 again (as you suggest)
    And let you know about the situation.

Sorry for the intermediate steps that you didn't
instruct.

    Thanks for help.

    Kaytkayt

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

No problem. I will suggest it is best to have only one individual instructing you, because of the complexities that can be caused as instructions may conflict. Had I known you were receiving instructions from Kaspersky, I would have opted out.

Assuming your HJT log is clean when you scan and that you have no additional issues, I will leave you with this important information.

    Have a great 2008

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Thanks...Phil
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
