Hi can anyone help me with advise on how to remove a virus my PC seemed to get 2 days ago, its called `Backdoor:Win32.Nuwar.A` and seems to be in at least one folder `AppData/local.asam. and possibly in AppData/local.syssvc too (according to Microsft Security Essentials, as it asks me to send info on those files everytime it has to clean Backdoor/Win32.Nuwar.A from system)
My Microsoft Security Essentials, has detected, deleted this virus over and over in the past 48hrs since it showed up, but it just keeps repeated popping back and having to repeat scans and deletes time after time.
Im stumped on what to do, i rarely ever get any viruses or any cause for Microsoft Security Essentials to be called into action, however past rare problems have been dealt with and deleted 1st time no probs, but this virus just keeps coming back for more, and ive no idea what to do since Microsoft Security Essentials doesnt seem to be able to deal with it this time.
Many Thanks.
Allison.
Im really sorry, I should have read more carefully what info i needed to include with my description, im a noob, i apologise, after re-reading more carefully the "before you post" topic before my 1st post above, Ionly hope i now get it right and put the bits in right in this second post, or my secret identity as a Blonde air-head will be blown. lol.... here goes...
DDS (Ver_10-03-17.01) - NTFSx86
Run by Allison at 1:17:22.41 on 14/05/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1534.867 [GMT 1:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Allison\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QP0OFCO2\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [dwdttuvn] c:\users\allison\appdata\local\xxaimewmp\lrijxgmtssd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\allison\appdata\roaming\mozilla\firefox\profiles\v1soe1id.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\users\allison\appdata\roaming\mozilla\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows
presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
S2 IK;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
=============== Created Last 30 ================
2010-05-13 07:28:45 4838 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-05-12 02:37:40 157634354 ----a-w- c:\windows\MEMORY.DMP
2010-05-01 02:58:20 0 d-----w- c:\programdata\1468
2010-04-27 23:09:52 0 d-----w- c:\program files\common files\DivX Shared
2010-04-27 23:09:06 0 d-----w- c:\program files\DivX
2010-04-27 23:08:36 0 d-----w- c:\programdata\DivX
2010-04-27 16:55:30 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-04-20 09:46:04 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-04-20 09:46:03 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-04-20 09:46:00 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-04-20 09:45:58 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-04-20 09:35:41 0 d--h--w- c:\windows\msdownld.tmp
2010-04-20 09:35:35 0 d-----w- c:\windows\system32\directx
2010-04-19 17:18:27 0 d-----w- c:\program files\Microsoft Security Essentials
==================== Find3M ====================
2010-04-20 15:35:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-20 15:25:39 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-20 15:25:39 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-17 17:24:40 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-02-24 10:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-10 17:26:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-05 12:27:47 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-18 17:00:45 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
============= FINISH: 1:18:24.26 ===============