I sent you a private message and have not received a response as of this morning?
MS-MVP Consumer Security 2007-08-09
Proud Member ASAP
UNITE Member 2006
I've attached the scan results in the email I sent to you. Sorry again for not realizing the private message earlier.
Hi Phil, here are the latest Kaspersky scan results.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 20, 2008 2:09:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/01/2008
Kaspersky Anti-Virus database records: 489903
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 45943
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:53:49
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\kavo0.dll Infected: Trojan-PSW.Win32.OnLineGames.ora skipped
C:\WINDOWS\system32\kavo1.dll Infected: Trojan-PSW.Win32.OnLineGames.ora skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\927wgsjb.dll Object is locked skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\~DFD0B.tmp Object is locked skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\jjqz.dll Object is locked skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\75b5uhxa.dll Object is locked skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\~DFD40.tmp Object is locked skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\~DF8340.tmp Object is locked skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\~DF836D.tmp Object is locked skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\~DF6B5B.tmp Object is locked skipped
C:\Documents and Settings\Cheryl Choong\Local Settings\Temporary Internet Files\Content.IE5\BZTN2LHL\zz[2].exe Object is locked skipped
C:\g2p3s.exe Object is locked skipped
C:\copetttt.com Object is locked skipped
D:\g2p3s.exe Object is locked skipped
D:\copetttt.com Object is locked skipped
Scan process completed.
Thanks for returning your scan results
C:\g2p3s.exe
C:\copetttt.com
I am not liking the looks of these two files. Would you use one or more of these free online scans and post the results?
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
You may need to unhide files and folders to see those:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
C:\Documents and Settings\Cheryl Choong\Local Settings\Temp\ <<< delete the contents of that folder
C:\Documents and Settings\Cheryl Choong\Local Settings\Temporary Internet Files\ <<< delete the contents of that folder
C:\WINDOWS\system32\kavo0.dll <<< delete that file
C:\WINDOWS\system32\kavo1.dll <<< delete that file
Run another Kaspersky scan, I do not need to see a clean scan, just let me know, tell me how the computer is running, and post a new HJT log.
Thanks...Phil
Phil, I don't seem to be able to find these 2 files (C:\g2p3s.exe and C:\copetttt.com) even after I try to unhide files and folders. Therefore, I can't do the online scans as well.
Also, I deleted the temp and temporary internet files already, but again, I can't find these:
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
What should I do next?
With your files and folders unhidden, use Search Companion to locate the files.
Start > Search > All files and folders. Allow time, it takes a while to search all of your files.
Thanks
Sorry, Phil...but I still can't locate the files using the Search Companion...but just to let you know, the notification from AVG about the virus seems to have stopped popping up...so I'm not too sure if my PC is totally clean yet or not...
How is the computer running? Do we need to run additional scans? If not:
Some good information for you:
http://users.telenet.be/bluepatchy/m...wcomputer.html
http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/m...revention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.