Tech Support Forum - Resolved HJT Threads (Resolved spyware and popup issues)
#21
Registered User
Join Date: Jan 2007
Posts: 33
OS: WinXP
Re: Win32/NSANTI
Hi, Ried.
Here is the textfile after dragging and dropping the CFScript (avpo0.dll) into ComboFix (it ran automatically just as I finished dropping the script into ComboFix):
Code:
ComboFix 08-02-25.2 - WinXp 2008-02-29 21:32:30.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.628 [GMT 7:00]
Running from: C:\Documents and Settings\WinXp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\WinXp\Desktop\cfscript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\avpo0.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
.

((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.

2008-02-29 21:01 . 2008-02-28 09:25 118,958 -r-hs---- C:\6qe.com
2008-02-22 22:00 . 2008-02-20 11:02 1,333 --a------ C:\showhiddenfiles.vbs
2008-02-22 21:53 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-22 21:53 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\Deckard
2008-02-22 21:29 . 2008-02-22 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-02-22 21:29 . 2008-02-22 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-22 21:29 . 2008-02-25 20:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-22 21:29 . 2005-01-07 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-20 21:39 . 2008-02-20 21:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 22:24 . 2008-02-15 22:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ACD Systems
2008-02-15 21:15 . 2008-02-15 21:15 <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
2008-02-02 22:04 . 2008-02-12 23:03 135 --a------ C:\WINDOWS\Mp3ACutjoin.ini
2008-02-02 22:03 . 2008-02-02 22:03 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2008-02-02 22:03 . 2008-02-12 23:01 <DIR> d-------- C:\My Music
2008-02-02 21:59 . 2008-02-12 23:03 5 --a------ C:\WINDOWS\system32\SySMACJ.dat
2008-02-02 21:58 . 2008-02-02 21:58 <DIR> d-------- C:\Program Files\HiFisoftware
2008-02-02 21:58 . 2004-12-08 13:21 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2008-02-02 21:58 . 2004-08-02 15:09 450,560 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-02-02 21:58 . 2004-12-01 14:43 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2008-02-02 21:58 . 2003-08-07 14:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-02-02 21:58 . 2004-05-20 14:24 196,608 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-02-02 21:58 . 2003-12-08 12:49 116,304 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-02-01 22:11 . 2008-02-01 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-02-01 22:04 . 2008-02-01 22:04 <DIR> d-------- C:\Program Files\IVT Corporation
2008-02-01 22:04 . 2004-09-21 18:18 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 14:01 --------- d-----w C:\Documents and Settings\WinXp\Application Data\AVG7
2008-02-17 17:09 --------- d-----w C:\Documents and Settings\Phin\Application Data\AVG7
2008-02-01 15:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 17:18 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2008-01-22 17:07 --------- d-----w C:\Program Files\Alwil Software
2007-08-15 15:54 45,056 --sha-w C:\WINDOWS\word.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 07:00 1694208]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-04-20 09:57 847872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-07 07:00 15360]
"BolaMata"="D:\DELPHI\data\New Folder\mata\BOLAMATA.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-26 10:22 589824]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 23:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 23:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 23:07 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 13:49 73728 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 02:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 16:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-03-22 09:39 167936]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 09:30 1106944]
"Folder Keeper"="D:\DELPHI\data\New Folder\folder_keeper\FolderKeeper.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 16:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-20 21:38 219136]

C:\Documents and Settings\WinXp\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-04-20 13:12:57 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R1 BIOS;BIOS;C:\WINDOWS\System32\drivers\BIOS.sys [2005-03-16 13:23]
R2 InterBaseGuardian;InterBase Guardian;C:\Program Files\Borland\InterBase\bin\ibguard.exe [2001-11-29 19:50]
R3 InterBaseServer;InterBase Server;C:\Program Files\Borland\InterBase\bin\ibserver.exe [2001-11-29 19:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b6d98b4-5af8-11dc-9a91-0013d3feae51}]
\Shell\AutoRun\command - G:\6qe.com
\Shell\explore\Command - G:\6qe.com
\Shell\open\Command - G:\6qe.com

.
Contents of the 'Scheduled Tasks' folder
"2007-04-19 16:11:17 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 21:33:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-29 21:34:17
ComboFix-quarantined-files.txt 2008-02-29 14:34:09
ComboFix2.txt 2008-02-28 14:08:42
ComboFix3.txt 2008-02-28 13:57:18
ComboFix4.txt 2008-02-25 13:50:16
ComboFix5.txt 2008-02-20 16:16:22

And here is the textfile of ComboFix after I ran (double-clicked) it manually:
Code:
ComboFix 08-02-25.2 - WinXp 2008-02-29 21:35:08.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.630 [GMT 7:00]
Running from: C:\Documents and Settings\WinXp\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.

2008-02-29 21:01 . 2008-02-28 09:25 118,958 -r-hs---- C:\6qe.com
2008-02-22 22:00 . 2008-02-20 11:02 1,333 --a------ C:\showhiddenfiles.vbs
2008-02-22 21:53 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-22 21:53 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\Deckard
2008-02-22 21:29 . 2008-02-22 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-02-22 21:29 . 2008-02-22 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-22 21:29 . 2008-02-25 20:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-22 21:29 . 2005-01-07 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-20 21:39 . 2008-02-20 21:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 22:24 . 2008-02-15 22:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ACD Systems
2008-02-15 21:15 . 2008-02-15 21:15 <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
2008-02-02 22:04 . 2008-02-12 23:03 135 --a------ C:\WINDOWS\Mp3ACutjoin.ini
2008-02-02 22:03 . 2008-02-02 22:03 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2008-02-02 22:03 . 2008-02-12 23:01 <DIR> d-------- C:\My Music
2008-02-02 21:59 . 2008-02-12 23:03 5 --a------ C:\WINDOWS\system32\SySMACJ.dat
2008-02-02 21:58 . 2008-02-02 21:58 <DIR> d-------- C:\Program Files\HiFisoftware
2008-02-02 21:58 . 2004-12-08 13:21 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2008-02-02 21:58 . 2004-08-02 15:09 450,560 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-02-02 21:58 . 2004-12-01 14:43 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2008-02-02 21:58 . 2003-08-07 14:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-02-02 21:58 . 2004-05-20 14:24 196,608 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-02-02 21:58 . 2003-12-08 12:49 116,304 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-02-01 22:11 . 2008-02-01 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-02-01 22:04 . 2008-02-01 22:04 <DIR> d-------- C:\Program Files\IVT Corporation
2008-02-01 22:04 . 2004-09-21 18:18 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 14:01 --------- d-----w C:\Documents and Settings\WinXp\Application Data\AVG7
2008-02-17 17:09 --------- d-----w C:\Documents and Settings\Phin\Application Data\AVG7
2008-02-01 15:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 17:18 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2008-01-22 17:07 --------- d-----w C:\Program Files\Alwil Software
2007-08-15 15:54 45,056 --sha-w C:\WINDOWS\word.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 07:00 1694208]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-04-20 09:57 847872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-07 07:00 15360]
"BolaMata"="D:\DELPHI\data\New Folder\mata\BOLAMATA.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-26 10:22 589824]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 23:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 23:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 23:07 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 13:49 73728 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 02:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 16:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-03-22 09:39 167936]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 09:30 1106944]
"Folder Keeper"="D:\DELPHI\data\New Folder\folder_keeper\FolderKeeper.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 16:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-20 21:38 219136]

C:\Documents and Settings\WinXp\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-04-20 13:12:57 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R1 BIOS;BIOS;C:\WINDOWS\System32\drivers\BIOS.sys [2005-03-16 13:23]
R2 InterBaseGuardian;InterBase Guardian;C:\Program Files\Borland\InterBase\bin\ibguard.exe [2001-11-29 19:50]
R3 InterBaseServer;InterBase Server;C:\Program Files\Borland\InterBase\bin\ibserver.exe [2001-11-29 19:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b6d98b4-5af8-11dc-9a91-0013d3feae51}]
\Shell\AutoRun\command - G:\6qe.com
\Shell\explore\Command - G:\6qe.com
\Shell\open\Command - G:\6qe.com

.
Contents of the 'Scheduled Tasks' folder
"2007-04-19 16:11:17 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 21:35:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-29 21:36:18
ComboFix-quarantined-files.txt 2008-02-29 14:36:03
ComboFix2.txt 2008-02-29 14:34:18
ComboFix3.txt 2008-02-28 14:08:42
ComboFix4.txt 2008-02-28 13:57:18
ComboFix5.txt 2008-02-25 13:50:16

P.S.:
* I am not sure whether or not the boot failure that happened to my PC after I finished running ComboFix (manually) and restarting it is related to this cleaning process.
--After I finished running ComboFix, I restarted my PC. The PC shut down successfully (with no problem), but when it booted there was only a loud noise (or maybe a loud 'beep' sound from the CPU), and the boot screen did not appear, as it seemed to have failed in booting. When I tried to power on the PC again, it didn't respond. I left it idle for about 10-15 minutes, then powered it on, and it booted, loaded and logged in as usual with no problem at all. Does it mean my PC is still infected? Or is it just something else regarding my hardware in the CPU?? FYI, I bought the PC one year ago.
#22
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista
Re: Win32/NSANTI
Hi Jo,
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
---------------------------------------------------------------------
Open notepad and copy/paste the text in the code box below into it:
Code:
File::
C:\6qe.com
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b6d98b4-5af8-11dc-9a91-0013d3feae51}]
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that here.
#23
Registered User
Join Date: Jan 2007
Posts: 33
OS: WinXP
Re: Win32/NSANTI
Quote:
I believe the only spyware program that was running was AVG_AS, and before performing the dropping of the script, I had already unchecked all antivirus and antispyware programs using TuneUp Utilities > TuneUp StartUp. I don't know why avgas did not stop running. However, it's not in "active" resident shield (it is not real-time anymore, as it's over the trial period). Does it affect ComboFix even though it's not "active"? (But the tray icon is still there.) As you already know... I'll have to take this overnight and provide you the fresh textfile tomorrow.
Quote:
Any idea what was happening?
#24
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista
Re: Win32/NSANTI
Not sure--it just could have been that you didn't wait long enough before trying to turn it back on. Let's see if it happens again.
No worries about AVG A-S
#25
Registered User
Join Date: Jan 2007
Posts: 33
OS: WinXP
Re: Win32/NSANTI
OK, I'll let you know the update on my PC's behaviour in the next reply, along with the fresh textfile (with no running antivirus/antispyware/malware programmes).
Btw, may I know how you found out that my antivirus/antispyware was running??
#27
Registered User
Join Date: Jan 2007
Posts: 33
OS: WinXP
Re: Win32/NSANTI
Do all the files listed in the log show that they are active programs on my PC (that they are actually running while the scanning process is going on)?? Is that how you could tell that avg_as was running?? In the log, I could also see C:\Program Files\Alwil Software. I remember uninstalling this software a couple of months ago... how could it be that it was running (if the answer to my question of how you found that out was "yes")?
Oh yeah, I forgot that tomorrow is Sunday (here), on which I don't go to the office, and therefore I am not able to provide you the textfile tomorrow. I shall do it the day after tomorrow. Hope you don't mind...
#28
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista
Re: Win32/NSANTI
I'm looking at the Running Processes and the programs that are slated to run at Startup. Avast is not one of them.
It's simpler if you look at the HijackThis log. It lists the Running Processes first; then pay close attention to the O4 entries--those are the programs that run at startup.
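The same reading can be done mechanically on the ComboFix log posted earlier in this thread: its Reg Loading Points section is the counterpart of the HijackThis O4 entries. As an added example (not code from this thread, from Ried, or from ComboFix), the Python script below parses a constructed excerpt laid out like Jo's log, flags hidden+system files sitting in a drive root and Run entries that ComboFix printed with no file details, and cross-references the mountpoints2 shell overrides against those root files. The row layouts are assumptions read off the posted log, not a ComboFix specification.

```python
import re

# Constructed sample: an excerpt laid out like the ComboFix log posted in this
# thread (Files Created section, Reg Loading Points, mountpoints2 block).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.
2008-02-29 21:01 . 2008-02-28 09:25 118,958 -r-hs---- C:\6qe.com
2008-02-22 22:00 . 2008-02-20 11:02 1,333 --a------ C:\showhiddenfiles.vbs
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\Deckard
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 07:00 1694208]
"BolaMata"="D:\DELPHI\data\New Folder\mata\BOLAMATA.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-01-26 23:07 1490944 C:\WINDOWS\system32\nwiz.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b6d98b4-5af8-11dc-9a91-0013d3feae51}]
\Shell\AutoRun\command - G:\6qe.com
\Shell\explore\Command - G:\6qe.com
\Shell\open\Command - G:\6qe.com
"""

# Row layouts are assumptions read off the log above, not a ComboFix spec.
FILE_RE = re.compile(  # "created . modified size attrs path"
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                 # [HKEY_...]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*?)\s*\[(?P<info>[^\]]*)\]$')
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\[Cc]ommand - (?P<cmd>.+)$")
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")             # X:\name, no subdir


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(log_text):
    """Walk the log once and collect what a log reader checks by hand."""
    hidden_root = []   # (path, attrs): hidden+system files sitting in a drive root
    run_no_info = []   # (key, name, target): Run values ComboFix printed with "[ ]"
    overrides = []     # (key, verb, cmd): per-volume shell overrides under mountpoints2
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if (m.group("size") != "<DIR>" and "h" in attrs and "s" in attrs
                    and ROOT_FILE_RE.match(path)):
                hidden_root.append((path, attrs))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m:
            # "[ ]" means ComboFix printed no date/size for the target (compare the
            # other entries), so the file could not be inspected; check it by hand.
            if current_key and current_key.lower().endswith("\\run") \
                    and not m.group("info").strip():
                run_no_info.append((current_key, m.group("name"),
                                    m.group("value").strip('"')))
            continue
        m = VERB_RE.match(line)
        if m and current_key and "mountpoints2" in current_key.lower():
            overrides.append((current_key, m.group("verb"), m.group("cmd")))
    # A hidden+system file in a drive root whose name is also the target of an
    # AutoRun/open/explore override on another drive is the pattern of the
    # removable-drive infection cleaned in this thread.
    root_names = {basename(p) for p, _ in hidden_root}
    cross_hits = sorted({basename(c) for _, _, c in overrides} & root_names)
    return {"hidden_root": hidden_root, "run_no_info": run_no_info,
            "overrides": overrides, "cross_hits": cross_hits}


if __name__ == "__main__":
    for section, items in analyze(SAMPLE_LOG).items():
        print(section, items)
```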
#29
Registered User
Join Date: Jan 2007
Posts: 33
OS: WinXP
Re: Win32/NSANTI
OK, thanks for the info.
I wish you could tell me more about how to understand the logfile/textfile when this is over. Or do you know any source(s) that might have this kind of info to read/study?
#30
Registered User
Join Date: Jan 2007
Posts: 33
OS: WinXP
Re: Win32/NSANTI
Hi, Ried.
Here is the textfile after running the deletion of 6qe.com:
Code:
ComboFix 08-02-25.2 - WinXp 2008-03-01 22:09:40.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.636 [GMT 7:00]
Running from: C:\Documents and Settings\WinXp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\WinXp\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\6qe.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6qe.com
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-22 22:00 . 2008-02-20 11:02 1,333 --a------ C:\showhiddenfiles.vbs
2008-02-22 21:53 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-22 21:53 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\Deckard
2008-02-22 21:29 . 2008-02-22 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-02-22 21:29 . 2008-02-22 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-22 21:29 . 2008-02-25 20:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-22 21:29 . 2005-01-07 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-20 21:39 . 2008-02-20 21:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 22:24 . 2008-02-15 22:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ACD Systems
2008-02-15 21:15 . 2008-02-15 21:15 <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
2008-02-02 22:04 . 2008-02-12 23:03 135 --a------ C:\WINDOWS\Mp3ACutjoin.ini
2008-02-02 22:03 . 2008-02-02 22:03 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2008-02-02 22:03 . 2008-02-12 23:01 <DIR> d-------- C:\My Music
2008-02-02 21:59 . 2008-02-12 23:03 5 --a------ C:\WINDOWS\system32\SySMACJ.dat
2008-02-02 21:58 . 2008-02-02 21:58 <DIR> d-------- C:\Program Files\HiFisoftware
2008-02-02 21:58 . 2004-12-08 13:21 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2008-02-02 21:58 . 2004-08-02 15:09 450,560 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-02-02 21:58 . 2004-12-01 14:43 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2008-02-02 21:58 . 2003-08-07 14:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-02-02 21:58 . 2004-05-20 14:24 196,608 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-02-02 21:58 . 2003-12-08 12:49 116,304 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-02-01 22:11 . 2008-02-01 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-02-01 22:04 . 2008-02-01 22:04 <DIR> d-------- C:\Program Files\IVT Corporation
2008-02-01 22:04 . 2004-09-21 18:18 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 14:31 --------- d-----w C:\Documents and Settings\WinXp\Application Data\AVG7
2008-02-17 17:09 --------- d-----w C:\Documents and Settings\Phin\Application Data\AVG7
2008-02-01 15:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 17:18 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2008-01-22 17:07 --------- d-----w C:\Program Files\Alwil Software
2007-08-15 15:54 45,056 --sha-w C:\WINDOWS\word.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 07:00 1694208]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-04-20 09:57 847872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-07 07:00 15360]
"BolaMata"="D:\DELPHI\data\New Folder\mata\BOLAMATA.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-26 10:22 589824]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 23:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 23:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 23:07 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 13:49 73728 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 02:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 16:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-03-22 09:39 167936]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 09:30 1106944]
"Folder Keeper"="D:\DELPHI\data\New Folder\folder_keeper\FolderKeeper.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-20 21:38 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R1 BIOS;BIOS;C:\WINDOWS\System32\drivers\BIOS.sys [2005-03-16 13:23]
R2 InterBaseGuardian;InterBase Guardian;C:\Program Files\Borland\InterBase\bin\ibguard.exe [2001-11-29 19:50]
R3 InterBaseServer;InterBase Server;C:\Program Files\Borland\InterBase\bin\ibserver.exe [2001-11-29 19:50]

.
Contents of the 'Scheduled Tasks' folder
"2007-04-19 16:11:17 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 22:10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 22:11:30
ComboFix-quarantined-files.txt 2008-03-01 15:11:22
ComboFix2.txt 2008-02-29 16:15:00
ComboFix3.txt 2008-02-29 16:13:11
ComboFix4.txt 2008-02-29 14:36:19
ComboFix5.txt 2008-02-29 14:34:18

My PC still tends to shut down occasionally by itself. Yesterday, when I turned it on, my AVG started running and did a scan automatically, which is the usual thing to happen, as before, but in the middle of the scanning process my PC shut down by itself... and could not be restarted, and I had to wait for about 10-15 minutes before I could power it on again. What to do?
#31
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista
Re: Win32/NSANTI
Hi Jo,
Your log is now clean, so malware is not at the root of your restarting issues. There can be many causes for the symptoms you're now experiencing. As such, you'd do best discussing that issue with the folks in the Windows XP Support section of this forum.
---------------------------------------------
As this PC never sees the internet, I've edited my usual Closing Speech a bit for you.
The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.
Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:
ComboFix /u
--------------------------------------------------------------------
Seeing as this PC became infected from a flash drive used on your work computer, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
PC Safety and Security--What Do I Need?
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.
-----------------------------------------------------
Follow the list above and the potential for infection will reduce dramatically.
#32
Registered User
Join Date: Jan 2007
Posts: 33
OS: WinXP
Re: Win32/NSANTI
Thanks, Ried....
Thanks to you, my PC is now clean (at least from any malware issues)...... Hopefully I can keep it clean and avoid future infections, which is actually easy--no flashdisk usage ^_^--by following the articles given. Thanks a million. So long, Jo.