02-22-2008, 08:30 PM   #1
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


Win32/NSANTI

Dear all,

My PC seems to be infected by the Win32/Nsanti virus. I've read some threads about a similar problem, and decided to take into action some of the advice that the administrator gave to the thread starter.

Anyway, about two weeks ago, I scanned my PC manually with AVG (7.5, free edition) after updating it; it had not been updated for several months before. To my surprise, AVG detected almost a hundred infections on my PC; some of which could be moved to the vault, some had to be deleted, and a few had to be "no action"... Then, a week after that, after I updated my AVG virus database, I tried to run a scan on my PC again. This time only two infections were found, both of which were identified as infected by Win32/Nsanti, one of which is located in the Temp folder. I had them moved to the vault. But when I tried to scan again the day after, the same infections were found; this time I 'deleted' them. But the problem persists: until now, every time I run a scan on my PC, especially on the local disk (drive C:), the same infections--Win32/Nsanti--are always detected, no matter whether I have had them moved to the vault or deleted. What to do then?

Like I said before, I've read some threads about a similar problem and taken some of the advice into action. I downloaded the latest HijackThis and DSS. Yesterday, I ran the DSS scan as Administrator, which provided me with two Notepad logs, main and extra.

Here is the main:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-02-22 21:32:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-02-22 14:32:22 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-02-20 16:32:41 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:02 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Folder Keeper] D:\DELPHI\data\New Folder\folder_keeper\FolderKeeper.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BlueSoleil.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 5565 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R0 RecAgent - c:\windows\system32\drivers\recagent.sys <Not Verified; ; Modem>
R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 Mtlmnt5 - c:\windows\system32\drivers\mtlmnt5.sys <Not Verified; ; Modem>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\slntamr.sys <Not Verified; ; Modem>
R3 SlWdmSup - c:\windows\system32\drivers\slwdmsup.sys <Not Verified; ; Modem>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\fetnd5.sys (file missing)
S3 Mtlstrm - c:\windows\system32\drivers\mtlstrm.sys <Not Verified; ; Modem>
S3 SlNtHal - c:\windows\system32\drivers\slnthal.sys <Not Verified; ; Modem>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>
R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
R2 InterBaseGuardian (InterBase Guardian) - c:\program files\borland\interbase\bin\ibguard.exe <Not Verified; Borland Software Corporation; InterBase Server>
R2 mi-raysat_3dsmax8 (RaySat_3dsmax8 Server) - "c:\program files\autodesk\3dsmax8\mentalray\satellite\raysat_3dsmax8server.exe"
R2 SLService (SmartLinkService) - slserv.exe <Not Verified; ; Modem>
R3 InterBaseServer (InterBase Server) - c:\program files\borland\interbase\bin\ibserver.exe <Not Verified; Borland Software Corporation; InterBase Server>

S3 TUWinStylerThemeSvc (TuneUp WinStyler Theme Service) - "c:\program files\tuneup utilities 2006\winstylerthemesvc.exe" <Not Verified; TuneUp Software GmbH; TuneUp Utilities>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-04-19 23:11:17 388 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-01-22 and 2008-02-22 -----------------------------

2008-02-22 21:29:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-22 21:29:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-02-22 21:29:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-22 21:29:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-02-22 21:29:17 0 d-------- C:\WINDOWS\CSC
2008-02-22 21:18:56 0 d-------- C:\2
2008-02-20 21:49:04 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-20 21:49:04 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-20 21:49:04 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-20 21:49:04 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-20 21:39:06 0 d-------- C:\Program Files\Trend Micro
2008-02-15 22:24:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\ACD Systems
2008-02-15 21:15:26 0 d-------- C:\Documents and Settings\Administrator\Phone Browser
2008-02-14 21:07:18 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-14 21:07:18 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-14 21:07:18 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-14 21:07:18 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-02-14 21:07:18 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-14 21:07:18 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-14 21:07:18 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-14 21:07:18 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-02-14 21:07:18 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-14 21:07:18 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-02-14 21:07:18 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-14 21:07:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-02-14 21:07:18 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-02 22:03:41 0 d-------- C:\Program Files\Free WMA to MP3 Converter
2008-02-02 22:03:04 0 d-------- C:\My Music
2008-02-02 21:59:04 5 --a------ C:\WINDOWS\system32\SySMACJ.dat
2008-02-02 21:58:58 196608 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL>
2008-02-02 21:58:58 450560 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll <Not Verified; NCT Company Ltd.; NCTAudioTransform2 ActiveX DLL>
2008-02-02 21:58:58 315392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll <Not Verified; NCT Company Ltd.; NCTAudioPlayer2 ActiveX DLL>
2008-02-02 21:58:58 1843200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-02-02 21:58:58 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-02-02 21:58:56 0 d-------- C:\Program Files\HiFisoftware
2008-02-01 22:11:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-02-01 22:04:46 63488 --a------ C:\WINDOWS\system32\drivers\wssbtr1f.sys <Not Verified; National Semiconductor Sweden AB; National Semiconductor Sweden AB BlueCard PCMCIA driver>
2008-02-01 22:04:46 48556 --a------ C:\WINDOWS\system32\drivers\SktBt2k.sys <Not Verified; Socket Communications, Inc.; SIO9502K>
2008-02-01 22:04:46 77824 --a------ C:\WINDOWS\system32\drivers\SioUi2k.dll <Not Verified; Socket Communications Inc.; 16C950>
2008-02-01 22:04:46 48076 --a------ C:\WINDOWS\system32\drivers\Sio9502k.sys <Not Verified; Socket Communications, Inc.; SIO9502K>
2008-02-01 22:04:46 40960 --a------ C:\WINDOWS\system32\drivers\SCTray.exe <Not Verified; Socket Communications Inc.; SCTray>
2008-02-01 22:04:46 51169 --a------ C:\WINDOWS\system32\drivers\OXSER.SYS <Not Verified; OEM; OX16C95x>
2008-02-01 22:04:39 11736 --a------ C:\WINDOWS\system32\drivers\VHIDMini.sys <Not Verified; IVT Corporation; IVT BlueSoleil>
2008-02-01 22:04:39 82148 --a------ C:\WINDOWS\system32\drivers\VcommMgr.sys <Not Verified; IVT Corporation; BlueSoleil>
2008-02-01 22:04:39 61312 --a------ C:\WINDOWS\system32\drivers\VComm.sys <Not Verified; IVT Corporation; BlueSoleil>
2008-02-01 22:04:39 11860 --a------ C:\WINDOWS\system32\drivers\vbtenum.sys
2008-02-01 22:04:39 13304 --a------ C:\WINDOWS\system32\drivers\BTNetFilter.sys
2008-02-01 22:04:39 10804 --a------ C:\WINDOWS\system32\drivers\BtNetDrv.sys <Not Verified; IVT Corporation; BlueSoleil>
2008-02-01 22:04:39 28271 --a------ C:\WINDOWS\system32\drivers\BTHidMgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
2008-02-01 22:04:39 20480 --a------ C:\WINDOWS\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
2008-02-01 22:04:38 116021 --a------ C:\WINDOWS\system32\drivers\fw203x.sys <Not Verified; Broadcom; >
2008-02-01 22:04:38 23000 --a------ C:\WINDOWS\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
2008-02-01 22:04:38 7680 --a------ C:\WINDOWS\system32\btinstall.dll <Not Verified; IVT Corporation; BlueSoleil>
2008-02-01 22:04:38 49152 --a------ C:\WINDOWS\system32\btfunc.dll <Not Verified; IVT Corporation; BlueSoleil>
2008-02-01 22:04:38 0 d-------- C:\Program Files\IVT Corporation
2008-01-25 21:23:26 68727 -r-hs---- C:\WINDOWS\system32\avpo.exe
2008-01-23 00:07:06 0 d-------- C:\Program Files\Alwil Software


-- Find3M Report ---------------------------------------------------------------

2008-02-01 22:04:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-23 00:18:49 0 d-------- C:\Program Files\Common Files\Sandlot Shared
2008-01-01 12:13:09 88 --a------ C:\WINDOWS\popcinfo.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [04/26/2005 10:22 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [01/26/2005 11:07 PM]
"nwiz"="nwiz.exe" [01/26/2005 11:07 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [01/26/2005 11:07 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"SoundMan"="SOUNDMAN.EXE" [10/27/2004 01:49 PM C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [03/08/2005 02:33 AM C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [03/11/2005 04:33 PM C:\WINDOWS\system32\VTTrayp.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/20/2008 09:38 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [03/22/2005 09:39 AM]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [03/31/2005 09:30 AM]
"Folder Keeper"="D:\DELPHI\data\New Folder\folder_keeper\FolderKeeper.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2/1/2008 10:04:41 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc




-- End of Deckard's System Scanner: finished at 2008-02-22 21:33:27 ------------



The extra will be in the attachment later.
I also did the PEEK.BAT thing: I copied and pasted the following into a new text document (Notepad) and saved it as peek.bat (type: all files), then I ran it and it provided me with a Notepad file named peek.txt:
Code:
type "C:\boot.ini">C:\look.txt
Start notepad C:\look.txt
del peek.bat



Here is the file(peek.txt):
[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=S88W6L /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=S88W6L-BAK


I know that I should've asked before taking them into action, but I noticed that they were not really harmful in terms of the effect/result on my PC, so I endeavoured to do it.


Any help/suggestion/advice on how to delete the Win32/Nsanti virus from my PC? Any troubleshooting will be welcomed.
Thanks in advance.


Rgds,
JO.


PS: I do not have a direct internet connection at home. I usually use the internet in the office... so every step/advice/suggestion/troubleshooting given to me will be responded to one night after (I can read it any time in the office, but I can't take any of it into action, as my PC is at home, not at the office). So, please make sure you could help me by responding/giving advice/suggestions/asking for troubleshooting in a more complete/longer way, to avoid a long wait for my response later. Hope nobody minds.
Attached file: extra.txt (15.5 KB)

Last edited by eagerJO : 02-22-2008 at 08:39 PM.
02-24-2008, 08:02 PM   #2
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


Re: Win32/NSANTI

**bump**
02-24-2008, 08:42 PM   #3
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


Re: Win32/NSANTI

It's getting worse now... This morning my PC shut down by itself, then restarted with the sound of 'tet...' (a loud beep), shut down again and then did not show any picture on the screen, though the CPU noise could still be heard.
After about 10-15 mins, I powered on my PC and now it's behaving as normal. What was happening?
Is the virus affecting my PC's behaviour right now? As far as I know, this NSANTI only attacks Windows browsers, am I right?
02-24-2008, 10:24 PM   #4
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Win32/NSANTI

Hello Jo,

I'm afraid it's a bit more serious than just a browser issue. You mentioned this PC has no direct internet connection--where is the flash drive/removable media that infected this machine? You'll need that so it can be disinfected as well before it spreads this infection to yet another computer.

Download Flash_Disinfector.exe and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

-----------------------------------------------------------

Now please download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt , an update on system behavior, and a new HijackThis log for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
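Ried's reply above singles out removable media as the carrier. As an added example, not part of this thread or of any tool named in it, the Python script below performs two checks an analyst makes over DSS/ComboFix-style log text: executables created under the Windows directory with both the hidden and system attributes, and HKCU mountpoints2 shell handlers whose target is a program on a drive other than the fixed ones (the trace a drive's autorun.inf leaves in the user's profile). The sample lines are constructed from entries in this thread's logs; the Windows root (C:\WINDOWS) and the fixed-drive set (C:, D:) are assumptions.

```python
"""Triage helper for DSS / ComboFix-style text logs.

Added example; not part of DSS, ComboFix, HijackThis or the replies in
this thread. Assumed: Windows root C:\\WINDOWS, fixed drives C: and D:.
"""
import re
from dataclasses import dataclass

EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr", ".pif", ".bat")

# A file line as DSS prints it ("date time size attrs path") or as ComboFix
# prints it ("date time . date time size attrs path"); a trailing
# "<Not Verified; ...>" note, as DSS adds, is dropped from the path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"       # first timestamp
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"          # ComboFix second timestamp
    r" (?P<size>[\d,]+|<DIR>|-+) (?P<attrs>[-a-zA-Z]{5,9})"
    r" (?P<path>\S.*?)(?:\s+<[^>]*>)?$"
)
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
HANDLER_LINE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$", re.I)

# Constructed sample: layout and names mirror entries in this thread's DSS and
# ComboFix logs, with benign lines in each section for contrast.
SAMPLE_LOG = r"""
-- Files created between 2008-01-22 and 2008-02-22 -----------------------------
2008-02-20 21:49:04 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-01-25 21:23:26 68727 -r-hs---- C:\WINDOWS\system32\avpo.exe
2008-02-25 20:45 . 2008-02-25 20:45 13,824 -r-hs---- C:\WINDOWS\system32\avpo0.dll
2007-08-15 15:54 45,056 --sha-w C:\WINDOWS\word.exe
2008-02-14 21:07:18 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\Deckard

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e20de64-acad-11dc-9b31-0013d3feae51}]
\Shell\AutoRun\command - F:\n1deiect.com
\Shell\explore\Command - F:\n1deiect.com
\Shell\open\Command - F:\n1deiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b6d98b4-5af8-11dc-9a91-0013d3feae51}]
\Shell\AutoRun\command - G:\n1deiect.com
\Shell\open\Command - D:\setup.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "hidden_system_executable" or "removable_autorun_handler"
    detail: str


def parse_file_entries(text):
    """Yield (attrs, path) for every line that looks like a file entry."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            yield m.group("attrs"), m.group("path").strip()


def find_hidden_system_executables(text, system_root="C:\\WINDOWS\\"):
    """Executables under system_root whose attribute string carries h and s."""
    hits = []
    for attrs, path in parse_file_entries(text):
        if attrs.startswith("d"):            # directory entry, not a file
            continue
        flagged = "h" in attrs and "s" in attrs
        in_root = path.lower().startswith(system_root.lower())
        if flagged and in_root and path.lower().endswith(EXECUTABLE_EXT):
            hits.append(path)
    return hits


def find_mountpoint_handlers(text, fixed_drives=("C", "D")):
    """(guid, verb, target) for each mountpoints2 shell handler whose target
    sits on a drive letter outside fixed_drives."""
    fixed = {d.upper() for d in fixed_drives}
    hits, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_LINE.match(line)
        if km:
            current_key = km.group("key")
            continue
        if current_key is None or "mountpoints2" not in current_key.lower():
            continue
        hm = HANDLER_LINE.match(line)
        if not hm:
            continue
        target = hm.group("target").strip()
        drive = target[0].upper() if len(target) > 1 and target[1] == ":" else "?"
        if drive not in fixed:
            guid = current_key.rsplit("\\", 1)[-1]
            hits.append((guid, hm.group("verb").lower(), target))
    return hits


def autorun_targets_by_key(text):
    """Targets per mountpoints2 key; all verbs pointing at one program on a
    removable drive is the autorun.inf pattern."""
    grouped = {}
    for guid, _verb, target in find_mountpoint_handlers(text):
        grouped.setdefault(guid, set()).add(target)
    return grouped


def triage(text):
    findings = [Finding("hidden_system_executable", p)
                for p in find_hidden_system_executables(text)]
    for guid, verb, target in find_mountpoint_handlers(text):
        findings.append(Finding("removable_autorun_handler", f"{guid} {verb} -> {target}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.detail}")
```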
02-26-2008, 08:02 PM   #5
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


Re: Win32/NSANTI

Hi Ried,

Sorry for this (very) late reply; I was too busy with my work down here.
Anyway, here is the ComboFix.txt file:
ComboFix 08-02-25.2 - WinXp 2008-02-25 20:48:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.634 [GMT 7:00]
Running from: C:\Documents and Settings\WinXp\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 20:45 . 2008-02-25 20:45 13,824 -r-hs---- C:\WINDOWS\system32\avpo0.dll
2008-02-22 22:00 . 2008-02-20 11:02 1,333 --a------ C:\showhiddenfiles.vbs
2008-02-22 21:53 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-22 21:53 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\Deckard
2008-02-22 21:29 . 2008-02-22 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-02-22 21:29 . 2008-02-22 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-22 21:29 . 2008-02-25 20:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-22 21:29 . 2005-01-07 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-20 21:39 . 2008-02-20 21:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 22:24 . 2008-02-15 22:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ACD Systems
2008-02-15 21:15 . 2008-02-15 21:15 <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
2008-02-02 22:04 . 2008-02-12 23:03 135 --a------ C:\WINDOWS\Mp3ACutjoin.ini
2008-02-02 22:03 . 2008-02-02 22:03 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2008-02-02 22:03 . 2008-02-12 23:01 <DIR> d-------- C:\My Music
2008-02-02 21:59 . 2008-02-12 23:03 5 --a------ C:\WINDOWS\system32\SySMACJ.dat
2008-02-02 21:58 . 2008-02-02 21:58 <DIR> d-------- C:\Program Files\HiFisoftware
2008-02-02 21:58 . 2004-12-08 13:21 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2008-02-02 21:58 . 2004-08-02 15:09 450,560 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-02-02 21:58 . 2004-12-01 14:43 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2008-02-02 21:58 . 2003-08-07 14:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-02-02 21:58 . 2004-05-20 14:24 196,608 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-02-02 21:58 . 2003-12-08 12:49 116,304 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-02-01 22:11 . 2008-02-01 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-02-01 22:04 . 2008-02-01 22:04 <DIR> d-------- C:\Program Files\IVT Corporation
2008-02-01 22:04 . 2004-09-21 18:18 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
2008-01-25 21:23 . 2007-08-20 18:48 68,727 -r-hs---- C:\WINDOWS\system32\avpo.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 03:46 --------- d-----w C:\Documents and Settings\WinXp\Application Data\AVG7
2008-02-17 17:09 --------- d-----w C:\Documents and Settings\Phin\Application Data\AVG7
2008-02-01 15:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 17:18 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2008-01-22 17:07 --------- d-----w C:\Program Files\Alwil Software
2007-08-15 15:54 45,056 --sha-w C:\WINDOWS\word.exe
2007-08-20 11:48 68,727 --sh--r C:\WINDOWS\system32\avpo.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 07:00 1694208]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-04-20 09:57 847872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-07 07:00 15360]
"avpa"="C:\WINDOWS\system32\avpo.exe" [2007-08-20 18:48 68727]
"BolaMata"="D:\DELPHI\data\New Folder\mata\BOLAMATA.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-26 10:22 589824]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 23:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 23:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 23:07 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 13:49 73728 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 02:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 16:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-20 21:38 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 16:25 6731312]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-03-22 09:39 167936]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 09:30 1106944]
"Folder Keeper"="D:\DELPHI\data\New Folder\folder_keeper\FolderKeeper.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-20 21:38 219136]

C:\Documents and Settings\WinXp\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-04-20 13:12:57 45056]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R1 BIOS;BIOS;C:\WINDOWS\System32\drivers\BIOS.sys [2005-03-16 13:23]
R2 InterBaseGuardian;InterBase Guardian;C:\Program Files\Borland\InterBase\bin\ibguard.exe [2001-11-29 19:50]
R3 InterBaseServer;InterBase Server;C:\Program Files\Borland\InterBase\bin\ibserver.exe [2001-11-29 19:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e20de64-acad-11dc-9b31-0013d3feae51}]
\Shell\AutoRun\command - F:\n1deiect.com
\Shell\explore\Command - F:\n1deiect.com
\Shell\open\Command - F:\n1deiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49b0ff92-b562-11dc-9b43-0013d3feae51}]
\Shell\AutoRun\command - F:\n1deiect.com
\Shell\explore\Command - F:\n1deiect.com
\Shell\open\Command - F:\n1deiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b6d98b4-5af8-11dc-9a91-0013d3feae51}]
\Shell\AutoRun\command - G:\n1deiect.com
\Shell\explore\Command - G:\n1deiect.com
\Shell\open\Command - G:\n1deiect.com

.
Contents of the 'Scheduled Tasks' folder
"2007-04-19 16:11:17 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 20:49:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 20:50:15
ComboFix-quarantined-files.txt 2008-02-25 13:50:07
ComboFix2.txt 2008-02-20 16:16:22
ComboFix3.txt 2008-02-20 15:05:44
ComboFix4.txt 2008-02-20 14:51:22


New HJT logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51, on 2008-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Folder Keeper] D:\DELPHI\data\New Folder\folder_keeper\FolderKeeper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKCU\..\Run: [BolaMata] "D:\DELPHI\data\New Folder\mata\BOLAMATA.EXE"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 6142 bytes


PC behaviour: well, it does not shut down and restart anymore (don't really know why), I guess the viruses are still there. Overall, the same behaviour as when I posted this thread for the first time.

Last edited by eagerJO : 02-26-2008 at 08:03 PM.
Old 02-26-2008, 08:20 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Win32/NSANTI

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\avpo0.dll
C:\WINDOWS\system32\avpo.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avpa"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e20de64-acad-11dc-9b31-0013d3feae51}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49b0ff92-b562-11dc-9b43-0013d3feae51}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b6d98b4-5af8-11dc-9a91-0013d3feae51}]
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that in your next reply.

--------------------------------------------------------------------

Quote:
I do not have direct internet connection at home. I usually use the internet in the office
This PC never connects to the internet--is that correct?

Quote:
Originally Posted by Ried
You mentioned this PC has no direct internet connection--where is the flash drive/removable media that infected this machine? You'll need that so it can be disinfected as well before it spreads this infection to yet another computer
How did this PC get infected? Did you find and insert the removable media that first brought this infection to this system?

Also, I'm a bit confused--your ComboFix.txt is stating the Recovery Console is not installed, yet you posted a boot.ini earlier. Did you remove it?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
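As an added example (not part of the thread, and not ComboFix's own code), the following Python script applies the same reasoning Ried used on the ComboFix log above: it picks out MountPoints2 keys whose shell verbs launch an executable straight from a drive root (the n1deiect.com entries) and emits the matching `[-KEY]` lines in the `Registry::` section of a CFScript. The sample log is constructed from the log lines in the thread plus one benign entry (the all-zero GUID, assumed, not from the page) so the filter has something to ignore.

```python
import re

# Constructed sample: MountPoints2 keys lifted from the ComboFix log in the thread,
# plus one benign entry (all-zero GUID, assumed) whose command is not in a drive root.
SAMPLE_COMBOFIX_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e20de64-acad-11dc-9b31-0013d3feae51}]
\Shell\AutoRun\command - F:\n1deiect.com
\Shell\explore\Command - F:\n1deiect.com
\Shell\open\Command - F:\n1deiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b6d98b4-5af8-11dc-9a91-0013d3feae51}]
\Shell\AutoRun\command - G:\n1deiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - E:\setup\install.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\\w+\\command - (?P<cmd>.+)$", re.I)
# An executable sitting directly in a drive root, e.g. F:\n1deiect.com: the
# classic footprint a removable-media autorun worm leaves in MountPoints2.
DRIVE_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\[^\\]+\.(exe|com|bat|cmd|scr|pif)$", re.I)


def find_autorun_mountpoints(log_text):
    """Return {registry_key: [commands]} for MountPoints2 keys whose shell verbs
    (AutoRun/open/explore) launch a drive-root executable."""
    hits, current_key = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)      # remember which key the verbs below belong to
            continue
        m = CMD_RE.match(line)
        if m and current_key and DRIVE_ROOT_EXE_RE.match(m.group("cmd")):
            hits.setdefault(current_key, []).append(m.group("cmd"))
    return hits


def build_cfscript(keys):
    """Emit a CFScript 'Registry::' section that deletes each key ([-KEY] syntax)."""
    return "\n".join(["Registry::"] + [f"[-{k}]" for k in sorted(keys)]) + "\n"


if __name__ == "__main__":
    found = find_autorun_mountpoints(SAMPLE_COMBOFIX_LOG)
    for key, cmds in found.items():
        print(key, "->", ", ".join(cmds))
    print(build_cfscript(found))
```

The `[-KEY]` lines it prints are the same form Ried used for the three MountPoints2 keys; the `File::` section and the `"avpa"=-` value deletion still have to be added by hand from the O4 line in the HijackThis log.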
Old 02-26-2008, 08:48 PM   #7 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


Re: Win32/NSANTI

Quote:
Originally Posted by Ried View Post
When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that in your next reply.
I'll post the reply tomorrow (it's morning here, 10.41 am, I am at work, so it'll be the next day then; you don't mind, do you?)

Quote:
This PC never connects to the internet--is that correct?
Yes, it's correct.

Quote:
How did this PC get infected? Did you find and insert the removable media that first brought this infection to this system?
I think it's the flash disk (removable media) that I continuously use when transferring data from work to continue working at home, because in the first place (about 3 weeks ago) AVG detected there were viruses in that flash disk, but I was able to delete them. This thing (viruses found and then deleted) happened several times; I think the viruses had the same name (related to the autorun thing, I guess), and even though I deleted them at the pop-up, AVG still detected the viruses every time I plugged it in, till at last no more viruses were detected in my flash disk (after I found out how to disable autorun by using the command prompt); instead it found viruses in my PC now.

Quote:
Also, I'm a bit confused--your ComboFix.txt is stating the Recovery Console is not installed, yet you posted a boot.ini earlier. Did you remove it?
I probably removed it, accidentally. Like I said before in the first post, before posting this new thread in this forum, I'd read several similar posts (win32/nsanti) and taken some suggestions/troubleshooting given by the administrator/analyst into action.
Well, is it harmful? How do I re-install it if it's essential to be there? Sorry for causing such a mess for you.
Old 02-26-2008, 09:06 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Win32/NSANTI

Hi Jo,

1. Tomorrow will be fine.

2. If those flash disks were truly disinfected, they would not have infected this machine.
Bring those flash disks home with you and we'll clean those properly as well.

3. It's a quick, simple procedure to reinstall the Recovery Console. While it may not be needed at this time, infections these days tend to patch a lot of critical system files, which often results in multiple problems, one of which can be an unbootable machine. Having the Windows Recovery Console installed on your machine in advance can save a lot of heartache in the future.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System





Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Old 02-26-2008, 09:44 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


Re: Win32/NSANTI

Quote:
Originally Posted by Ried View Post
2. If those flash disks were truly disinfected, they would not have infected this machine.
Bring those flash disks home with you and we'll clean those properly as well.
Yeah, I thought so as well. All right, I'll have them with me then at home.

Quote:
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Which one should I do first? Have the Recovery Console installed and then drag and drop the CFScript onto ComboFix, or vice versa? Do I need to provide both logs, or only the final one?
Old 02-26-2008, 09:49 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Win32/NSANTI

Please install the Recovery Console first. Compare the CF_RC.txt with the boot.ini you first posted. If it matches, all is good and no need to supply that log to me.

**edit**

Insert those flash disks before you run ComboFix.exe so I can see what's on them.
Old 02-26-2008, 09:56 PM   #11 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


Re: Win32/NSANTI

OK, Ried,
I'll get back to you again tomorrow.
Anyway, what time is it over there, in Japan?