Jump to content

Strange issue while scanning, probable infection

Recommended Posts

Hello everbody,

please keep in mind english is not my primary language, so i apologize in advance if that text that follows contains any kind of bad grammar/syntax mistakes, so please don't bash me too much about it :)

don't hit me too much about my newbie attempts to fix the problem myself, i honestly didn't even think about the possibility of asking for help here, so well, i hope there's still hope to do something about it, i could format, but i'd really prefer to avoid that.

Now for what concearn my issue: i am currently writing from my laptop, the desktop computer which is infected (winxp sp3 with the latest security updates), had a lot of malware passed through a usb pen (that was used in a crappy shop, damn me, i should have known better) , and the avast antivirus protection updated to the latest definition didn't manage to block the infection from spreading.

At first there were a lot of different kinds of malwares, and the computer would self reset every 60 seconds, with a warning pop up of windows stating that there was a problem with services.exe and that NT authority system had allowed the reboot. it also presented some internet redirections, windows firewall screwed up (like many additional exceptions that shouldn't have been there and so), evident slow downs, impossibility to access some hard drive folders, hidden and system files invisible (despite having the option to see them turned on) and so on.

Well, when i attempted to clean up with my noob attempts, and the only results i was able to accomplish have been the pop up message about rebooting disappearing when i start the system (although it still appears if i boot from safe mode), the possibility of browsing through my folders/seeing hidden files/running programs again, taken out all the stuff i could from the start up/suspicious services etc (although it is quite possible that in my noobness something that didn't have to, have been stopped).

there were also, along other things, a lot of copies of the avast, mbam, acrobat, jave etc. exe files duplicates, with a change in the shortcuts as well to the new infected exe files.

Anyway now, for the 90%, the computer seems to work fine, if i didn't know that there's something very wrong with it, i could hardly notice it from a performance point of view (i can't notice any real slow down so far), but when i run mbam or any other kind of anti malware/antivirus scanner, even from the web (kapersky, panda, housecall...), they all hang while scanning some .sys files located in windows\system32\drivers by the names of: kbdhid.sys, kewcvs.sys (which also have some entries in the registry, although they are protected, and i can't modify them in anyway, and programs like ccleaner don't detect anything malicious in the registry).

I should also point out that any kind of attempt to access such files, would results in the process used to do so stopping from working (explorer or prompt command for dos etc).

This means that i wasn't able to upload manually the files anywhere for scanning.

Some of the succesful scanning with mbam (updated to the latest definition) was done by scanning from safe mode, and it is actually the only program so far that managed to complete the scanning in safe mode, all the other programs i tried to run, even in safe mode, keep blocking themselves when they reach the files i mentioned previously. This includes the microsoft removal tool as well.

Anyway scanning in safe mode with mbam only allowed the removal of some malware files in the previous attempts, now every time that it finishes i get the log saying i am 100% clean.

Thanks in advance to anyone who will try to help me with this nightmare or to suggest me what looks to be unavoidable (the format).

Link to post
Share on other sites

I would have just edited my previous post if i could have just found the edit button in this forum :)

Anyway, i just realized i forgot to add my logs, how smart of me.

Well here they are:


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:51:14, on 28/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:







C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe




C:\Archivos de programa\Java\jre6\bin\jqs.exe

C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe



C:\Documents and Settings\Propietario\Escritorio\IE8-WindowsXP-x86-ESN.exe



C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam .exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\npjpi160_17.dll

O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\npjpi160_17.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Malwarebytes' Anti-Malware 1.41

Database version: 3251

Windows 5.1.2600 Service Pack 3 (Safe Mode)

28/11/2009 23:47:51

mbam-log-2009-11-28 (23-47-51).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)

Objects scanned: 254867

Time elapsed: 38 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I should probably add that MalwareBytes, when running in safe mode, seems to "hang" for a couple minutes at the beginning of the run, probably skipping entirely the winroot\system32\drivers folder, hence the reason it doesn't seem to find any malicious file, while running it normally, does found 2 entries almost at the beginning (i think in the registry) but it always ends up hanging while scanning the above mentioned folder before it can complete the scan, and so giving me the possibility to take action on the threats. i was wondering if there was any way to tell mbam to avoid scanning a specific folder so it could get rid of whatever else it can find?

Anyway thanks again to anyone who'll try to help me out with this.

Link to post
Share on other sites

  • 3 weeks later...

Thanks for letting us know.

Since the problem appears to be resolved, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,


Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.