
nvheglo.sys <Trojan.Bubnix>



My computer's DSL internet connection has about died; there seems to be a ton of traffic running through the connection. That traffic only really starts if I access the net in any way; even just doing an update on Malwarebytes starts the data flow. Scanned with Malwarebytes and it came up with a Trojan.Bubnix located in my /system32/drivers directory called nvheglo.sys. Malwarebytes couldn't remove it, even on a reboot. I've tried googling "nvheglo.sys" and nothing comes up. Wondering if anyone has come across this stinker? Suggestions on removing? Sorry, I am pretty careful while surfing so I don't deal with removing these things too often, but this one got in.

Thanks

B.Kidd


Hi and Welcome!!

First, Make files and folders visible:

Click Start > Open "My Computer"

Select the Tools menu and click "Folder Options."

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

=================

Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop

Save and rename it as you download it to explorer.exe

Double-click explorer.exe on your Desktop to run it

In the "Scan Type" window, select Full Scan

Perform the scan, and then click Finish when it is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Click on Start, Run

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

notepad c:\windows\debug\mrt.log

Then, Please follow the instructions here and copy/paste all requested logs into this topic:

http://forums.malwarebytes.org/index.php?showtopic=9573

Thank You!


OK, I finally got all the scans done. I "think" I was actually able to remove the original issue with "nvheglo.sys" using the MSRT. As you can see in the mrt.log here, there is the original first scan after I downloaded MSRT, and the second scan at the bottom of the log, which doesn't show "nvheglo.sys" anymore but shows other issues:

--------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.11, September 2010

Started On Wed Oct 06 17:58:54 2010

Extended Scan Results

----------------

->Scan ERROR: resource service://nvheglo (code 0x0000054F (1359))

->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))

Threat detected: Trojan:WinNT/Bubnix.gen!A

file://C:\WINDOWS\system32\drivers\nvheglo.sys

SigSeq: 0x00003F963B4BEA4D

SHA1: 5441BC2F942B27E52B9A458F9FFB003807C93C4B

Threat detected: TrojanDropper:Win32/Cutwail.AV

file://C:\WINDOWS\Temp\NS33.tmp

SigSeq: 0x000010871BCE6B76

SHA1: DB1F14C11CB45137227EB70C48E2622BAC74B2E8

file://C:\WINDOWS\Temp\NS47.tmp

SigSeq: 0x000010871BCE6B76

SHA1: 4F388D0E0AE964F0B3FEA0037FC3D7E80A946EC6

file://C:\WINDOWS\Temp\NS5D.tmp

SigSeq: 0x000010871BCE6B76

SHA1: 16E3E74882AF0AFD0F56939694542C2A0CB0CF79

Threat detected: Virus:Win32/Cutwail.I

file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1285\A0029801.sys

SigSeq: 0x0000287F3D093213

SHA1: 62459B12B6B412151E509F984102616BE303ED2D

Threat detected: Virus:Win32/Cutwail.I

file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1285\A0029800.sys

SigSeq: 0x0000287F3D093213

SHA1: 62459B12B6B412151E509F984102616BE303ED2D

Threat detected: Virus:Win32/Cutwail.I

file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1286\A0029813.sys

SigSeq: 0x0000287F3D093213

SHA1: 578CCF22EBDAC0A658ABD04CCAF262297FA7AD80

Extended Scan Removal Results

----------------

Start 'remove' for file://\\?\C:\WINDOWS\Temp\NS5D.tmp

Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\Temp\NS47.tmp

Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\Temp\NS33.tmp

Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\nvheglo.sys

Operation was scheduled to be completed after next reboot.

Results Summary:

----------------

For cleaning Trojan:WinNT/Bubnix.gen!A, the system needs to be restarted.

For cleaning TrojanDropper:Win32/Cutwail.AV, the system needs to be restarted.

Found Virus:Win32/Cutwail.I, partially removed.

Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 06 20:52:27 2010

Return code: 10 (0xa)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.11, September 2010

Started On Wed Oct 06 21:02:20 2010

Extended Scan Results

----------------

->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))

Threat detected: Trojan:WinNT/Bubnix.gen!A

file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1367\A0032415.sys

SigSeq: 0x00003F963B4BEA4D

SHA1: 5441BC2F942B27E52B9A458F9FFB003807C93C4B

Threat detected: Virus:Win32/Cutwail.I

file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1285\A0029801.sys

SigSeq: 0x0000287F3D093213

SHA1: 62459B12B6B412151E509F984102616BE303ED2D

Threat detected: Virus:Win32/Cutwail.I

file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1285\A0029800.sys

SigSeq: 0x0000287F3D093213

SHA1: 62459B12B6B412151E509F984102616BE303ED2D

Threat detected: Virus:Win32/Cutwail.I

file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1286\A0029813.sys

SigSeq: 0x0000287F3D093213

SHA1: 578CCF22EBDAC0A658ABD04CCAF262297FA7AD80

Here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:23:05 PM, on 10/7/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Razer\razerhid.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Razer\razertra.exe

C:\Program Files\Razer\razerofa.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162616923437

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

End of file - 4731 bytes

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4772

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

10/7/2010 7:13:48 PM

mbam-log-2010-10-07 (19-13-48).txt

Scan type: Quick scan

Objects scanned: 138573

Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And here is the DDS.txt:

DDS (Ver_10-10-05.01) - NTFSx86

Run by Brian at 19:18:05.29 on Thu 10/07/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1501 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Razer\razerhid.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Razer\razertra.exe

C:\Program Files\Razer\razerofa.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [razer] c:\program files\razer\razerhid.exe

mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162616923437

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\oc6l4r08.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [2006-12-29 189792]

R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [2006-12-29 3712]

R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [2006-12-29 7584]

R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;c:\windows\system32\drivers\cmudaxp.sys [2007-2-21 1423360]

R3 NPUSB;NPUSB;c:\windows\system32\drivers\npusb.sys [2007-1-22 15360]

R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2006-10-28 13225]

S0 wvaml;wvaml; [x]

UnknownUnknown nmzessgl;nmzessgl; [x]

=============== Created Last 30 ================

2010-10-08 02:16:39 0 ----a-w- c:\documents and settings\brian\defogger_reenable

2010-10-07 03:50:23 -------- d-----w- c:\windows\system32\MpEngineStore

2010-10-06 01:51:37 -------- d-----w- c:\program files\FileASSASSIN

==================== Find3M ====================

2010-07-14 02:22:57 47616 ---ha-w- c:\windows\system32\diskager.dll

2001-11-23 12:08:20 712704 ----a-w- c:\windows\inf\other\audio3d.dll

============= FINISH: 19:19:01.71 ===============

And, as directed, I have attached Attach.zip containing Attach.txt and ARK.txt.

Attach.zip


Everything that the MSRT is detecting is in System Volume Information. That is the sequestered data that your computer uses when you choose to restore your system to an earlier state using the "System Restore" feature. Those detections are not active threats, so you do not need to worry, and we can purge those infected restore points at the end of the cleanup.

What I want to know is whether you are still getting the network traffic that you reported in your initial post, because you should no longer have any active threats (active meaning: threats that are running on your system):

My computer's DSL internet connection has about died; there seems to be a ton of traffic running through the connection. That traffic only really starts if I access the net in any way; even just doing an update on Malwarebytes starts the data flow.
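The point made in the reply above (a detection under System Volume Information is a System Restore snapshot, not a file the OS loads) is one you can check mechanically against the log. The following is an added example, written for this page and not code from the thread, from Malwarebytes or from Microsoft's MSRT: a Python parser for the mrt.log layout exactly as it appears in the post above (one "Threat detected:" line, then file:// / SigSeq: / SHA1: triples, then a removal section with "Start 'remove' for" and an "Operation ..." outcome, a new scan beginning at each "Started On" line). The sample input is excerpted from that posted log. The script separates detections at live paths from snapshot copies and uses the SHA1 column to show that the Bubnix file the second scan found in RP1367 is byte-identical to the driver removed from system32\drivers in the first scan. Treating anything under System Volume Information\_restore as a snapshot is the XP layout and is an assumption for anything else.

```python
import re
from collections import defaultdict

# Sample input: lines excerpted from the two mrt.log scans posted above
# (only the fields the parser reads are kept; nothing here is invented).
MRT_LOG = r"""
Microsoft Windows Malicious Software Removal Tool v3.11, September 2010
Started On Wed Oct 06 17:58:54 2010
Threat detected: Trojan:WinNT/Bubnix.gen!A
file://C:\WINDOWS\system32\drivers\nvheglo.sys
SigSeq: 0x00003F963B4BEA4D
SHA1: 5441BC2F942B27E52B9A458F9FFB003807C93C4B
Threat detected: TrojanDropper:Win32/Cutwail.AV
file://C:\WINDOWS\Temp\NS33.tmp
SigSeq: 0x000010871BCE6B76
SHA1: DB1F14C11CB45137227EB70C48E2622BAC74B2E8
file://C:\WINDOWS\Temp\NS47.tmp
SigSeq: 0x000010871BCE6B76
SHA1: 4F388D0E0AE964F0B3FEA0037FC3D7E80A946EC6
Threat detected: Virus:Win32/Cutwail.I
file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1285\A0029801.sys
SigSeq: 0x0000287F3D093213
SHA1: 62459B12B6B412151E509F984102616BE303ED2D
Threat detected: Virus:Win32/Cutwail.I
file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1285\A0029800.sys
SigSeq: 0x0000287F3D093213
SHA1: 62459B12B6B412151E509F984102616BE303ED2D
Start 'remove' for file://\\?\C:\WINDOWS\Temp\NS33.tmp
Operation succeeded !
Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\nvheglo.sys
Operation was scheduled to be completed after next reboot.
Microsoft Windows Malicious Software Removal Tool v3.11, September 2010
Started On Wed Oct 06 21:02:20 2010
Threat detected: Trojan:WinNT/Bubnix.gen!A
file://C:\System Volume Information\_restore{41D6C692-290A-4F59-AFB0-1AB3F1CCB0C2}\RP1367\A0032415.sys
SigSeq: 0x00003F963B4BEA4D
SHA1: 5441BC2F942B27E52B9A458F9FFB003807C93C4B
"""

# "file://<path>", optionally with the \\?\ long-path prefix MSRT uses in removal lines.
FILE_RE = re.compile(r"^file://(?:\\\\\?\\)?(.+)$")


def parse_mrt_log(text):
    """One record per detected file: scan number, threat name, path, SHA1, removal outcome."""
    records, by_path = [], {}
    scan, threat, current, pending_removal = 0, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Started On"):
            scan += 1
            by_path = {}  # removal lines refer to the current scan's detections
        elif line.startswith("Threat detected:"):
            threat = line.split(":", 1)[1].strip()
        elif line.startswith("Start 'remove' for "):
            m = FILE_RE.match(line[len("Start 'remove' for "):])
            pending_removal = m.group(1) if m else None
        elif line.startswith("Operation") and pending_removal:
            rec = by_path.get(pending_removal.lower())
            if rec:
                rec["removal"] = line
            pending_removal = None
        elif line.startswith("file://"):
            path = FILE_RE.match(line).group(1)
            current = {"scan": scan, "threat": threat, "path": path,
                       "sha1": None, "removal": None}
            records.append(current)
            by_path[path.lower()] = current
        elif line.startswith("SHA1:") and current:
            current["sha1"] = line.split(":", 1)[1].strip().upper()
    return records


def is_restore_point(path):
    """True for System Restore snapshot copies (XP layout); these are never loaded by the OS."""
    return "\\system volume information\\_restore" in path.lower()


def active_detections(records):
    """Detections at live locations (drivers directory, Temp, ...)."""
    return [r for r in records if not is_restore_point(r["path"])]


def restore_point_copies_of_active(records):
    """Snapshot files whose SHA1 equals a file seen at a live location:
    identical bytes, i.e. the copy System Restore saved before the file was removed."""
    active_hashes = {r["sha1"] for r in active_detections(records) if r["sha1"]}
    return [r for r in records if is_restore_point(r["path"]) and r["sha1"] in active_hashes]


def summarize(records):
    """Per-scan count of live vs. snapshot detections."""
    out = defaultdict(lambda: {"active": 0, "restore_point": 0})
    for r in records:
        out[r["scan"]]["restore_point" if is_restore_point(r["path"]) else "active"] += 1
    return dict(out)


if __name__ == "__main__":
    recs = parse_mrt_log(MRT_LOG)
    for scan, counts in sorted(summarize(recs).items()):
        print(f"scan {scan}: {counts}")
    for r in active_detections(recs):
        print(f"ACTIVE {r['threat']}: {r['path']} -> {r['removal']}")
    for r in restore_point_copies_of_active(recs):
        print(f"snapshot copy of a live detection: {r['path']} (SHA1 {r['sha1'][:8]}...)")
```

On the posted log this reports three live detections and two snapshot copies in the first scan, none live and one snapshot copy in the second, with the nvheglo.sys removal recorded as "scheduled to be completed after next reboot" and the RP1367 file carrying the same SHA1 as the removed driver.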

You're welcome and it sounds good.

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs.
  • Use Internet Explorer to navigate to the scanner website, because you must approve the installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start".
  • Approve the installation of the ActiveX control that's required to enable scanning.
  • Make sure the "Remove found threats" box is CHECKED!!
  • Click "Start".
  • Allow the definition database to install.
  • Click "Scan".

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck the "Require server verification for all sites in this zone" check box at the bottom of the dialog. Add the above www.eset.com URL to the list of trusted sites by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com URL to the exceptions list for cookie blocking.


OK, I ran ESET.

Here is the text file from ESET:

C:\Documents and Settings\LocalService\Local Settings\Application Data\ntxmlmulti\ntxmlmulti.dll a variant of Win32/Agent.QRF trojan cleaned by deleting - quarantined

C:\hold\mexepet.dll a variant of Win32/Cimag.CW trojan cleaned by deleting - quarantined

C:\WINDOWS\system32\diskager.dll a variant of Win32/PSW.Papras.BO trojan cleaned by deleting (after the next restart) - quarantined

C:\WINDOWS\Temp\NS1E.tmp a variant of Win32/Agent.QRF trojan deleted - quarantined

C:\WINDOWS\Temp\NS34.tmp Win32/Agent.QRF trojan deleted - quarantined

C:\WINDOWS\Temp\NS59.tmp a variant of Win32/Agent.QRF trojan deleted - quarantined

C:\WINDOWS\Temp\~TM8E.tmp a variant of Win32/Kryptik.FNB trojan cleaned by deleting - quarantined

What next?

Thank you


Let's try to remove some service orphans:

Type cmd into the Start Search box

Right-click cmd.exe (under Programs at the top of the listing) and select "Run as Administrator" to open an elevated command prompt

Copy/Paste the following at the command line:

sc delete wvaml

Hit Enter

Copy/Paste the following at the command line:

sc delete nmzessgl

Hit Enter

Right-click an empty area in the same command window

Choose "Select All"

Right-click an empty area in the command window, again

Copy/Paste the contents of the clipboard into a Notepad text file

Post that back in your next reply

For example, you may get something like this message:

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

or something like this:

Microsoft Windows [Version 6.0.6002]

Copyright


OK, I ran the Command Prompt commands; this is what I got:

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>sc delete wvaml

[SC] DeleteService SUCCESS

C:\WINDOWS\system32>sc delete nmzessgl

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\WINDOWS\system32>

Then I went ahead and ran the TFC and cleaned out the temp files.

Thank you
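The two service names in the sc delete step come straight from the SERVICES / DRIVERS section of the DDS report posted earlier, where both are marked [x]. As an added example (mine; not code from the thread, from DDS or from Malwarebytes), here is a Python triage helper that reads that section, picks out the [x] entries, prints the sc delete lines an elevated prompt needs, and maps the [SC] result lines of a pasted cmd.exe session back to outcomes using the Win32 error codes 5 (access denied), 1060 (service does not exist) and 1072 (marked for delete). My reading of DDS's flags column (R/S for running/stopped, the digit as the Service Control Manager start type, [x] for an image DDS could not find) is an assumption from the lines on this page, not something DDS documents here. The forum rendered [SC] as [sC], so the matcher ignores case. Sample inputs are copied from the posts above.

```python
import re

# Sample input: the SERVICES / DRIVERS entries from the DDS report above
# (two healthy driver lines plus the two orphans the helper asked to delete).
DDS_SERVICES = r"""
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [2006-12-29 189792]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2006-10-28 13225]
S0 wvaml;wvaml; [x]
UnknownUnknown nmzessgl;nmzessgl; [x]
"""

# Sample input: the cmd.exe session the original poster pasted back.
SC_OUTPUT = r"""
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>sc delete wvaml
[SC] DeleteService SUCCESS

C:\WINDOWS\system32>sc delete nmzessgl
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

# <flags> <name>;<display name>;<image path> [<date> <size>]   or   <flags> <name>;<display>; [x]
DDS_LINE_RE = re.compile(r"^(\S+)\s+([^;]+);([^;]*);(.*)$")
# Assumption about DDS's flags column: R/S = running/stopped, digit = SCM start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
STATES = {"R": "running", "S": "stopped"}

SC_CMD_RE = re.compile(r">sc delete (\S+)\s*$")
SC_RESULT_RE = re.compile(r"^\[SC\]\s+(\w+)\s+(SUCCESS|FAILED\s+(\d+))", re.I)  # forum showed "[sC]"
# Win32 error codes sc.exe reports for the common outcomes of 'sc delete'.
WIN32_ERRORS = {
    5: "access denied (prompt not elevated?)",
    1060: "service does not exist (already gone)",
    1072: "service marked for delete (reboot pending)",
}


def parse_dds_services(text):
    """One dict per DDS service/driver line; image_missing is True for '[x]' entries."""
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE_RE.match(raw.strip())
        if not m:
            continue
        flags, name, display, tail = m.groups()
        tail = tail.strip()
        missing = tail == "[x]"
        entries.append({
            "name": name,
            "display": display,
            "state": STATES.get(flags[0], "unknown"),
            "start": START_TYPES.get(flags[1:], "unknown") if len(flags) == 2 else "unknown",
            "path": None if missing else tail.split(" [", 1)[0],
            "image_missing": missing,
        })
    return entries


def orphaned_services(entries):
    """Registrations whose image file is gone: typically the registry key left behind
    after an AV tool deleted a malicious driver.  Without the file the key loads nothing,
    but it still names a boot-start load path, so it is removed rather than left around."""
    return [e for e in entries if e["image_missing"]]


def sc_delete_commands(entries):
    """The cmd.exe lines to remove each orphan (run from an elevated prompt)."""
    return [f"sc delete {e['name']}" for e in orphaned_services(entries)]


def interpret_sc_output(output):
    """Map each 'sc delete <name>' in a pasted cmd.exe session to its outcome."""
    results, pending = {}, None
    for line in output.splitlines():
        cmd = SC_CMD_RE.search(line)
        if cmd:
            pending = cmd.group(1)
            continue
        res = SC_RESULT_RE.match(line.strip())
        if res and pending:
            if res.group(2).upper() == "SUCCESS":
                results[pending] = "deleted"
            else:
                code = int(res.group(3))
                results[pending] = WIN32_ERRORS.get(code, f"error {code}")
            pending = None
    return results


if __name__ == "__main__":
    entries = parse_dds_services(DDS_SERVICES)
    for cmd in sc_delete_commands(entries):
        print(cmd)
    for name, outcome in interpret_sc_output(SC_OUTPUT).items():
        print(f"{name}: {outcome}")
```

Run against the posted session it reports wvaml as deleted and nmzessgl as already gone (1060), which is the same conclusion the helper drew: a 1060 on a name that DDS listed as [x] means the registration had already been removed by something else, so there is nothing left to do for it.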


You're welcome, and good job!!!! We have a few steps to finish up now.

First, we'll get rid of your infected system restore data by doing the following.

Flush your system restore points so you have a suitable backup should you need to restore your system files:

Turn off System Restore:

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

Reboot

Turn System Restore back on:

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 21, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 21, then follow these steps:

1. Download the latest JRE version by clicking the "Agree and Start Free Download" button.

2. Save the installer to your desktop.

3. Close any programs you may have running - especially your web browser.

4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

5. Reboot your system

6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform

7. "Install the Yahoo Toolbar" is pre-checked by default, so be sure to UNCHECK it if you do not care to have it or you already have it installed; it is NOT part of the JRE install and it is NOT required for Java applications.

8. You may verify that the current version installed properly at http://java.com/en/download/installed.jsp.

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache. Leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the downloaded applications and applets from the cache.

  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

You can now delete the Java Installer from your desktop!!

If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

  • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the anti-rootkit in)
  • Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also make your PC vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not operating system flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner, because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, and select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing! :o



Glad we could help. :lol:

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
