Bullguard Antivirus Forum Download A Free Copy Of Bullguard Antivirus Software
Free Antivirus Forum - Learn about antivirus, firewalls and personal security Free Antivirus Forum - Learn about antivirus, firewalls and personal security
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
How to Remove Win32.NSAnti
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > How to Remove Win32.NSAnti  
Forum Quick Jump
 
New Topic Post reply to : How to Remove Win32.NSAnti Printable version of : How to Remove Win32.NSAnti
[ << Previous Thread | Next Thread >> ]

kaytkayt
New Member


Date Joined Jan 2008
Total Posts : 7
  		   Posted 1-3-2008 2:51 (GMT +1)    Quote: How to Remove Win32.NSAntiAlert an admin about: How to Remove Win32.NSAnti
Hello,
My computer is infected with Win32.NSAnti virus.
I have AVG 7.5.516 installed.
Initially when I click a disk on Windows My Compter I received
Win32.NSAnti virus notification from AVG.
Also my hidden directories and files can not be made "not hidden".
Even if I choose My Computer-->Tools-->Folder Options-->view
and select "show hidden files and folders", they stay hiddeb
and if I choose My Computer-->Tools-->Folder Options-->view
again "do not show hidden files and folders" is selected and can
not be corrected that way.
I run ComboFix.exe and got a log file.
I run alternativ.exe (hijackthis) and got another log file.
Then, when I click a disk on Windows My Compter I do not receive
Win32.NSAnti virus notification from AVG anymore. But hidden
file/directory problem continues and time to time I receive
"Win32.NSAnti" virus notification from AVG.
Below I include my log files.
I will be glad if somebody helps me.
Thank you.
***************** Log file of ComboFix
ComboFix 08-01-03.4 - x 2008-01-03 15:01:01.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1254.90.1055.18.180 [GMT 2:00]
Running from: C:\Documents and Settings\x\desktop\combofix.exe
Command switches used :: /killall
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
D:\Autorun.inf
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.
2008-01-03 11:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 11:28 . 2008-01-03 11:28 <DIR> d-------- C:\HJT
2008-01-02 12:27 . 2008-01-03 14:27 107,985 -r-hs---- C:\semo2x.exe
2008-01-02 12:27 . 2008-01-03 14:27 54,784 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2008-01-02 12:26 . 2008-01-03 14:27 107,985 -r-hs---- C:\WINDOWS\system32\amvo.exe
2008-01-02 12:26 . 2007-12-28 08:42 105,216 -r-hs---- C:\80avp08.com
2008-01-02 12:26 . 2008-01-03 15:06 54,784 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2008-01-02 11:15 . 2008-01-02 11:16 <DIR> d-------- C:\Documents and Settings\x\.nbi
2007-12-18 11:58 . 2007-12-18 11:58 <DIR> d-------- C:\Documents and Settings\x\WebApplication3
2007-12-18 11:39 . 2007-12-18 11:39 <DIR> d-------- C:\Documents and Settings\x\JSTLExample
2007-12-17 13:08 . 2007-12-17 13:08 <DIR> d-------- C:\Documents and Settings\x\Application Data\Talkback
2007-12-17 13:08 . 2007-12-17 13:08 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-05 10:41 . 2007-12-05 10:41 <DIR> d-------- C:\Documents and Settings\x\GUIFormExamples
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 07:27 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 10:17 3,079,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:56 8,460,288 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 08:01 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-10-25 08:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 08:00 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-11 06:13 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 06:13 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 06:13 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 06:13 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 06:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 06:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 06:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 06:13 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 06:13 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 06:13 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 06:13 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 06:13 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,720 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 11:16 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-09-19 08:57 25,144 ----a-w C:\Documents and Settings\x\Application Data\GDIPFONTCACHEV1.DAT
2007-01-05 07:48 30,601 ----a-w C:\Documents and Settings\x\x.exe
2006-03-16 10:24 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-03-16 10:24 56 --sh--r C:\WINDOWS\system32\A436161D3A.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-03_11.39.57.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:45 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"amva"="C:\WINDOWS\system32\amvo.exe" [2008-01-03 15:07 107985]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 15:50 98304]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 05:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 05:11 114688]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2005-08-18 16:50 24576]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-24 11:37 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:45 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 08:21 219136]
R2 RTWTKRNL;Real-Time Windows Target;C:\WINDOWS\system32\drivers\RTWTKRNL.sys [2004-04-13 18:13]
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S4 Cllml$sqsck;Cllml$sqsck;C:\WINDOWS\system32\drivers\usbd.sys [2003-05-08 12:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e53e9ca-8061-11db-85fa-000ea65b1513}]
\Shell\AutoRun\command - G:\80avp08.com
\Shell\explore\Command - G:\80avp08.com
\Shell\open\Command - G:\80avp08.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c7be9f8-7181-11dc-86ca-000ea65b1513}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d1246f0-901d-11db-8608-000ea65b1513}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d3f1d08-a7d9-11dc-870b-000ea65b1513}]
\Shell\AutoRun\command - G:\semo2x.exe
\Shell\explore\Command - G:\semo2x.exe
\Shell\open\Command - G:\semo2x.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e39fb5c-941b-11dc-86f1-000ea65b1513}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{796d041d-e3ca-11da-855f-000ea65b1513}]
\Shell\AutoRun\command - "E:\COMMAND.EXE" /StartExplorer
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a4b8ca2-1341-11dc-867b-000ea65b1513}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91c147e4-b8fb-11dc-8717-000ea65b1513}]
\Shell\AutoRun\command - G:\xfoolavp.com
\Shell\explore\Command - G:\xfoolavp.com
\Shell\open\Command - G:\xfoolavp.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9938f5aa-8a6a-11db-8603-000ea65b1513}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f90942e-f3dc-11db-865f-000ea65b1513}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f909435-f3dc-11db-865f-000ea65b1513}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5c6cd2c-7ece-11db-85f8-000ea65b1513}]
\Shell\Auto\command - G:\bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db2153ec-9812-11dc-86f7-000ea65b1513}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\open\Command - activexdebugger32.exe f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db2153ed-9812-11dc-86f7-000ea65b1513}]
\Shell\Auto\command - G:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - G:\activexdebugger32.exe f
\Shell\open\Command - G:\activexdebugger32.exe f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfbe30b5-8f3b-11db-8606-000ea65b1513}]
\Shell\Auto\command - G:\bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e64289d0-a38d-11da-8504-000ea65b1513}]
\Shell\AutoRun\command - G:\ie.exe
\Shell\explore\Command - G:\ie.exe
\Shell\open\Command - G:\ie.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7e734e4-64d5-11db-85d7-000ea65b1513}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f98da299-4d3a-11db-85c4-000ea65b1513}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe
.
Contents of the 'Scheduled Tasks' folder
"2006-04-17 08:03:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [www.gmer.net]
Rootkit scan 2008-01-03 15:06:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\amvo1.dll
.
Completion time: 2008-01-03 15:09:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 13:09:18
ComboFix2.txt 2008-01-03 09:40:14
.
2007-12-24 11:09:27 --- E O F ---
*************************** logfile of hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 3:09:47 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\MATLAB7\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\alternativ.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba?lantylar
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - [plugin.fileopen.com]
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks
Kaytkayt
Back to Top
 

kaytkayt
New Member


Date Joined Jan 2008
Total Posts : 7
  		   Posted 1-3-2008 9:43 (GMT +1)    Quote: How to Remove Win32.NSAntiAlert an admin about: How to Remove Win32.NSAnti
Hi again,
 
(First, sorry for previous multiple posting of the same message).
 
The problem is now as follows:
 
I have the "can't unhiding folders and files" problem and
changing the settings in Windows My Computer-->Tool-->Folder Options-->...
do not work.
 
I had files autorun.inf and semo??.exe (?spelling) in all my disc
partitions. When I deleted them I had them reappear in some seconds.
I had the virus in \windows\system32\amvo.exe.
I removed amvo.exe and amvo1.dll from \windows\system32
Then I deleted autorun.inf and semo??.exe.
Now, they don't reappear.
But, I still have the problem "can't unhiding" continuing.
 
I also had Win32/NSAnti virus detected (but can't be cleaned).
(That was the point where I understood that my computer was infected).l
And also some other kind of virus notifications (by AVG 7.5.516).
But, after I removed amvo.exe I might have gotten rid of
some of them (which ones I don't know).
 
But "can't unhiding" problem continues.
 
Could anybody with the same problems solve them?
 
The following is a latest Hijack This (2.0.2) log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:58 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\MATLAB7\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba?lantylar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E632BEB-4DC5-43D5-82D3-AAD1B9F49F2C}: NameServer = 80.251.40.10,80.251.40.11
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4925 bytes
thanks
 
kaytkayt
Back to Top
 

kaytkayt
New Member


Date Joined Jan 2008
Total Posts : 7
  		   Posted 1-4-2008 12:42 (GMT +1)    Quote: How to Remove Win32.NSAntiAlert an admin about: How to Remove Win32.NSAnti
I finally managed to clean infections.
 
For those who are interested:
 
First,
if exists delete that file.
Note that it is also hidden/read only/system file.
C:\WINDOWS\system32\amvo.exe <<< delete that file
 
C:\WINDOWS\system32\amvo1.dll <<< delete that file as well if exists.

Then I deleted autorun.inf and semo??.exe. from all disk partitions (+usb drive)

Now, they don't reappear.

To get rid of "can't unhide files and folders" problem try the following:
A nice little script that restores the options here:
http://www.kellys-korner-xp.com/xp_tweaks.htm

368. Folder Options/View Empty - Restore Now
http://www.kellys-korner-xp.com/regs_edits/viewfolderrestore.reg
Now, I don't have "can't unhide files and folders" problem anymore.
Windows My Computer-->Tools-->Folder Options-->show hidden files (works :-))
Then I installed Kaspersky 7.0 Trial Edition.
Scanned the system and removed the infections.
Things seem to be OK.
Thanks.
Kaytkayt
Back to Top
 
New Topic Post reply to : How to Remove Win32.NSAnti Printable version of : How to Remove Win32.NSAnti
 
Forum Information
Currently it is Friday, January 09, 2009 10:08 PM (GMT +1)
There are a total of 66.008 posts in 16.187 threads.
In the last 3 days there were 19 new threads and 110 reply posts. View Active Threads
Who's Online
This forum has 27804 registered members. Please welcome our newest member, revmrf.
53 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Google redirect virus help (6)09-01-2009 20:36:39 (phinfan)
Connection to server timeout (0)09-01-2009 20:35:36 (revmrf)
Hijackthis (2)09-01-2009 19:41:14 (fingers101)
Need help with removing viruses ∼tmpa and ∼tmpc!!! (4)09-01-2009 19:26:11 (Strummer89)
Virus help needed (10)09-01-2009 19:23:22 (msmat999)


Need Support? Write to: | Forum Help Manual

Download free trial version of Bullguard