Trojan.Packed.NsAnti giving me problems. Please Help me

[ash82]

I am having some problem with my pc running on Windowx XP. I just install BitDefender to scan my pc and found some virus. One of them is called trojan.packed.NSAnti but it doesn't seems to fully clean yet. I am stil encountering many problems now.

I read through the following url and follow the steps. I tried using CCleaner Slim, SUPERAntiSpyware, Malwarebytes' Anti-Malware but still no improvement.

http://www.computerhope.com/forum/index.php/topic,46313.0.html

I will describle some of the problems and maybe you guys can help me to determine what's wrong.

1) I can't open any of my folders in my computer. When i click on my computer and  nothing happens.

2) I can't start up my Internet Explorer, but i can start up Mozilla Firefox. Some of the website cannot be display when i browse using Firefox. eg. the antivirus websites like symantec, mcafee and others.

3) When i was installing or starting SUPERAntiSpyware and Malwarebytes' Anti-Malware and it won't let me do so. Only after i change the filename then it can start. I think it was blocked by something.

When I start my pc in safe mode, i am able to get into my computer folders and internet explorer as well. But the websites is stilll being blocked and won't display. I am not sure what is wrong here.

I am not very experienced in this, maybe can you guys tell me what you need me to post here?

Can anyone help me out please? I look forward to your replies. Thanks

[evilfantasy]

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

* Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
* Search for any of the following:

- Seneka.sys <- Or anything beginning with Seneka
- clbdriver.sys <- Or anything beginning with clbdriver
- TDSSserv.sys <- Or anything beginning with TDSS

* Let me know if you find them or not.
* If you do find it, right click on it, and select Disable. Do not try to uninstall them.
* Now reboot and see if you can run the scans that would not run.

[ash82]

Thanks evilfantasy for the reply. I follow your instructions and did not find any of them.  I noticed there is a ! for one of the device in Non-plug and Play Drivers. It is called srescan but I am not sure if this is the problem.

[evilfantasy]

Do you have ZoneAlarm installed?

Try to download MalwareBytes from here http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=contentBody;mostPopTwoColWrap&cdlPid=11004434

Post the log it creates.

[ash82]

Yes I have Zone alarm installed and Bitdefender as my Antivirus.

This is the latest log i get. I did perform this scan before. Do you need the log before?

Malwarebytes' Anti-Malware 1.34
Database version: 1818
Windows 5.1.2600 Service Pack 2

3/6/2009 11:14:31 AM
mbam-log-2009-03-06 (11-14-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 141308
Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Thanks

[evilfantasy]

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[ash82]

Thanks for the quick reply. I download the ComboFix in chinese version. I hope it is alright for you to view the log.

Just a short note, When i run the ComboFix.exe, I wasn't able to do so. Nothing happens but after i renamed it then i can run it. It apply to Malwarebytes' Anti-Malware as well.

Thanks 

[attachment deleted by admin]

[evilfantasy]

The real-time protection of two antivirus programs may conflict with each other and cause the following:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) Conflicts: Your system may lock up due to both products attempting to access the same file at the same time.
3) Performance: More that one antivirus will cause your PC to become slow and it may even crash or blue screen.

You should uninstall either BitDefender or Zone Alarm antivirus. This will just cause you more roblems and it actually offers less protection.

----------

Scan Suspicious File(s)

Please go to VirusTotal.com
(If more than one file needs scanned they must be done separately and logs posted for each one)

1. Copy the file path in the below Code box:

Code: [Select]

c:\windows\wc98pp.dll2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then Paste the link to the results in the next reply.

[ash82]

I have uninstalled Zone Alarm. The following link is the result you ask for.

http://www.virustotal.com/reanalisis.html?2ce1df6133608e35dcdcba95b35ee5dc

Thanks evilfantasy

[evilfantasy]

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04079646-aa8b-11db-bc88-0016e6d61212}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a427cde-fab2-11dd-a473-8000600fe800}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9a2d404-a11d-11dd-a395-0016e6d61634}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce29bc4a-2fe3-11dd-a2a1-0016e6d61634}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e82bca55-d236-11db-a0dd-0016e6d61634}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

After posting the ComboFix log.

Use the Kaspersky Lab Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

• Click on SCAN NOW
  
• Click Accept.
  
• The program will then begin downloading the latest definition files.
• Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  
• The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

• Next, in the Save as prompt, Save in area, select: Desktop.
  
• In the File name area use KScan, or something similar.
  
• In Save as type: click the drop arrow and select: Text file [*.txt]
  
• Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

[ash82]

I perform the online scan from Kaspersky and started scanning my computer. The scanning took so long for my C: drive and i stopped it half way. I attached the report and there are 3 infected files.

Please advise whelther i should complete the whole scan because it took me a long time to scan the c: drive alone.

Thanks evilfantasy



[attachment deleted by admin]

[evilfantasy]

Yes we need the whole scan. It takes a while, maybe over an hour but it's a virus scan. They can take a while to finish.

[ash82]

The whole scan took more than 3 hours to completed c: drive so i stopped it after the c: drive is completely scanned. There were still 5 drive to go so i decided to stop it.  Sorry i could perform the whole scaning process you ask me to do.

My data in other drive is quite a lot in size and will probably took me another 3 - 4 hours to scan online.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Saturday, March 7, 2009
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Saturday, March 07, 2009 04:22:11
 Records in database: 1876121
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\
   F:\
   G:\
   I:\

Scan statistics:
   Files scanned: 40192
   Threat name: 4
   Infected objects: 3
   Suspicious objects: 1
   Duration of the scan: 03:13:46


File name / Threat name / Threats count
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\Deleted Items.dbx   Infected: Trojan-Downloader.HTML.Agent.km   1
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\Deleted Items.dbx   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\PETER.dbx   Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110   1
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\PETER.dbx   Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4   1

The scan was stopped by the user.

[evilfantasy]

You stopped it again? Who knows what else might be there.

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:files
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\Deleted Items.dbx
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\Deleted Items.dbx
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\PETER.dbx
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\PETER.dbx

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt3

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[ash82]

This is the result i get from OTMoveIt3.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\Deleted Items.dbx moved successfully.
File/Folder C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\Deleted Items.dbx not found.
C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\PETER.dbx moved successfully.
File/Folder C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{7DB71075-DD4B-4DD6-AF9F-D4AA97544897}\Microsoft\Outlook Express\PETER.dbx not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6ec.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03082009_143241


I have updated all the softwares as well. Everything seems alright and good. Thanks evilfantasy so much for helping me to fix my problem. I am really grateful and thanks for giving me the links to help maintain my pc in good condition. It was really very useful for me. Cheeers