I Need Help

Post by lenitas on Sat Feb 20, 2010 10:22 pm

One of my computers on my network is infected with Win32/Nutel.E and BankerFox.A. Can I safely use the other computer on the network to go online and change my account passwords? I have the infected computer disconnected from the network.

lenitas
Novice
Novice

Posts Posts : 13
Joined Joined : 2010-02-20
OS OS : Windows XP
Points Points : 24973
# Likes # Likes : 0


Re: I Need Help

Post by lenitas on Sat Feb 20, 2010 10:25 pm

I had a typo in my first message. It's Win32/Nugel.E and BankerFox.A viruses.


Re: I Need Help

Post by Belahzur on Sat Feb 20, 2010 11:46 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1


I Need Help

Post by lenitas on Sun Feb 21, 2010 12:03 am

I d/loaded OTL, Avenger, Commy & IceSword on this computer. I transferred OTL & Avenger to the infected computer via USB, and it won't let me use either one of them. It says everything I click on is infected. It won't open any programs. I have it disconnected from my network and the internet.


Re: I Need Help

Post by Belahzur on Sun Feb 21, 2010 12:09 am

Hello.
Rename IceSword.exe to explorer.exe and see if it runs.
If not, keep trying, it will eventually work, IceSword renames itself when run.



Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 12:21 am

Ok, I'll have to transfer it by USB and try it next. Thanks.


Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 12:40 am

It won't let me rename anything but the zipped file. It says it has unzipped the files, but they are still named IceSword. It won't let me run it. I get a popup that says: "Application cannot be executed. The file wscntfy.exe is infected. Do you want to activate your antivirus software now?" (software they are trying to sell me...not what's on my computer).


Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 12:47 am

Now an IceSword box has opened with the logo in it and a list of icons on the left side. Do I click on any of them? It's not doing anything.


Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 1:02 am

I clicked on Process and saved the log. Then I clicked on Startup and saved that log too. When I go to the next step and click on process again, I don't find a file named fllnsysguard.exe.

I was reading your instructions to someone else, so they may not apply to me.


Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 1:19 am

Here's the first log I saved:
Process:

System Idle Process
System
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
C:\Program Files\WDC\CR\SetIcon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\hp\KBD\kbd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\smss.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\rdxjba\etgmsftav.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 5 for explorer.exe.zip\IceSword122en\IceSword.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe


Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 1:20 am

Here's the second log:
Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WD Button Manager
"C:\WINDOWS\system32\WDBtnMgr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wcmdmgr
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateManager
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
"C:\WINDOWS\SMINST\RECGUARD.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
"C:\WINDOWS\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray
"C:\WINDOWS\system32\igfxtray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hpsysdrv
"c:\windows\system\hpsysdrv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPDJ Taskbar Utility
"C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds
"C:\WINDOWS\system32\hkcmd.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dla
"C:\WINDOWS\system32\dla\tfswctrl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
checktime
"c:\program files\HPSelect\Frontend\ct.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CamMonitor
"c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AlcxMonitor
"C:\WINDOWS\ALCXMNTR.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SetIcon
"\Program Files\WDC\CR\SetIcon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
"C:\WINDOWS\system32\nwiz.exe" /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mcagent_exe
"C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KBD
"C:\HP\KBD\KBD.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ewhvngif
C:\Documents and Settings\Owner\Local Settings\Application Data\rdxjba\etgmsftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Acme.PCHButton
"C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ewhvngif
C:\Documents and Settings\Owner\Local Settings\Application Data\rdxjba\etgmsftav.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
desktop.ini


Re: I Need Help

Post by Belahzur on Sun Feb 21, 2010 1:50 am

Hello.


  • Open IceSword again.
  • Go into the Process list again, and right click on the following filename:

    etgmsftav.exe

  • Select Terminate Process.
  • Close IceSword.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
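
A triage pass over logs like the two posted above, as an added example that is not part of the original thread and not the helper's own method: it parses the Startup log's three-line entries and flags autorun targets under a user profile's Application Data or Temp directory, noting whether the same image also appears in the Process list. The directory heuristic, the function names and the abbreviated sample logs are assumptions made for this example.

```python
import re

# Constructed sample: a few entries abbreviated from the logs posted in this thread.
STARTUP_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KBD
"C:\HP\KBD\KBD.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ewhvngif
C:\Documents and Settings\Owner\Local Settings\Application Data\rdxjba\etgmsftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ewhvngif
C:\Documents and Settings\Owner\Local Settings\Application Data\rdxjba\etgmsftav.exe
"""
PROCESS_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\rdxjba\etgmsftav.exe
C:\WINDOWS\system32\wscntfy.exe
"""
# Assumption: user-writable profile folders are an unusual home for autoruns (XP layout).
USER_WRITABLE = ("\\application data\\", "\\temp\\")

def parse_startup(text):
    """Yield (location, name, command); entries are separated by blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) == 3:  # skips empty keys and Startup-folder file listings
            yield tuple(lines)

def exe_path(command):
    # Quoted path, or an unquoted path up to the first ".exe"; arguments are dropped.
    m = re.match(r'"([^"]+)"|(.+?\.exe)', command, re.I)
    return (m.group(1) or m.group(2)) if m else command

def triage(startup_text, process_text):
    """Return one finding per flagged image, merged across registry hives."""
    running = {p.strip().lower() for p in process_text.splitlines() if p.strip()}
    hits = {}
    for location, name, command in parse_startup(startup_text):
        low = exe_path(command).lower()
        if "\\documents and settings\\" in low and any(d in low for d in USER_WRITABLE):
            hit = hits.setdefault(low, {"path": exe_path(command), "names": set(),
                                        "hives": set(), "running": low in running})
            hit["names"].add(name)
            hit["hives"].add(location.split("\\", 1)[0])
    return list(hits.values())
```

A finding is a lead for manual review, not a verdict: legitimate software also installs autoruns under the user profile.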



Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 1:57 am

I already have Malwarebytes on the infected computer. It says it's scanning now. I did the quick scan. Do I need to reinstall it?


Re: I Need Help

Post by Belahzur on Sun Feb 21, 2010 1:59 am

No, quick scan will do fine.



Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 2:22 am

Mbam can't update on the infected computer because I have it offline. I read on here to take it offline, so I did.

Pls tell me what to do now....do you think the one I downloaded is up-to-date? Thanks.


Re: I Need Help

Post by lenitas on Sun Feb 21, 2010 2:55 am

I installed the mbam file I d/loaded on here and re-scanned. Here's the log for the second scan: Still says nothing infected.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/20/2010 8:49:55 PM
mbam-log-2010-02-20 (20-49-55).txt

Scan type: Quick Scan
Objects scanned: 123170
Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: I Need Help

Post by Belahzur on Sun Feb 21, 2010 4:32 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.



Re: I Need Help

Post by lenitas on Mon Feb 22, 2010 11:53 pm

The viruses kept getting worse, or multiplying. It got so bad nothing would open. I have a computer tech here looking at it now. Will get back to you if necessary. Thanks much for all your assistance.

