Solved I think my netbook is infected

Status
Not open for further replies.

noobkiller69

Posts: 17   +0
Just recently I have discovered that my netbook is infected. For example, in task manager, I can't click on "Image Name" in process to place in the alphabetical order. Also I'm having trouble with the "GMER" program cause everytime I run it, BSoD pops up and computer manually automatically reset, therefore I don't have a log attached to this.
 

Attachments

  • Attach.txt
    14.5 KB · Views: 1
  • DDS.txt
    15.5 KB · Views: 1
  • mbam-log-2010-06-15 (17-38-22).txt
    894 bytes · Views: 1
i can't click on "Image Name" in process to place in the alphabetical order

What happens when you click on the frame above the list of processes?

For System Error [1003] - Error code 10000050
Try performing a clean boot to see if the problem is caused by a Microsoft application or by a third-party application.

This error indicates potential hardware problems or device drivers that are incompatible with the current hardware (occuring sometimes after a service pack updates the drivers).

I don't know that this is a malware problem, but go ahead and run the following- there are some driver questions:

Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
    [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3].Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please include the logs in your next reply. I'll have you work on GMER if it looks like we need it.
 
Thank,I'll try it soon. When I click Image Name for Processes in Task manager, nothing happen, like it won't assign itself. It automatically set at alphabetical order for image name.
 
I just recently checked the task manager and it gone back to normal. I didn't do anything except the thing u told me. Here attached to this reply is the text you requested.

EDIT: also do you know what "NvCPavill" is? Cause I came accross it in the system 32 folder and it didn't look right. When you try to delete it, it says that it currently in use.
 

Attachments

  • ComboFix.txt
    17.4 KB · Views: 1
  • log.txt
    1 KB · Views: 1
You might have done something as simple as reboot and gotten the image sort back.

You have multiple antivirus programs running: Avira, Symantec/Norton security program and according to the restore Points, you also installed AVG on 6/15/2010. Multiple antivirus programs make the system more vulnerable and also slow it down

Please decide which one you want to keep and remove the others. Here are tools to help. Use the tools for the 2 programs you do not want to keep:
Norton Removal Tool.
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
To uninstall Avira:
  • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
  • Wait for the list of installed programs to load, then click the name of the Avira program.
  • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
  • Press Yes, to confirm the removal and then OK.
  • . Click Next until Finish. The software is removed.
Reboot the computer when finished.
=================================
Please uninstall Spyhunter from the Enigma Software Group This is not good software to have on the system and the Enigma site itself brings up alerts of being an untrusted and unreliable site. Check Add/Remove Programs for the uninstall. When done, use Windows Explorer (Windows Key + E)> click on My Computer> Double click on the Local drive (C)> Programs> find the Spyhunter and/or Enigmafolder and do a right click> Delete.
Exit Windows Explorer.
===============================
There are several entries in Combofix that need to be moved. Before I write that script, please handle the multiple antivirus programs and the uninstall for Spyhunter and Enigma. Then run Combofix again. IF there are any remaining entries from above, I can add them to the script and have you run it all together.

You need to be really careful with what security programs you put on the system and where you download the programs.
=====================================

Edit: You asked about "NvCPavill". I can't ID that file, but here is a reference for NvRoter.exe in Australia: It's in the left frame almost to the bottom. Perhaps you can understand the words. Ahttp://newspapers.nla.gov.au/ndp/del/article/2063000
 
When i first came across NvCPavill, NvRoter.exe was also next to it. I deleted NvRoter.exe but couldn't delete NvCPavill. The NvCPavill has an image icon. Also which anti-virus do you recommend I keep/get?
 
I did what you requested and that was pick one anti-virus. I chose Avira AntiVir Personal because it was recommend in the 8 steps. I attached the new ComboFix to this reply.

EDIT: When I start up Windows an error message pop-up to do with MikePIC and {smartassembly} has expired. Do you have any ideas on how to fix this or overcome it.
 

Attachments

  • ComboFix v2.0.txt
    17.9 KB · Views: 3
MikePIC and {smartassembly} has expired. Do you have any ideas on how to fix this or overcome it.

"Paintribbon has been built with an evaluation version of {smartassembly}, which has expired on Friday, July 31, 2009.You need to purchase a license of {smartassembly}."

See discussion and update fix for this bug here: http://www.aviassin.com/forum/t-168137

Always download for the software makers site if you can. They will also have the most current updates or fixes.
=======================================
Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\Drivers\RTS5121.sys
c:\windows\system32\DRIVERS\Rts516xIR.sys 
c:\windows\nsreg.dat
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCall.dll
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla4.dll
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla3.dll
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla2.dll
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla11.exe
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla.exe

Folder::
c:\program files\AVG
c:\documents and settings\All Users\Application Data\avg9
c:\windows\system32\NvCPavill.exe
c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\NortonInstaller

DirLook::
c:\windows\SxsCaPendDel

Registry::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{407d35ba-7723-478d-87f8-15057cb8c338}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

Driver::
RSUSBSTOR
Rts516xIR
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
 
Looks good to me. you should even be a bit faster with all those Norton files gone!

Do any of the original problems remain? If not:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
Creating a Restore Point in Windows 7:
  1. Click on Start> right click on Computer> Properties
  2. Select System Protection
  3. Click on the Create button (near bottom)
  4. Type a name for the Restore Point
  5. Click on Create again to save the restore point.

Deleting all but the most recent System Protection point in Windows
  • Click Start, type Cleanmgr.exe and press ENTER
  • Select the drive-letter from the list and click OK
  • Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
  • Select the drive-letter from the list and click OK
  • Click the More Options tab
    w7-srp2.png
  • Click the Clean up… button under System Restore and Shadow Copies.
  • Click OK.

Empty the Recycle Bin

Let me know if you need more help.
 
Status
Not open for further replies.
Back