shoujun

Trojan.packed.NsAnti [Symantec]


Hi.

 

Recently, my Symantec has been popping up with a Trojan.packed.NsAnti warning saying that it is blocked.

 

However it does worry me a little that the pop-up comes at a higher frequency after a while on my computer.

 

I need some help in being able to remove/stop this thing.

 

My only problem is that I do not have any paid virus/spyware/adware remover or scanner, and would be hoping to know if it can be fixed using free programmes.

 

I have tried SDFix, but it does not seem to stop the problem, plus I'm quite a newbie at removal of such stuff...

 

~hope help arrives~

 

Thanks in advance.

 

 

 

 

From my SDFix report:

 

SDFix: Version 1.204

Run by Administrator on 13/07/2008 at 10:48

 

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\autorun.inf - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-13 11:03:17

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:d7,41,fc,93,a8,bf,d1,1e,8b,8c,33,d5,14,5e,02,c4,96,f2,ec,ca,04,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,40,b3,1d,a2,91,e0,02,d9,78,76,27,16,d4,e3,a5,93,96,..

"khjeh"=hex:e5,7a,fc,66,01,fa,88,9c,94,60,46,39,e0,e5,2d,31,a0,a4,d3,59,db,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:c0,93,87,ae,0b,63,2d,b7,b1,2f,a0,5d,45,61,55,4f,37,07,a4,5f,4c,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:86,48,81,00,e3,70,d7,30,f3,55,c3,c2,4a,de,7a,5c,5b,e6,f6,f3,65,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:d7,41,fc,93,a8,bf,d1,1e,8b,8c,33,d5,14,5e,02,c4,96,f2,ec,ca,04,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,40,b3,1d,a2,91,e0,02,d9,78,76,27,16,d4,e3,a5,93,96,..

"khjeh"=hex:e5,7a,fc,66,01,fa,88,9c,94,60,46,39,e0,e5,2d,31,a0,a4,d3,59,db,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:c0,93,87,ae,0b,63,2d,b7,b1,2f,a0,5d,45,61,55,4f,37,07,a4,5f,4c,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:86,48,81,00,e3,70,d7,30,f3,55,c3,c2,4a,de,7a,5c,5b,e6,f6,f3,65,..

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]

"Il\16xA~äSpS ?(?T?r?u?e?T?y?p?e?)?"="HDZB_5.TTF"

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"

"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"

"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

"F:\\Misc\\cs\\Counter-Strike\\czero.exe"="F:\\Misc\\cs\\Counter-Strike\\czero.exe:*:Enabled:Condition Zero Launcher"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"

"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"

"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Fri 20 Jun 2008 124,740 ..SHR --- "C:\8e.com"

Sat 12 Jul 2008 116,972 ..SHR --- "C:\ffojc.com"

Sun 13 Jul 2008 133,256 ..SHR --- "C:\nqgcd.com"

Sat 12 Jul 2008 116,972 ..SHR --- "C:\WINDOWS\system32\ckvo.exe"

Sun 13 Jul 2008 77,312 ..SHR --- "C:\WINDOWS\system32\ckvo0.dll"

Sat 12 Jul 2008 77,312 ..SHR --- "C:\WINDOWS\system32\ckvo1.dll"

Sun 13 Jul 2008 133,256 ..SHR --- "C:\WINDOWS\system32\kavo.exe"

Sun 13 Jul 2008 166,400 ..SHR --- "C:\WINDOWS\system32\kavo1.dll"

Sun 13 Jul 2008 122,051 ..SHR --- "C:\WINDOWS\system32\tavo.exe"

Sun 13 Jul 2008 81,408 ..SHR --- "C:\WINDOWS\system32\tavo0.dll"

Wed 19 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Mon 2 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Sun 13 Jul 2008 31,232 A..H. --- "C:\Documents and Settings\eng\Local Settings\Temp\lp8u22j.dll"

Fri 4 Jul 2008 10,728 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 12,472 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 12,956 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 10,500 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 6,976 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 4 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\[email protected]"

Fri 18 May 2007 0 A..H. --- "C:\Documents and Settings\eng\My Documents\Shou Jian\~WRL1807.tmp"

Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"

Tue 20 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1.tmp"

Thu 3 Jul 2008 26,112 ...H. --- "C:\Documents and Settings\eng\Desktop\Recent Work\SGC Examplar\~WRL0747.tmp"

Thu 2 Nov 2006 103,936 A..H. --- "C:\Documents and Settings\eng\Desktop\Recent Work\GP\GENERAL PAPER (Strategies, Reminders, Tips)\ESSAY\~WRL3659.tmp"

 

Finished!

--------------------
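As an added example (not code from the thread or from SDFix), a small Python triage script that parses the "Files with Hidden Attributes" section of an SDFix report like the one posted above and flags two things a responder would look at first: drive-root files carrying the System+Hidden+Read-only attribute set, and files elsewhere whose byte size exactly matches one of those root files (the report above has such pairs, e.g. ffojc.com and ckvo.exe at 116,972 bytes, nqgcd.com and kavo.exe at 133,256 bytes). The sample lines are copied from that report with one Temp entry replaced by a placeholder name; the size-twin heuristic and all function names are my own assumptions, not SDFix features.

```python
import re
from collections import defaultdict

# Constructed sample in the format of SDFix's "Files with Hidden Attributes"
# section, copied from the report posted above (one Temp entry is a placeholder).
SDFIX_HIDDEN = r'''
Fri 20 Jun 2008 124,740 ..SHR --- "C:\8e.com"
Sat 12 Jul 2008 116,972 ..SHR --- "C:\ffojc.com"
Sun 13 Jul 2008 133,256 ..SHR --- "C:\nqgcd.com"
Sat 12 Jul 2008 116,972 ..SHR --- "C:\WINDOWS\system32\ckvo.exe"
Sun 13 Jul 2008 133,256 ..SHR --- "C:\WINDOWS\system32\kavo.exe"
Sun 13 Jul 2008 122,051 ..SHR --- "C:\WINDOWS\system32\tavo.exe"
Wed 19 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 4 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\eng\Local Settings\Temp\PLACEHOLDER.tmp"
'''

# One report line: weekday, day, month, year, byte size with thousands separators,
# a five-character attribute field (letters A/S/H/R or '.'), '---', quoted path.
LINE_RE = re.compile(
    r'^(?P<dow>\w{3}) (?P<day>\d{1,2}) (?P<mon>\w{3}) (?P<year>\d{4}) '
    r'(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>.*)"$'
)

def parse_hidden_files(text):
    """Turn the report section into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "path": m["path"],
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "date": f'{m["day"]} {m["mon"]} {m["year"]}',
            })
    return records

def is_shr(rec):
    """System + Hidden + Read-only all set: the combination on the files SDFix listed."""
    return all(flag in rec["attrs"] for flag in "SHR")

def root_level(path):
    """True for a file directly in a drive root, e.g. C:\\ffojc.com."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None

def triage(records):
    """Return findings: ('root-shr', path) and ('size-twin', root_path, other_path)."""
    findings = []
    roots = [r for r in records if root_level(r["path"]) and is_shr(r)]
    for r in roots:
        findings.append(("root-shr", r["path"]))
    # Heuristic (my own, not SDFix's): a file elsewhere with exactly the same
    # byte size as a root-level SHR file is worth treating as a second copy.
    by_size = defaultdict(list)
    for r in records:
        by_size[r["size"]].append(r)
    for r in roots:
        for other in by_size[r["size"]]:
            if other is not r and not root_level(other["path"]):
                findings.append(("size-twin", r["path"], other["path"]))
    return findings
```

Run `triage(parse_hidden_files(SDFIX_HIDDEN))` to get the findings; a size match is only a hint, and the paired files still need to be hashed or submitted for analysis before anything is concluded.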

Hello shoujun,

You said your Symantec finds this, yet you say you have no paid AV programs. Symantec is Norton's AV, so are you using a trial version or what?

 

You could try this free program, but we will probably need hjt as well. So, Please download and install SUPERAntiSpyware Home Edition (free edition)

  • Load SUPERAntiSpyware and click the Check for Updates button.
  • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
  • Open SUPERAntiSpyware and click the Scan your Computer button.
  • Check Perform Complete Scan and then click Next.
  • SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
  • Make sure that they all have a check next to them, and then click Next.
  • Click Finish and you will be taken back to the main interface.
  • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
  • I'll need a log afterwards of what has been found.
  • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
  • Please post the results of the SUPERAntiSpyware log in your next reply.
So we can see if SuperAntiSpyware picks this up; in some cases it has. If after using SuperAntiSpyware this problem remains, then we need you to do this> CLICK HERE to download the HijackThis Installer:

Save HJTInstall.exe to your desktop.

Double-click on HJTInstall.exe to run the program.

By default it will install to C:\Program Files\Trend Micro\HijackThis.

Accept the license agreement by clicking the "I Accept" button.

Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.

Click "Save log" to save the log file and then the log will open in Notepad.

Click on Edit-> Select All then click on "Edit -> Copy" to copy the entire contents of the log.

Next, Go to this forum Here to start a new thread right click and Paste your log there.

 

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

 

So try SuperAntiSpyware first, then use HJT if needed (most likely it will be needed). Make sure if you use HJT that the HJT log is posted in the HJT forum as indicated above. And we can go from there. :)

 

Wademan

Edited by Wademan

--------------------

Hi.

 

To explain the contradiction above, I do have Norton, but my account has expired and I have not been able to update it. So I'm now running on an expired account of Norton which works alright... (just that I don't really trust it for trojans).

 

 

Anyway, I have tried doing the SUPERAntiSpyware and it did come up with a list of trojans found and all. The only problem I have now is getting the log, as whenever I open it, the notepad just 'hangs' and I am unable to open it.

[I did the scan in normal mode and rebooted when it asked me to]

[I did a second scan in safe mode and it did not detect any trojan]

 

So I decided to use your second advice as well, and did the HijackThis and got the log:

link

 

In the end I still get the pop-up by Symantec about the trojan.packed.NsAnti

 

Will be doing a third scan soon and will report if there are any new things on..

 

 

 

Shoujun

--------------------

An outdated anti-virus program is a useless anti-virus program. It's important to keep all definitions up to date as thousands of new threats appear every day. There are many free options that work well including AVG 8.0, Avira AntiVir (actually decent real-time protection despite being free) and Avast!. If you cannot use an updated version of Norton Anti-Virus then it is best to run the Norton removal tool and install another program.

 

AVG 8.0 http://free.avg.com/ww.download?prd=afe

 

Avira http://www.free-av.com/

 

Avast! http://www.avast.com/eng/download-avast-home.html

 

You should also keep protected from Spyware and there are many good options that are free including Super A/S, Malwarebytes Anti-malware, and A-squared.

Edited by adam22

--------------------

You are infected with a 'Backdoor Trojan/Bot'. Some are difficult to get rid of. They are password stealers and help themselves to your critical information, such as online banking, credit card use, etc.

 

The first thing to do is to go to a known, clean machine and change all your passwords. Do not change them from this infected computer. Next, You will need to download HijackThis™:

http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

 

Start a new topic in our HJT forums

http://forums.pcpitstop.com/index.php?showforum=25

 

Click 'Do a System Scan and Save logfile'.

The HJT log will open in notepad.

Copy and paste the HJT log from notepad in that new topic

 

Please be patient as we have a lot of people with malware infections and all of our HJT Trusted Advisors work on many forums :adios:

 

DO NOT post your HJT log in this thread

--------------------

Hello again,

Sounds like SuperAntiSpyware removed a lot. I know you are still getting pop-ups from Norton's. This is due to the fact it's expired and it can't delete the file. Norton's would need to be updated to deal with that Trojan.

 

If you can't get SuperAntiSpyware to post correctly, can you tell us what it did find? I highly believe SuperAntiSpyware did find the file and cleaned/removed it. Norton's is probably falsely reporting it since it's outdated.

 

Adam gave you some excellent choices for a new AV for you. I highly recommend to go with Avast.

 

Here is what we need to do: step #1 is that you must remove all traces of Norton's from your PC. To fully remove Norton AntiVirus, you should go here before uninstalling and download the files and print the instructions for removal, and follow them after uninstalling NAV.

How to uninstall Norton AntiVirus 2003/2004/2005/2006/2007/2008:

- Vista/XP/2000 - Click Here (note: this removes ALL Norton 2003/2004/2005/2006/2007/2008 products from your computer)

- Me/98 - Click Here

How to uninstall Norton AntiVirus 2000/2001/2002

 

 

Step #2 would then be to reboot the PC after removing Norton's.

Step #3 would be to use CCleaner to clean up more files> http://www.ccleaner.com/ Tutorial for its use if needed> http://www.ccleaner.com/help/tour/1-after-installation

 

Step #4 would be to download Avast (it is free and very good) > http://www.avast.com/eng/download-avast-home.html then update it immediately. Now do a full scan with your Avast.

 

Step #5: rescan with SuperAntiSpyware and see what it finds; also post the log from Avast here.

 

You also did a good job on posting your HJT log in our HJT forum; please be very patient there as they are very busy, it could be days before they get to you. We may not even need to use it after all of the above steps are completed.

This should remove most of this junk. :)

 

Wademan

Edit: Jacee was posting at the same time I was; I'm kind of slow lately. I would follow her advice for sure, with >

 

You are infected with a 'Backdoor Trojan/Bot'. Some are difficult to get rid of. They are password stealers and help themselves to your critical information, such as online banking, credit card use, etc.

 

The first thing to do is to go to a known, clean machine and change all your passwords. Do not change them from this infected computer. That step is very important.

 

I almost deleted my post, but since they are very, very busy in our HJT forum you could try my suggestions; it sure would not hurt and would clean up your PC very well. You for sure need an AV installed immediately! It could take days, maybe even a week before they get to you in the HJT forum. If you just want to wait on that, and not do any of my suggestions, that is your call.

 

--------------------

Edited by Wademan

--------------------

Please don't email or PM me for "personal" HJT help.

Why should anyone? You're not qualified!!!

 

Will you stop telling folks to run cleaners AFTER they have posted HJT logs? It prolongs the removal process.

 

Any complaints................take it up with Admin!

 

Shoujun.

 

Disregard Wademan's advice until the malware is removed from your PC; until then, only follow instructions given by a Trusted HJT Advisor.

--------------------

Why should anyone? You're not qualified!!!

 

Will you stop telling folks to run cleaners AFTER they have posted HJT logs? It prolongs the removal process.

 

Any complaints................take it up with Admin!

 

Shoujun.

 

Disregard Wademan's advice until the malware is removed from your PC; until then, only follow instructions given by a Trusted HJT Advisor.

 

Well, for your information Mr. Inprofile, I have some users run tools after a HJT log is posted due to the fact our HJT forum is swamped at the moment; I have seen some wait over 1-2 weeks. And Shoujun has no AV on his PC. If he is like most users he will continue to use his PC while waiting for HJT help.

 

So Shoujun, like most users here, will use his PC, and with NO AV on it (I know he has Norton's BUT it is way outdated) he will most likely get more infections and spread the Trojans and possible viruses on his PC, and even in many cases will spread the infections to other users, such as email friends and other online contacts.

 

Also, I am in training for HJT and more than 1/2 through it, and in training they almost always have users run the tools I normally suggest at the beginning. It is very important if users have severe infections on their PC to at least get some sort of AV/antispyware on their PC immediately! They can safely do this while waiting for help in the HJT forum.

 

I highly disagree with you in regards to you saying running the tools suggested will prolong the removal process. Where do YOU get this information? Are you in professional PC security training or have a degree in helping people clean up an infected PC?

 

If our HJT forums were not super busy and behind in getting users help, I would not have suggested as much as I have. In our HJT forums long ago, users would normally get help within a few hours; that is not the case anymore.

 

So, Shoujun, you definitely should get AV on your PC as directed above, and remove the Norton's with the removal tool as instructed above (do that before you get Avast).

 

That step will not prolong your HJT help, and none of the other steps will either.

 

If this is confusing to you now, feel free to PM me, Shoujun.

 

Wademan

Edited by Wademan

--------------------

Wademan gave excellent advice and provided the link for the removal tool I mentioned in my post. Be sure to run the proper tools and get yourself a new A/V program ASAP and a HJT log will finish up the process. Out of curiosity, how long did it take you to finish half of your training, Wademan?

Edited by adam22

--------------------

Inprofile (Imp) led me to my addiction with HJT and cleaning infected machines. He's very rarely seen, but he does know what he's talking about! :mrgreen:

--------------------

Hi all,

 

Seems like there's been a slight squabble..

 

 

I've checked my hjt post and managed to get some help from Aaflac (thank you Aaflac).

 

Meanwhile, I'm doing away with Norton and getting Avast as suggested by adam22 and Wademan.

 

 

On the things detected by SUPERAntiSpyware,

 

Trojan.ViedoCach

Trojan.Smitfraud

 

 

There were about 5-6 different kinds of trojans found, but I can't remember them.. :(

 

 

About SUPERAntiSpyware, I can't seem to open any log properly without having to force shut the notepad (even if it is a clean log).

 

Performing scan by Avast soon.

 

Will update asap.

 

ShouJun

Edited by shoujun

--------------------

The logs not opening are a mystery to me but you can try this..

 

Open up SuperAntiSpyware and hit Preferences... go to Statistics/Logs and you will see a log of all the scans you have run. Click on one to highlight it and hit View Log. It should open in Notepad with ease. Make sure your definitions are up to date and you have version 4.15.1000.

--------------------

Now that you're getting help in the HijackThis forum

you should not be doing any more cleaning or accepting help from anyone;

let Aaflac finish, otherwise you will prolong your repairs and malware removal

--------------------

Now that you're getting help in the HijackThis forum

you should not be doing any more cleaning or accepting help from anyone;

let Aaflac finish, otherwise you will prolong your repairs and malware removal

 

Most excellent advice :tup:

 

This topic is now closed.
