Need Help!!!!VIRUS

Postby TheNeophyte » Mon Oct 27, 2008 11:16 am

Win32/PSW.OnlineGames.NMY trojan

Actually, I got this from my external hard disk drive. It's coming from the files which I copied from my PC at the office. The stupid thing I did was to open my external hard disk drive on my home PC. And when I came in today, my desktop started complaining like this:

http://docs.google.com/View?docid=d472m9c_0fg5zmbc4

http://docs.google.com/Doc?id=d472m9c_2dc3w25cb

Is there a way to fix this thing?

The main thing that I am concerned about is my 1TB external hard disk; it was affected as well. All my stuff is there.

http://docs.google.com/Doc?id=d472m9c_4gm7j38qp

Is there a way to fix my external hard disk without formatting it?

I really do need all your help and advice.

thank you
To Live is for something, To Die is for nothing
TheNeophyte
Initiate
Posts: 37
Joined: Tue Feb 26, 2008 10:16 pm
Location: Dubai, United Arab Emirates

Postby evasive » Tue Oct 28, 2008 1:00 am

I say, try a cleanup with the online scanner from F-secure:
http://www.f-secure.com/v-descs/trojan- ... ml#details

http://support.f-secure.com/enu/home/ols.shtml

Click on the logo. If that doesn't work, go here:
http://support.f-secure.com/ols/start.html

You need IE6/7 for this. There are other online scanners/cleaners out there, but I don't know if they will clean this one up. And last but not least, warn your network/system administrator at work that there's an infection on the system...
We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 37389
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Postby TheNeophyte » Tue Oct 28, 2008 9:07 am

evasive wrote:
And last but not least, warn your network/system administrator at work that there's an infection on the system...

Regarding your instruction above, where should I go?

Postby TheNeophyte » Tue Oct 28, 2008 6:12 pm

Statistics
Scanned:

* Files: 153608
* System: 4151
* Not scanned: 49

Actions:

* Disinfected: 0
* Renamed: 5
* Deleted: 0
* None: 22
* Submitted: 10

Files not scanned:

* C:\AUTORUN.INF
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\XK2N.BAT
* C:\WINDOWS.OLD.000\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1FD2FDC6CCCE96A84024A845F8C2A49F_75022DB6-655D-4E2F-AA8E-BE80C81686E8
* C:\WINDOWS.OLD.000\PROGRAMDATA\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1FD2FDC6CCCE96A84024A845F8C2A49F_75022DB6-655D-4E2F-AA8E-BE80C81686E8
* C:\WINDOWS.OLD.000\DOCUMENTS AND SETTINGS\EMJOPIA\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{C5011064-B44D-44B4-853A-5B15EC26D553}
* C:\WINDOWS.OLD.000\DOCUMENTS AND SETTINGS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBDAM
* C:\WINDOWS.OLD.000\DOCUMENTS AND SETTINGS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBDAO
* C:\WINDOWS.OLD.000\DOCUMENTS AND SETTINGS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBEAM
* C:\WINDOWS.OLD.000\DOCUMENTS AND SETTINGS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBEAO
* C:\WINDOWS.OLD.000\DOCUMENTS AND SETTINGS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBM
* C:\WINDOWS.OLD.000\DOCUMENTS AND SETTINGS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\HP
* C:\WINDOWS.OLD.000\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1FD2FDC6CCCE96A84024A845F8C2A49F_75022DB6-655D-4E2F-AA8E-BE80C81686E8
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\DLLCACHE\AUTORUN.INF
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\WINDOWS\CURSORS\BOOM.VBS
* C:\USERS\EMJOPIA\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{C5011064-B44D-44B4-853A-5B15EC26D553}
* C:\USERS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBDAM
* C:\USERS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBDAO
* C:\USERS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBEAM
* C:\USERS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBEAO
* C:\USERS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\DBM
* C:\USERS\EMJOPIA\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\7C3CDD21D617\HP
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1FD2FDC6CCCE96A84024A845F8C2A49F_75022DB6-655D-4E2F-AA8E-BE80C81686E8
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1FD2FDC6CCCE96A84024A845F8C2A49F_75022DB6-655D-4E2F-AA8E-BE80C81686E8
* C:\BOOT\BCD
* D:\AUTORUN.INF
* D:\XK2N.BAT
* D:\WINDOWS\SYSTEM32\CKVO.EXE
* D:\WINDOWS\SYSTEM32\CKVO0.DLL
* F:\AUTORUN.INF
* F:\XK2N.BAT
* H:\SYSTEM VOLUME INFORMATION\_RESTORE{03DEC760-A87F-4AB5-AE5C-58F302120A9F}\RP78\A0019708.BAT
* H:\SYSTEM VOLUME INFORMATION\_RESTORE{03DEC760-A87F-4AB5-AE5C-58F302120A9F}\RP78\A0019709.INF

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2008-10-28
* F-Secure Pegasus: 1.20.0, 2008-09-22
* F-Secure AVP: 7.0.171, 2008-10-28

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


Hi, these are the things that the software found on my system. Why is it not deleting or renaming the files on my system?
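
A way to triage a "Files not scanned" list like the one in the post above, as an added example that is not part of the original thread and not F-Secure's code. It splits the skipped paths into the ones a live-system scanner is expected to skip (locked registry hives, pagefile and hiberfil, the MachineKeys store, Google Desktop and Windows Defender indexes, catroot2, the BCD store) and the ones worth pulling out by hand: autorun.inf at a drive root, a .bat/.vbs/.inf sitting next to it, an EXE/DLL under a WINDOWS\SYSTEM32 directory on a non-system drive, a script inside the Windows tree, and System Volume Information copies of any of those. The sample lines are copied from the report in the post; the rules are my own heuristics, the assumption that C: is the only real Windows installation is mine, and sptd.sys is flagged for review only because it is a third-party kernel driver, not because anything is known about it here.

```python
"""Triage of an on-line scanner's 'Files not scanned' list.

Added example, not F-Secure's code. Assumption (mine, not stated in the thread):
the only real Windows installation is on C:, so an EXE/DLL under a
WINDOWS\\SYSTEM32 directory on any other drive is suspect. All rules are my own
heuristics, not vendor signatures.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DRIVES = {"C:"}  # assumption: the one genuine Windows install

SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".pif", ".scr"}
BINARY_EXTS = {".exe", ".dll"}
RUNNABLE = SCRIPT_EXTS | BINARY_EXTS

# Paths a live-system scanner normally cannot open: locked hives, swap, key stores, indexes.
EXPECTED_NAMES = {"hiberfil.sys", "pagefile.sys"}
EXPECTED_DIRS = (
    "\\windows\\system32\\config\\",
    "\\crypto\\rsa\\machinekeys\\",
    "\\google desktop\\",
    "\\windows defender\\filetracker\\",
    "\\catroot2\\",
    "\\boot\\bcd",
)

# A subset of the report lines posted in the thread (copied, not constructed).
SAMPLE_REPORT = r"""
* C:\AUTORUN.INF
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\XK2N.BAT
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\DLLCACHE\AUTORUN.INF
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\CURSORS\BOOM.VBS
* C:\BOOT\BCD
* D:\AUTORUN.INF
* D:\XK2N.BAT
* D:\WINDOWS\SYSTEM32\CKVO.EXE
* D:\WINDOWS\SYSTEM32\CKVO0.DLL
* F:\AUTORUN.INF
* F:\XK2N.BAT
* H:\SYSTEM VOLUME INFORMATION\_RESTORE{03DEC760-A87F-4AB5-AE5C-58F302120A9F}\RP78\A0019708.BAT
"""


def classify(path_str):
    """Return (category, reason): 'expected', 'suspicious', 'review' or 'unknown'."""
    p = PureWindowsPath(path_str)
    s = str(p).lower()                      # backslash form, lower-case, for substring rules
    name, ext = p.name.lower(), p.suffix.lower()
    at_root = len(p.parts) == 2             # parts == ('C:\\', 'AUTORUN.INF')

    if name in EXPECTED_NAMES or any(d in s for d in EXPECTED_DIRS):
        return "expected", "locked system file, skipped by design"
    if name == "autorun.inf":
        where = "at drive root" if at_root else "outside drive root"
        return "suspicious", f"autorun.inf {where}: read it and see what it launches"
    if "\\system volume information\\" in s and ext in RUNNABLE:
        return "suspicious", "restore-point copy; System Restore will bring it back"
    if at_root and ext in RUNNABLE:
        return "suspicious", "script or executable at drive root next to autorun.inf"
    if ext in BINARY_EXTS and "\\windows\\system32\\" in s and p.drive.upper() not in SYSTEM_DRIVES:
        return "suspicious", "EXE/DLL in a WINDOWS\\SYSTEM32 directory on a non-system drive"
    if ext in SCRIPT_EXTS and "\\windows\\" in s:
        return "suspicious", "script inside the Windows directory tree"
    if ext == ".sys":
        return "review", "kernel driver: verify the publisher's signature"
    return "unknown", "not matched by any rule"


def parse_report(report_text):
    """Pull the paths out of the '* C:\\...' bullet lines of the report."""
    return [line[2:].strip() for line in report_text.splitlines() if line.startswith("* ")]


def triage(report_text):
    """Group every path in the report by category."""
    groups = defaultdict(list)
    for path in parse_report(report_text):
        groups[classify(path)[0]].append(path)
    return dict(groups)


def drives_with_autorun_pair(report_text):
    """Drives carrying both a root autorun.inf and a root-level script/EXE: the propagation set."""
    roots = defaultdict(set)
    for path in parse_report(report_text):
        p = PureWindowsPath(path)
        if len(p.parts) == 2:
            roots[p.drive.upper()].add(p.name.lower())
    return sorted(drive for drive, names in roots.items()
                  if "autorun.inf" in names
                  and any(PureWindowsPath(n).suffix in RUNNABLE for n in names))


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_REPORT).items():
        print(f"{category}:")
        for path in paths:
            print(f"  {path}  ({classify(path)[1]})")
    print("drives to clean by hand:", drives_with_autorun_pair(SAMPLE_REPORT))
```

Run against the posted report this puts C:, D: and F: in the "clean by hand" set, which is the answer to the question in the post: the scanner did not rename or delete those files because it never opened them, so the "Renamed: 5 / None: 22" counters say nothing about them.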

Postby Karlsweldt » Wed Oct 29, 2008 3:56 pm

Path statements (working links) for features or programming may be different at the office than on your home setup. That may be the reason for so many errors.
But ensure your system has the most up-to-date anti-virus scanning engine, and that it is proficient. You are best off scanning the system in 'safe' mode, where most viral forms are dormant and easily removed.
If the files came from any type of business, there should have been a very secure and high-level anti-virus program in use. If not, I would not trust any data from that source!!
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 20690
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Postby TheNeophyte » Thu Oct 30, 2008 10:48 am

So what would be your best advice on this problem? My system was already affected by these viruses. Even my 1TB :oops: I have tons of movie collections. Is formatting my system my last option? I am using NOD32 antivirus. :!:

Postby evasive » Fri Oct 31, 2008 4:17 am

TheNeophyte wrote:
And last but not least, warn your network/system administrator at work that there's an infection on the system...

Regarding your instruction above, where should I go?

TheNeophyte wrote:
It's coming from the files which I copied from my PC at the office.


I did not realize you are the system/network administrator there, if it's the only PC. Anyway, you want to do a scan with the mentioned online scanner on your office PC too.

Postby TheNeophyte » Thu Nov 13, 2008 3:06 pm

I don't get your last advice; at the moment the virus still exists on my system. I really don't know how to get rid of this, for example C:\XK2N.BAT and F:\XK2N.BAT. As mentioned in my post above, there are some files that the online scanner skipped/did not scan. So obviously, the virus is still there.

Can you please be more specific on your advice above?

thanks

Postby evasive » Fri Nov 14, 2008 1:28 am

TheNeophyte wrote:
I am using NOD32 antivirus.


If that is a full version you should be able to tell it to remove the infected stuff.

Postby Karlsweldt » Fri Nov 14, 2008 2:47 pm

If those files cannot be removed, they are set as 'active' files. The OS has been given a "key" to accept those files as part of its operation.
Perhaps the only way they won't be 'active' is when you reboot into safe mode at start up. Then disable the Windows restore feature, and run the anti-virus and malware programs. Once you are sure the nasties are gone, then reactivate the restore feature. If you don't disable the restore feature, Windows will faithfully undo all your work on the next normal boot!

Some info on that Xk2N.bat file, from a Google search. And additional info from MSFN about editing the Registry to kill those files.
Likely the file isn't large, perhaps less than 1 Kb. But it is keyed when the OS starts, and then activates other files to cause the problems.
If you cannot remove the files, likely they are part of a Registry key.. and may be best left to someone who knows how to edit the Registry. The wrong editing of Registry keys can cause the OS to go belly-up!
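
The post above describes the batch file being "keyed" at start-up and then activating other files; on the external disk the thing that keys it is the autorun.inf sitting beside it at the drive root, which Explorer honoured when the drive was opened on the home PC. Before deleting anything it is worth reading that file to see exactly what it launches. The following is an added example, not code from the thread, F-Secure or ESET: the autorun.inf text is constructed by me in the style of USB-worm droppers (the thread never shows the real one), the only real facts it relies on are the key names Explorer honours (open, shellexecute, shell and shell\<verb>\command), and the drive-root listing is passed in as a list so the example runs offline. On the real disk you would read the file from a command prompt, or from a machine with AutoPlay disabled, rather than double-clicking the drive in Explorer.

```python
"""What an autorun.inf would launch when the drive is opened.

Added example; the thread never shows the real autorun.inf, so the text below
is constructed by me in the style of USB-worm droppers. The key names the parser
looks for (open, shellexecute, shell and shell\\<verb>\\command) are the ones
Explorer honours; everything else here is my own code.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample (not recovered from the thread). Junk lines and case
# variation are typical; the launched file is named after the thread's XK2N.BAT.
SAMPLE_AUTORUN = r"""
[AutoRun]
;jz0XmQ  kLp9
open=xk2n.bat
shell\open\Command=xk2n.bat
shell\open=Open
shell\explore\Command=xk2n.bat
shellexecute=xk2n.bat
shell=Auto
shell\Auto\command=xk2n.bat
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Keys whose value is a command Explorer runs: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$")


def parse_autorun(text):
    """Return {key_lower: value} from the [autorun] section.

    The INI reader Windows uses is tolerant (lines it cannot parse are ignored),
    which is why droppers pad the file with garbage; tolerate the same here
    instead of failing on the first odd line.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """(key, program) pairs for every launch-capable key; the program is the value's first token."""
    targets = []
    for key, value in entries.items():
        if LAUNCH_KEY.match(key) and value:
            targets.append((key, value.split()[0].strip('"')))
    return targets


def audit(autorun_text, root_listing):
    """Summarise the launch set and which launched files actually sit beside autorun.inf.

    root_listing is the drive-root directory listing (os.listdir on the real
    drive), passed in so the example runs offline on a constructed list.
    """
    entries = parse_autorun(autorun_text)
    launched = launch_targets(entries)
    names = {n.lower() for n in root_listing}
    files = sorted({program.lower() for _, program in launched})
    return {
        "default_verb": entries.get("shell"),          # verb Explorer runs on double-click
        "launch_keys": sorted(k for k, _ in launched),
        "files": files,
        "present_at_root": [f for f in files if f in names],
    }


if __name__ == "__main__":
    # On the real disk: autorun_text = open(r"F:\autorun.inf", "rb").read().decode("latin-1")
    report = audit(SAMPLE_AUTORUN, ["autorun.inf", "XK2N.BAT", "Movies", "Backups"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

The output names every file the drive would have executed (here a single xk2n.bat reached through five different keys, with shell=Auto making the Auto verb the double-click default), which is the list to remove from the external disk along with the autorun.inf itself. This covers the drive side only; the Run/RunOnce registry entries the post refers to, and the System Restore copies, are separate items on the same checklist.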
