I'm running my computer on Windows XP SP2. I plugged in a pendrive that I got from my friend and my computer got infected. Explorer was shutting down, and even if I checked the "Show Hidden files and Folders" radio button in Tools->Folder Options, hidden files were not being shown. From My Computer, when I clicked on drives, they were being opened in a new Explorer window. I formatted my C: and reinstalled the OS. However, the problem has persisted. I installed AVAST and right now, it is giving me a "Malware Was FOUND" warning for mnl6on3.com for drives C, D, E, F, G, H (all my drives) as Malware name Win32:Rootkit-gen [Rtk] and classification Rootkit.
Sometimes, none of the drives open, and I have to browse to Windows Explorer using Open With. Yesterday, I was getting a Malware warning for klif.sys every time I tried to open C Drive. And Avast gave about 10 Malware warnings repeatedly for files in System Volume Information for all the drives.
Following the instructions given in this forum, I have installed Avast, CCleaner, SuperAntispyware, Malwarebytes Anti-Malware and HijackThis.
It appears I can enable Hidden folders now, but I still have to associate the drives with Windows Explorer using Open With every time I want to browse to it from My Computer.
ckvo is there in the startup.
SuperAntispyware and MBAM logs are attached.
[recovering disk space -- attachment deleted by admin]

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:02 PM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon NOTIFY: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-- End of file - 2941 bytes

Download Deckard's Association File Tool (DAFT) and save it to your desktop.
- Double-click the daft.exe icon. Read the disclaimer and click OK
- Click on the Scan button.
- If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
- Click the Fix button.
- Re-scan and save a logfile.
- By default, it will save as daft.txt
- Post the contents of that logfile in your next reply.
----------
Run this Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the Desktop.
----------
Let me know how things are now.

The content of the daft log:

DAFT Log saved on 2008-09-03 02:16:47
-----------------------------------------------------------------------
All associations okay!

Everything seems to be fine now. I deleted autorun files on each drive that were pointing to mnl6on3.com. Thanks a lot, Man!! Windows Explorer association is also okay now.

No problem, LOOKS like your associations got messed up somehow.
Here are a few things you MAY want to do.
Use the Secunia Software Inspector to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
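The drive-open hijack described in this thread (every drive carrying an autorun.inf whose handlers point at mnl6on3.com, so double-clicking a drive launched the file instead of opening it) can be checked for by reading the autorun.inf files rather than opening the drives. The script below is an added detection example, not a tool from the thread or from any of the posters: it parses autorun.inf and flags [autorun] handlers that would launch an executable. The sample autorun.inf is constructed to match the symptoms, and the drive list at the bottom is an assumption.

```python
"""Added example: report autorun.inf handlers that launch an executable (read-only)."""
import re
from pathlib import Path

# [autorun] keys that make Windows run something on insert or when a drive is opened.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command"}
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)

def parse_autorun(text):
    """Parse INI-style autorun.inf into {section: {key: value}}, case-folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a UTF-8 BOM
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def suspicious_entries(text):
    """Return [(key, value)] for launch keys whose value names an executable."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k.replace("/", "\\") in LAUNCH_KEYS and EXEC_EXT.search(v)]

def scan_drive_roots(roots):
    """Check each drive root for autorun.inf; Python reads hidden/system files too."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            report[str(inf)] = suspicious_entries(inf.read_text("latin-1", "replace"))
    return report
# Constructed sample modelled on the thread's symptoms, not a real capture.
SAMPLE = """[AutoRun]
open=mnl6on3.com
shell\\open\\Command=mnl6on3.com
shell\\explore\\Command=mnl6on3.com
shell=open
"""
if __name__ == "__main__":
    for key, value in suspicious_entries(SAMPLE):
        print(f"autorun handler {key} -> {value}")
    print(scan_drive_roots([f"{d}:\\" for d in "CDEFGH"]))  # drive list is an assumption
```

Keys such as label, icon or a bare shell=open are reported as harmless; only handlers that would execute a file are listed, so a legitimate installer CD with open=setup.exe shows up too and needs a human look.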