GRRRR I am gettin a virus every 10 seconds HELP!!!!

[Colby]

I keep getting this virus Thing

File name: c:docume~1\user\LOCAS~1\temp\BIT89F.tpm
Malewrae name : Win32:Zlober [Drp]
Type: Dropper
VPS Version 000780-2 10/11/2007

i have tryed deleting, moving/renaming, And Moving it to chest, And taking no action And It KEEPS Coming Back GRRRRR

[Lisandro]

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.

5. If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Panda.

6. Also, if you still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, specially, scan and submit to on-line analysis the RunScanner log would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

[Colby]

So far it working Thanks

[DavidR]

What would be helpful to others is what tools did you try and what results were found.
What was the malware name, the infected file/s name and where it was located, e.g. (C:\windows\system32\infected-file-name.xxx) ?

If malware is found, then if possible you should send samples to avast so that detections can be improved.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Welcome to the forums.

[GrahamE]

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

Ok, I'm sorry that I'm going off at a slight tangent here, but after your recommendation, I downloaded and installed this 'Windows Advanced Care' program.
It tells me that I have no infections, but that I should immunise about 34,000 items. Why? If so far, my security has held up okay, why do I need to immunise 34,000 (YES!! 34 THOUSAND!!) items??

Most importantly I feel, why, in regard to Startup items, is it telling me to remove startup entries for:

AVAST4/ASHDISP.EXE
ZoneAlarm
SpywareTerminator
ATI Graphics card

This is one weird program for you to be recommending!??!

[Colby]

Now i keep getting this weird background it says you privacy is in danger. If i click anything on my desktop(Link my computer) it opens a internet explorer window i can just click ctrl-alt-delete and end the iExplorer process or firefox depends on which one opens and it makes it go away for about 2 minutes

Heres the log you told me to post

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:39 AM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Panasonic\HPLSMAN\hplsman.exe
C:\Program Files\Panasonic\Disprot\IDRot.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\KGB\Mpk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\fpapli.exe
C:\Program Files\Panasonic\HPLSMAN\hplskey.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\WINDOWS\system32\Tprbtn.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Panasonic\DispRot\IDRot.exe
C:\Program Files\Panasonic\WRITING\Writing.exe
C:\Program Files\Panasonic\MEISKB\meiskb.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\user\Desktop\Programs\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Hotkey] C:\WINDOWS\system32\hkeyman.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [HPlsKey] C:\Program Files\Panasonic\HPLSMAN\hplskey.exe
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
O4 - HKCU\..\Run: [Mpk.exe] C:\Program Files\KGB\Mpk.exe
O4 - HKLM\..\Policies\Explorer\Run: [Mpk.exe] C:\Program Files\KGB\Mpk.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Display Rotation Tool.lnk = ?
O4 - Global Startup: Panasonic Hand Writing.lnk = ?
O4 - Global Startup: Software Keyboard.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {1FBFF001-4362-4532-AE8A-E9AF19C686A9} (FMAloader.FMAloaderctl) - http://10.5.10.10/FMA4/FMAloader.CAB
O16 - DPF: {29614A0D-8046-4476-A4E1-E2B430220C98} (Project1.ampSearch) - file://C:\fsms_data\nbwe\ampsearch.CAB
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - file://C:\fsms_data\nbwe\whip.cab
O20 - Winlogon Notify: HPLSNTF - C:\WINDOWS\SYSTEM32\HPLSNtf.dll
O21 - SSODL: sysdx - {9FB5DA97-7E67-440D-BF7C-AFFBA9F29055} - (no file)
O21 - SSODL: msmdev - {324AA5AB-4CD5-4901-B64A-31BC87C70627} - C:\WINDOWS\msmdev.dll
O21 - SSODL: msmhost - {65A968D6-46F6-4D2A-A7B1-1CD878F7C202} - C:\WINDOWS\msmhost.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7871 bytes

[mauserme]

Hi Colby.

The desktop problem is from a SmitFraud varient called Privacy Danger.  There is also CoolWebSearch and a couple trojans in your log.  You might want to print the following as there are several steps and you will not have an interent connection while working in safe mode.

Download Smitfraudfix from Here or Here.  Double-click smitfraudfix.exe, Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
 
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually).

Double-click smitfraudfix.exe, Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.  A reboot may be needed to finish the cleaning process.


To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.


Note:  process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm




Next, Download CWShredder Here to its own folder.

Update CWShredder

• Open CWShredder and click I AGREE
• Click Check For Update
• Close CWShredder

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder.  Click I Agree, then Fix and then Next, let it fix everything it asks about.  Reboot your computer into normal windows.




Now open HJT and click to Do a System Scan Only.  When complete place a check mark next to the following lines that are still present


O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O4 - HKLM\..\Run: [scroller] fpapli.exe
O16 - DPF: {29614A0D-8046-4476-A4E1-E2B430220C98} (Project1.ampSearch) - file://C:\fsms_data\nbwe\ampsearch.CAB
O21 - SSODL: sysdx - {9FB5DA97-7E67-440D-BF7C-AFFBA9F29055} - (no file)
O21 - SSODL: msmdev - {324AA5AB-4CD5-4901-B64A-31BC87C70627} - C:\WINDOWS\msmdev.dll
O21 - SSODL: msmhost - {65A968D6-46F6-4D2A-A7B1-1CD878F7C202} - C:\WINDOWS\msmhost.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Close all other windows, including your browser, and click Fix Checked



Download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\nsduo.dll
C:\Windows\system32\fpapli.exe
C:\WINDOWS\msmdev.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\privacy_danger\

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


After completing everything above, post the SmitFraudFix log, the OTMoveIt results, and a fresh HJT log.



Please note:  The following line must not be fixed in HJT

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

Doing so will kill your internet connection.

Please upload this file to Virus Total


c:\windows\system32\nwprovau.dll

[Colby]

Gone finally Thanks

[mauserme]

You're welcome 

But if you don't mind posting the logs so there are no surprises down the road ...

Oh, and the Virus Total results for c:\windows\system32\nwprovau.dll, just to play it safe.

[essexboy]

nwprovau.dll  Legit LSP MS Netware http://www.castlecops.com/LSPs.html

[mauserme]

Thanks Martin.

I was 99% sure its safe - I just hate leaving that 1% on an uncommon HJT entry.

[essexboy]

All part of the learning process, as time passes it does become easier and the bad boys jump out at you 

[mauserme]

... and the bad boys jump out at you 

My goal is to get them to jump right off the hard drive.  Am I expecting too much?

[Defender2]

Hello, i have the same problem, but instead of my pc, its my USB retractible memory.
The archive is called: "documentos de administrador"
I eliminate it, but then it comes back, the elimination process is the same as if it where the pc?

[Lisandro]

I eliminate it, but then it comes back, the elimination process is the same as if it where the pc?

Yes. The process is the same, just scanning the USB drive.
Also, follow the steps on #1 of this thread