Author Topic: move/rename?????


angela74

  • Guest
move/rename?????
« on: March 04, 2010, 04:41:44 PM »
I have had two problems detected on my computer within a week.  The first was a Trojan and now I have a HLLP-Vova 10.1-B malware virus.  It cannot put it in the chest and I don't know what it means by move/rename option.  Should I take my computer in?  I am noticing problems with the way it runs and I don't know what to do.

Please Help,
I make my living on the computer and I'm so stressed about this stuff,
Angela

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: move/rename?????
« Reply #1 on: March 04, 2010, 04:56:12 PM »
Hi angela -

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

THEN

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
    • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89218
  • No support PMs thanks
Re: move/rename?????
« Reply #2 on: March 04, 2010, 05:27:38 PM »
Quote from: angela74 on March 04, 2010, 04:41:44 PM
    I have had two problems detected on my computer within a week.  The first was a Trojan and now I have a HLLP-Vova 10.1-B malware virus.  It cannot put it in the chest and I don't know what it means by move/rename option.  Should I take my computer in?  I am noticing problems with the way it runs and I don't know what to do.

    Please Help,
    I make my living on the computer and I'm so stressed about this stuff,
    Angela

First, the move/rename option is in avast 4.8 and, considering as you say you make your living on the computer, I would suggest that you update to avast version 5.0, which provides additional improvements and protection over 4.8.

The actual move/rename option moves the file to the <avast4>\DATA\Moved folder and appends .vir to the file name.

What reason was given for not being able to move the file to the chest?
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

~~~~
You should most certainly take the actions suggested by essexboy.
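The move/rename mechanism DavidR describes (move the file into a Moved folder and append .vir) is a quarantine by renaming: the new extension has no file association, so a double-click no longer runs the file, and the move breaks any autostart entry that referenced the old path. The Python below is an example added here, not avast's code; the numbered suffix used when two quarantined files share a name and the ".origin" side-car note that records where a file came from are this example's own conventions, not anything avast documents.

```python
"""Quarantine-by-rename modelled on the avast 4.8 move/rename option described above.
Example code added to this thread, not avast's; the collision suffix and the
".origin" side-car are assumptions of this example."""
import shutil
import tempfile
from pathlib import Path

QUARANTINE_SUFFIX = ".vir"


def quarantine_name(quarantine_dir: Path, original: Path) -> Path:
    """Destination for `original` inside quarantine_dir: <name>.vir, or <name>.vir.1,
    <name>.vir.2, ... if that name is already taken, so two detections with the same
    file name never overwrite each other (assumed behaviour, not avast's documented one)."""
    base = quarantine_dir / (original.name + QUARANTINE_SUFFIX)
    candidate, n = base, 0
    while candidate.exists():
        n += 1
        candidate = base.with_name(f"{base.name}.{n}")
    return candidate


def move_rename(original, quarantine_dir) -> Path:
    """Move `original` into quarantine_dir under a .vir name and write a side-car note
    with its original path, so the file can be restored if the detection turns out
    to be a false positive. Returns the quarantined path."""
    original, quarantine_dir = Path(original), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    source = original.resolve()  # capture the origin before the file is moved
    dest = quarantine_name(quarantine_dir, original)
    shutil.move(str(original), str(dest))
    dest.with_name(dest.name + ".origin").write_text(str(source), encoding="utf-8")
    return dest


def restore(quarantined) -> Path:
    """Inverse operation: put the file back where the side-car says it came from."""
    quarantined = Path(quarantined)
    note = quarantined.with_name(quarantined.name + ".origin")
    target = Path(note.read_text(encoding="utf-8"))
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(quarantined), str(target))
    note.unlink()
    return target


def demo() -> list:
    """Constructed walk-through: quarantine two files with the same name and return
    the names they receive in the Moved folder."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        names = []
        for _ in range(2):
            sample = tmp / "WINDOWS" / "infected-file-name.xxx"  # constructed sample file
            sample.parent.mkdir(exist_ok=True)
            sample.write_bytes(b"harmless bytes constructed for the demo")
            names.append(move_rename(sample, tmp / "DATA" / "Moved").name)
        return names


def roundtrip() -> tuple:
    """Quarantine a constructed file, then restore it; returns
    (gone_after_move, back_after_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.exe"
        sample.write_bytes(b"constructed")
        q = move_rename(sample, Path(tmp) / "Moved")
        gone = q.exists() and not sample.exists()
        restore(q)
        return gone, sample.exists() and not q.exists()


if __name__ == "__main__":
    print(demo())       # ['infected-file-name.xxx.vir', 'infected-file-name.xxx.vir.1']
    print(roundtrip())  # (True, True)
```

Renaming only neutralises a file that is not currently in use: a process that is already running, or a driver that is already loaded, keeps working from memory, and the file may be locked so the move fails. That is why the OTS fix later in this thread stops all processes before removing files, and why a log of what was moved, with the original paths, matters if a restore is needed.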

angela74
Re: move/rename?????
« Reply #3 on: March 04, 2010, 10:03:46 PM »
Thank You Essex Boy!
Here is what I was told after I ran the quick scan with Malwarebytes' Anti-Malware 1.44:

"Malwarebytes' Anti-Malware 1.44
Database version: 3825
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

3/4/2010 12:51:16 PM
mbam-log-2010-03-04 (12-51-16).txt

Scan type: Quick Scan
Objects scanned: 120550
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)"

I hope this is true but I am hesitant to believe that I have no viruses because this is an ongoing prob.  About a week ago my comp started to act weird so I did a full scan with Avast 4.8.  I found that I failed to initially turn on my resident protection and that the full scan discovered a HLLP-VOVA 10.1-B on my C:/WINDOWS folder.  I put it in the chest (whatever that means) and did a system restore.  I was still worried because I'm so ignorant on this topic.  I then found this latest problem that I posted about earlier.  I'm confused and worried.  :-\  After looking again at the virus name I discovered that it is possibly the same virus that has not been repaired or removed correctly.  So Sad.
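The log above is in the Malwarebytes 1.x text format: a header, one summary counter per category ("Files Infected: 0"), then one section per category listing the items or "(No malicious items detected)". When helpers triage such logs the two things worth checking mechanically are whether every counter is zero and whether the counters agree with the listed items, because a mismatch means the paste was cut short. The parser below is an example added here, not Malwarebytes code; the second log, with two detections, is constructed for the demo and its paths and threat names are made up.

```python
"""Parse and triage Malwarebytes 1.x scan logs. Example code added to this thread,
not Malwarebytes'; DETECTION_LOG below is constructed, CLEAN_LOG is from the post."""
import re

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return header fields, the summary counters and the items listed per section.
    Tolerates the whole log being pasted inside quotation marks, as in the post."""
    report = {"header": {}, "counts": {}, "items": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip().strip('"').strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            report["header"][m.group(1)] = m.group(2)
        elif m := SUMMARY_RE.match(line):          # "Files Infected: 0"
            report["counts"][m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):          # "Files Infected:" (section start)
            section = m.group(1)
            report["items"][section] = []
        elif section is not None and line != NO_ITEMS:
            report["items"][section].append(line)  # one detected item
    return report


def is_clean(report):
    """True only when every counter is zero and no section lists an item."""
    return not any(report["counts"].values()) and not any(report["items"].values())


def consistency_problems(report):
    """Counters must match what the sections list; a mismatch usually means the
    paste was truncated and the full log should be requested again."""
    problems = []
    for what, count in report["counts"].items():
        listed = len(report["items"].get(what, []))
        if listed != count:
            problems.append(f"{what}: summary says {count}, {listed} listed")
    return problems


def triage(text) -> str:
    report = parse_mbam_log(text)
    if consistency_problems(report):
        return "incomplete log, ask for a full re-paste"
    return "clean" if is_clean(report) else "detections present"


# Log as posted above (Reply #3); OS/IE/date header lines the parser ignores are omitted.
CLEAN_LOG = """
"Malwarebytes' Anti-Malware 1.44
Database version: 3825
Scan type: Quick Scan
Objects scanned: 120550
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)"
"""

# Constructed log in the same format with two detections; names and paths are made up.
DETECTION_LOG_BODY = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3825
Scan type: Quick Scan

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000} (Adware.Constructed) -> Quarantined and deleted successfully.
Files Infected:
"""
FILE_ITEM = r"C:\Windows\system32\constructed-sample.dll (Trojan.Constructed) -> Quarantined and deleted successfully."
DETECTION_LOG = DETECTION_LOG_BODY + FILE_ITEM
TRUNCATED_LOG = DETECTION_LOG_BODY  # same counters, but the file line was lost in the paste

if __name__ == "__main__":
    for name, log in [("clean", CLEAN_LOG), ("detections", DETECTION_LOG), ("truncated", TRUNCATED_LOG)]:
        print(name, "->", triage(log))
```

A clean MBAM quick scan is evidence, not proof: the quick scan covers common persistence locations and running memory, which is why essexboy moves on to OTS (a broader system inventory) rather than closing the thread on this log.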

Offline essexboy
Re: move/rename?????
« Reply #4 on: March 04, 2010, 10:25:15 PM »
If you could run the OTS scan now Angela, I will see what that reveals.

angela74
Re: move/rename?????
« Reply #5 on: March 04, 2010, 11:26:56 PM »
Attached is the text file that was the result of the OTS scan.

angela74
Re: move/rename?????
« Reply #6 on: March 04, 2010, 11:27:25 PM »
And here is the second one.

Offline essexboy
Re: move/rename?????
« Reply #7 on: March 04, 2010, 11:41:32 PM »
Just a few minor elements there - what problems do you have now?

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - All]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

angela74
Re: move/rename?????
« Reply #8 on: March 09, 2010, 06:14:37 PM »
Hey EssexBoy,
I ran the fix you suggested and I am attaching the file that was the output.  I had to do it twice because the first time I pressed the run fix button my computer stopped working and the operating system disappeared and all my icons and stuff went away.  Basically the screen was blank.  The second time I did it, it seemed to work fine.

Also a couple days ago my comp crashed and when I went to restart it I got a screen telling me that my computer was unable to start.  The computer suggested something and after having to unplug it a couple times it started up.  I've also been getting lots of popups.

Offline essexboy
Re: move/rename?????
« Reply #9 on: March 09, 2010, 08:36:07 PM »
Sorry, should have said the fix stopped all processes on your system to remove files - that is why the screen went blank.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

angela74
Re: move/rename?????
« Reply #10 on: March 18, 2010, 07:11:09 AM »
Sorry it's taken so long to do this.  Attached is the combofix log.

Offline essexboy
Re: move/rename?????
« Reply #11 on: March 18, 2010, 09:16:46 PM »
That looks good - what problems do you have now?

angela74
Re: move/rename?????
« Reply #12 on: March 19, 2010, 04:19:28 AM »
Well I don't know exactly when, in this process, it happened but my machine started to act more normal.  My scans started to come up clean again and everything seemed fine.  The only thing that has persisted throughout is that I see outlines of pull down menus and forms after they have been closed.  But they only linger for a moment.  I just thought that my computer was generally slow.  The thing that made me post again was that I got this weird pop up telling me that I have a virus and asking to scan my computer.  I never used to get pop ups.  I don't know why I have them so frequently now since I didn't change any settings.  Anyway, is there a definitive way to tell if you're infected?  To answer you more directly, it's running slow, getting pop ups, and that lingering outline thing.

Offline essexboy
Re: move/rename?????
« Reply #13 on: March 19, 2010, 08:38:42 PM »
OK, that has directed me into a slightly different area - first I need you to make some changes on your system.

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet Explorer

And for Firefox there are instructions on this page, and you want the setting to be no proxy.

THEN

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive
  • Reboot your computer
  • Please post the contents of that log

angela74
Re: move/rename?????
« Reply #14 on: March 21, 2010, 04:55:50 PM »
I ran it twice because I think I missed a step the first time.

The first one:
14:01:46:275 5824   TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
14:01:46:276 5824   ================================================================================
14:01:46:276 5824   SystemInfo:

14:01:46:276 5824   OS Version: 6.0.6002 ServicePack: 2.0
14:01:46:276 5824   Product type: Workstation
14:01:46:276 5824   ComputerName: HANSENS-PC
14:01:46:278 5824   UserName: hansens
14:01:46:278 5824   Windows directory: C:\Windows
14:01:46:278 5824   Processor architecture: Intel x86
14:01:46:278 5824   Number of processors: 2
14:01:46:278 5824   Page size: 0x1000
14:01:46:284 5824   Boot type: Normal boot
14:01:46:284 5824   ================================================================================
14:01:46:411 5824   UnloadDriverW: NtUnloadDriver error 2
14:01:46:411 5824   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:02:04:170 5824   wfopen_ex: Trying to open file C:\Windows\system32\config\system
14:02:04:171 5824   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:02:04:171 5824   wfopen_ex: Trying to KLMD file open
14:02:04:171 5824   wfopen_ex: File opened ok (Flags 2)
14:02:04:181 5824   wfopen_ex: Trying to open file C:\Windows\system32\config\software
14:02:04:181 5824   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:02:04:181 5824   wfopen_ex: Trying to KLMD file open
14:02:04:181 5824   wfopen_ex: File opened ok (Flags 2)
14:02:04:181 5824   Initialize success
14:02:04:181 5824   
14:02:04:182 5824   Scanning   Services ...
14:02:05:174 5824   GetAdvancedServicesInfo: Raw services enum returned 448 services
14:02:05:430 5824   
14:02:05:430 5824   Scanning   Kernel memory ...
14:02:05:431 5824   Devices to scan: 1
14:02:05:431 5824   
14:02:05:431 5824   Driver Name: nvstor32
14:02:05:431 5824   IRP_MJ_CREATE                      : 8078360A
14:02:05:431 5824   IRP_MJ_CREATE_NAMED_PIPE           : 81E67A22
14:02:05:431 5824   IRP_MJ_CLOSE                       : 80783565
14:02:05:431 5824   IRP_MJ_READ                        : 81E67A22
14:02:05:431 5824   IRP_MJ_WRITE                       : 81E67A22
14:02:05:431 5824   IRP_MJ_QUERY_INFORMATION           : 81E67A22
14:02:05:431 5824   IRP_MJ_SET_INFORMATION             : 81E67A22
14:02:05:431 5824   IRP_MJ_QUERY_EA                    : 81E67A22
14:02:05:431 5824   IRP_MJ_SET_EA                      : 81E67A22
14:02:05:431 5824   IRP_MJ_FLUSH_BUFFERS               : 81E67A22
14:02:05:431 5824   IRP_MJ_QUERY_VOLUME_INFORMATION    : 81E67A22
14:02:05:431 5824   IRP_MJ_SET_VOLUME_INFORMATION      : 81E67A22
14:02:05:431 5824   IRP_MJ_DIRECTORY_CONTROL           : 81E67A22
14:02:05:431 5824   IRP_MJ_FILE_SYSTEM_CONTROL         : 81E67A22
14:02:05:432 5824   IRP_MJ_DEVICE_CONTROL              : 807836CB
14:02:05:432 5824   IRP_MJ_INTERNAL_DEVICE_CONTROL     : 80752EE3
14:02:05:432 5824   IRP_MJ_SHUTDOWN                    : 81E67A22
14:02:05:432 5824   IRP_MJ_LOCK_CONTROL                : 81E67A22
14:02:05:432 5824   IRP_MJ_CLEANUP                     : 81E67A22
14:02:05:432 5824   IRP_MJ_CREATE_MAILSLOT             : 81E67A22
14:02:05:432 5824   IRP_MJ_QUERY_SECURITY              : 81E67A22
14:02:05:432 5824   IRP_MJ_SET_SECURITY                : 81E67A22
14:02:05:432 5824   IRP_MJ_POWER                       : 8075888F
14:02:05:432 5824   IRP_MJ_SYSTEM_CONTROL              : 807838FE
14:02:05:432 5824   IRP_MJ_DEVICE_CHANGE               : 81E67A22
14:02:05:432 5824   IRP_MJ_QUERY_QUOTA                 : 81E67A22
14:02:05:432 5824   IRP_MJ_SET_QUOTA                   : 81E67A22
14:02:05:457 5824   C:\Windows\system32\drivers\nvstor32.sys - Verdict: 1
14:02:05:458 5824   
14:02:05:458 5824   Completed
14:02:05:458 5824   
14:02:05:459 5824   Results:
14:02:05:459 5824   Memory objects infected / cured / cured on reboot:   0 / 0 / 0
14:02:05:460 5824   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
14:02:05:460 5824   File objects infected / cured / cured on reboot:   0 / 0 / 0
14:02:05:460 5824   
14:02:05:461 5824   fclose_ex: Trying to close file C:\Windows\system32\config\system
14:02:05:461 5824   fclose_ex: Trying to close file C:\Windows\system32\config\software
14:02:05:463 5824   KLMD(ARK) unloaded successfully
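The "Kernel memory" section of the TDSSKiller log above dumps the IRP dispatch table of the storage miniport driver the system disk hangs off (here nvstor32), because the TDSS family hooked exactly that table to hide its on-disk components. Reading such a table by hand is tedious, so the Python below, an example added here and not Kaspersky's code, parses the log into the per-driver dispatch table, the file verdict and the final counters, and groups the handlers by address. The only interpretation it applies is general driver knowledge: entries a driver does not implement all point at one shared I/O-manager default routine, so the most common address is that default and the remaining entries are the IRPs the driver (or whatever patched it) actually services. Whether those addresses lie inside the driver's own image cannot be told from the log alone, and the numeric meaning of "Verdict" is not documented on this page, so both are reported as-is. The embedded sample is the excerpt from the post.

```python
"""Parse a TDSSKiller 2.x log and summarise the IRP dispatch table it reports.
Example code added to this thread, not Kaspersky's; SAMPLE_LOG is the excerpt
from the post above."""
import re
from collections import Counter

PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*")   # "14:02:05:431 5824   "
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\d+)$")
RESULT_RE = re.compile(
    r"^(Memory|Registry|File) objects infected / cured / cured on reboot:\s*(\d+) / (\d+) / (\d+)$")


def parse_tdsskiller_log(text):
    """Return {'drivers': [{name, dispatch, file, verdict}, ...], 'results': {...}}.
    Every log line starts with a time stamp and process id, stripped by PREFIX_RE."""
    report = {"drivers": [], "results": {}}
    current = None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw.strip()).strip()
        if not line:
            continue
        if m := DRIVER_RE.match(line):
            current = {"name": m.group(1), "dispatch": {}, "file": None, "verdict": None}
            report["drivers"].append(current)
        elif (m := IRP_RE.match(line)) and current is not None:
            current["dispatch"][m.group(1)] = m.group(2).upper()
        elif (m := VERDICT_RE.match(line)) and current is not None:
            current["file"], current["verdict"] = m.group(1), int(m.group(2))
        elif m := RESULT_RE.match(line):
            report["results"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return report


def dispatch_summary(driver):
    """Group the dispatch table by handler address: the most common address is the
    shared default ('not implemented') handler, the rest are the IRPs this driver
    really services. Image ranges are not in the log, so no hook verdict is made."""
    by_addr = Counter(driver["dispatch"].values())
    default_addr, default_count = by_addr.most_common(1)[0]
    implemented = {irp: addr for irp, addr in driver["dispatch"].items() if addr != default_addr}
    return {"default_handler": default_addr, "default_count": default_count, "implemented": implemented}


def infected_total(report):
    """Sum of the 'infected' column over the memory, registry and file result lines."""
    return sum(v[0] for v in report["results"].values())


# Excerpt of the log posted above (Reply #14): kernel-memory section and results.
SAMPLE_LOG = r"""
14:02:05:431 5824   Driver Name: nvstor32
14:02:05:431 5824   IRP_MJ_CREATE                      : 8078360A
14:02:05:431 5824   IRP_MJ_CREATE_NAMED_PIPE           : 81E67A22
14:02:05:431 5824   IRP_MJ_CLOSE                       : 80783565
14:02:05:431 5824   IRP_MJ_READ                        : 81E67A22
14:02:05:431 5824   IRP_MJ_WRITE                       : 81E67A22
14:02:05:431 5824   IRP_MJ_QUERY_INFORMATION           : 81E67A22
14:02:05:431 5824   IRP_MJ_SET_INFORMATION             : 81E67A22
14:02:05:431 5824   IRP_MJ_QUERY_EA                    : 81E67A22
14:02:05:431 5824   IRP_MJ_SET_EA                      : 81E67A22
14:02:05:431 5824   IRP_MJ_FLUSH_BUFFERS               : 81E67A22
14:02:05:431 5824   IRP_MJ_QUERY_VOLUME_INFORMATION    : 81E67A22
14:02:05:431 5824   IRP_MJ_SET_VOLUME_INFORMATION      : 81E67A22
14:02:05:431 5824   IRP_MJ_DIRECTORY_CONTROL           : 81E67A22
14:02:05:431 5824   IRP_MJ_FILE_SYSTEM_CONTROL         : 81E67A22
14:02:05:432 5824   IRP_MJ_DEVICE_CONTROL              : 807836CB
14:02:05:432 5824   IRP_MJ_INTERNAL_DEVICE_CONTROL     : 80752EE3
14:02:05:432 5824   IRP_MJ_SHUTDOWN                    : 81E67A22
14:02:05:432 5824   IRP_MJ_LOCK_CONTROL                : 81E67A22
14:02:05:432 5824   IRP_MJ_CLEANUP                     : 81E67A22
14:02:05:432 5824   IRP_MJ_CREATE_MAILSLOT             : 81E67A22
14:02:05:432 5824   IRP_MJ_QUERY_SECURITY              : 81E67A22
14:02:05:432 5824   IRP_MJ_SET_SECURITY                : 81E67A22
14:02:05:432 5824   IRP_MJ_POWER                       : 8075888F
14:02:05:432 5824   IRP_MJ_SYSTEM_CONTROL              : 807838FE
14:02:05:432 5824   IRP_MJ_DEVICE_CHANGE               : 81E67A22
14:02:05:432 5824   IRP_MJ_QUERY_QUOTA                 : 81E67A22
14:02:05:432 5824   IRP_MJ_SET_QUOTA                   : 81E67A22
14:02:05:457 5824   C:\Windows\system32\drivers\nvstor32.sys - Verdict: 1
14:02:05:459 5824   Results:
14:02:05:459 5824   Memory objects infected / cured / cured on reboot:   0 / 0 / 0
14:02:05:460 5824   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
14:02:05:460 5824   File objects infected / cured / cured on reboot:   0 / 0 / 0
"""

if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for drv in rep["drivers"]:
        print(drv["name"], drv["file"], "verdict", drv["verdict"])
        print(dispatch_summary(drv))
    print("infected objects:", infected_total(rep))
```

On the posted log the summary comes out as 21 entries on the shared default handler and six implemented IRPs (CREATE, CLOSE, DEVICE_CONTROL, INTERNAL_DEVICE_CONTROL, POWER, SYSTEM_CONTROL), which is the shape expected of a storage miniport; the zero counters are what essexboy is checking when he asks for the log.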