Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

JS/fraud.NAB - Win32/agent FQRCZBA -Troj/JavaDI-V - ClsLdr-x

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

JS/fraud.NAB - Win32/agent FQRCZBA -Troj/JavaDI-V - ClsLdr-x

Unread postby oien » November 24th, 2010, 6:49 pm

Please HELP :cry:

I have tried to get rid of this on my desktop for two weeks now. The main problem: Screen (and mouse) shuts down on startup. Earlier the screen shut down during gaming etc. Start meny disapeared one time.

Only way to start the computer now is safe mode (after using the Vista CD). The Vista CD do not report malfunctioning when checking start-up. Problem fixed for a while during my 2 weeks of nightmare when using System Restore, but the problem kept coming back, sometimes after several days. The Nvidia software keeps unistalling itself. It was running fine for a while when I disabled the secondary screen in the software (TV).

Have tried numerous Antivirus scanners. If I remember correctly, my problems started when I switched from AVAST (free Edition) to Microsoft Essentials. I have now bought WEBROOT now.

ESET online scanner finds JS/fraud.NAB and Win32/agent FQRCZBA.
WEBROOT finds Troj/JavaDI-V - ClsLdr-x

I have disabled my external harddrive now as I suspected it was infected.


Here is my system info and log.


##### System Information #####

OS: Windows Vista (TM) Home Premium Service Pack 2 (6.00.6002)
DirectX: 9.0c
CPU name: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+
CPU speed: 2500MHz
Memory: 2048MB
Screen size: 1280x1024 (32bits)
Video card: Nvidia 9500GT




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:11:30, on 24.11.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://radarsync.netvibes.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Påloggingshjelp for Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll
O2 - BHO: WRCommonBHO - {D93EC24D-8741-4D41-B83D-A5793B998416} - C:\Program Files\Webroot\Security\current\plugins\browserextension\WebrootBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
O4 - HKLM\..\Run: [WPCUMI] "C:\Windows\system32\WpcUmi.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [WebrootTrayApp] "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
O4 - HKCU\..\Run: [Anonymizer Universal] C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe /hide
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')
O4 - Global Startup: SetPointII.lnk = ?
O9 - Extra button: Blogg dette - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogg dette i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - http://srtest-cdn.systemrequirementslab ... detect.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/ ... 0773474683
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0773414189
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5224867714
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/stati ... 0.27.0.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36243CB9-1FCB-4C0C-B7E5-BA3A4E6FD235}: NameServer = 10.9.8.7 10.9.8.7
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 6875 bytes




Hi, here is my startup log as I see you ask for it a lot:

StartupList report, 24.11.2010, 10:28:19
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HiJackThis\HiJackThis.EXE
Detected: Windows Vista SP2 (WinNT 6.00.1906)
Detected: Internet Explorer v8.00 (8.00.6001.18975)
* Using default options
==================================================

Running processes:

C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
SetPointII.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Kernel and Hardware Abstraction Layer = "KHALMNPR.EXE"
WPCUMI = "C:\Windows\system32\WpcUmi.exe"
WebrootTrayApp = "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
Windows Defender = %ProgramFiles%\Windows Defender\MSASCui.exe -hide

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Malwarebytes' Anti-Malware = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sidebar = "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
VistaStartMenu = "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
Anonymizer Universal = C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe /hide

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\Windows\system32\Transparent Language.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
Webroot Browser Helper Object - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504}
WRCommonBHO - C:\Program Files\Webroot\Security\current\plugins\browserextension\WebrootBHO.dll - {D93EC24D-8741-4D41-B83D-A5793B998416}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Anonymizer Universal Updates.job
GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job

--------------------------------------------------

Enumerating Download Program Files:

[CabBuilder]
CODEBASE = http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
OSD = C:\Windows\Downloaded Program Files\OSDC5.OSD

[Facebook Photo Uploader 5 Control]
InProcServer32 = C:\Windows\Downloaded Program Files\PhotoUploader5.ocx
CODEBASE = http://upload.facebook.com/controls/200 ... oader5.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\Windows\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/ ... ontrol.cab

[{40F576AD-8680-4F9E-9490-99D069CD665F}]
CODEBASE = http://srtest-cdn.systemrequirementslab ... detect.cab

[DLM Control]
InProcServer32 = C:\Windows\DOWNLO~1\DownloadManagerV2.ocx
CODEBASE = http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab

[MUCatalogWebControl Class]
InProcServer32 = C:\Windows\system32\MicrosoftUpdateCatalogWebControl.dll
CODEBASE = http://catalog.update.microsoft.com/v7/ ... 0773474683

[WUWebControl Class]
InProcServer32 = C:\Windows\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windows ... 0773414189

[MUWebControl Class]
InProcServer32 = C:\Windows\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/microso ... 5224867714

[{7530BFB8-7293-4D34-9923-61A11451AFC5}]
CODEBASE = http://download.eset.com/special/eos/OnlineScanner.cab

[Battlefield Heroes Updater]
InProcServer32 = C:\Windows\Downloaded Program Files\BFHUpdater.dll
CODEBASE = https://www.battlefieldheroes.com/stati ... 0.27.0.cab

[WebSDev Control]
InProcServer32 = C:\PROGRA~1\MSI\MSIWDev\WebSDev.ocx
CODEBASE = http://liveupdate.msi.com.tw/autobios/L ... nstall.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/fl ... rashim.cab

[Shockwave Flash Object]
InProcServer32 = C:\Windows\system32\Macromed\Flash\Flash10l.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/s ... wflash.cab

[{E2883E8F-472F-4FB0-9522-AC9BF37916A7}]
CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
NameSpace #4: C:\Windows\system32\pnrpnsp.dll
NameSpace #5: C:\Windows\system32\wshbth.dll
Protocol #1: C:\Windows\system32\wpclsp.dll
Protocol #2: C:\Windows\system32\wpclsp.dll
Protocol #3: C:\Windows\system32\wpclsp.dll
Protocol #4: C:\Windows\system32\wpclsp.dll
Protocol #5: C:\Windows\system32\wpclsp.dll
Protocol #6: C:\Windows\system32\wpclsp.dll
Protocol #7: C:\Windows\system32\wpclsp.dll
Protocol #8: C:\Windows\system32\wpclsp.dll
Protocol #20: C:\Windows\system32\wpclsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\System32\webcheck.dll

--------------------------------------------------
End of report, 7 777 bytes
Report generated in 0,031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
oien
Active Member
 
Posts: 5
Joined: November 24th, 2010, 3:18 am
Advertisement
Register to Remove

Re: JS/fraud.NAB - Win32/agent FQRCZBA -Troj/JavaDI-V - ClsL

Unread postby MWR 3 day Mod » November 28th, 2010, 12:50 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: JS/fraud.NAB - Win32/agent FQRCZBA -Troj/JavaDI-V - ClsL

Unread postby Airscape » November 28th, 2010, 2:15 pm

Hello and welcome to the forum.
My name is Airscape and I'll be helping you with your malware issues.
The logs can take a while to research. Please be patient with me.

Take note of the following before we begin.
  • Post to this thread only and please stick to it until I say your pc is clean.
  • The instructions I give are for This computer only and should not be used on any other pc.
  • Do NOT run any tools/scans unless I instruct you to.
  • Try not to install/uninstall any programs while we work. This will add extra time researching your logs.
  • If you have found assistance elsewhere and no longer require our help, please say so, and this topic will be closed.
  • If you have any problems, please stop and ask before proceeding with any fixes.
  • ALL USERS OF THIS FORUM MUST READ THIS FIRST

Note: As I'm still in training, everything I post must be checked by a teacher first. So there may be a slight delay in between posts.

Important:
Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any important files and folders (to a cd/dvd) that you don't want to lose before we start.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: JS/fraud.NAB - Win32/agent FQRCZBA -Troj/JavaDI-V - ClsL

Unread postby oien » November 30th, 2010, 1:45 pm

6 days and no help. I give up. Formatting.....
oien
Active Member
 
Posts: 5
Joined: November 24th, 2010, 3:18 am

Re: JS/fraud.NAB - Win32/agent FQRCZBA -Troj/JavaDI-V - ClsL

Unread postby NonSuch » November 30th, 2010, 4:22 pm

As the original poster has stated that this issue will be resolved with a reformat, this topic will now be closed.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 484 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware