Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

My computer has become infected with Manson/Liser

Re: My computer has become infected with Manson/Liser

Post by jinr » July 10th, 2009, 4:46 pm

I tried deleting kthn.exe, it asked me 'Are you sure you want to delete C:\windows\system32\kthn.exe\*' ? To which I replied 'Y'.

Then I tried ren C:\WINDOWS\explorer.exe C:\WINDOWS\explorer.old

This didn't work - it said invalid parameter. But then I looked under the help for 'ren' and found this:

Renames a file or files.

RENAME [drive:][path]filename1 filename2.
REN [drive:][path]filename1 filename2.

Note that you cannot specify a new drive or path for your destination file.

So what I did instead was CD into the windows directory, and ran ren explorer.exe explorer.old, CD back into C:\, then I ran the copy command to replace it. I did the same thing for the other files (Except I did it from C:\WINDOWS\system32\) and it seemed to work. I _think_ this had the same effect as what you asked me to do, but I'm not sure.

I rebooted the computer and scanned:



Avira AntiVir Personal
Report file date: Friday, July 10, 2009 15:45

Scanning for 1448372 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : 1ECA66A679AB494

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 14:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 01:29:46
ANTIVIR2.VDF : 7.1.4.173 306688 Bytes 7/2/2009 01:29:49
ANTIVIR3.VDF : 7.1.4.182 52224 Bytes 7/5/2009 01:29:50
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 16:52:04
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/6/2009 01:30:05
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 16:02:01
AERDL.DLL : 8.1.2.2 438642 Bytes 7/6/2009 01:30:04
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 21:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/6/2009 01:30:01
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/6/2009 01:30:00
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/6/2009 01:29:52
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/6/2009 01:29:51
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 21:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, July 10, 2009 15:45

Starting search for hidden objects.
'53848' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'veohwebplayer.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
35 processes with 35 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP357.tmp\aspapp\ocpinst.exe
[0] Archive type: NSIS
--> [UnknownDir]
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\MSN Messenger\msimg32.dll
[DETECTION] Contains recognition pattern of the ADSPY/FunWeb adware or spyware
C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\dcduasm.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Jennifer.exe.vir
[DETECTION] Is the TR/Rabbit.JU Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmnuemwpejjuxeir.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmwjjnfrwhbmxfmx.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpypiqqowksgvxdk.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrpmiqtdyxgsfkwh.dll.vir
[DETECTION] Is the TR/TDss.aebu Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\uactmp.db.vir
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwrkjxmjafxneirv.dll.vir
[DETECTION] Is the TR/TDss.adzz Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACawviwewbsbxjccv.sys.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101425.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101430.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101432.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.HMI Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148901.sys
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148902.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148903.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148904.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148905.dll
[DETECTION] Is the TR/TDss.adzz Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148906.dll
[DETECTION] Is the TR/TDss.aebu Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148936.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148937.exe
[DETECTION] Is the TR/Rabbit.JU Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148946.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148947.sys
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0149089.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0149090.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP791\A0149178.exe
[DETECTION] Is the TR/Agent.1436664 Trojan
C:\WINDOWS\explorer.old
[DETECTION] Is the TR/Patched.AA.522 Trojan
C:\WINDOWS\system32\lsass.old
[DETECTION] Is the TR/Patched.Gen Trojan
C:\WINDOWS\system32\services.old
[DETECTION] Is the TR/Patched.Gen Trojan
C:\WINDOWS\system32\winlogon.old
[DETECTION] Is the TR/Patched.AA.546 Trojan

Beginning disinfection:
C:\Program Files\MSN Messenger\msimg32.dll
[DETECTION] Contains recognition pattern of the ADSPY/FunWeb adware or spyware
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\dcduasm.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Jennifer.exe.vir
[DETECTION] Is the TR/Rabbit.JU Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmnuemwpejjuxeir.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmwjjnfrwhbmxfmx.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpypiqqowksgvxdk.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrpmiqtdyxgsfkwh.dll.vir
[DETECTION] Is the TR/TDss.aebu Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\uactmp.db.vir
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwrkjxmjafxneirv.dll.vir
[DETECTION] Is the TR/TDss.adzz Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACawviwewbsbxjccv.sys.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101425.exe
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101430.exe
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101432.exe
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148901.sys
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148902.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148903.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148904.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148905.dll
[DETECTION] Is the TR/TDss.adzz Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148906.dll
[DETECTION] Is the TR/TDss.aebu Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148936.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148937.exe
[DETECTION] Is the TR/Rabbit.JU Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148946.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148947.sys
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0149089.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0149090.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP791\A0149178.exe
[DETECTION] Is the TR/Agent.1436664 Trojan
[WARNING] The file was ignored!
C:\WINDOWS\explorer.old
[DETECTION] Is the TR/Patched.AA.522 Trojan
[WARNING] The file was ignored!
C:\WINDOWS\system32\lsass.old
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
C:\WINDOWS\system32\services.old
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
C:\WINDOWS\system32\winlogon.old
[DETECTION] Is the TR/Patched.AA.546 Trojan
[WARNING] The file was ignored!


End of the scan: Friday, July 10, 2009 16:34
Used time: 48:21 Minute(s)

The scan has been done completely.

6702 Scanned directories
375742 Files were scanned
31 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
375708 Files not concerned
9303 Archives were scanned
36 Warnings
3 Notes
53848 Objects were scanned with rootkit scan
0 Hidden objects were found
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Post by Wingman » July 12th, 2009, 8:10 am

Hi jinr,
You did a good job with the files. I'll keep the information you provided, for future Recovery Console functions.
There is a MSN Messenger file flagged as being infected. I would like you to uninstall MSN Messenger. I do not see this listed in the Add/Remove Programs list so it may be an old leftover version, before you installed Windows Live Messenger.
The other files referenced are located in a folder ComboFix creates (Qoobox) to place the files it removes and the System Volume Information references are old (SRPs) System Restore Points.
We will take care of these files as well.

Please perform the following steps:

Step 1.
Add/Remove Programs
Please try to locate MSN Messenger on your Start Menu... see if there is an Uninstall option available. If there is no Start Menu item for MSN Messenger or no Add/Remove Programs entry, then it's probably a leftover.. as it looks like you have or have had, Messenger, MSN Messenger and Windows Live Messenger installed at one time or another.
It's the MSN Messenger folder that contains the "infected" file.
Windows Live Messenger is the most current offering of this MS product... so please remove the MSN Messenger program.

Step 2.
ComboFix - Cleanup
  1. Click Start...select Run from the menu.
  2. Copy and paste the following into the text entry box:
    Combofix /u
  3. Click the OK button. (See image below as reference.)
Image

Step 3.
Create a new - clean SRP (System Restore Point)
Let's create a new, clean SRP and remove any old entries that may possibly be compromised.
Create a new SRP
  1. Go to Start > All Programs > Accessories > System Tools > System Restore
  2. Select Create a restore point... then press the Next...button.
  3. Type a name for the new SRP... like All Clean... then press the Create... button.
  4. When finished... press the Close...button.
    Now you have a good clean SRP that can be used, if needed.
Remove old SRP entries
  1. Now... Go to Start > Run... type in: cleanmgr...press the OK...button.
    The Disk Cleanup window will show it is "calculating" the amount of space saved by compressing old files. This could take a few seconds, to minutes.
  2. When available... select the More Options... tab.
    In the System Restore section... at the bottom of the window...
  3. Press the Clean up...button. Reply Yes to the "Are you sure you want to delete all but the most recent restore point?" prompt.
  4. Press the X to close and exit.
    All existing restore points will be deleted... except the new one you just created.

Step 4.
Please run the full Avira scan again... as you did earlier. Post the scan results in your next reply.

Step 5.
Post a New HJT Log
  1. Start HijackThis.
    If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  2. From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
    When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

Step 6.
Please include in your next reply:
  1. Any problems executing these instructions.
  2. New Avira scan results
  3. New HJT log
  4. How is your computer behaving
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
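The triage Wingman applies above (hits under ComboFix's Qoobox quarantine folder and inside System Volume Information restore points are inert leftovers, while a file like the MSN Messenger DLL is still live) can be made mechanical. The following Python script is an added example for this page, not code from MalwareRemoval.com, ComboFix or Avira: it reads the file-scan section of an Avira AntiVir report, attaches each [DETECTION] line to the path above it (including archive members announced with "-->"), and sorts every hit into a bucket that says whether the file can still execute. The bucket names, the path rules (including treating the user's renamed .old copies as a separate class) and the excerpt it runs on, which is modelled on the log posted earlier in the thread, are all constructed for this example.

```python
"""Bucket Avira AntiVir report detections by where the flagged file lives.

Added example for this thread (not Avira's or MalwareRemoval.com's code).
Buckets: quarantine (ComboFix's Qoobox), restore_point (System Volume
Information), renamed_backup (.old copies of patched system files), active
(everything else). The rules below are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt modelled on the Avira report posted earlier in the thread.
SAMPLE_REPORT = r"""Starting the file scan:

Begin scan in 'C:\'
C:\Program Files\MSN Messenger\msimg32.dll
[DETECTION] Contains recognition pattern of the ADSPY/FunWeb adware or spyware
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrpmiqtdyxgsfkwh.dll.vir
[DETECTION] Is the TR/TDss.aebu Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACawviwewbsbxjccv.sys.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101425.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148901.sys
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
C:\WINDOWS\explorer.old
[DETECTION] Is the TR/Patched.AA.522 Trojan
C:\WINDOWS\system32\winlogon.old
[DETECTION] Is the TR/Patched.AA.546 Trojan

Beginning disinfection:
C:\Program Files\MSN Messenger\msimg32.dll
[DETECTION] Contains recognition pattern of the ADSPY/FunWeb adware or spyware
[WARNING] The file was ignored!
"""

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"           # ComboFix moves removed files here
RESTORE_MARKER = "\\system volume information\\_restore"  # System Restore point storage
DETECTION_RE = re.compile(
    r"\[DETECTION\]\s+(?:Is the|Contains recognition pattern of the|Contains)\s+(\S+)"
)


@dataclass(frozen=True)
class Detection:
    path: str       # file path exactly as Avira printed it
    member: str     # archive member that triggered the hit, '' for plain files
    signature: str  # Avira's detection name, e.g. TR/Patched.AA.522
    bucket: str     # triage class from classify()


def classify(path: str) -> str:
    """Map a flagged path to a triage bucket (rules are this example's assumptions)."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantine"      # already neutralised; inert unless restored
    if RESTORE_MARKER in p:
        return "restore_point"   # copy kept inside an old System Restore point
    if p.endswith(".old"):
        return "renamed_backup"  # patched original renamed by hand, no longer executed
    return "active"              # a live file: still needs removal or investigation


def parse_detections(report: str) -> list[Detection]:
    """One Detection per [DETECTION] line between 'Begin scan in' and
    'Beginning disinfection:'; the disinfection section repeats every hit."""
    hits: list[Detection] = []
    in_scan = False
    path = member = ""
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Begin scan in"):
            in_scan = True
            continue
        if line.startswith("Beginning disinfection"):
            break
        if not in_scan or not line:
            continue
        if line.startswith("-->"):        # member of the archive listed just above
            member = line[3:].strip()
        elif line.startswith("["):        # [DETECTION]/[WARNING]/[NOTE]/[0] lines
            m = DETECTION_RE.match(line)
            if m and path:
                hits.append(Detection(path, member, m.group(1), classify(path)))
        else:                             # any other line is a new file path
            path, member = line, ""
    return hits


def triage(report: str) -> dict[str, list[Detection]]:
    buckets: dict[str, list[Detection]] = defaultdict(list)
    for d in parse_detections(report):
        buckets[d.bucket].append(d)
    return dict(buckets)


def live_threats(report: str) -> list[str]:
    """Paths still worth acting on: not quarantined, not in an SRP, not a renamed backup."""
    return [d.path for d in parse_detections(report) if d.bucket == "active"]


if __name__ == "__main__":
    for bucket, hits in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket}: {len(hits)}")
        for d in hits:
            print(f"  {d.signature:<24} {d.path}{' -> ' + d.member if d.member else ''}")
    print("still live:", live_threats(SAMPLE_REPORT))
```

Run against the excerpt, only the MSN Messenger DLL lands in the active bucket, which is exactly the one file Wingman asks to have removed; the quarantine and restore-point hits are cleared by the ComboFix uninstall and the Disk Cleanup step rather than by deleting them one by one. The renamed_backup bucket is kept separate because those .old files are the patched originals and should be quarantined, not restored.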

Re: My computer has become infected with Manson/Liser

Post by jinr » July 13th, 2009, 11:04 am

I can't figure out how to remove the MSN Messenger. There is no item for it on 'Add or Remove Programs' (But there is an item here for 'MSN'). On the start menu, it says 'Windows Live Messenger', but when I open it it opens 'msnmsgr.exe' (And Avira warns me that the "infected" file is being used)

Is it OK to complete the rest of the steps you've given already?
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Post by Wingman » July 13th, 2009, 1:36 pm

Hi jinr,
Thanks for getting back to me. Let's do this...

Step 1.
Use Control Panel.. Add/Remove Programs to uninstall Windows Live Messenger (WLM).
Once Windows uninstalls WLM... then using Explorer... locate the folder:
C:\Program Files\MSN Messenger\
and delete the entire folder.
You can download and install a new Windows Live Messenger, after we finish, if you like.

Step 2.
ComboFix - Cleanup
  1. Click Start...select Run from the menu.
  2. Copy and paste the following into the text entry box:
    Combofix /u
  3. Click the OK button. (See image below as reference.)
Image

Step 3.
Create a new - clean SRP (System Restore Point)
Let's create a new, clean SRP and remove any old entries that may possibly be compromised.
Create a new SRP
  1. Go to Start > All Programs > Accessories > System Tools > System Restore
  2. Select Create a restore point... then press the Next...button.
  3. Type a name for the new SRP... like All Clean... then press the Create... button.
  4. When finished... press the Close...button.
    Now you have a good clean SRP that can be used, if needed.
Remove old SRP entries
  1. Now... Go to Start > Run... type in: cleanmgr...press the OK...button.
    The Disk Cleanup window will show it is "calculating" the amount of space saved by compressing old files. This could take a few seconds, to minutes.
  2. When available... select the More Options... tab.
    In the System Restore section... at the bottom of the window...
  3. Press the Clean up...button. Reply Yes to the "Are you sure you want to delete all but the most recent restore point?" prompt.
  4. Press the X to close and exit.
    All existing restore points will be deleted... except the new one you just created.

Step 4.
Avira scan
Please run the full Avira scan again... as you did earlier. Post the scan results in your next reply.

Step 5.
Post a New HJT Log
  1. Start HijackThis.
    If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  2. From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
    When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

Step 6.
Please include in your next reply:
  1. Any problems executing these instructions.
  2. New Avira scan results
  3. New HJT log
  4. How is your computer behaving
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Post by jinr » July 13th, 2009, 4:23 pm

Ok, deleted the MSN folder, uninstalled ComboFix and created the new SRP with no problem. When I got to deleting the old ones from the disk cleanup, it didn't prompt me 'Are you sure you want to delete all but the most recent restore point?', but when I clicked 'OK' at the bottom of the page, it asked me something like 'Are you sure you want to perform the selected actions?', which I said yes to. The Avira scan doesn't include any of the infected restore points (Only the four renamed files), so I think it deleted them.



Avira AntiVir Personal
Report file date: Monday, July 13, 2009 15:18

Scanning for 1519075 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : 1ECA66A679AB494

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 14:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 01:29:46
ANTIVIR2.VDF : 7.1.4.221 1273856 Bytes 7/12/2009 15:07:26
ANTIVIR3.VDF : 7.1.4.226 39424 Bytes 7/13/2009 15:07:28
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 16:52:04
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/6/2009 01:30:05
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 16:02:01
AERDL.DLL : 8.1.2.2 438642 Bytes 7/6/2009 01:30:04
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 21:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/6/2009 01:30:01
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/6/2009 01:30:00
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/6/2009 01:29:52
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/6/2009 01:29:51
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 21:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, July 13, 2009 15:18

Starting search for hidden objects.
'53906' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'OSE.EXE' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'veohwebplayer.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP357.tmp\aspapp\ocpinst.exe
[0] Archive type: NSIS
--> [UnknownDir]
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\explorer.old
[DETECTION] Is the TR/Patched.AA.522 Trojan
C:\WINDOWS\system32\lsass.old
[DETECTION] Is the TR/Patched.Gen Trojan
C:\WINDOWS\system32\services.old
[DETECTION] Is the TR/Patched.Gen Trojan
C:\WINDOWS\system32\winlogon.old
[DETECTION] Is the TR/Patched.AA.546 Trojan

Beginning disinfection:
C:\WINDOWS\explorer.old
[DETECTION] Is the TR/Patched.AA.522 Trojan
[NOTE] The file was moved to '4acb935e.qua'!
C:\WINDOWS\system32\lsass.old
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4abc935a.qua'!
C:\WINDOWS\system32\services.old
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4acd934c.qua'!
C:\WINDOWS\system32\winlogon.old
[DETECTION] Is the TR/Patched.AA.546 Trojan
[NOTE] The file was moved to '4ac99350.qua'!


End of the scan: Monday, July 13, 2009 16:02
Used time: 43:56 Minute(s)

The scan has been done completely.

6583 Scanned directories
370816 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
370810 Files not concerned
9252 Archives were scanned
4 Warnings
6 Notes
53906 Objects were scanned with rootkit scan
0 Hidden objects were found

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:27 PM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O24 - Desktop Component 0: (no name) - http://runehq.com/image/style/blue/header01.jpg

--
End of file - 8276 bytes


How the system is behaving: It seems to be a lot better. There is no more freezing, and the suspicious processes are gone from taskmgr. The console is still acting weird when I use the 'tab' key, and Firefox still won't start. (I think I know how to deal with Firefox though - it creates a certain file when it starts up, and if it's not deleted it won't start up again; deleting it has fixed this in the past.)
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 13th, 2009, 7:26 pm

Hi jinr,
Thanks for letting me know how your computer is behaving.
It "sounds" like the old (SRPs) System Restore Points have been removed, if Avira is no longer reporting them.
I want you to run an online scan with a different scanner. One scanner may find something another didn't.

Step 1.
ESET NOD32 Online Scan
Note: You - will - need to use Internet Explorer for this scan!
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
    Please navigate to the system tray... look for: Image
    • Right click it-> uncheck the option AntiVir Guard enable.
    • You should now see a closed, white umbrella on a red background like: Image
      The Avira real-time protection is disabled.
    Please go to ESET Online Scanner - © ESET All Rights Reserved... to run an online scan.
    ** Make sure you are using an account that has Administrative privileges **
      Press the "ESET Online Scanner" button.
    1. Check the box next to "YES, I accept the Terms of Use."
    2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
    3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
      Once installed, the scanner will be initialized.
    4. Click "Start". Make sure that the options:
      • Remove found threats is UNCHECKED
      • Leave the "default" settings under Advanced as they are, if not set , please check:
        • Scan for potentially unwanted applications
        • Scan for potentially unsafe applications
        • Enable Anti-Stealth Technology
    5. Click "Start"... ESET scanner will begin to download the virus signatures database.
      When the signatures have been downloaded, the scan will start automatically.
    6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
    7. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
    8. Copy and paste the contents of log.txt in your next reply.

    Remember to enable your Anti-virus protection... before continuing!

    Step 2.
    Please include in your next reply:
    1. Any problems executing these instructions.
    2. ESET scan results
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 14th, 2009, 7:19 pm

I installed windows updates and updated Avira before running the scan.

Eset did pick up something new, spoolsv.exe

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=5c1667ff7ff8424085699570173aac3d
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-14 11:13:12
# local_time=2009-07-14 07:13:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 37 100 100 40925000000
# scanned=65291
# found=6
# cleaned=0
# scan_time=1834
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150291.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150292.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150293.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150294.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\WINDOWS\system32\spoolsv.exe Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
${Memory} Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 15th, 2009, 3:09 pm

Hi jinr,

It appears that yet another "system" file has become infected. This is how the Virut infection works... we can try to replace the infected file like we did
earlier with the other files, but there is no telling what file(s) may be infected tomorrow. Coupled with the fact that you also had a rootkit infection...
I feel that your computer has been severely compromised and the best action that you can take at this point is to reformat and reinstall the Operating System.
These "cleanings" may only be the tip of the iceberg... not knowing how many other files have been compromised.
Continuing to assist in any cleaning attempts would just be a waste of time, yours and mine.


You can perform the following steps and post the results...
I will be more than happy to look at them and respond back but I think pursuing additional attempts to "clean" the computer would be futile.

Step 1.
Restart your computer and enter Recovery Console
Enter 1 for the Windows system you want to use and press Enter
at the C:\Windows prompt... type the following commands one (1) at a time... pressing Enter after each command is entered:
CD C:\Windows\System32
ren spoolsv.exe spoolsv.OLD
CD C:\
copy C:\Windows\ServicePackFiles\i386\spoolsv.exe C:\Windows\System32\spoolsv.exe


Please reboot your computer normally...

Step 2.
Create a new - clean SRP (System Restore Point)
Let's create a new, clean SRP and remove any old entries that may possibly be compromised.
Create a new SRP
  1. Go to Start > All Programs > Accessories > System Tools > System Restore
  2. Select Create a restore point... then press the Next...button.
  3. Type a name for the new SRP... like All Clean... then press the Create... button.
  4. When finished... press the Close...button.
    Now you have a good clean SRP that can be used, if needed.

Remove old SRP entries
  1. Now... Go to Start > Run... type in: cleanmgr...press the OK...button.
    The Disk Cleanup window will show it is "calculating" the amount of space saved by compressing old files. This could take a few seconds, to minutes.
  2. When available... select the More Options... tab.
    In the System Restore section... at the bottom of the window...
  3. Press the Clean up...button. Reply Yes to the "Are you sure you want to delete all but the most recent restore point?" prompt.
  4. Press the X to close and exit.
    All existing restore points will be deleted... except the new one you just created.

Step 3.
ESET NOD32 Online Scan (again... )
Note: You - will - need to use Internet Explorer for this scan!
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
    AVIRA ANTIVIR
    Please navigate to the system tray... look for: Image
    • right click it-> untick the option AntiVir Guard enable.
    • You should now see a closed, white umbrella on a red background like: Image
      The Avira real-time protection is disabled.
    Please go to ESET Online Scanner - © ESET All Rights Reserved... to run an online scan.
    ** Make sure you are using an account that has Administrative privileges **
      Press the "ESET Online Scanner" button.
    1. Check the box next to "YES, I accept the Terms of Use."
    2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
    3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
      Once installed, the scanner will be initialized.
    4. Click "Start". Make sure that the options:
      • Remove found threats is UNCHECKED
      • Leave the "default" settings under Advanced as they are, if not set , please check:
        • Scan for potentially unwanted applications
        • Scan for potentially unsafe applications
        • Enable Anti-Stealth Technology
    5. Click "Start"... ESET scanner will begin to download the virus signatures database.
      When the signatures have been downloaded, the scan will start automatically.
    6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
    7. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
    8. Copy and paste the contents of log.txt in your next reply.

    Remember to enable your Anti-virus protection... before continuing!

    Step 4.
    Please include in your next reply:
    1. Any problems executing these instructions.
    2. ESET scan results
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
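Step 1 above replaces one known-bad system binary by hand with the copy kept in ServicePackFiles\i386. The same idea can be turned into a check that lists every binary in a directory whose content no longer matches its reference copy, which is how a defender finds out whether more files than the ones Avira and ESET flagged have been altered. This is an added example written for this thread, not the forum's or any vendor's code; the directory fixture, file names and contents built in demo() are constructed for the demonstration, and CHECKED_SUFFIXES, compare_trees and demo are names chosen here.

```python
"""Hash-compare the executables in a live system directory against reference
copies and report the ones that differ. On Windows XP the on-box reference is
C:\\WINDOWS\\ServicePackFiles\\i386 (the source of the thread's copy command);
install media or a clean machine with the same service pack is a better one.
Added example for this thread; the fixture in demo() is constructed."""

import hashlib
import tempfile
from pathlib import Path

# File types worth comparing; a file infector targets executables, not data.
CHECKED_SUFFIXES = {".exe", ".dll", ".sys", ".scr"}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(system_dir, reference_dir, names=None) -> dict:
    """Return {'modified': [...], 'matching': [...], 'no_reference': [...]}.

    Only files in system_dir with a checked suffix are considered; `names`
    (lower-case file names) restricts the check to a shortlist such as the
    system processes a HijackThis log shows running. Reference names are
    matched case-insensitively, as Windows itself would."""
    system_dir, reference_dir = Path(system_dir), Path(reference_dir)
    reference = {p.name.lower(): p for p in reference_dir.iterdir() if p.is_file()}
    result = {"modified": [], "matching": [], "no_reference": []}
    for entry in sorted(system_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in CHECKED_SUFFIXES:
            continue
        if names and entry.name.lower() not in names:
            continue
        ref = reference.get(entry.name.lower())
        if ref is None:
            result["no_reference"].append(entry.name)
        elif sha256_of(entry) == sha256_of(ref):
            result["matching"].append(entry.name)
        else:
            result["modified"].append(entry.name)
    return result


# The five system binaries this thread dealt with (explorer, lsass, services,
# winlogon and spoolsv); constructed fixture names, not real file contents.
CRITICAL = {"explorer.exe", "lsass.exe", "services.exe", "winlogon.exe", "spoolsv.exe"}


def demo() -> dict:
    """Constructed fixture: identical reference and live copies, except that the
    live spoolsv.exe has been altered and ctfmon.exe has no reference copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "ServicePackFiles" / "i386"
        live = Path(tmp) / "system32"
        ref.mkdir(parents=True)
        live.mkdir()
        for name in sorted(CRITICAL):
            body = f"MZ fake {name} body".encode()
            (ref / name).write_bytes(body)
            (live / name).write_bytes(body)
        (live / "spoolsv.exe").write_bytes(b"MZ fake spoolsv.exe body" + b"\x00" * 64)
        (live / "ctfmon.exe").write_bytes(b"MZ no reference copy")
        return compare_trees(live, ref, CRITICAL | {"ctfmon.exe"})


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

On a real XP machine the call would be compare_trees(r"C:\WINDOWS\system32", r"C:\WINDOWS\ServicePackFiles\i386"). Treat a mismatch as a lead, not a verdict: hotfixes installed after the service pack legitimately replace files, and a file infector that is active on the box can have touched the reference copies too, which is why hashing against install media, or running the check from a boot CD rather than on the running system, gives a more trustworthy answer.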

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 15th, 2009, 5:42 pm

Thank you for all of your help up to this point. I followed the instructions you gave me, and the ESET scanner log is at the bottom of this post. Before that, I have some questions about available options. Firstly, regarding my personal files, I have a lot of home-made video and audio files that can't be replaced. There are about 25 GB of video files, and also there are a lot of important HTML files, which I have read virut infects. Is there any way to scan/clean these HTML files? Also, what would be the best way to back up these things? I wouldn't be able to fit them all on my USB.

Regarding the infection itself, from what I understand, if it's infecting new files then there has to be something that's actually doing the infecting. If all of it were completely removed, it would be impossible for it to infect new files. Since it can copy itself, an infected file can now infect other files. To fix it, you would need to replace every infected file. So how can it get so ingrained that nothing can remove it? Also, it transforms. Are some of its transformations impossible to detect? Is it the case that at some point in the future, it may be possible for virus scanners to detect and remove it completely?

Also, as another option, could I install another operating system, like a Linux-based one, on the same computer and use that instead? Since this virus infects Windows executable files, and Linux uses a different format, this virus would not even be able to run on Linux. Then I could copy all the files onto the new operating system, and remove the infected Windows.

Sorry for all of these questions - Believe me, I don't want to waste any more of either of our time over this.
Again, thank you for all your help so far. And thanks in advance for everything to come.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=5c1667ff7ff8424085699570173aac3d
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-14 11:13:12
# local_time=2009-07-14 07:13:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 37 100 100 40925000000
# scanned=65291
# found=6
# cleaned=0
# scan_time=1834
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150291.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150292.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150293.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150294.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\WINDOWS\system32\spoolsv.exe Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
${Memory} Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=5c1667ff7ff8424085699570173aac3d
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-15 08:54:30
# local_time=2009-07-15 04:54:30 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 821698125000
# scanned=64823
# found=1
# cleaned=0
# scan_time=1823
C:\WINDOWS\system32\spoolsv.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am
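The two ESET logs pasted in this thread show a detail that is easy to misread: log.txt is appended to on every run, so the second paste repeats the first scan's six hits before the one new line, and only the entries outside System Volume Information and ${Memory} describe files that are still live. The parser below, an added example written for this thread rather than anything from the forum or from ESET, splits a pasted log into runs at each "# version=" header, cross-checks the found= count against the detection lines, and separates live files from restore-point copies and memory hits. The line layout it assumes is the one in the logs above (path, threat name without spaces, kind, 32-hex digest, flag); SAMPLE_LOG is an abbreviated, constructed copy of those logs, and Detection, ScanRun, parse_eset_log and triage are names chosen here.

```python
"""Parse an ESET Online Scanner log.txt paste into scan runs and triage the
detections. Added example for this thread, not ESET's own tooling; the line
format is assumed from the logs posted above and SAMPLE_LOG is constructed."""

import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^#\s*([A-Za-z0-9_.]+)=(.*)$")
DIGEST_RE = re.compile(r"[0-9a-fA-F]{32}")
RESTORE_MARKER = "system volume information\\_restore"


@dataclass
class Detection:
    path: str
    threat: str
    kind: str
    digest: str
    flag: str

    @property
    def location(self) -> str:
        """Classify the hit: running memory, an old restore point, or a live file."""
        if self.path.startswith("${"):
            return "memory"
        if RESTORE_MARKER in self.path.lower():
            return "restore-point"
        return "active"


@dataclass
class ScanRun:
    header: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def found_matches_header(self) -> bool:
        """The header's found= should equal the number of detection lines."""
        return int(self.header.get("found", "0")) == len(self.detections)


def parse_eset_log(text: str) -> list:
    """Split an appended log.txt into runs; every '# version=' starts a new one.
    Installer preamble before the first header is ignored."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip()
            if key == "version" or current is None:
                current = ScanRun()
                runs.append(current)
            current.header[key] = value
            continue
        if current is None:
            continue
        # Detection line: <path with spaces> <threat> <kind> <digest> <flag>
        parts = line.rsplit(None, 4)
        if len(parts) != 5 or not DIGEST_RE.fullmatch(parts[3]):
            continue  # not a detection line (e.g. 'OnlineScanner.ocx - registred OK')
        current.detections.append(Detection(*parts))
    return runs


def triage(runs: list) -> dict:
    """Per run: what still needs action (live files, memory) versus leftovers."""
    summary = {}
    for number, run in enumerate(runs, 1):
        summary[number] = {
            "when": run.header.get("utc_time", "?"),
            "found": len(run.detections),
            "active_files": [d.path for d in run.detections if d.location == "active"],
            "memory_hits": [d.threat for d in run.detections if d.location == "memory"],
            "restore_point_copies": sum(d.location == "restore-point" for d in run.detections),
            "consistent": run.found_matches_header(),
        }
    return summary


# Constructed, abbreviated version of the two appended runs pasted in this thread.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# utc_time=2009-07-14 11:13:12
# scanned=65291
# found=6
# cleaned=0
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150291.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150292.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150293.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP795\A0150294.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
C:\WINDOWS\system32\spoolsv.exe Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
${Memory} Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
# version=6
# utc_time=2009-07-15 08:54:30
# scanned=64823
# found=1
# cleaned=0
C:\WINDOWS\system32\spoolsv.old Win32/TrojanProxy.Agent.NCI virus 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    for number, info in triage(parse_eset_log(SAMPLE_LOG)).items():
        print(f"run {number} ({info['when']}): {info['found']} found, "
              f"active={info['active_files']}, memory={info['memory_hits']}")
```

Run against the thread's logs, the first run reports one live file plus a memory hit, which is the combination that says the infection was executing at scan time, while the second run reports only the renamed spoolsv.old and no memory hit; the restore-point copies are cleaned up by the cleanmgr step rather than by hand.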

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 16th, 2009, 11:33 am

Jinr,
Just so you'll know, trying to clean your machine wasn't a waste of time... some valuable information was obtained. Unfortunately, it just wasn't good news.
jinr wrote: Before that, I have some questions about available options. Firstly, regarding my personal files, I have a lot of home-made video and audio files that can't be replaced. There are about 25 GB of video files, and also there are a lot of important HTML files, which I have read virut infects. Is there any way to scan/clean these HTML files? Also, what would be the best way to back up these things? I wouldn't be able to fit them all on my USB.
There are several ways to backup your personal files... The "safest" way to back up video/audio files is to burn them to DVDs.
Then have Kaspersky or some other AV scan the DVD disks before they are copied into any reformatted Windows computer.
Your music, pictures, documents should be OK to back up... you should scan them before backing them up to be sure. As far as your HTML files... if they are infected, or any (other) infected files... these can not be cleaned and need to be erased.
jinr wrote: Regarding the infection itself, from what I understand, if it's infecting new files then there has to be something that's actually doing the infecting. If all of it were completely removed, it would be impossible for it to infect new files. Since it can copy itself, an infected file can now infect other files. To fix it, you would need to replace every infected file. So how can it get so ingrained that nothing can remove it? Also, it transforms. Are some of its transformations impossible to detect? Is it the case that at some point in the future, it may be possible for virus scanners to detect and remove it completely?
As far as a Virut infection is concerned, I am, by no stretch of the imagination, an expert on the internal workings of this infection. It can and does infect multiple files... and because of a bug in the viral code it can destroy a file it infects.
For more information I would look at the links I provided to better understand the infection.
If the experts in the malware removal community agree that the best "cure" for this infection is to reformat and reinstall the OS, I trust them to know what they are talking about.
As far as future scanners being able to remove it completely... we can only hope.

There are lots of good help/support sites that can provide more information on the various backup methods and clean installs; here are several for your convenience.
These sites have a variety of experts, that are better equipped to respond to questions about backups, backup software and other operating systems.
Registration is free, it only takes a few minutes. :)
The Elder Geek on Windows
BleepingComputer.com
WhattheTech...formerly TomCoyote

If you have any additional malware questions, please let me know, otherwise...

You can delete the C:\WINDOWS\system32\spoolsv.old file...

Please see these suggestions to help keep your computer more secure.

Update your Antivirus programs and other security products regularly.
Avoid new threats that could infect your system. You can also check if any application updates are needed for your PC.
Secunia Software Inspector - Copyright © Secunia.
F-secure Health Check - Copyright © F-Secure Corporation.


Visit Microsoft often
Keep on top of critical updates, as well as other updates for your computer.
How to configure and use Automatic Updates in Windows XP
Using Windows Update for Windows XP
Microsoft Update Home


You can try...some free programs, that will help improve your computer's security.
These kinds of protection programs (adware, spyware, etc...) tend to overlap in coverages.
Many feel that having a "layered" protection scheme, is beneficial. Each individual has to decide what works best for their situation.
There are many available...here are a few you can look into, if you want. :)

Malwarebytes' Anti-Malware
Download it from Malwarebytes © Malwarebytes Corporation.
Tutorials are available for installing and running, Malwarebytes' Anti-Malware.
Powerful, easy to use and free. For real-time protection you will have to purchase the product.

Spybot Search and Destroy
Download it from © Safer Networking Ltd. Just choose a mirror and off you go.
A Spybot tutorial can be found Here.

SpywareBlaster
Download it from © Javacool Software LLC.
A SpywareBlaster knowledgebase can be found Here.

WinPatrol
Download it from Copyright © BillP Studios
Information about how WinPatrol works, is available Here.
(The free version of WinPatrol...does not provide any real-time protection)

Firetrust SiteHound
You can find information and download it from © Firetrust Ltd


Read, stay informed.
Please check out these articles:
Tony Klein's "How did I get infected in the first place?"
How to prevent Malware:© miekiemoes - Microsoft MVP - Consumer Security .

Please respond back after reading this post, so I'll know you've seen it... then, I will have this topic closed. Thanks.

Stay Safe! 8)
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 18th, 2009, 11:35 am

3 Day Bump
Hello...
It has been 3 or more days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
Just let me know what's going on otherwise...
If, after 48 hrs., you have not replied to this thread... it will be closed!
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 20th, 2009, 9:18 am

Yes, sorry about the lateness of my reply. I've read your response, you can close the thread :oops:
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 20th, 2009, 10:18 am

Glad we could be of some help... stay safe.
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby Gary R » July 22nd, 2009, 10:01 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire