
My Computer Is Infected With The Stubborn Nhatquanglan Virus, And Previous Posts From This Site About That Virus Is Not Helping! Need Help Asap =(


  • This topic is locked
3 replies to this topic

#1 themadavenger

  • Members
  • 5 posts

Posted 28 December 2007 - 08:26 AM

It all started when my classmate inserted a USB infected with the Nhatquanglan virus. My computer got infected, so now it's plaguing my Yahoo messenger, not letting me open my task manager, and it's infected my flash disk too!!!
I don't have Norton, AVG, Avira or Avast, but the computer administrator of this computer installed "SuperAntiSpyware". It's not much help. I think there's also a Regrun running here or something like that. I'm not the computer administrator by the way, and they (the computer administrator) aren't doing anything to remove the virus.
I've tried running my computer in safe mode and using SDFix, but RunThis.bat won't work. I've also tried to run taskmanager.reg but every time I click it, it says it's not a valid win32 application. When I used the Deckard's System Scanner, the log showed that Nhatquanglan is still plaguing my computer.
I don't know what to do, please help me! Every file on my computer and the USB as well is very important to me. Please, I need the help, ASAP!!!

PS

Please don't tell me to tell the administrator about it--they're really NOT DOING ANYTHING even if I'll tell them about it.
And how do you delete the Nhatquanglan virus on your USB?
Thanks!!!



#2 Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 28 December 2007 - 01:59 PM

Hi themadavenger and welcome to Bleeping Computer.

Try this program:
Please download Flash_Disinfector by sUBs and save it to your desktop:

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
* Wait until the program has finished scanning, then please exit the program and reboot.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

See if this helps.

Edited by Starbuck, 28 December 2007 - 02:00 PM.
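The placeholder folder described in the note above can be checked per drive, shown here as an added example that is not part of the original post or of Flash_Disinfector: a folder named autorun.inf occupies the name, so an autorun.inf file cannot be written there while the folder exists. The function name, the temporary folders standing in for drive roots, and the sample file contents are assumptions constructed for illustration.

```python
import os
import tempfile

def check_autorun(root):
    """Classify <root>/autorun.inf as 'folder', 'file' or 'missing'.

    For a file, also return the (key, value) pairs in its [autorun]
    section that name a program Windows would launch from the drive.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "folder", []      # placeholder folder, as the post describes
    if not os.path.isfile(path):
        return "missing", []     # nothing occupies the name
    commands, section = [], ""
    with open(path, "r", encoding="latin-1") as fh:  # latin-1 never fails to decode
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
            elif section == "autorun" and "=" in line and not line.startswith(";"):
                key, value = line.split("=", 1)
                key = key.strip().lower()
                if key in ("open", "shellexecute") or (
                        key.startswith("shell\\") and key.endswith("\\command")):
                    commands.append((key, value.strip()))
    return "file", commands

def demo():
    """Run the check on three constructed drive roots (temporary folders)."""
    # Constructed sample content; example.exe is a placeholder name.
    sample = "[AutoRun]\nopen=example.exe\nicon=drive.ico\nshell\\open\\command=example.exe\n"
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("clean", "immunized", "suspect"):
            os.mkdir(os.path.join(base, name))
        os.mkdir(os.path.join(base, "immunized", "autorun.inf"))
        with open(os.path.join(base, "suspect", "autorun.inf"), "w") as fh:
            fh.write(sample)
        for name in ("clean", "immunized", "suspect"):
            results[name] = check_autorun(os.path.join(base, name))
    return results

if __name__ == "__main__":
    for name, (state, commands) in demo().items():
        print(name, state, commands)
```

A "file" result with launch entries is a reason to inspect the named program before opening the drive in Explorer; a "missing" result means the drive has no placeholder yet.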



#3 themadavenger

  • Topic Starter

  • Members
  • 5 posts

Posted 29 December 2007 - 09:57 AM

Hello, Starbuck, thanks for the help regarding deleting the virus on USB! I'll try it on my friend's flash disk, her flash disk is really suffering virus invasion.

This is my latest log by SDFix:


SDFix: Version 1.120

Run by Felizadio on Sat 12/29/2007 at 02:02 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 14:06:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 1 Nov 2007 229,489 A.SHR --- "C:\Funny UST Scandal.avi.exe"
Sun 28 Oct 2007 6,470 A.SH. --- "C:\WINDOWS\system32\ttvwa.bak1"
Sat 10 Nov 2007 102,047 A.SH. --- "C:\WINDOWS\system32\ttvwa.bak2"
Sat 20 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 7 Oct 2007 555,072 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab24052f4987d828c75b146887588d0c\BIT1F.tmp"
Wed 31 Oct 2007 506,724 A.SH. --- "C:\Deckard\System Scanner\20071228215349\backup\DOCUME~1\FELIZA~1\LOCALS~1\Temp\rqyovifo.tmp"

Finished!

(My HijackthisLog is on the Hijackthis Logs part of the forum... err.. sorry for my English)

#4 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 December 2007 - 10:01 AM

Your hijackthis log is posted here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
