[Xandi]

Hi, Everyday at 3:19 i my avg virus scanner pops up and says i have a 3 viruses...
NCasePackage.exe
Optimize.exe
EDowPack.exe

I heal/delete them with Avg...I have run ad-aware and spybot and cwshredder everyday. Yet every day at 3:19 they return. Can you please help me? This is my Hijackthis log. I really have no idea what any of it means sadly. Thanks


Logfile of HijackThis v1.99.1
Scan saved at 5:10:30 PM, on 4/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

[Advertisements]

Please do this:

1. Right-click My Computer>Click Properties>Click the System Restore tab>Check the box next to 'Turn off System Restore on all drives'>Click Apply>Click OK.

2. Reboot.

3. Repeat the process but this time remove the check from the box.


Let me know if they return now.

[Daemon]

Please do this:

1. Right-click My Computer>Click Properties>Click the System Restore tab>Check the box next to 'Turn off System Restore on all drives'>Click Apply>Click OK.

2. Reboot.

3. Repeat the process but this time remove the check from the box.


Let me know if they return now.

[Xandi]

I always have system restore off....so I removed the check. I will let you know tomorrow at 3:19 if they come back.

Thanks so much

[Xandi]

Today again like clockwork at 3:19 the virus came back again.

[Daemon]

Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

[Xandi]

File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\okshook.dll tagged as not-a-virus:RiskWare.Proxy.MarketScore.l. No Action Taken.
File C:\WINDOWS\system32\rk.bin tagged as not-a-virus:RiskWare.Proxy.MarketScore.k. No Action Taken.
File C:\WINDOWS\system32\rk.exe tagged as not-a-virus:RiskWare.Proxy.MarketScore.k. No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\okshook.dll tagged as not-a-virus:RiskWare.Proxy.MarketScore.l. No Action Taken.
File C:\WINDOWS\SYSTEM32\rk.bin tagged as not-a-virus:RiskWare.Proxy.MarketScore.k. No Action Taken.
File C:\WINDOWS\SYSTEM32\rk.exe tagged as not-a-virus:RiskWare.Proxy.MarketScore.k. No Action Taken.

[Daemon]

Not much there. Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file to your desktop.

Start Killbox and click on Tools->Delete Temp Files. When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\okshook.dll
C:\WINDOWS\SYSTEM32\rk.bin
C:\WINDOWS\SYSTEM32\rk.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

Reboot if it doesn't do so automatically. Post a new mwav scan in your next reply.

Purge your system restore again as I described earlier - let me know if they come back.

[Xandi]

Those 4 delete just fine.

File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.


That's what was left when i did mwav scan again.

I guess all I can do is wait till tomorrow at 3:19 to see if the viruses come back again.

Thanks for your help, I will let you know if it worked or not.

[Xandi]

The Viruses didnt come back today!!

Thanks so much for your help

[Daemon]

You're welcome - glad to help

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.