
Thread: NSVC.EXE Virus

  1. #11
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    MLF I agree, there are spots in this thread, for me I was reading this thread too early in the morning... especially the comment about sending things to the Bin with the intention of restoring..?!?
    And RECYCLER is the folder where the Recycle Bins (one for each user) are kept.. so your copies of your deleted files will be stored here (it is normally a system hidden/protected folder).

    There are a couple of "AutoRun" or "USB Key" viruses out there that create a fake recycler folder. I have not encountered the fake SVI folder as yet.. but..

    There are a few standalone tools for the task of removing these.. My preference is as mentioned earlier in the thread.. MALWAREBYTES
    Importantly: INSTALL in Safemode, and conduct a scan in safe mode.. before restarting and doing an update and a scan in normal mode:
    While the machine is in Safe mode.. be sure to have Hidden and system files viewable - as well as "Hide Protected system files" disabled.
    1/ You will find a "System - Hidden" executable in the root of the USB drive/stick, delete it .. It can have any name.. so watch out
    2/ View the Autorun file.. it sometimes includes a number - the ID of the virus's recycle bin S-21-...... take note of this number..
    3/ Open Regedit and search for this number, take note of the locations.
    4/ Run the Malwarebytes scan.. when finished check the logs.. that ALL the keys you identified are mentioned in the registry part of the scan.

    And just for the hell of it.. in safemode.. delete the recycler folder.. or delete all the contents of said folder.. (Shift - Delete)
    Also cycle System Restore off and back on.. to clear the SVI folder.. I have had a machine that I needed to do this on a couple of times.. so check that the folder is empty before re-enabling System Restore.

    Check ALL your usb devices..
    Also change the default (double click) option for these devices to Explore.. rather than Open..(L)users open anything..never thinking and blame others for their stupidity..
    IF your machine is part of a win 2k3 or 2k7 domain.. set it in your policies

    REALISE that once these buggers get in, you have not one, but several infections.. so do several restarts and scans, use several tools to confirm clean..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #12
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Greetz.

    To the OP follow these instructions and say bye bye resycler

    Quote Originally Posted by t34b4g5 View Post
    I recently had to fix a friend's computer that was doing the same thing..

    here's the way that i was able to fix it.


    try going to my computer.
    Click the folder button and make sure view hidden files/folders is turned on and check your drives for "resycled" and "autorun.inf" files/folder
    They will appear in the root directory..

    If they are there then go to a command prompt and change the attrib settings to the "resycled" folder and the “autorun.inf” file

    attrib -r -s -h

    then while still in the command prompt just use the del command on both.

    then do a search for autorun.inf on your drives and after the scan just right click on each one and open with notepad or wordpad and check each one, and if any happen to have "boot.com" before a string of jumbled letters numbers then delete.
    the "boot.com" hides in the “recycled” folder and when the “autorun.inf” file is loaded it loads the “boot.com” file and your browser will continually get redirected.

    restart computer and then go to my computer and click folder and check to make sure they're both gone..

    this thing was not only not letting me access the computers drives it also decided that it would re-direct the browser to www{X}copy-book{X}com {Note don't click site got active malware} all the time a little and i did the above and it should solve the issue.


    Also
    Start Windows in safe mode, then click Start -> Run. Type in regedit and click okay.

    Now at the top of the registry editor,
    click Edit -> Find.
    Type boot.com and click Find Next. Every time it finds a new boot.com, press the delete key and then enter. It should find a dozen or so copies.

    Now, plug in any external drives or flash drives you have used with this computer.
    Open My Computer. Click Tools -> Folder Options -> View and select "Show Hidden Files and Folders" and click okay.

    For each drive, open it and delete the “recycled” folder and “autorun.inf”. Back up each “autorun.inf” before deleting them off external drives, because they might be important.

    Restart the computer and the problem should be gone.

    Any removable usb drives you've plugged into that computer will also be infected with the virus, so make sure you clean them out too (note if you clean your comp, then plug-in the usb drives it'll re-install itself)
    any computers you've plugged that usb drive into are also infected

    a summary of what this thing does - it's installed itself as a windows driver with a random dll file name, you'll have to track down ALL instances of it and eradicate it completely. Booting in safe-mode will assist, the drivers won't show up in control panel or admin tools either as it's hidden

    other things you will need to remove this damn virus
    Malwarebytes Anti-Malware
    SmitFraudFix Scan
    HijackThis
    GMER

    this thread should help you: http://www.bleepingcomputer.com/forums/topic191577.html

    if you download and install the latest version of those programs they should work fine without an update, the virus re-directs the update URLs as well. You will find it's system-wide not browser specific!
    Last edited by t34b4g5; June 3rd, 2009 at 12:54 AM.
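
Both posts above come down to reading each drive's autorun.inf by hand: post #11 notes the "S-..." folder ID to search for in Regedit, post #12 looks for a boot.com entry. The Python sketch below is an added example, not code from either poster; it automates that read-through for the text of one autorun.inf, and the sample file contents and the SID in it are constructed for illustration.

```python
import re

# Keys in an [autorun] section that make Windows launch a program.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Folder names the thread associates with the infection (real and fake bins).
BIN_DIRS = {"recycler", "recycled", "resycled"}
# SID-like folder name: the "S-..." ID that post #11 says to note down.
SID_RE = re.compile(r"S-\d+(?:-\d+)+", re.I)

def launch_targets(text):
    """Return (key, command) pairs from the [autorun] section of an autorun.inf."""
    in_section, found = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEYS.match(key):
                found.append((key.lower(), value))
    return found

def review(text):
    """Flag launch commands that point into a bin folder or at boot.com."""
    findings = []
    for key, command in launch_targets(text):
        parts = [p for p in re.split(r"[\\/\s\"]+", command) if p]
        reasons = []
        if any(p.lower() in BIN_DIRS for p in parts):
            reasons.append("runs from recycle-bin folder")
        if any(p.lower() == "boot.com" for p in parts):
            reasons.append("launches boot.com")
        sid = SID_RE.search(command)
        if reasons:
            findings.append({"key": key, "command": command, "reasons": reasons,
                             "registry_search": sid.group(0) if sid else None})
    return findings

# Constructed sample, not taken from a real infection.
SAMPLE = """[autorun]
; padding junk
icon=shell32.dll,4
open=RECYCLER\\S-1-5-21-1111111111-2222222222-333333333-1000\\boot.com e
shell\\open\\command=RECYCLER\\S-1-5-21-1111111111-2222222222-333333333-1000\\boot.com e
label=USB
"""
```

Calling `review(SAMPLE)` returns one finding per launch key; the `registry_search` value is the string to look for in Regedit before deleting anything.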
