Need help - Can't remove W32Allim Nsvc32.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by MikeInPA, May 29, 2007.

  1. MikeInPA

    MikeInPA Private E-2

    Hi. On my daughter's computer, Symantic Anti Virus has flagged a "risk" that includes 4 instances of W32.Allim with the file nscvc32.exe. I click the button to clean the virus, it indicates that it's successful however, it only seems to remove "2" of the items. If I reboot, it finds the same error again (as it it were never cleaned). In fact, if I rerun the scan right after cleaning it again finds the 4 instances right away. I think the "cleaning" process only terminates the process temporarily. After doing a little research, I find that w32.allim is an AIM messenger virus/worm. Going to the Semantic site, it tells me to completely remove, I need to edit the registry, but all of the registry entries it tells me to look for are not on the computer. Not sure what to do next. My daughter did indicate that she click on a "Check this out" link in AIM which is indicative of the w32.allim infestation, so I'm pretty sure that SAV is finding the right problem, but all of their methods of removing it don't seem to be viable. She is experiencing some freezing of the computer and need to reboot (plus SAV "finding" this everytime she logs on). Not sure what to do next. I see that many of the issues on this site are diagnosed with Hijack this (which I haven't downloaded, but certainly could). I was at my wit's end when I stumbled on this site and I think it's absolutely wonderful that sites like this exist - thanks! Anyway, am anxious to get to work to try to ferret this problem out, can anyone help? We're running Windows XP with a fairly minimal set of applications. Is there a simple fix for the w32.allim roblem or does it require detailed forensics? :) Thanks!! Mike in PA
     
    MikeInPA, May 29, 2007
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    It's possible that some of what Symantec is finding are in System Restore and things in System Restore cannot be cleaned. Symantec's instructions will even tell you this. It is necessary to disable system restore and then run you scan. Afterwards you would re-enable System Restore. However read on thru to the end before you take any actions.

    Actually more issues are diagnosed with other tools than with HijackThis. HijackThis is the last tool we ask to be downloaded in our cleaning procedures.

    Since your PC does sound like it still has existing problems, I would not recommed disabling System Restore yet. First you should complete the below procedure, so we can verify what your malware status is. Then I will tell you what to do next.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
    chaslang, May 29, 2007
    #2
  3. MikeInPA

    MikeInPA Private E-2

    Ok - thanks for the reply. Took me a little while, but I believe I was able to run the scan procedures per the instructions (I did run the Panda scan in normal mode, but the other required scans were in Safe Mode or Safe Mode with networking). The bottom line summary seems to be that BitDefender found the infected Nvscvc32.exe like SAV, but Bitdefender simply went ahead and deleted the file (I had thought of doing this myself, but figured that deleting my display driver might be a bad idea). HOWEVER, this file was in my Windows/Security directory and in checking my display adapter in the device manager, it says it is Mobile Intel (R) 945GM Express Chipset Family, so I'm not really sure this is my display driver. (Either way, with the file deleted, my computer seems to display ok AND SAV no longer finds the problem. Also - In looking at the Hijackthis log there is line:

    O23 - Service: NViDiA Display Driver Service (NVSVC32_SVC) - Unknown owner - C:\WINDOWS\security\nvsvc32.exe (file missing)

    So, it looks like something is looking for the deleted file. ??

    Bottom bottom line: everything SEEMS to be ok now, but I'm a little worried a file was deleted that I might need. Any suggestions?
     

    Attached Files:

    MikeInPA, Jun 2, 2007
    #3
  4. MikeInPA

    MikeInPA Private E-2

    Here are the remaining logs and my notes on what I did (I did not disable System Restore per your initial post). Do I need to do anything with the Quarantine files that Counterspy found or the cookies that Panda found?

    Thanks again!!

    1. Uninstall malware via add/remove programs – no items listed were installed on pc.
    2. MS Config Startup Mode - Changed to “Normal” startup mode
    3. Secondary Cleanup – 1. No items in SAV quarantine. Emptied recycle bin. No icon for “protected recycle bin”. Downloaded and ran Ccleaner 2. Unhid hidden files and unchecked hide extensions/protected files. 3. Only SAV is installed.
    4. Downloaded and extracted ShowNew.zip, GetRunKey.zip
    5. Downloaded Spybotsd14.exe, installed, deselected all products under advanced.
    6. Downloaded and installed counterspy, downloaded and installed updates
    7. Downloaded Hijackthis, renamed to analyze.exe
    8. Rebooted in safe mode.
    9. Ran Ccleaner again
    10. Ran Counterspy. Found SearchIt Toolbar and GonnaSearch Toolbar. Quarantined them. No obvious way to the “view” menu to print the log. After quarantine, it asked me to reboot. Upon reboot a “boot time” system scan was performed and apparently one of the actions was to delete the quarantine file. After reboot, SAV AGAIN found the 4 instances of the Allim.32 problem!
    11. Started Counterspy and copied the log of the scan.
    12. Updated Java definitions.
    13. Ran BitDefender. Bit Defender found several items and deleted them including the nvsvc32.exe file!
    14. Rebooted, ran SAV and no longer found the Allim.32 (since the file was deleted by Bit Defender.
    15. Ran runkeys and newfiles
    16. Ran analyze.exe
     

    Attached Files:

    MikeInPA, Jun 2, 2007
    #4
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Steps below will remove CounterSpy and its quarantine. Cookies are not problems.

    You missed one! Viewpoint Media Player should have been uninstalled in step 0 of the READ ME. Uninstall it now.

    Just an FYI! You got your original infection from something you downloaded. Be more careful what and where you download. The below file was your source. Bitdefender deleted it too.
    C:\Documents and Settings\Administrator\Desktop\Downloads\pic007.com

    Let's finish removing the malware service that was installed!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to NViDiA Display Driver Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/pasteNVSVC32_SVC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Uninstall the below old versions of software as requested in step 6 of the READ ME:
    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v1.4.2

    Run HijackThis and select the following lines (not malware but they are a waste of system resources and do not need to load at startup) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    After clicking Fix, exit HJT.
    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
    Last edited: Jun 4, 2007
    chaslang, Jun 3, 2007
    #5
  6. MikeInPA

    MikeInPA Private E-2

    Wow. You are good! Thanks for all the help! Yes, you are correct that the Malware was introduced when (as I mentioned above) my daughter clicked on a link from AIM that said "Check out these pictures of you". I assume that downloaded the pic007.com file and that's what executed to create the rogue service. Perhaps a naive question, but I assume that the NVSVC32_SVC really has nothing to do with my video card and is simply a name chosen by the Malware to SEEM like it was legitimate, true?

    The steps above seemed to go fine. I did not get any error messages when disabling the NVSVC32_SVC and verified that it was no longer running or listed after completing all the steps and rebooting. Also, the two folders you mentioned from the Sunbelt uninstall were already deleted when I went looking for them. Computer seems to be running fine now (the problems it WAS experiencing were extremely intermittant). Certainly SAV is not identifying any ALLIM.32 problem any more. :)

    One interesting thing did happen on the reboot. A "new" item popped up called "AOL Port Magic" indicating that it detected I was running with a Linksys connection and asked me if I wanted to configure. I selected "Never configure" and it went away. Perhaps this program (which I believe is an AOL adjunct) was always there and something we did caused it to reinitialize?? It doesn't seem like a problem, but I thought I'd mention it.

    Thanks again! Let me know if you see anything in the latest log files that looks unusual.
     

    Attached Files:

    MikeInPA, Jun 3, 2007
    #6
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is correct. That is why my instructions said:

    Potentially! I don't use and would not use AOL so I cannot say for sure why. You can read more about PortMagic here:

    http://help.channels.aol.com/kjump.adp?articleId=218658


    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
    chaslang, Jun 4, 2007
    #7

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds