Help me get rid of this irritating virus

baccilus · July 14, 2008, 2:08pm

I use Linux for everything but have to use windows for my TF2. I have got a virus which poses as an antivirus software. Just displays “System detected Virus activities” and then asks me to download some stupid anti virus software. I have tried Avira, AVG and nod32 too but none could even detect it. Meanwhile my task manager has been disabled.

I have Garena installed. I wonder if that has some role to play in this. I used this windows for more than 2 years without needing to reformat. But had to reformat yesterday since I couldn’t do much. But it again got infected once I installed Garena and xFire. Could any of them have caused this problem. I didn’t visit any aisi vaisi site. Uske liye Linux hai

Now tell what I should do?

Here is the HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:40: VIRUS ALERT!, on 7/14/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = UltimateCleaner 2007

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O3 - Toolbar: sqvgnrpx - {F37B3BD0-55F4-4087-A42A-E6AAEBBF06B4} - C:\WINDOWS\sqvgnrpx.dll

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM..\Run: [egui] “C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice

O4 - HKLM..\Run: [38482925] rundll32.exe “C:\WINDOWS\system32\kpvgxxfr.dll”,b

O4 - HKUS\S-1-5-19..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘LOCAL SERVICE’)

O4 - HKUS\S-1-5-19..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘LOCAL SERVICE’)

O4 - HKUS\S-1-5-20..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘NETWORK SERVICE’)

O4 - HKUS\S-1-5-18..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘SYSTEM’)

O4 - HKUS.DEFAULT..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘Default user’)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O17 - HKLM\System\CCS\Services\Tcpip..{6FF4DCBD-A8BB-4765-90F3-B4B25CB3051A}: NameServer = 218.248.240.24 218.248.240.135

O21 - SSODL: fsrpknov - {758E5146-22D4-418D-9EBB-1C28B688BD80} - C:\WINDOWS\fsrpknov.dll

O21 - SSODL: fdxbameg - {81FD837B-45A4-4DDE-896C-6BFC5AF8B5EC} - C:\WINDOWS\fdxbameg.dll

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

–

End of file - 3751 bytes

DanDroiD · July 14, 2008, 3:18pm

hmmmm it looks like you have nod32 anti-virus installed to me

GameNome · July 14, 2008, 3:50pm

Use Avast and schedule a boot time scan.My friend’s PC had such a virus and doing this removed it.

baccilus · July 14, 2008, 4:24pm

I got rid of this using malwarebytes. It found more than 40 infections while nod32, avira and avg couldn’t find even one.

DanDroiD · July 14, 2008, 4:32pm

I think this guide will help lead you through all possible scenarios.. I used it myself when I a had a pesky rootkit virus that was almost impossible to remove.

Try this one first

READ & RUN ME FIRST. Malware Removal Guide - MajorGeeks Support Forums

If it doesn’t work try this one

Alternative Scans - MajorGeeks Support Forums

The_Sauron · July 14, 2008, 5:18pm

your complete Hard disk is infected.Attach it to another clean system run Antivirus/Spyware scanner fully updated on your infected hard disk.Format the windows partition,clean install windows.Use Avast latest Anti virus on System.

painkiller · July 14, 2008, 5:41pm

just try spybot search and destroy and ad-aware before doing anything stupid

baccilus · July 14, 2008, 8:00pm

Thanks PixelPusher. Those guides are helpful. Repping you.

DanDroiD · July 14, 2008, 11:00pm

good luck

btw here is a list of free online virus scanners too

AK3D · July 15, 2008, 12:20am

O3 - Toolbar: sqvgnrpx - {F37B3BD0-55F4-4087-A42A-E6AAEBBF06B4} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM..\Run: [38482925] rundll32.exe “C:\WINDOWS\system32\kpvgxxfr.dll”,b
O21 - SSODL: fsrpknov - {758E5146-22D4-418D-9EBB-1C28B688BD80} - C:\WINDOWS\fsrpknov.dll
O21 - SSODL: fdxbameg - {81FD837B-45A4-4DDE-896C-6BFC5AF8B5EC} - C:\WINDOWS\fdxbameg.dll

You have been infected by a couple trojans. I suggest you first -
RENAME the files above (not the rundll32.exe).
Run the hijackthis scan and remove these entries from the registry.
Reboot in safe mode, and delete these files (or shift them to another location).
Restart - run hijackthis again, you should be rid of the trojan.

Keep in mind, if you are using an ‘open’ computer i.e. without a firewall, you will definitely be infected again.
I suggest you download Comodo Firewall, and Avira Antivirus, and you should be safe.

Edit : Very likely you have the TR/Vundo trojan. use these instructions to remove it.
TR/Vundo.Gen (Adware Virtumondo) - HijackThis.de Support Board

VundoFix by Atribune - a tool specifically to remove the vundo infection.