  1. #1
    baccilus is offline Privileged Users
    Join Date
    Oct 2007
    Location
    Chandigarh
    Posts
    1,398
    I use Linux for everything but have to use Windows for my TF2. I have got a virus which poses as antivirus software. It just displays "System detected Virus activities" and then asks me to download some stupid antivirus software. I have tried Avira, AVG and NOD32 too but none could even detect it. Meanwhile my task manager has been disabled.

    I have Garena installed. I wonder if that has some role to play in this. I used this Windows for more than 2 years without needing to reformat, but had to reformat yesterday since I couldn't do much. But it again got infected once I installed Garena and xFire. Could any of them have caused this problem? I didn't visit any dodgy sites. That's what Linux is for.

    Now tell me what I should do.



    Here is the HijackThis log file.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:40: VIRUS ALERT!, on 7/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = UltimateCleaner 2007
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O3 - Toolbar: sqvgnrpx - {F37B3BD0-55F4-4087-A42A-E6AAEBBF06B4} - C:\WINDOWS\sqvgnrpx.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [38482925] rundll32.exe "C:\WINDOWS\system32\kpvgxxfr.dll",b
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FF4DCBD-A8BB-4765-90F3-B4B25CB3051A}: NameServer = 218.248.240.24 218.248.240.135
    O21 - SSODL: fsrpknov - {758E5146-22D4-418D-9EBB-1C28B688BD80} - C:\WINDOWS\fsrpknov.dll
    O21 - SSODL: fdxbameg - {81FD837B-45A4-4DDE-896C-6BFC5AF8B5EC} - C:\WINDOWS\fdxbameg.dll
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 3751 bytes
    i5 2500K| Gigabyte GA-P67-DS3-B3| 8 GB DDRIII 1600 MHz RAM| Zotac GTX560Ti| Corsair GS600| Samsung 2233sw| Razor Abyssus mouse| Cooler Master Hyper 212 Plus|

  2. #2
    DanDroiD is offline Upgraded User
    Join Date
    Apr 2007
    Posts
    1,730
    Hmmmm, it looks like you have NOD32 antivirus installed to me.
    AKA Pixel-Pusher




  3. #3
    GameNome is offline Upgraded User
    Join Date
    Jan 2008
    Location
    Mumbai
    Posts
    225
    Use Avast and schedule a boot-time scan. My friend's PC had such a virus and doing this removed it.

  4. #4
    baccilus is offline Privileged Users
    Join Date
    Oct 2007
    Location
    Chandigarh
    Posts
    1,398
    I got rid of this using Malwarebytes. It found more than 40 infections while NOD32, Avira and AVG couldn't find even one.

  5. #5
    DanDroiD is offline Upgraded User
    Join Date
    Apr 2007
    Posts
    1,730
    I think this guide will help lead you through all possible scenarios. I used it myself when I had a pesky rootkit virus that was almost impossible to remove.



    Try this one first

    READ & RUN ME FIRST. Malware Removal Guide - MajorGeeks Support Forums



    If it doesn't work try this one

    Alternative Scans - MajorGeeks Support Forums




  6. #6
    The Sauron is offline Privileged Users
    Join Date
    Sep 2007
    Location
    Chandigarh
    Posts
    1,546
    Your complete hard disk is infected. Attach it to another clean system and run a fully updated antivirus/spyware scanner on your infected hard disk. Format the Windows partition, clean install Windows. Use the latest Avast antivirus on the system.
    Your attitude is your best friend !!!

  7. #7
    painkiller is offline Privileged Users
    Join Date
    Nov 2007
    Location
    New Delhi
    Posts
    504
    Just try Spybot Search & Destroy and Ad-Aware before doing anything stupid.
    Awesoooome Gaming Rig | Laptop | Bridge Camera | Smartphone (Android) | http://about.me/sourabh.shankar

  8. #8
    baccilus is offline Privileged Users
    Join Date
    Oct 2007
    Location
    Chandigarh
    Posts
    1,398
    Thanks PixelPusher. Those guides are helpful. Repping you.

  9. #9
    DanDroiD is offline Upgraded User
    Join Date
    Apr 2007
    Posts
    1,730
    Good luck.

    BTW, here is a list of free online virus scanners too.




  10. #10
    AK3D is offline Privileged Users
    Join Date
    May 2007
    Posts
    343
    O3 - Toolbar: sqvgnrpx - {F37B3BD0-55F4-4087-A42A-E6AAEBBF06B4} - C:\WINDOWS\sqvgnrpx.dll

    O4 - HKLM\..\Run: [38482925] rundll32.exe "C:\WINDOWS\system32\kpvgxxfr.dll",b

    O21 - SSODL: fsrpknov - {758E5146-22D4-418D-9EBB-1C28B688BD80} - C:\WINDOWS\fsrpknov.dll

    O21 - SSODL: fdxbameg - {81FD837B-45A4-4DDE-896C-6BFC5AF8B5EC} - C:\WINDOWS\fdxbameg.dll



    You have been infected by a couple of trojans. I suggest you first -

    RENAME the files above (not the rundll32.exe).

    Run the HijackThis scan and remove these entries from the registry.

    Reboot in safe mode, and delete these files (or shift them to another location).

    Restart - run HijackThis again, you should be rid of the trojan.



    Keep in mind, if you are using an 'open' computer i.e. without a firewall, you will definitely be infected again.

    I suggest you download Comodo Firewall, and Avira Antivirus, and you should be safe.



    Edit: Very likely you have the TR/Vundo trojan. Use these instructions to remove it.

    TR/Vundo.Gen (Adware Virtumondo) - HijackThis.de Support Board



    VundoFix by Atribune - a tool specifically to remove the vundo infection.
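An added example, not part of this thread or of HijackThis: a small Python triage that scans HijackThis O-lines for the traits AK3D singled out above (random 8-letter DLL names dropped in the Windows directory, a Run value launching rundll32 with a one-letter export, SSODL persistence, and the policy that disables regedit). The sample log is constructed from the entries quoted in the thread, with two legitimate lines included to show what is not flagged.

```python
import re

# Constructed sample built from the entries quoted in this thread (the CLSIDs and
# paths are the ones in the posted log); the NOD32 and PnkBstrA lines are legitimate
# and are included so the triage shows what it does NOT flag.
SAMPLE_LOG = r"""
O3 - Toolbar: sqvgnrpx - {F37B3BD0-55F4-4087-A42A-E6AAEBBF06B4} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [38482925] rundll32.exe "C:\WINDOWS\system32\kpvgxxfr.dll",b
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: fsrpknov - {758E5146-22D4-418D-9EBB-1C28B688BD80} - C:\WINDOWS\fsrpknov.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# A DLL sitting directly in the Windows or system32 directory whose base name is
# exactly 8 lowercase letters: the shape every malicious entry in the log shares.
RANDOM_DLL = re.compile(r"C:\\WINDOWS\\(?:system32\\)?[a-z]{8}\.dll")
# rundll32 loading a DLL and calling a single-letter export, as in the [38482925] entry.
RUNDLL_LOADER = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?\s*,\s*[A-Za-z]\b', re.IGNORECASE)

def triage(log_text):
    """Return a list of (section, reason, line) for entries that deserve a look."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"(O\d+|R\d)\s+-\s+(.*)", line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        reasons = []
        if RANDOM_DLL.search(body):
            reasons.append("random 8-letter DLL name in %WINDIR%")
        if section == "O4" and RUNDLL_LOADER.search(body):
            reasons.append("rundll32 used as loader with single-letter export")
        if section == "O4" and re.search(r"\[\d+\]", body):
            reasons.append("numeric-only Run value name")
        if section == "O21":
            reasons.append("ShellServiceObjectDelayLoad persistence (loaded by Explorer at logon)")
        if section == "O7" and "DisableRegedit=1" in body:
            reasons.append("registry editor disabled by policy")
        for r in reasons:
            hits.append((section, r, line))
    return hits

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason}\n     {line}")
```

The heuristics are deliberately narrow to this log's pattern; a legitimate 8-letter lowercase DLL in %WINDIR% would also be flagged, so treat hits as items to review, not as verdicts.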

 

 
