Help me get rid of this irritating virus

baccilus · #1 (**permalink**) 14 Jul 08, 07:38 PM

I use Linux for everything but have to use windows for my TF2. I have got a virus which poses as an antivirus software. Just displays "System detected Virus activities" and then asks me to download some stupid anti virus software. I have tried Avira, AVG and nod32 too but none could even detect it. Meanwhile my task manager has been disabled.
I have Garena installed. I wonder if that has some role to play in this. I used this windows for more than 2 years without needing to reformat. But had to reformat yesterday since I couldn't do much. But it again got infected once I installed Garena and xFire. Could any of them have caused this problem. I didn't visit any aisi vaisi site. Uske liye Linux hai

Now tell what I should do?

Here is the HijackThis log file.

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:40: VIRUS ALERT!, on 7/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = UltimateCleaner 2007
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: sqvgnrpx - {F37B3BD0-55F4-4087-A42A-E6AAEBBF06B4} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [38482925] rundll32.exe "C:\WINDOWS\system32\kpvgxxfr.dll",b
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FF4DCBD-A8BB-4765-90F3-B4B25CB3051A}: NameServer = 218.248.240.24 218.248.240.135
O21 - SSODL: fsrpknov - {758E5146-22D4-418D-9EBB-1C28B688BD80} - C:\WINDOWS\fsrpknov.dll
O21 - SSODL: fdxbameg - {81FD837B-45A4-4DDE-896C-6BFC5AF8B5EC} - C:\WINDOWS\fdxbameg.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 3751 bytes

PiXeLpUsHeR · #2 (**permalink**) 14 Jul 08, 08:48 PM

hmmmm it looks like you have nod32 anti-virus installed to me

GameNome · #3 (**permalink**) 14 Jul 08, 09:20 PM

Use Avast and schedule a boot time scan.My friend's PC had such a virus and doing this removed it.

baccilus · #4 (**permalink**) 14 Jul 08, 09:54 PM

I got rid of this using malwarebytes. It found more than 40 infections while nod32, avira and avg couldn't find even one.

PiXeLpUsHeR · #5 (**permalink**) 14 Jul 08, 10:02 PM

I think this guide will help lead you through all possible scenarios.. I used it myself when I a had a pesky rootkit virus that was almost impossible to remove.

Try this one first
READ & RUN ME FIRST. Malware Removal Guide - MajorGeeks Support Forums

If it doesn't work try this one
Alternative Scans - MajorGeeks Support Forums

virus32win · #6 (**permalink**) 14 Jul 08, 10:48 PM

your complete Hard disk is infected.Attach it to another clean system run Antivirus/Spyware scanner fully updated on your infected hard disk.Format the windows partition,clean install windows.Use Avast latest Anti virus on System.

painkiller · #7 (**permalink**) 14 Jul 08, 11:11 PM

just try spybot search and destroy and ad-aware before doing anything stupid

baccilus · #8 (**permalink**) 15 Jul 08, 01:30 AM

Thanks PixelPusher. Those guides are helpful. Repping you.

PiXeLpUsHeR · #9 (**permalink**) 15 Jul 08, 04:30 AM

good luck
btw here is a list of free online virus scanners too

AK3D · #10 (**permalink**) 15 Jul 08, 05:50 AM

O3 - Toolbar: sqvgnrpx - {F37B3BD0-55F4-4087-A42A-E6AAEBBF06B4} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [38482925] rundll32.exe "C:\WINDOWS\system32\kpvgxxfr.dll",b
O21 - SSODL: fsrpknov - {758E5146-22D4-418D-9EBB-1C28B688BD80} - C:\WINDOWS\fsrpknov.dll
O21 - SSODL: fdxbameg - {81FD837B-45A4-4DDE-896C-6BFC5AF8B5EC} - C:\WINDOWS\fdxbameg.dll

You have been infected by a couple trojans. I suggest you first -
RENAME the files above (not the rundll32.exe).
Run the hijackthis scan and remove these entries from the registry.
Reboot in safe mode, and delete these files (or shift them to another location).
Restart - run hijackthis again, you should be rid of the trojan.

Keep in mind, if you are using an 'open' computer i.e. without a firewall, you will definitely be infected again.
I suggest you download Comodo Firewall, and Avira Antivirus, and you should be safe.

Edit : Very likely you have the TR/Vundo trojan. use these instructions to remove it.
TR/Vundo.Gen (Adware Virtumondo) - HijackThis.de Support Board

VundoFix by Atribune - a tool specifically to remove the vundo infection.

Main Sections	New To TechEnclave?	Need Help?
Technology Forum Computer Gallery Software Guides Hardware Reviews PC Buying Advice	Register to Participate Privacy Statement Terms of Service Community Rules Know TechEnclave Staff	Frequently Asked Questions Did you forget your password? How to Access Market How to Become a Dealer Advertise With Us Contact Us

	TechEnclave Software Zone Operating Systems
Help me get rid of this irritating virus Discussion under Operating Systems, part of the Software Zone category on TechEnclave; I use Linux for everything but have to use windows for my TF2. I have got a virus which poses ...