Removing a virus. Need help!

January 2nd, 2014

My machine is infected with a virus and I could not remove it. In NOD32 it is a win32 olmarec TDL4, and in Microsoft Essentials it is a DOS Alureon.A, and they could not clean the PC. I made a scan with HijackThis and need help reading the generated file and a possible solution. Thanks in advance and sorry for my English.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:17:29 PM, on 10/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Programmi\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nlssrv32.exe
C:\Programmi\Acer\Acer VCM\RS_Service.exe
C:\Programmi\Microsoft Security Client\msseces.exe
C:\Programmi\Acer\Acer VCM\AcerVCM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0810&m=ao751h
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=0&o=xph&d=0810&m=ao751h
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSC] "c:\Programmi\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer VCM.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki… - res://C:\Programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igdlogin - igdlogin.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: This service enables products that use the Nalpeiron Licensing System. (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Programmi\Acer\Acer VCM\RS_Service.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

End of file - 6911 bytes
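
As an added triage example (not code from the post, from HijackThis or from any of the repliers), here is a small Python reader for the log format above. It collects the "Running processes" list and the R/O entries, counts them per section code, and flags what a reviewer checks first: entries whose file is no longer on disk (in this log the nameless O2 BHO and the igdlogin Winlogon Notify entry), the AppInit_DLLs value, and third-party services that run from %SystemRoot%\system32. The embedded sample log is constructed from a few lines of the post; the rule set and the section descriptions are my own, and a flag means "verify this entry", not "this is malware". HijackThis records only registry and browser autostart points plus running processes, so a log with nothing suspicious does not on its own prove the machine is clean.

```python
"""Triage helper for HijackThis v2 logs (added example, not HijackThis code)."""
import re
from collections import Counter

# Constructed sample: a few lines in the shape of the log posted above,
# with straight quotes and plain hyphens as HijackThis writes them.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\nlssrv32.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSC] "c:\Programmi\Microsoft Security Client\msseces.exe" -hide -runkey
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igdlogin - igdlogin.dll (file missing)
O23 - Service: This service enables products that use the Nalpeiron Licensing System. (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Programmi\Acer\Acer VCM\RS_Service.exe
End of file - 6911 bytes
"""

# Meaning of the HijackThis section codes that appear in the posted log.
SECTIONS = {
    "R0": "IE start page / search page", "R1": "IE default page / search URLs",
    "O2": "Browser Helper Object (IE plug-in DLL)", "O3": "IE toolbar",
    "O4": "autostart: Run keys and Startup folders",
    "O8": "IE context-menu item", "O9": "IE extra button / Tools item",
    "O20": "AppInit_DLLs / Winlogon Notify DLL", "O22": "SharedTaskScheduler",
    "O23": "Windows service", "O24": "Active Desktop component",
}

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_log(text):
    """Return (processes, entries); entries are (section code, body) pairs."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        # Web copies often turn " - " into an en dash; normalise it back.
        line = raw.strip().replace("\u2013", "-")
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first R/O entry ends the process list
            entries.append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
    return processes, entries


def summarize(entries):
    """Count entries per section code, e.g. {'O2': 2, 'O23': 2, ...}."""
    return Counter(code for code, _ in entries)


def triage(entries):
    """Apply review rules; return (code, body, reason) for entries to look at first.
    A flag means 'verify this', not 'this is malicious'."""
    findings = []
    for code, body in entries:
        if "(no file)" in body or "(file missing)" in body:
            findings.append((code, body, "orphaned: registry points at a file that is not on disk"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((code, body, "AppInit_DLLs: loaded into every process that uses user32.dll"))
        elif code == "O23":
            # Body layout: Service: <name> (<short name>) - <vendor> - <path>
            fields = body.split(" - ")
            path = fields[-1].lower()
            vendor = fields[-2].lower() if len(fields) >= 3 else ""
            if "\\windows\\system32\\" in path and "microsoft" not in vendor:
                findings.append((code, body, "third-party service binary inside %SystemRoot%\\system32"))
    return findings


def report(text):
    """Print a human-readable triage of one log and return the findings."""
    processes, entries = parse_log(text)
    print(f"{len(processes)} running processes, {len(entries)} entries")
    for code, count in sorted(summarize(entries).items()):
        print(f"  {code:<4}{count:>3}  {SECTIONS.get(code, 'other')}")
    findings = triage(entries)
    print(f"{len(findings)} entries to check first:")
    for code, body, reason in findings:
        print(f"  [{code}] {body}\n        -> {reason}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it on a saved log with `report(open("hijackthis.log").read())`. The rules are deliberately few and explainable; the point is to separate "the registry still refers to something that is gone" and "this loads into every process" from the long tail of vendor toolbars and updaters, so that the entries worth verifying (publisher, signature, hash) stand out.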

Answer #1
Use Malwarebytes
http://www.malwarebytes.org/
If that does not work, use Combofix
http://www.combofix.org/
And then stop downloading infected files and executing them..! FFS.
Answer #2
1. Download and install Malwarebytes Antimalware
2. Go into SAFE MODE
3. Run Malwarebytes and do a FULL SCAN
4. Enjoy
Also, you could try COMBOFIX!
Answer #3
C:\WINDOWS\system32\nlssrv32.exe
C:\Programmi\Acer\Acer VCM\RS_Service.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dhurata Milori\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
O4 - HKLM\..\Run: [MSC] "c:\Programmi\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - Global Startup: Acer VCM.lnk = ?
O23 - Service: This service enables products that use the Nalpeiron Licensing System. (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Programmi\Acer\Acer VCM\RS_Service.exe
Remove all of these within HijackThis.
Also remove everything BHO related.
Install and run a scan with Malwarebytes
http://www.malwarebytes.org/
Then run a scan with these free online virus scanners.
http://go.eset.com/us/online-scanner
http://www.superantispyware.com/onlinescan.html
Report back after you have done all of the above.
Answer #4
Kaspersky Virus Removal Tool 2011
http://support.kaspersky.com/viruses/avptool2011?level=2
Answer #5
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft’s Internet Explorer web browser to provide added functionality.
Answer #6
Yeah, try Malwarebytes. If it closes itself off, rename mbam.exe to notepad.exe, or any other name.
Then try: Spybot Search and Destroy.. safer-networking (dot) org (Switch to advanced mode for start-up tools.)
HijackThis doesn’t show all the start-up places that things can hide in.
Use Autoruns from sysinternals (dot) com. Free. Unzip and run.. no install.
…and check the Scheduled Tasks tab in Autoruns, and Logon, and the rest.
Switch anti-virus to Avira. NOD32 doesn’t find nearly as much.. as you see. Cool names don’t mean it’s the best. lol
I test anti-viruses by actually downloading viruses and trojans on purpose.
If you don’t like Avira, then I’d say use Kaspersky. Then Avast. The worst tested was BitDefender. It doesn’t defend too well. lol
But there’s always a chance for something to get through no matter what anti-virus you have.
For Avira configuration: set the scanner and guard heuristic to the high detection level.
Answer #7
Thank you all for your kind replies. Issue solved, and thank you again for your help.
SABERWOLF, SmAsHeDr, wo_Ot? God bless you all
SmAsHeDr replied:
And then stop downloading infected files and executing them..! FFS.

I’ll remember this.
Answer #8
It’s nice to see that you made it mate
Cheers!
