virus help please

[martyh]

hi guys ,my laptop has managed to get infected with ..vista antivirus2010 pro..

i have only just managed to connect to the net by running without add ons .i have run a full scan with MS essentials with no joy ,i am currently running Malwarebytes ,i have tried to find the reg keys but the files are not listed in the regestry ,is there any other way to get rid of it i have tried the registry fixes for this virus that i have found on the net but as i say the files are not listed in the registry so any help appreciated

[Zee]

My friend installed this on his system about a month ago, couldn't get rid of it.
The way to uninstall it is to use HijackThis

Post the log details after scan

http://download.cnet.com/Trend-Micro...-10227353.html

[martyh]

Quote:

Originally Posted by Zee

My friend installed this on his system about a month ago, couldn't get rid of it.
The way to uninstall it is to use HijackThis

Post the log details after scan

http://download.cnet.com/Trend-Micro...-10227353.html

thanks for the reply i didn't install it though my curser was hovering over a advert on a site and the next thing i know it was on

---------- Post added at 21:59 ---------- Previous post was at 21:51 ----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:53:53, on 10/02/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskmgr.exe
C:\Users\martin\AppData\Local\av.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\Go ogleToolbarNotifier.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NAS PM Service (NasPmService) - BUFFALO INC. - C:\Program Files\BUFFALO\NASNAVI\nassvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6229 bytes

[Raistlin]

According to this site:

http://www.hijackthis.de/

You need to fix:

Code:

O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)

And review (in other words, work out what the hell it is and then deal with it as needed):

Code:

C:\Users\martin\AppData\Local\av.exe

Everything else looks ok.....

[martyh]

thanks for the help guys ,i have fixed 023 file ,dont know what that did just cleared the screen ,the avi.exe is the one i want to get rid of but deleting the reg does nothing

[Raistlin]

av.exe appears to be a file located in the directory location I've given above.

Can you delete it from there? If it says it's locked/in use you might need to boot into Safe Mode to be able to delete it. While you're at it you might want to delete any System Restore points that you have as well as they're probably also infected.

[martyh]

cheers rob will try safemode but not holding out much hope because i have already deleted those files but they keep re-apearing

[Raistlin]

If they keep reappearing then they're being copied from elsewhere on the drive at boot.

Boot to Safe Mode and run your (updated) AV scanner from there. That should identify and eliminate the files. Failing that search the entire drive for the (still in Safe Mode) and delete them manually. I would also remove the System Restore points that you have.

TBH I wouldn't normally advocate even trying to clean up after a viral infection a) you can never really trust the system again afterwards, and b) it normally takes more time than a rebuild does.....

---------- Post added at 22:32 ---------- Previous post was at 22:30 ----------

Removal information here:

http://www.virusremovalguru.com/?p=5528

If you're going to follow these steps do so manually, I wouldn't recommend the tool (if only because there's no real way to know that the tool itself is safe).

[martyh]

cheers rob i have deleted all restore points ,i will scan in safemode and possibly clean install tomorrow dependant on results ,do you think i should maybe install norton antivirus 3 month trial and see if that will pick it up as MS essentials won't even when updated ?

[Raistlin]

I think (from having done some reading) that this little bleeder is somehow interfering with the AV software's ability to detect it. There seems to be a suggestion that you can hack the registry about to fix this, then your AV should detect it, that all seems a bit messy to me though.....

By all means try Norton, but I'm not keen on it myself - I think you'll find (if I'm right) though that you won't be able to install anything like that because the virus will block it.

The removal instructions linked to above suggest a way to manually remove everything. If they don't work, and you can't get an AV to work (personally I'd try the free version of Avast rather than the trial of Norton) then you may need to consider a rebuild.

[martyh]

Quote:

Originally Posted by Rob M

I think (from having done some reading) that this little bleeder is somehow interfering with the AV software's ability to detect it. There seems to be a suggestion that you can hack the registry about to fix this, then your AV should detect it, that all seems a bit messy to me though.....

By all means try Norton, but I'm not keen on it myself - I think you'll find (if I'm right) though that you won't be able to install anything like that because the virus will block it.

The removal instructions linked to above suggest a way to manually remove everything. If they don't work, and you can't get an AV to work (personally I'd try the free version of Avast rather than the trial of Norton) then you may need to consider a rebuild.

i'm going to re-install i think rob because the registries for this HORRIBLE thing aren't even listed and it has just popped up in safe mode
by the way the site i was on was TPB (my fault i know)but i have'nt downloaded anything my curser was over a advert and there it was screen full of popups and no firewall this had deactivated windows firewall and malwarebytes and MS essentials and now it comes up in safemode so it's re-install i think

ps downloaded Avast and norton and this virus will not let me install

[DaiNasty]

This nasty piece of work recognises and blocks most well-known AV softwares.

RKill may be able to disable it for long enough to have a chance of disinfecting.

http://www.technibble.com/rkill-repa...l-of-the-week/

also check out Bleepingcomputer for advice on removal.

http://www.bleepingcomputer.com/virus-removal/

but personally I'd save crucial files, flatten and re-install.

[Matty_]

Only other option is to boot from a live cd, and then you might find the computer unbootable due to wrong WinLogon key.

Check the key HKLM\Software\Microsoft\WindowsNT\Winlogon ->It should have an "userinit.exe" string which needs to be set to C:\Windows\System32\userinit.exe

It`s possibly set to something like winlogon86.exe which is the virus.

As tothers have said re-install is best option, and stay off TPB, if you must use them find a safer site...

[Rockabilly Spike]

how come your internet security didnt pick this up before it was installed?

[Kymmy]

Probably because it's not a virus but just adware.. We had a spammer join another forum I admin and spam the link to all the members just all of them were intelligent enough to trust that the forum doesn't virus scan thier members so not to install it