Virus : Help Please

cecilia

Staff member
Anyway, yesterday AVG popped up a virus threat (found) in my computer .. I've googled and found no info that helps.
I got another message today T_T this is what it said


I did a hijack scan .. this is my report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:37 AM, on 3/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vso-software.fr/affiliate/thankyou.php?p=ConvertXtoDVD
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - S-1-5-20 Startup: Adobe Gamma.lnk (User 'NETWORK SERVICE')
O4 - S-1-5-20 Startup: Free Music Zilla.lnk (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk (User 'SYSTEM')
O4 - S-1-5-18 Startup: Free Music Zilla.lnk (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk (User 'Default user')
O4 - .DEFAULT Startup: Free Music Zilla.lnk (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe

--
End of file - 9894 bytes

-- Ah, I also went in to look in the specific folder for the particular files but found none either (I think AVG might have removed it to its vault but I don't know how to access it either)

anyway, my computer won't shut down even when I shut it down properly .. the last time it worked okay was 2 weeks ago .. should I just do a system restore or what should I do, what do I need to uninstall? .. can someone please help me ..

Thanks in advance.
 

aikoden

♥DREAMER♥
Staff member
OMG!!! POOR CECI!!! sadly I can't help you Ceci T_T..

I realized that many ppl are getting viruses lately.. I even caught one too on my USB stick.. I was like ahh.. <-- so I quickly transferred my stuff and reformatted my USB.. ARGH!! I know I caught the virus at school..! I just hope nothing transferred over into my laptop..
 

KEdoubleNY

sarNie Adult
There's a lot of stuff that you can delete from the hijackthis scan. Esp. the re-direct links.

The R0 - R1 entries and the R3 one:
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - S-1-5-20 Startup: Adobe Gamma.lnk (User 'NETWORK SERVICE')
O4 - S-1-5-20 Startup: Free Music Zilla.lnk (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk (User 'SYSTEM')
O4 - S-1-5-18 Startup: Free Music Zilla.lnk (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk (User 'Default user')
O4 - .DEFAULT Startup: Free Music Zilla.lnk (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') ****I don't know if you use any of these???


Why don't you use Malwarebytes Anti-Malware? Download it, update it and do a FULL SYSTEM SCAN. It's likely you have a lot of spyware and adware on your PC.
 
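As an added example (not code posted by anyone in this thread), here is a small Python triage pass over lines in the HijackThis log format, using entries copied from the log above. It flags the kinds of entries KEdoubleNY singles out (dead "(no file)" hooks, startup shortcuts in the SYSTEM / NETWORK SERVICE / Default profiles, browser start and search URLs) plus services with no recorded publisher; the EXPECTED_HOSTS allowlist is a constructed assumption, not anything from the thread.

```python
import re
from urllib.parse import urlparse
# Sample entries copied from the HijackThis v2.0.2 log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - S-1-5-18 Startup: Free Music Zilla.lnk (User 'SYSTEM')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
"""

# One HijackThis entry: a section code (R0, O4, O23, ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Profiles that should not carry interactive startup shortcuts (.lnk files).
SERVICE_PROFILES = ("S-1-5-18 ", "S-1-5-20 ", ".DEFAULT ")
# Hosts the machine's owner expects in browser start/search settings (constructed allowlist).
EXPECTED_HOSTS = {"www.google.com"}

def triage_entry(line):
    """Return the reasons one log entry deserves a second look; an empty list means nothing notable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons = []
    if body.endswith("(no file)"):
        reasons.append("orphaned entry: the registry points at a file that no longer exists")
    if code in ("R0", "R1") and "=" in body:
        host = urlparse(body.split("=", 1)[1].strip()).hostname  # None for non-URL values
        if host and host not in EXPECTED_HOSTS:
            reasons.append(f"browser start/search setting points at {host}: confirm it is intended")
    if code == "O4" and body.startswith(SERVICE_PROFILES):
        reasons.append("startup item in a service or default profile, where user apps do not belong")
    if code == "O23" and " - Unknown owner - " in body:
        reasons.append("service with no publisher recorded: verify the binary and its signature")
    return reasons

def triage_log(text):
    """Run triage_entry over every line and return [(entry, reasons)] for flagged entries only."""
    flagged = []
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

A flagged entry is a prompt to check the file and its publisher, not proof of infection; the OEM start page from HP is flagged here only because the allowlist does not list it.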

CTR

The Realist guy here period
Get Malwarebytes' Anti-Malware and scan with the updated definitions.
Get SUPERAntiSpyware and scan with the updated definitions. Both are free.

I would get rid of AVG as it is one of the worst anti-virus companies out there and go with Norton, Kaspersky, or Eset NOD32. I have Eset and it's low on resources and is proven.

Next, get Sandboxie so you can browse and test software that you are not sure about in it. If it does contain a virus then you can delete the folder and there is no infection. If you need any of the aforementioned software then just post it in here and I will provide it for you.

Lastly, if Malwarebytes and SUPERAntiSpyware do not do the job, post on "bleepingcomputer.com" as they are experts in this area.
 

cecilia

Staff member
thank you everyone for the help.
I've used Malwarebytes and it detected nothing.
I did the HijackThis removal and for some reason, it's not removing that Adobe or Free Music Zilla.
I even uninstalled Free Music Zilla ..

now another pop up shows that I have another virus ..
I did an AVG 8 whole computer scan and it found nothing either but that stupid popup keeps saying that I have it in those places.

CTR, could you please upload Sandboxie for me? I don't have any of those and would like to get this fixed asap b/c my computer has been lagging and acting strange lately, I do not know how I got it to be like this .. T_T // thank you.

off to scan with SUPERAntiSpyware -- hopefully I'll find something in there.
 

CTR

The Realist guy here period
Ceci, Sandboxie only helps when you have it in place beforehand. Sandboxie is a web browser that creates a folder for temporary files when you're surfing the web. So when you get an infection, you can delete the Sandbox folder and the bad things inside the folder are destroyed.

Lastly, I think you might have a rootkit inside your computer. A rootkit is a memory based virus. Can you do a free scan here? http://www.eset.com/online-scanner

If it does not find something then your last resort is to go to bleepingcomputer.com because they are the experts. I have learned a lot from their site.
 

cecilia

Staff member
CTR, thank you for your wonderful help .. I will try all those that you've recommended. let's hope I have luck, if not, I will come back to bug you and post at the given forum link as well. thank you again na.
 

CTR

The Realist guy here period
Ceci, check your inbox for instructions on getting an unlimited trial period on Eset NOD32. I have used Eset NOD32 for 5 years without any problems. Only when I tried other AVs ---- trouble. When your computer is clean, I will give you the Sandboxie browser which works with IE, Firefox, Chrome, etc. Basically, the Sandbox saved my butt a couple of times.
 

cecilia

Staff member
so sad, my computer crashed T_T
I'm now using my little bro's :(

so unlucky, this is the 2nd one that went bye bye this month T_T

thank you everyone for the help .
 

aikoden

♥DREAMER♥
Staff member
awwwe.. that sucks for you Ceci T_T..
were you able to transfer some stuff at least?
 

CTR

The Realist guy here period
Why did it crash? Is it still working or do you have to reformat your whole computer? Do you know what type of virus it was? I was hoping you could let Bleepingcomputer.com look at it to see if it is curable.
 

cecilia

Staff member
^it went cray -- taking forever to load to the desktop ..
it won't even go there in the first place too ..

I did one whole system recovery and it still does the same thing ..
now it loads to the desktop but I can't do anything b/c it's lagging so BAD T_T
I can't even charge my iTouch on there anymore ..
now I'm resorting to my little bro's T_T

I think I'm going to go for a Mac desktop for a safer route now lol

CTR, I'll see if that thing wants to work again .. if not, I have to take it back to have my bro in law fix it ..
(he fixes computers, it's just that I hate going to ask him for help over and over again - I'm such a burden :( )
it's an old computer anyway (had it for 4 years LOL) -- I'll take your suggestion into consideration again.
thanks for your WONDERFUL help na.
 

CTR

The Realist guy here period
My computer is that old too. I'm running Windows XP which I bought in 2006. I think you got yourself a rootkit installed in your computer. You could have gotten it from downloading something or from an infected USB drive. My sister's boyfriend's computer was infected and when my sister plugged her USB drive into my computer, Eset picked it up.

Last year, I was helping some Karen refugees that came to my church with their computers. One of them got infected by a rootkit (memory based virus). I was able to get rid of a lot of things but the rootkit would just keep switching it on me. Basically, their computer was being controlled by a bot which was controlled by a hacker. My last resort was to reformat the whole computer because the virus basically messed up the Operating System (Windows XP).

I'm sorry I couldn't help you Ceci. :)
 