Pretty bad virus need some help.

[xnikx]

Ok i have a pretty bad virus thats stopping me from pretty muching even being able to use my computer.

My computer is runnning very slow, freezing up, and alot of weird thats are happening.
One of which is an error i get while going on the internet saying "buffer overload".
Ads popping up, not sure if its adware though.

What programs should i download.

 

[marley1]

soundslike spyware, and this is the wrong forum =)

you need to do a bunch of steps. download: HiJackThis, Cleanup!, Spybot 1.5 and update it, ComboFix, VundoFix, SmitFraudFix.

go into SafeMode. go through add/remove programs and remove any of the bad programs.
run CleanUp!
run Hijackthis and remove any instance of bad things (make note of where hte files are)
go through C:\Windows\ and C:\Windows\System32, and C:\Windows\System32\drivers\etc and remove any problem files (some may not want to delete so then you either need to pull the drive and put in another machine to delete or use a bootable linux, bootable windows type software)

run ComboFix, if it wants to restart make sure you press F8 during bootup to get back into safemode
run Smitfraud, run Vundofix
run Spybot

run Antivirus checker

run HiJackThis to verify everything gone, if not, repeat./

 

[pug71]

also download Adaware at lavasoft's website and also CCleaner

 

[Yz388]

There are some free virus scanners out there that I have used in the past.

Personally, I run spybot search and destroy, adware, cc cleaner, and then a virus remover/scanner of your choice. I am sure you will get many different opinions, because its more of a personal preference as to what software you use.

But like I said, I use those 4 very often and almost always take care of the problem. Also, for more advanced removal, use hijack this. Be careful tho.

As for av, AVG's free client works pretty good. (Also an opinion) Many will argue.



I would look into getting a good av in the future, Nod32 is suppose to be one of the best. I use AVG with a firewall and have never had any problems. But then again, it depends on what type of user you are. Always depends on that.


Good luck


wow 2 posts while I was typing mine up

 

[dazedjeffy]

Online Virus Scanners

http://housecall.trendmicro.com/
http://www.kaspersky.com/virusscanner

 

[xnikx]

ok so far ive run cccleaner, adaware, n spybot and the problem is a bit better but still here.

heres what i got from hijackthis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nik\lsass.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [3caf3fd9] rundll32.exe "C:\WINDOWS\system32\egabemdc.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [BM3f9c0c45] Rundll32.exe "C:\WINDOWS\system32\mnbtpgnn.dll",s
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179188660343
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

what should i delete?

 

[Jay_2]

get Kaspersky and run that, it should help sort your problems out.

C:\WINDOWS\Fonts\svchost.exe looks a bit sus to me

as does C:\WINDOWS\system32\mnbtpgnn.dll and C:\WINDOWS\system32\egabemdc.dll and if you don't go to party poker that looks odd to me as well.

Its a bit of a mess to be honest.

 

[xnikx]

i tryed downloading Kaspersky but it just made things worse. it removed all my security and it wouldnt even install. it would just keep restarting my computer.

serously this kasperksy thing made things so much worse. now my computer takes like 3 minutes to log in and then a pop up to install it comes up. and i cant find a way to remove it.

 

[Lethal]

Try http://superantispyware.com

That got rid of tons of shit that nothing else seemed to catch. The free version is very good and doesn't conflict with other virus/spyware programs. It's at least worth a shot, you have nothing to lose by trying it.

 

[sirsnits]

if you really have to, back up your stuff and reinstall, i deal with viruses all the time. people bring their pc's to me all the time and they are just loaded to the brim with spy ware malware viruses etc.., most i can clean, but in some cases the best thing to do is reinstall. i have found that there are still many viruses unrecognized bye virus scanners. search as had as you can for a solution first, reinstalling is usually the very last resort.

 

[xnikx]

by reinstalling you mean reformating? i got rid of the Kaspersky, ran superantispyware and it found some adware so well see what happens. but i dont think i should have deleted C:\WINDOWS\system32\mnbtpgnn.dll because when i restarted after superantispyware it sayd error couldnt find C:\WINDOWS\system32\mnbtpgnn.dl

 

[MrWizard6600]

you need to reformat. Once infected, you can go on a witch hunt to get rid of all the stuff but it will never be as secure or as clean as when you first installed.

Back-up any data, that stuff should be clean, then reformat. A couple hours work to re-install all your old apps but it will run like its brand new.

 

[LoStMaTt]

I agree. It is time for you to back up your stuff and wipe the drive clean. Load it with a fresh copy of windows.

 

[marley1]

O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nik\lsass.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689 220221DD3257
O4 - HKLM\..\Run: [3caf3fd9] rundll32.exe "C:\WINDOWS\system32\egabemdc.dll",b
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [BM3f9c0c45] Rundll32.exe "C:\WINDOWS\system32\mnbtpgnn.dll",s

also go to Regedit > Local Machine > Software > Microsoft > Windows NT > winlogon and look at the shell and explorer.

also go to winlogon > notify and make sure their isn't some weird ones

i use something called ERD to do this (a bootable stripped down windows), allows me to delete the files since they aren't being used and access registry.

after that i would get back into safemode, run hijackthis again to make sure none of them came back, recheck over regedit, run Cleanup, run Combofix, then let it restart if it needs to, get back into safemode. Run Spybot 1.5 updated and, then restart should be good.

then learn to not click on "free ipods" or porn ads =)

 

[sirsnits]

another good thing too keep in mind, is to always disable system restore,, some viruses like to hide in there.

 

[fss69]

Along with the earlier suggestions, you can try using a good anti-rootkit such as GMER. Dr. Web Cure-IT is a very solid standalone AV/AS worth looking into. Also install AVG 8 Free since it includes the impressive old ewido AS engine.

I agree with the above that you should do a full reinstall. However, you might as well get everything fixed up so you can properly find all the files you want to backup. Plus it'll be nice to have your computer running until you have the time to do all this stuff!