Malware & Virus Infection

01-12-2010, 11:23 AM
Okay, I am very very close to reformatting. Most of my stuff is backed up so it really isn't a problem. Though I'd like to avoid it if I can.

I got hit with some bad malware or adware or whatever. Some of my search engine results are redirected and I get some pop ups as well, most of the pop ups are some website survey page. Occasionally the redirects are to fake internet scans that show I have infections and need to buy their bogus virus scanners. It was actually worse before.

I just dealt with a Windows stop error that I believe was 0000007B; safe mode didn't work. I booted from "last known good" or whatever. That worked. I have been using many free software programs that haven't been able to pin it down; among others, there are Malwarebytes, HijackThis, SUPERAntiSpyware, Ashampoo, and Avast.

Is there anybody out there who can help me? Thanks in advance!

01-12-2010, 11:41 AM
Try this...

Go here:
Download Avira AntiVir Rescue System in .ISO format. Burn it to a CD, then boot the computer from the CD. This CD will have up-to-date virus definitions included as part of the download. If you don't have software that burns .ISOs to CD, you can use the .EXE version, which will burn the CD for you. It is Linux-based and will boot and run before Windows loads.

After running the Avira scan from the CD, boot to Safe Mode and delete all cookies, temp files, etc. from browsers.

Then run SuperAntiSpyware and MalwareBytes in Safe Mode, if possible.

01-12-2010, 1:17 PM
I'm on my cell. Avira is on the scanner but nothing is happening. Status says scanner not started. The Start scanner button is faded; it cannot be clicked. It isn't frozen though, I can do anything except starting the scanner.

Back on my computer. Scanner does nothing. Safe mode doesn't start; it turns into a Windows stop error. MalwareBytes found nothing.

01-12-2010, 1:37 PM
Post your HijackThis report.

01-12-2010, 1:55 PM
I got hit with something similar to what you're describing a few days ago. Here is a link to some info on it for you.

01-12-2010, 2:04 PM
My Mom's computer got this virus.
There is a step-by-step YouTube video on how to fix this.
I don't know where it is on YouTube; my sister found it.
Maybe search the virus name.
It took 3 hours to fix but she did it.

01-12-2010, 2:13 PM
Originally my background got hijacked, the pop ups happened a lot more, and the redirects were after every search result. Pop ups and redirects aren't as strong and the background is back to normal. Also, the virus had shut down Ctrl+Alt+Del; I have fixed that as well.

I am actually getting another error, I'll write down what it is next time I get it but it says windows suffered a serious error and needs to reboot and counts down from I think a 45 second timer. Very annoying.

Here is my HijackThis log (btw I removed the seconds on the time because it created one of those animated smilies hosted on this site :D):

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 3:13 PM, on 1/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nxigorilo] rundll32.exe "C:\WINDOWS\alekicilucip.dll",Startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: vigibetos - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: gahurihor - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

End of file - 6386 bytes

01-12-2010, 2:29 PM
O4 - HKLM\..\Run: [Nxigorilo] rundll32.exe "C:\WINDOWS\alekicilucip.dll",Startup
O21 - SSODL: vigibetos - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)

are not good guys. While the second one says it is missing, I would still remove it. Try removing both of those items and see if the behaviour changes for the better.

EDIT: Realized I wasn't very clear. In HiJack This check both of these items (and only these items) and then click Fix Checked in the scan & fix section below
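The two entries singled out above are the kind of thing a defender looks for when reading a HijackThis log by hand: an O4 Run key that uses rundll32 to load a DLL dropped directly into the Windows root rather than system32, and O21/O22 shell-extension entries that point at a file which is no longer on disk. The script below is an added example, not part of this thread or of HijackThis itself; it parses log lines in the format shown above and applies exactly those two heuristics, then reports CLSIDs that appear in more than one flagged entry (the O21 and O22 entries in this log share one). The sample input is constructed from lines copied out of the log posted above plus a benign NVIDIA entry, and the rules (Windows-root DLL, "(file missing)"/"(no file)") are assumptions about what is worth a second look, not a verdict on any file.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis log in this thread,
# including one benign rundll32 entry so the heuristic has something to pass.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Nxigorilo] rundll32.exe "C:\WINDOWS\alekicilucip.dll",Startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O21 - SSODL: vigibetos - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: gahurihor - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)
"""

# A HijackThis entry starts with a section tag (O4, O21, R1, ...) and " - ".
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# HijackThis marks dangling references with "(file missing)" or "(no file)".
MISSING_RE = re.compile(r"\((?:file missing|no file)\)", re.I)
# rundll32 followed by an optionally quoted absolute path to a .dll
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^",]+\.dll)"?', re.I)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(text):
    """Return (section, line) pairs for every HijackThis entry in the log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return entries


def dll_dir_is_windows_root(path):
    """Assumed heuristic: the DLL's parent directory is %SystemRoot% itself
    (e.g. C:\\WINDOWS), not a subdirectory such as system32."""
    parent = path.rsplit("\\", 1)[0].lower()
    return parent.endswith("\\windows")


def triage(text):
    """Apply the two review heuristics to every entry and collect findings."""
    findings = []
    for section, line in parse_entries(text):
        reason = None
        if MISSING_RE.search(line):
            reason = "registry entry references a file that is no longer on disk"
        else:
            m = RUNDLL_RE.search(line)
            if m and dll_dir_is_windows_root(m.group(1)):
                reason = "rundll32 loads a DLL placed directly in the Windows root"
        if reason:
            findings.append(Finding(section, line, reason))
    return findings


def shared_clsids(findings):
    """CLSIDs that show up in more than one flagged entry: the same component
    registered through several autostart points."""
    counts = Counter(c.lower() for f in findings for c in CLSID_RE.findall(f.line))
    return {c for c, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for clsid in shared_clsids(found):
        print(f"CLSID {clsid} is registered in more than one flagged entry")
```

On the sample this flags the O2 BHO with no file, the Nxigorilo O4 entry, and both zavisomu.dll entries, while leaving the NvCplDaemon, avast! and browseui.dll entries alone; the shared-CLSID report ties the O21 and O22 entries together as one component. Treat the output as a reading aid for the log, the same way the reply above reads it, not as a cleaning tool.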

01-12-2010, 3:38 PM
Did it and rebooted. The O21 item is gone; the O4 item is still there.

01-12-2010, 4:13 PM
How is the system behaving?

01-12-2010, 4:15 PM
The redirects, pop ups, and errors are still here. The computer does seem to run faster though. I think the one that wouldn't go away is tied into the redirects and pop ups.

I got that reboot error again and wrote it down. It is a 1 minute timer; it says a shutdown was initiated by NT Authority\System. Something else about DCOM Server Process Launcher terminated unexpectedly.

01-12-2010, 4:39 PM
I had a nasty one before Christmas. Ended up going the way of the reformat.

Glad I did as it runs much better now.

01-12-2010, 6:36 PM
Hmm, I ran SpyBot this evening and found some bad sounding things. There are a whole bunch of things in the title "Microsoft.Windows.DisableSystemRestore". There were tons of these, bypassfirewalls, antivirus override and a couple of Win32 agents. Hopefully this'll help as none of my other software programs were working.

01-12-2010, 8:30 PM
If you have another profile, log on as that and scan from there. That profile might not be hosed or as bad.