Mar 10th, 2006

Nasty virus please help

Hey guys, I just built my computer and I already have this nasty virus and can't seem to get rid of it. A RUNDLL error message keeps coming up. This is the HijackThis result:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:43 PM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Fag\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATITool\ATITool.exe" -s
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\RunServices: [Microsoft System Support] spool.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140754406663
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\gplql3351.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Please tell me what I need to do, thanks.

Just
Posted by justdrw

Mar 10th, 2006

Re: Nasty virus please help

Alright, that sounds like a good virus. Fix the following:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [Microsoft System Support] spool.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
After this, install Ewido and CCleaner (both links are in my signature below) and update definitions for both, but DON'T run them yet.

After doing this, reboot into safe mode, and first, delete this folder if found:

C:\Program Files\Common Files\VCClient

Then, run Ewido and CCleaner, fixing everything that's found. Save the Ewido log.

Then, reboot into normal mode again, run HJT, and post a new log along with the saved Ewido log.

Then, we'll work from there.

Thanks.

(justdrw, ignore this below)
Also (to Mods): Anybody know anything about:

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\gplql3351.dll

Looks REAL suspicious to me.
Posted by 'Stein

Mar 10th, 2006

Re: Nasty virus please help

Quote originally posted by jhay116 ...
Also (to Mods): Anybody know anything about:

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\gplql3351.dll

Looks REAL suspicious to me.
It's a Look2Me infection.

First uninstall any of the following if found:

WinAntiSpyware
WinAntiVirus
WinAntiVirusPro
WinSoftware
SurfSideKick

For these lines, they are actually part of SurfSideKick:

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

But I do not see any of the files that usually cause this to be difficult to remove, so they may just delete.

You'll need to give this a run...

Spysweeper

http://www.malwareteks.com/dload.php...load&file_id=5
-Update to the latest definitions and run it
-Remove everything it finds
-Attach the log when you return

Also include a new HijackThis log after Spysweeper
Posted by D3m3nt3d
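A defender-side triage of the kinds of log entries the helpers singled out above: the bare `spool.exe` under RunServices, the wildcard Trusted Zone entries, and the randomly named Winlogon Notify DLL. This is an added example, not code from the thread or from HijackThis; the heuristics are my own, and the sample lines are constructed here with values copied from the posted log.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above.
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [WinampAgent] C:\\Program Files\\Winamp\\winampa.exe
O4 - HKLM\\..\\RunServices: [Microsoft System Support] spool.exe
O15 - Trusted Zone: http://*.winantivirus.com
O20 - Winlogon Notify: ShellScrap - C:\\WINDOWS\\system32\\gplql3351.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Heuristic: a few letters followed by a run of digits, like gplql3351.dll.
RANDOM_DLL_RE = re.compile(r"^[a-z]{3,8}\d{3,6}\.dll$", re.I)

def triage_line(line):
    """Return (kind, reason) if the line trips a heuristic, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        # Shape: "<hive>\..\<key>: [<name>] <command>"
        key, _, cmd = body.partition(": ")
        target = cmd.split("] ", 1)[-1].strip().strip('"')
        if "\\" not in target:
            # No directory at all: Windows resolves it via the search path.
            return kind, f"bare filename without path under {key}: {target}"
        if "RunServices" in key:
            return kind, f"legacy RunServices key (rare on XP): {target}"
    elif kind == "O15" and "*." in body:
        # Wildcard trust grants the whole domain relaxed IE security.
        return kind, f"wildcard Trusted Zone entry: {body.split(': ', 1)[-1]}"
    elif kind == "O20":
        dll = body.rsplit("\\", 1)[-1]
        if RANDOM_DLL_RE.match(dll):
            return kind, f"Winlogon Notify DLL with random-looking name: {dll}"
    elif kind == "O23" and "(file missing)" in body:
        return kind, "service path reported as missing; verify quoting/path"
    return None

def triage(log_text):
    """Run every line through triage_line and keep the hits, in log order."""
    return [r for r in (triage_line(ln) for ln in log_text.splitlines()) if r]
```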
Mar 11th, 2006

Re: Nasty virus please help

Hey guys, thanks for the replies. I don't have time tonight but I will give it a shot tomorrow and let you know how it works. Thanks again.

Justin
Posted by justdrw