
Virus I can't get rid of.

Well, I always come to the break room with my problems, so guys, help me out.

[screenshot attachment: viruszc2.png]


Then I was experiencing this.

[screenshot attachment: virus1dq7.png]


I've run:
Malwarebytes Anti-Malware
HijackThis
Spybot Search & Destroy

and ESET is running as my firewall, stopping this crap trying to download more.

I cannot boot into safemode...

It's called anti-virus 2009 virus? No clue how I got it :(
 
Check this

http://www.removal-instructions.com/removeAntivirus2009.html

Antivirus 2009 manual removal:

Kill processes:
av2009.exe av2009[1].exe AV2009Install.exe Antivirus2009.exe

Delete registry values:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15358943642955870504508370025739
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Antivirus" = "%ProgramFiles%\Antivirus 2009\Antvrs.exe"
HKEY_CURRENT_USER\Software\Antivirus

Unregister DLLs:
shlwapi.dll wininet.dll

Delete files:
av2009.exe av2009install.exe av2009install_0011.exe av2009[1].exe Antivirus2009.exe ieupdates.exe scui.cpl %program_files%\antivirus 2009\av2009.exe %startmenu%\antivirus 2009\antivirus 2009.lnk %startmenu%\antivirus 2009\uninstall antivirus 2009.lnk winsrc.dll %desktopdirectory%\antivirus 2009.lnk winsrc.dll ieupdates.exe av2009install_0011.exe av2009install.exe %program_files%\antivirus 2009\av2009.exe

Delete directories:
C:\Program Files\Antivirus 2009
 
kk, so it's not the virus I originally thought.

Here are my logs from HijackThis.

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:03, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[B]O2 - BHO: (no name) - {47B19004-F55F-4793-9ACF-E333D7C53EAD} - (no file)[/B]
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
[B]O2 - BHO: (no name) - {c2f8b33e-c2c5-48ad-950e-efc5fd52350c} - C:\WINDOWS\system32\fativowe.dll (file missing)
O2 - BHO: (no name) - {D6AEEADC-7733-4AA6-9CC3-2A0415F73416} - (no file)
O2 - BHO: (no name) - {ef187ec6-907f-4225-95c4-5d8c7bc12582} - (no file)[/B]
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
[B]O4 - HKLM\..\Run: [CPM0fc0b9af] Rundll32.exe "c:\windows\system32\punehomi.dll",a
O4 - HKLM\..\Run: [diwurusewa] Rundll32.exe "C:\WINDOWS\system32\yahipeja.dll",s[/B]
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" 
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
 
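The highlighted entries in the log above are the kind of thing a log triage script can pick out automatically. As an added example (not from the thread or from HijackThis itself), here is a small Python parser for the O2 (BHO) and O4 (Run key) lines that flags orphaned or unnamed BHOs and Run keys that launch rundll32 against a DLL under system32 with a one-letter export; the sample log lines are constructed from the entries posted above, and the rundll32 rule is a heuristic of my own.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the entries posted above.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {47B19004-F55F-4793-9ACF-E333D7C53EAD} - (no file)
O2 - BHO: (no name) - {c2f8b33e-c2c5-48ad-950e-efc5fd52350c} - C:\WINDOWS\system32\fativowe.dll (file missing)
O2 - BHO: (no name) - {D6AEEADC-7733-4AA6-9CC3-2A0415F73416} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CPM0fc0b9af] Rundll32.exe "c:\windows\system32\punehomi.dll",a
O4 - HKLM\..\Run: [diwurusewa] Rundll32.exe "C:\WINDOWS\system32\yahipeja.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 <dll>,<export>  (quotes around the DLL path are optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w*)', re.I)


def triage_hijackthis(log_text):
    """Return (section, identifier, detail, reason) tuples for suspicious O2/O4 lines."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            # A BHO whose DLL is gone is dead registry weight at best and an infection
            # leftover at worst; an unnamed one has no vendor string to vouch for it.
            if path == "(no file)" or path.endswith("(file missing)") or m.group("name") == "(no name)":
                findings.append(("O2", m.group("clsid"), path, "orphaned or unnamed BHO"))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.search(m.group("cmd"))
        if r and "system32" in r.group("dll").lower() and len(r.group("export")) <= 1:
            # Heuristic (mine, not HijackThis's): legitimate autoruns rarely load a
            # system32 DLL via rundll32 with a one-letter export name.
            findings.append(("O4", m.group("key"), r.group("dll"),
                             "rundll32 autorun with export '%s'" % r.group("export")))
    return findings


if __name__ == "__main__":
    for section, ident, detail, reason in triage_hijackthis(SAMPLE_LOG):
        print("%s %-40s %s  <- %s" % (section, ident, detail, reason))
```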
I can't get any info about those 2 DLLs:
punehomi.dll
yahipeja.dll
 
weblord said:
I can't get any info about those 2 DLLs:
punehomi.dll
yahipeja.dll
Neither can I... That's why I highlighted them.
 
What I do is back up my registry by exporting it, remove those 2 lines, and restart; if your computer goes dead, then put them back again.
The BHOs can go if you're not using any of them.

On second thought, try this one first to see which are critical and which are safe to remove:
http://housecall.trendmicro.com/

James said:
Neither can I... That's why I highlighted them.
 
weblord said:
What I do is back up my registry by exporting it, remove those 2 lines, and restart; if your computer goes dead, then put them back again.
The BHOs can go if you're not using any of them.

On second thought, try this one first to see which are critical and which are safe to remove:
http://housecall.trendmicro.com/
Give me some credit, weblord; I've tried that and it didn't work, it still comes back...

Has anyone else experienced this?

I want to try to run Safe Mode again, but I doubt it'll work.

At work tomorrow I'll be working on roughly 150 computers, so while I'm imaging them I can work on my laptop, and I may reformat it and then create an image for it so I don't have to deal with a re-install ever again.

I don't want to do that, so if anyone has some support, contact me in the next 13 hours. If I'm asleep, I'll be on in the morning; you can get my cell email via PM and I'll have to hook people up with NP$ :]
 
The time spent on tracking the issue, finding the proper removal tool and then hoping that it works - you'd be better off by backing up and reformatting the HD. :imho:

M.
 
Mike said:
The time spent on tracking the issue, finding the proper removal tool and then hoping that it works - you'd be better off by backing up and reformatting the HD. :imho:

M.
Move 120 gig of stuff?

:'( :'(
 
I agree with William that the BHOs can go. Especially those ones with "File Missing". Whenever I see a "file missing" I delete it anytime.

It sounds like you've tried mostly Anti-malware programs, not anti-virus programs. Also, bear in mind that any of these programs, ANY of these programs, are usually more successful when you do a full scan in Safe Mode.

I would suggest trying to use AVG or something.

But you say Safe Mode won't work? What do you mean? If Safe Mode doesn't work, then how in the heck does regular mode work?

I'd be willing to try to help you out... feel free to PM me.
 
Rudy, it seems to just freeze and not go past loading files?

A re-install could be the case.
 
Before that, I would at least try a real anti-virus program, like AVG or Avast. From what you've posted, all you have tried so far is anti-malware programs.

Another good Anti-malware program is Lavasoft's Ad-Aware.
 
Backup files that matter most and re-format. That's the only real way to rid your box of virii. Especially on WinBlows.

Good luck.
 
Rudy said:
Before that, I would at least try a real anti-virus program, like AVG or Avast. From what you've posted, all you have tried so far is anti-malware programs.

Another good Anti-malware program is Lavasoft's Ad-Aware.

First screenshot is my anti-virus with firewall ;)
 
psalzmann said:
Backup files that matter most and re-format. That's the only real way to rid your box of virii. Especially on WinBlows.

Good luck.

Based on my experience, this is the best route. Especially considering the amount of time lost (aka opportunity costs) using your current strategy.
 
deet said:
Hive have you tried sending LiquidCherry a PM?

Have a look at what my problem was and how it got fixed.

Also after you get this fixed.. Avast.com and MalWarebytes.org are great programs..

http://www.namepros.com/the-break-room/536208-virus-and-malware-question.html


THX deet for promoting me :)

I was sending James a link earlier in the live chat to an AV program that supposedly cleans viruses that mess with the rundll32.exe system file (and told him to run sfc /scannow to repair this system file in case it is corrupt or infected).

The reason for not posting it here is that I haven't used that particular program myself (http://www.threatfire.com/download/ ); I just had some friends (YES, I HAVE FRIENDS MIKE!!, lol) telling me about it, and I usually don't promote programs that I haven't used myself :)

Cheers

frank

P.S.: James, if you still need help, PM me :)
 
I'm back.
On your HijackThis, do a scan and save a logfile - done by James (credit); sorry I can't give NP$ credit.
Check those files that you highlighted. - done by James
Fix the checked (selected) items.
They will appear in your backups.
Exit HijackThis.
Shut down your computer.
See what happens.
Last resort is reformat.
You can still revive this.
 
James, try these tools.

Cleaning Tools
Virus First Help

I use these Free Cleaning Tools

1. ATF - Cleaner at http://www.atribune.org/index.php?o...id=25&Itemid=25

2. CCleaner - http://www.ccleaner.com

3. Disk Cleaner - http://www.diskcleaner.nl

4. Sweepi - http://www.yooapps.ch/?c=produkte/sweepi5&l=E

Virus First Help

Ad-Aware 2008 Free
http://www.lavasoft.com/products/ad_aware_free.php

Spybot - Search & Destroy
Protect yourself against spyware 1.6.0
http://www.spybot.info/en/download/index.html

SpywareBlaster 4.1
Prevent the installation of spyware and other potentially unwanted software!
http://www.javacoolsoftware.com/spywareblaster.html

Cheers
Corey
 