I got some virus or something

Josh7289

Senior member
Apr 19, 2005
799
0
76
So, I was talking to a friend in an instant messenger program, I clicked a link his computer gave me, and I got a virus or something. AntiVir went crazy, and I deleted most of the things that popped up that it said were bad, but some I accidentally clicked "Deny Access" for. Anyway, I scanned my system for viruses with AntiVir, and it deleted something, then I proceeded to scan with Ad-Aware and Spybot S&D, and both of those got rid of some things. After that, I manually went through a bunch of folders on my PC and deleted pretty much everything that looked suspicious and was created after I downloaded the file, especially in the Windows folder.

I then went through some of my running processes that looked suspicious, tried to look them up on the Internet, and tried to delete the .exe's that were running them. After that, I downloaded HijackThis! and got this log that I need help understanding, since I'm still getting some pop-ups and crap:

[log snipped]

So if you could tell me what to delete from there or any other tips to clean my PC, I'd greatly appreciate it. Thank you very much!
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
This is an object lesson in why you don't run IM programs under an Administrator-class account. Limited accounts are the safer solution.

Now...

1) update your AntiVir definitions

2) go through all of AntiVir's options panels, for both the real-time protection and for the on-demand scan, and max out all its capabilities, such as scanning inside compressed files & archives, scanning for adware/spyware, and heuristics.

3) download and install Windows Defender, which is on the front page of Microsoft.com pretty much all the time. Update it but don't scan yet.

4) reboot into Safe Mode and run a full AntiVir scan. Then stay in Safe Mode and run a full Windows Defender scan, the full version not the quick version.

5) after that, reboot to normal mode, uninstall AntiVir, download & install a free 30-day trial of Kaspersky AntiVirus Personal 6, and go through its Settings (green checkmark at top of panel) and max everything out. Then update it, reboot to Safe Mode, and run a full scan with Kaspersky, which is better than AntiVir.

6) Go to Control Panel > User Accounts, make a new user account named Admin and leave it as a Computer Administrator account. Now switch your regular account to a Limited account, and give that a try in the future. :)


BTW, whatever antivirus product you use... set it to kill on sight, no questions asked. Repeat, no questions asked. Involving the slow, error-prone human being is a mistake when you're trying to nuke 50 pieces of malware at a time. Set it to automatically delete stuff on its own recognizance, both for the real-time protection and the scheduled disk scanning.
 

UnderPantKnome

Senior member
Nov 13, 2004
202
1
81
Hey Josh7289,

If you are not sure of a process you can check here [link], and you can also have your HijackThis log analyzed.

Hope that helps.
 

erikistired

Diamond Member
Sep 27, 2000
9,739
0
0
C:\WINDOWS\igjvilvA.exe
C:\WINDOWS\poolsv.exe

O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346E99} - C:\Program Files\Batty\Batty.dll
O20 - AppInit_DLLs: BattyRun.dll
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe

------

Without doing anything but looking at your logs, those things pop out as things I'd check into. Update your AV, reboot in Safe Mode, do a full scan. Same with Spybot or Ad-Aware (or both).
 

Josh7289

Senior member
Apr 19, 2005
799
0
76
fisher, thanks, but I still have igjvilvA.exe running in my processes and it is not in the Windows folder, and the same is true for poolsv.exe. Any idea about what to do?
 

erikistired

Diamond Member
Sep 27, 2000
9,739
0
0
It's there, it's probably just hidden. You ran an updated Spybot S&D and it didn't say anything about either of those? And a full antivirus scan?
 
Mar 6, 2006
109
0
0
I'm surprised you got a virus just from clicking on a link to a web page, do you have the latest Windows Security Updates installed on your machine?
 

Josh7289

Senior member
Apr 19, 2005
799
0
76
Alright, I'm right now scanning with Kaspersky in Safe Mode, but it says it's going to take three freaking days, and it's still going up! Does this sound correct or what? I have all the Kaspersky settings maxed. Should I just scan it in normal mode?
 

Josh7289

Senior member
Apr 19, 2005
799
0
76
Well, now that the scan is over (it lied, it ended around 4:00 PM), this is my new HijackThis! log:

[log snipped]

However, my CPU usage is constantly hanging around 50%. What is that? Is there anything in there that could be causing this? Or is it because I have all of Kaspersky's settings maxed?
 

MrChad

Lifer
Aug 22, 2001
13,507
3
81
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

All of that looks suspicious
 

Josh7289

Senior member
Apr 19, 2005
799
0
76
Originally posted by: MrChad
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

All of that looks suspicious

Nope, all of those have to do with East Asian text support, inputting and displaying, etc.

But still, my computer is running like crap. Everything takes forever to load and there is a (relatively) long delay after I click on anything before the desired effect happens. Meh...I can't figure out what it could be...Nothing else looks suspicious in there?
 

potato28

Diamond Member
Jun 27, 2005
8,964
0
0
Originally posted by: Josh7289
Originally posted by: MrChad
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

All of that looks suspicious

Nope, all of those have to do with East Asian text support, inputting and displaying, etc.

But still, my computer is running like crap. Everything takes forever to load and there is a (relatively) long delay after I click on anything before the desired effect happens. Meh...I can't figure out what it could be...Nothing else looks suspicious in there?

Format Windows and reinstall.
 

jiwq

Platinum Member
May 24, 2001
2,036
0
0
get rid of the remnants
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe (file missing)
 

Josh7289

Senior member
Apr 19, 2005
799
0
76
Originally posted by: jiwq
get rid of the remnants
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe (file missing)

I was able to "fix"/delete the first one (O2) through HijackThis!, but no matter how many times I try to do the same with the second one (O23), it is still there when I scan again. Have any ideas?

Also, what is this all about?
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Well, to be thorough, do the following.

First, go to Start -> Run and type: services.msc
Scroll down and see if either Service: Microsoft SCC Host Protocol or POOLSVR is listed. If you see it/them, then:
Go to Start -> Run and type: sc service Microsoft SCC Host Protocol or sc service POOLSVR

Then, start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe (file missing)


Close ALL browsers and open windows except HijackThis and click 'Fix Checked'.

Reboot your computer.

Finally, delete the following file:
C:\dfndrd_4.exe

You should be able to delete it in normal mode but, if you can't, set your system to show hidden files, boot into safe mode and delete it from there.
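The entries jiwq and Medea single out share two tells that a script can pick up mechanically: a registry entry whose target file is gone (HijackThis prints "(file missing)") and a service with no registered owner. The Python below is an added example, not code from the thread, from HijackThis or from any of the posters. It parses the O2/O4/O18/O20/O23 line formats quoted on this page and prints a worklist; the line formats and the "executable at drive root" heuristic for O4 autoruns are my own reading of these log lines, not a HijackThis specification. Note that the Kaspersky service line gets flagged as well, which is why the output is a worklist for a person to confirm, not a verdict.

```python
import re

# Constructed sample input: HijackThis entries quoted from this thread,
# embedded so the script runs offline. Paths are kept exactly as HJT
# printed them (including the doubled backslash in the O4 line).
SAMPLE_LOG = r"""
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346E99} - C:\Program Files\Batty\Batty.dll
O20 - AppInit_DLLs: BattyRun.dll
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

# "O<n> - <body>" is the common shape of every HJT entry.
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# O23 body: "Service: <display name> (<short name>) - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: (.+?) \((\w+)\) - (.+?) - (.+)$")
# O4 body: "<hive>\..\<key>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Heuristic (assumption, not an HJT rule): an autorun whose executable sits
# directly at the drive root, e.g. C:\dfndrd_4.exe, is unusual for software.
DRIVE_ROOT_RE = re.compile(r'^"?[a-z]:\\+[^\\ ]+(\s.*)?$')


def parse_entry(line):
    """Parse one HJT line into a dict with a 'flags' worklist, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = body.endswith("(file missing)")
    entry = {"section": section, "body": body, "file_missing": missing, "flags": []}

    if section == "O23":
        sm = SERVICE_RE.match(body)
        if sm:
            entry["display"], entry["short"], entry["owner"], entry["path"] = sm.groups()
            if entry["owner"] == "Unknown owner":
                entry["flags"].append("service with no registered owner")
    elif section == "O4":
        rm = RUN_RE.match(body)
        if rm:
            entry["hive"], entry["key"], entry["name"], entry["command"] = rm.groups()
            if DRIVE_ROOT_RE.match(entry["command"].lower()):
                entry["flags"].append("autorun executable at drive root")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        entry["flags"].append("AppInit_DLLs entry (DLL loaded into every GUI process)")
    elif section == "O18":
        entry["flags"].append("text/html filter hook, confirm the DLL is wanted")

    if missing:
        entry["flags"].append("registry remnant: target file missing")
    return entry


def triage(log_text):
    """Return only the entries that carry at least one flag."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['section']}: {e['body']}")
        for f in e["flags"]:
            print(f"    -> {f}")
```

Running it prints six of the seven sample lines with their reasons; the IME autorun (the one MrChad queried and Josh7289 identified as East Asian text support) is the only entry that comes out clean.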
 

Josh7289

Senior member
Apr 19, 2005
799
0
76
Medea, I did not see either Service: Microsoft SCC Host Protocol or POOLSVR in the list. Do you want me to continue with the rest of your instructions?

EDIT: Oh, and the mentioned "things" are still in HijackThis.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Can you list the precise viruses that Kaspersky killed? It can help to know what exactly you're up against. In the Kaspersky panel, click the All threats have been treated and then see what the threats were.
 

Josh7289

Senior member
Apr 19, 2005
799
0
76
not found: Trojan program Trojan-Downloader.Win32.Adload.cu File: C:\dfndrd_4.exe
deleted: Trojan program Trojan-Downloader.Win32.VB.nw File: C:\WINDOWS\igjvilvA.exe/PE_Patch/TeLock
deleted: Trojan program Trojan-Downloader.Win32.Adload.cu Running module: dfndrd_4.exe\dfndrd_4.exe
deleted: adware not-a-virus:AdWare.Win32.BHO.ao File: c:\windows\system32\nodeipproc.dll
detected: riskware Invader (loader) Running process: C:\Program Files\Logitech\SetPoint\KEM.exe
deleted: Trojan program Trojan-Dropper.Win32.Agent.mu File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6G2OYTOG\626_101[1].exe/UPX
deleted: Trojan program Trojan-Downloader.Win32.Adload.cu File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6G2OYTOG\dfndrd_4[1].exe
deleted: adware not-a-virus:AdWare.Win32.PurityScan.ep File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G5LM86VE\axsetup1[1].exe/data0002
deleted: Trojan program Trojan-Downloader.Win32.Small.cyh File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RY2LGZ91\ac3_0003[1].exe
deleted: Trojan program Trojan-Clicker.Win32.VB.nh File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RY2LGZ91\dfndrc_4a[1].exe
deleted: Trojan program Trojan-Downloader.Win32.VB.nw File: C:\WINDOWS\offun.exe/PE_Patch/TeLock
detected: riskware Invader (loader) Running process: C:\Program Files\Trillian\trillian.exe

There you go.
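mechBgon asked for this list because the action column answers the question the thread keeps circling: what was actually removed, what was only detected, and what was still around. The Python below is an added example, not code from the thread or from Kaspersky. It parses the report lines quoted above (the "action: category name locator: path" shape is my reading of these lines, not a documented Kaspersky format) and turns them into a follow-up list: deleted versus merely detected or not found, which detections came from a running module or process, which files carried nested objects such as packer layers (PE_Patch/TeLock, UPX), and how many landed in the LocalService profile's Temporary Internet Files cache.

```python
import re
from collections import Counter

# Constructed sample input: the Kaspersky report lines quoted in this thread.
REPORT = r"""
not found: Trojan program Trojan-Downloader.Win32.Adload.cu File: C:\dfndrd_4.exe
deleted: Trojan program Trojan-Downloader.Win32.VB.nw File: C:\WINDOWS\igjvilvA.exe/PE_Patch/TeLock
deleted: Trojan program Trojan-Downloader.Win32.Adload.cu Running module: dfndrd_4.exe\dfndrd_4.exe
deleted: adware not-a-virus:AdWare.Win32.BHO.ao File: c:\windows\system32\nodeipproc.dll
detected: riskware Invader (loader) Running process: C:\Program Files\Logitech\SetPoint\KEM.exe
deleted: Trojan program Trojan-Dropper.Win32.Agent.mu File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6G2OYTOG\626_101[1].exe/UPX
deleted: Trojan program Trojan-Downloader.Win32.Adload.cu File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6G2OYTOG\dfndrd_4[1].exe
deleted: adware not-a-virus:AdWare.Win32.PurityScan.ep File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G5LM86VE\axsetup1[1].exe/data0002
deleted: Trojan program Trojan-Downloader.Win32.Small.cyh File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RY2LGZ91\ac3_0003[1].exe
deleted: Trojan program Trojan-Clicker.Win32.VB.nh File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RY2LGZ91\dfndrc_4a[1].exe
deleted: Trojan program Trojan-Downloader.Win32.VB.nw File: C:\WINDOWS\offun.exe/PE_Patch/TeLock
detected: riskware Invader (loader) Running process: C:\Program Files\Trillian\trillian.exe
"""

# Assumed line shape: "<action>: <category> <name> <locator>: <path>".
LINE_RE = re.compile(
    r"^(?P<action>not found|deleted|detected): "
    r"(?P<category>Trojan program|adware|riskware) "
    r"(?P<name>.+?) "
    r"(?P<locator>File|Running module|Running process): "
    r"(?P<path>.+)$"
)


def parse_report(text):
    """Turn report lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # Nested objects (packer layers, archive members) are appended with
        # "/" after the on-disk file, e.g. "igjvilvA.exe/PE_Patch/TeLock".
        on_disk, *layers = ev["path"].split("/")
        ev["file"] = on_disk
        ev["layers"] = layers
        events.append(ev)
    return events


def summarize(events):
    """Group events the way a responder wants to read them."""
    return {
        "by_action": dict(Counter(e["action"] for e in events)),
        "families": sorted({e["name"] for e in events}),
        # Anything not deleted still needs a decision or a second look.
        "unresolved": [e for e in events if e["action"] != "deleted"],
        # Memory hits mean the code was live, not just parked on disk.
        "in_memory": [e for e in events if e["locator"].startswith("Running")],
        "nested": [e for e in events if e["layers"]],
        "localservice_cache": [e for e in events if "\\LocalService\\" in e["file"]],
    }


if __name__ == "__main__":
    s = summarize(parse_report(REPORT))
    print("actions:", s["by_action"])
    print("families:", ", ".join(s["families"]))
    for key in ("unresolved", "in_memory", "nested", "localservice_cache"):
        print(f"{key} ({len(s[key])}):")
        for e in s[key]:
            print(f"    {e['action']:9} {e['name']:40} {e['file']}")
```

Read against the rest of the thread, the "not found" line is the same C:\dfndrd_4.exe that Medea's O4 entry points at, and the two riskware "detected" lines are programs Kaspersky left in place, so both groups are exactly what a person should look at next.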
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Awesome :) I would 100% burn that Windows installation to the ground with DBAN, unplug the network cable, reinstall Windows, and not let it be networked to anything until I'd got Service Pack 2 installed offline by using the SP2 full-file installer (pre-save this on a CD or USB drive). Then I'd make a dedicated Admin account, and switch my daily-driver account to Limited, and watch the next one of these malwares bounce harmlessly off your Limited account.

If you're not ready to nuke it, then post your latest HJT log and also look in Task Manager to see what's eating 50% of your CPU. It's not normal for Kaspersky to do that unless it's actively running scans, or fighting nonstop attacks perhaps.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Just fix those three things in HijackThis and reboot. Like mech noted, Kaspersky got the rest of the crap. The O4 might be gone now because Kaspersky nuked the file. HJT will fix the registry which is why it's important to close browsers/open windows before you click 'Fix Checked' and to reboot.