Help with virus... Can't get rid of it!

[Yellowhello]

OK, so it seems like I have a virus of some kind... It's an icon in the system tool bar (the one in the bottom right of Windows) and every so often it pops this up: AntispyGolden :: Cutting-Edge Anti-Spyware Protection <--***NOT LEGIT SITE***

I scanned my PC with AVG's scanner, SpyBot S&D, and with HijackThis!, And both AVG and SpyBot detected something bad, but they couldn't get rid of it. Here's the log from HijackThis!:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online Image Add-on\icthis.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Online Image Add-on\icmntr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\yellowhello\Desktop\Core Temp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\yellowhello\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Image Add-on\icthis.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1189286829234
O22 - SharedTaskScheduler: hydria - {79cdca21-5055-4cae-b609-e1685ef55cf7} - C:\WINDOWS\system32\hymww.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

...So I need to know how to get rid of this annoying thing!

Any help appreciated!

-Nate

[gvblake22]

What is the "something bad" that Spybot and AVG's scanner detected? If it gave you a filename, you can just do a search on your machine for that file and try and delete it yourself. I've found it is better to remove these files in Safe Mode (especially if it is a worm).

[qazwsx]

I looked through and did some research and found
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Image Add-on\icthis.exe

I think thats the guilty exe

[halutzparilla]

check you control panel add/remove program if its installed there uninstall it and check
C:\WINDOWS\system32\drivers\etc\, use a text editor to remove the following entries from the hosts file that is related to this *.exe / file ...

[One4yu2c]

Safe mode, safe mode, safe mode.

For your HiJackThis log, there are some handy online auto-analyzers, including THIS ONE. IN short:

C:\Program Files\Online Image Add-on\icthis.exe
C:\Program Files\Online Image Add-on\icmntr.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Image Add-on\icthis.exe

[insomnia]

Yeah definitely if your going to remove it do it in Safe Mode. Once you find out exactly what the virus is called Google it and see what they say about removing it. Seems to work for me every time.

[polobunny]

Download SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Reboot into safe mode and follow instructions.

[Yellowhello]

Quote:

Originally Posted by gvblake22

What is the "something bad" that Spybot and AVG's scanner detected? If it gave you a filename, you can just do a search on your machine for that file and try and delete it yourself. I've found it is better to remove these files in Safe Mode (especially if it is a worm).

Well, thats just it, they tell me the name of them (and the location) but when I go to manually delete them they're not where AVG or SpyBot says they are... Strange, huh?

...I'll try in Safe Mode and report back.

[Yellowhello]

OK, so I'm pretty sure I fixed it... I booted into Windows in Safe Mode and manually deleted the files that One4 said were the problem and I haven't gotten a pop-up in the last few minutes (usually a pop-up would have popped-up by now) so I think I can safely say this virus is busted.

Thanks all who contributed to this thread and helped me with my problem.

[One4yu2c]

Run your virus and spyware scans in safe mode too, just in case there are any hidden remnants lurking around.