
Antivirus Xp 2008 Blue Screensaver


19 replies to this topic

#1 winterspring33


Posted 26 June 2008 - 11:00 AM

I've followed all of the steps to remove the actual virus (Antivirus XP 2008) and I think I've successfully removed it; however, the blue screen saver is still there and I can't seem to remove that. SuperAntispyware detects it and I try to remove it with that program, but when I reboot, the screen saver comes back up. I've also noticed that when I right-click and go to "Properties", the "Desktop" tab that's supposed to be at the top along with "Theme" and "Settings" etc. is gone. I'm really confused because when I scan my computer with SuperAntispyware the only thing it detects is this screensaver problem, but when I run Spyware Doctor, it tells me I have a "Trojan Gaslide B". Are those the same thing? Is one the cause of the other?
Thanks for any help! :D

Edit:: OK, well, I solved the Spyware Doctor problem. I updated and I also deleted a suspicious file associated with the Antivirus XP 2008 virus. I ran Spyware Doctor again after that, and it didn't detect anything. The screensaver, however, is still not going away.

Edit 2:: Nope, I still have the virus. I just rebooted again, and the Antivirus XP appeared again. I keep on running SuperAntispyware; it detects the "Rogue.Antivirus XP 2008" and I proceed in quarantining it. The program asks me to reboot so I do, and after Windows loads, the virus is back again.

Edit 3:: The "Desktop" tab problem was just a registry error.

Edited by winterspring33, 26 June 2008 - 06:32 PM.



#2 Guest_superbird_*


Posted 26 June 2008 - 12:50 PM

1. Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2. Do part 1 of 2 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

#3 winterspring33


Posted 26 June 2008 - 01:17 PM

Malwarebytes' Anti-Malware 1.18
Database version: 893

2:14:43 PM 6/26/2008
mbam-log-6-26-2008 (14-14-40).txt

Scan type: Quick Scan
Objects scanned: 40552
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\pphccluj0en0t.exe (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:
C:\Program Files\rhc9luj0en0t\rhc9luj0en0tSkin.Dll (Rogue.AntivirusXP2008) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> No action taken.

Files Infected:
C:\Program Files\rhc9luj0en0t\rhc9luj0en0tSkin.Dll (Rogue.AntivirusXP2008) -> No action taken.
C:\WINDOWS\system32\pphccluj0en0t.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\Documents and Settings\Dianna Solano\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> No action taken.

SmitFraudFix v2.328

Scan done at 14:15:24.48, Thu 06/26/2008
Run from C:\Documents and Settings\Dianna Solano\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\lphccluj0en0t.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\rhc9luj0en0t\rhc9luj0en0t.exe
C:\WINDOWS\system32\pphccluj0en0t.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dianna Solano\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dianna Solano


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dianna Solano\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DIANNA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 M Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 167.206.251.130
DNS Server Search Order: 167.206.251.129

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FF40AE2C-DB2D-4816-BF63-69D7A98249B5}: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FF40AE2C-DB2D-4816-BF63-69D7A98249B5}: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FF40AE2C-DB2D-4816-BF63-69D7A98249B5}: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FF40AE2C-DB2D-4816-BF63-69D7A98249B5}: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 Guest_superbird_*


Posted 26 June 2008 - 01:38 PM

Run both tools again, and post the logfiles.
Do you have XP or Vista?

#5 winterspring33


Posted 26 June 2008 - 01:42 PM

I have XP.

Edited by winterspring33, 26 June 2008 - 01:43 PM.


#6 Guest_superbird_*


Posted 26 June 2008 - 01:44 PM

Run both tools again, and post the logfiles.



#7 winterspring33


Posted 26 June 2008 - 01:46 PM

SmitFraudFix v2.328

Scan done at 14:41:11.18, Thu 06/26/2008
Run from C:\Documents and Settings\Dianna Solano\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\lphccluj0en0t.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\rhc9luj0en0t\rhc9luj0en0t.exe
C:\WINDOWS\system32\pphccluj0en0t.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dianna Solano


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dianna Solano\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DIANNA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 M Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 167.206.251.130
DNS Server Search Order: 167.206.251.129

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FF40AE2C-DB2D-4816-BF63-69D7A98249B5}: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FF40AE2C-DB2D-4816-BF63-69D7A98249B5}: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FF40AE2C-DB2D-4816-BF63-69D7A98249B5}: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FF40AE2C-DB2D-4816-BF63-69D7A98249B5}: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Malwarebytes' Anti-Malware 1.18
Database version: 893

2:45:59 PM 6/26/2008
mbam-log-6-26-2008 (14-45-59).txt

Scan type: Quick Scan
Objects scanned: 40504
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\pphccluj0en0t.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\rhc9luj0en0t\rhc9luj0en0tSkin.Dll (Rogue.AntivirusXP2008) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\rhc9luj0en0t\rhc9luj0en0tSkin.Dll (Rogue.AntivirusXP2008) -> Delete on reboot.
C:\WINDOWS\system32\pphccluj0en0t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dianna Solano\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

MBAM told me to reboot to remove a file, so I did. Nothing's changed; the Antivirus XP 2008 is still on my computer :thumbsup:

Edited by winterspring33, 26 June 2008 - 01:52 PM.
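
Added example, not part of any post in this thread: a triage script that cross-checks the SmitFraudFix process list against the MBAM detections and lists running processes the quick scan did not flag but whose file names share a long character run with a flagged file. The sample lines are copied from the logs in post #7; the function names and the `min_run` threshold are this example's own assumptions.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Constructed sample input: lines copied from the MBAM and SmitFraudFix logs in post #7.
MBAM_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\pphccluj0en0t.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\rhc9luj0en0t\rhc9luj0en0tSkin.Dll (Rogue.AntivirusXP2008) -> Unloaded module successfully.

Files Infected:
C:\Program Files\rhc9luj0en0t\rhc9luj0en0tSkin.Dll (Rogue.AntivirusXP2008) -> Delete on reboot.
C:\WINDOWS\system32\pphccluj0en0t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

PROCESS_LIST = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lphccluj0en0t.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\rhc9luj0en0t\rhc9luj0en0t.exe
C:\WINDOWS\system32\pphccluj0en0t.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
"""

# "<path> (<detection name>) -> <action>." as printed in the MBAM logs above.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(log):
    """Map lower-cased path -> (path, detection name, last reported action)."""
    found = {}
    for line in log.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found[m["path"].lower()] = (m["path"], m["name"], m["action"])
    return found


def pending_removal(log):
    """Detected paths whose final action is not a completed deletion."""
    return [path for path, _, action in parse_mbam(log).values()
            if "deleted successfully" not in action]


def stem(path):
    """File name without directory or extension, lower-cased."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def shared_run(a, b):
    """Length of the longest substring common to a and b."""
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return sm.find_longest_match(0, len(a), 0, len(b)).size


def unflagged_relatives(mbam_log, process_list, min_run=6):
    """Running processes that MBAM did not flag but whose file name shares at
    least min_run consecutive characters with a flagged file name.
    Returns (process path, closest flagged path, shared run length) tuples."""
    detections = parse_mbam(mbam_log)
    if not detections:
        return []
    suspects = []
    for line in process_list.splitlines():
        proc = line.strip()
        if not proc or proc.lower() in detections:
            continue  # blank line, or already handled by the scanner
        run, flagged = max((shared_run(stem(proc), stem(key)), path)
                           for key, (path, _, _) in detections.items())
        if run >= min_run:  # heuristic threshold (assumption), not a verdict
            suspects.append((proc, flagged, run))
    return suspects


if __name__ == "__main__":
    for proc, flagged, run in unflagged_relatives(MBAM_LOG, PROCESS_LIST):
        print(f"inspect {proc}  (shares {run} chars with {flagged})")
    print("not yet removed:", pending_removal(MBAM_LOG))
```

On the sample lines it reports `lphccluj0en0t.exe` and `rhc9luj0en0t.exe`, both present in the process list but absent from the quick-scan results, as files to inspect before the next reboot.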


#8 Uberstroker


Posted 26 June 2008 - 02:01 PM

I seem to have the same problem you do. I tried to manually remove the files of the "xp antivirus 2008" from my files, and it seemed successful, but when I rebooted, there it was again as if I did nothing. When I searched through my files again, the search turned up nothing, because I supposedly removed all the files, but the virus still exists. Is this the same for you?

I'm starting to think that it's in a hidden file somewhere under a new name or something. Maybe a trojan keeps re-initializing it?

I'm beginning to think that the xp antivirus bug might be just a side-effect of what's really going on here. Unfortunately, you may have to reformat like I plan to.

Edited by Uberstroker, 26 June 2008 - 02:03 PM.


#9 winterspring33


Posted 26 June 2008 - 02:09 PM

Yeah, every time I run MBAM or SuperAntiSpyware I quarantine the Antivirus files. Then I'm forced to reboot to remove a certain file and when I do, the virus is still there. I just searched for any Antivirus XP files and I've found them all reinstalled again. So what I think is happening is that either I'm not fully removing the virus or it's somehow reinstalling itself every time I reboot.

Edited by winterspring33, 26 June 2008 - 02:10 PM.


#10 winterspring33


Posted 26 June 2008 - 02:11 PM

And now the clock on my toolbar has changed from 3:00 to 15:00

Edit:: fixed through the control panel.

Edited by winterspring33, 26 June 2008 - 06:38 PM.


#11 Guest_superbird_*


Posted 26 June 2008 - 02:23 PM

Winterspring33,

Please reboot the pc. How are the problems now? :flowers:


Uberstroker,

Please start your own topic. :thumbsup:

#12 winterspring33


Posted 26 June 2008 - 02:27 PM

Nothing has changed. The virus is still running. :flowers:
I'm thinking of reformatting but I'd really like to avoid that option.
Installing drivers and codecs is so annoying :thumbsup:

Edited by winterspring33, 26 June 2008 - 02:28 PM.


#13 Uberstroker


Posted 26 June 2008 - 02:28 PM

heh, I do. I'll keep an eye on this thread too, because I think we're experiencing the same issue. http://www.bleepingcomputer.com/forums/t/154405/a-very-malicious-virus/

#14 Guest_superbird_*


Posted 26 June 2008 - 02:41 PM

Uberstroker,

That's all right, of course. :thumbsup:

Winterspring33,

1. Scan again with MBAM. Post that log in your next reply.

2. Go to Kaspersky Online scanner.
Click Accept.
Follow the instructions, and scan your whole system.
Post the logfile in your next reply. :flowers:

Edited by superbird, 26 June 2008 - 02:42 PM.


#15 winterspring33


Posted 26 June 2008 - 02:45 PM

OK, I'm scanning with MBAM right now. Should I reboot when prompted?
And I went to the online scanner but it says I need to run it with Administrator privileges. Does that mean I have to switch to safe mode?

Edited by winterspring33, 26 June 2008 - 02:50 PM.




