
Wallpaper Turns Blue & Antivirus 2008 Xp Malware Infection - Going To College Soon!


5 replies to this topic

#1 Boston Kid


  • Members
  • 11 posts

Posted 10 August 2008 - 08:12 PM

Hey Bleeping Computer Expert!

I'm freaking out here. I visited the site mp3000.net, and afterwards I've come down with the following symptoms:

1. Wallpaper changes to blue, and in the middle it says WARNING! Spyware detected on your computer in a yellow box, and underneath in a blue box it says to install antivirus.

2. ZoneAlarm keeps detecting this threat, but I can't seem to find it on Google - lphcvq3j0eecn.exe

3. Upon booting the computer the following Windows scripting error appears - tt3.tmp.vbs not found

4. Upon booting the BIOS had some errors but I wasn't able to write them down

5. Antivirus 2008 XP just came up as well

I've downloaded the necessary programs and I await your response.


#2 DaChew


    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 August 2008 - 08:47 PM

http://www.bleepingcomputer.com/forums/ind...st&p=876163

Run MBAM, let it reboot to finish removal, then run it again.

Post both logs.

fast track
Chewy

No. Try not. Do... or do not. There is no try.

#3 Boston Kid

  • Topic Starter

  • Members
  • 11 posts

Posted 10 August 2008 - 10:24 PM

Thanks DaChew! It seemed to do the trick - here are the two logs:

First Log

Malwarebytes' Anti-Malware 1.24
Database version: 1038
Windows 5.1.2600 Service Pack 2

7:33:52 PM 8/10/2008
mbam-log-8-10-2008 (19-33-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 86187
Time elapsed: 29 minute(s), 18 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 5
Registry Keys Infected: 10
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 21

Memory Processes Infected:
C:\Program Files\rhcrq3j0eecn\rhcrq3j0eecn.exe (Rogue.Multiple) -> Unloaded process successfully.
C:\WINDOWS\system32\lphcvq3j0eecn.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\pphcvq3j0eecn.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\rhcrq3j0eecn\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhcrq3j0eecn\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhcrq3j0eecn\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhcrq3j0eecn\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\blphcvq3j0eecn.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcrq3j0eecn (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcrq3j0eecn (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcrq3j0eecn (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcvq3j0eecn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhcrq3j0eecn (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\rhcrq3j0eecn\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\rhcrq3j0eecn\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrq3j0eecn\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrq3j0eecn\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrq3j0eecn\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrq3j0eecn\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrq3j0eecn\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrq3j0eecn\rhcrq3j0eecn.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrq3j0eecn\rhcrq3j0eecn.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrq3j0eecn\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Belal\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcvq3j0eecn.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcvq3j0eecn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcvq3j0eecn.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcvq3j0eecn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

2nd Log

Malwarebytes' Anti-Malware 1.24
Database version: 1038
Windows 5.1.2600 Service Pack 2

8:16:48 PM 8/10/2008
mbam-log-8-10-2008 (20-16-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 85105
Time elapsed: 34 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
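DaChew asks for two logs because the first MBAM run can only schedule some items for deletion on reboot ("Delete on reboot" in the first log above); the second log is what shows the machine came up clean. The script below is an added example, not code from the thread or from Malwarebytes: it parses logs in the 1.x text format posted above and performs that check, plus a consistency check that the summary counts match the items actually listed (a mismatch means a truncated or edited log). The two sample logs are abbreviated, constructed versions of Boston Kid's two logs.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and run a helper's checklist
over them: is the scan clean, do the summary counts match the listed items, and
did anything need a reboot to finish removal.  Added example; the sample logs
are abbreviated, constructed versions of the two posted in the thread."""
import re
from collections import Counter

HEADER_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned): (?P<value>.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>.+? Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+? Infected):$")
# "<path> (<family>) -> <action>"; the action may itself contain "Bad: (1) Good: (0) ->"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return header fields, the summary counts and the per-section item lists."""
    report = {"header": {}, "summary": {}, "sections": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if (m := HEADER_RE.match(line)):
            report["header"][m["key"]] = m["value"]
        elif (m := SUMMARY_RE.match(line)):
            report["summary"][m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            current = m["section"]
            report["sections"].setdefault(current, [])
        elif current and (m := ITEM_RE.match(line)):
            report["sections"][current].append(m.groupdict())
    return report


def assess(report):
    """Helper's checklist over a parsed log."""
    summary, sections = report["summary"], report["sections"]
    items = [i for lst in sections.values() for i in lst]
    return {
        "clean": sum(summary.values()) == 0 and not items,
        # a count that disagrees with the listed items means the log was truncated or edited
        "counts_consistent": all(len(sections.get(n, [])) == c for n, c in summary.items()),
        # MBAM could not remove these while loaded; the reboot finishes the job
        "needs_reboot": [i["path"] for i in items if "Delete on reboot" in i["action"]],
        "families": Counter(i["family"] for i in items),
    }


# constructed, abbreviated version of the first log posted in the thread
INFECTED_LOG = r"""
Malwarebytes' Anti-Malware 1.24
Database version: 1038
Scan type: Full Scan (C:\|)
Objects scanned: 86187

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Program Files\rhcrq3j0eecn\rhcrq3j0eecn.exe (Rogue.Multiple) -> Unloaded process successfully.
C:\WINDOWS\system32\lphcvq3j0eecn.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\blphcvq3j0eecn.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lphcvq3j0eecn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcvq3j0eecn.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# constructed, abbreviated version of the second (clean) log
CLEAN_LOG = r"""
Malwarebytes' Anti-Malware 1.24
Database version: 1038
Objects scanned: 85105

Memory Processes Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    for name, text in (("first scan", INFECTED_LOG), ("second scan", CLEAN_LOG)):
        r = assess(parse_mbam_log(text))
        print(name, "clean" if r["clean"] else "infected",
              "| counts consistent:", r["counts_consistent"],
              "| reboot required for:", r["needs_reboot"] or "nothing")
```

On the first log the script reports the `.scr` module as needing a reboot and counts four `Trojan.FakeAlert` items; on the second it reports clean with consistent counts, which is the state a helper wants to see before declaring the thread resolved.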

#4 DaChew


    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 11 August 2008 - 06:22 AM

Are all your malware symptoms gone?

I use Firefox with the NoScript add-on and Spybot S&D's Immunize for IE to protect my computer from these drive-by infections.
A fellow mod at another forum has resorted to using a virtual machine for his duties investigating links.
Chewy

No. Try not. Do... or do not. There is no try.

#5 berend


  • Members
  • 2 posts

Posted 11 August 2008 - 06:57 AM

Just out of interest, do you have the files c:\windows\el.ini and c:\windows\system32\el32.dll on your PC? I also got infected yesterday by just visiting a website (actually, a political satire site; I did not expect it to be dangerous at all) and it not only gave me "Antivirus 2008 XP" but also those two files.

el.ini contained a list of dodgy web addresses with the header [proxy]. It looked as if the purpose of the infection was to use my PC as a proxy server to send spam. If you have el32.dll and cannot delete it, I am afraid there is still some infection left.

I found three other posts mentioning the same: Google search for el.ini and el32.dll. Unfortunately, they are in Polish, Czech and French, respectively. The Polish and Czech posts are both dated yesterday, August 10, 2008. I am wondering if there is a new worm infecting web servers that is spreading this stuff around ...

#6 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,558 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 August 2008 - 10:20 PM

Do you have the game Eternal Lands installed, as those files may belong to it?

If not, please upload the files to Jotti's malware scan and/or VirusTotal for a malware scan of the files.
Please post back here the results they send you.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
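Berend's question (is the el.ini / el32.dll pair present, and what is under its [proxy] header?) and boopme's follow-up (submit the files to Jotti or VirusTotal) are the kind of check that is worth scripting so the answer is reproducible. The script below is an added example, not code from the thread; the only facts it takes from the page are the two file names and the [proxy] header. The directory it scans, the INI contents and the DLL bytes are constructed stand-ins (a real el32.dll would be hashed in place), and because the thread does not say whether el.ini lists bare addresses or key=value lines, the parser accepts both. The SHA-256 it prints is what VirusTotal looks up, so a hash can be checked before any file is uploaded.

```python
r"""Look for the c:\windows\el.ini / system32\el32.dll pair berend mentions, hash
whatever is present, and list the [proxy] entries in el.ini.  Added example;
the directory, INI contents and DLL bytes used here are constructed."""
import configparser
import hashlib
import os
import tempfile

INDICATORS = ("el.ini", os.path.join("system32", "el32.dll"))

# constructed el.ini: a [proxy] header followed by addresses, as berend describes
SAMPLE_EL_INI = "[proxy]\nhttp://proxy-a.example.invalid:8080\nhttp://proxy-b.example.invalid:3128\n"


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def proxy_entries(ini_path):
    """Return the lines under [proxy] as strings; empty if the section is missing."""
    # '=' only: the default ':' delimiter would split URLs such as http://host:port
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   strict=False, interpolation=None)
    cp.optionxform = str  # keep the case of hostnames and URLs
    cp.read(ini_path, encoding="latin-1")
    if not cp.has_section("proxy"):
        return []
    return [k if v is None else f"{k}={v}" for k, v in cp.items("proxy")]


def check_windows_dir(windir):
    """Report which indicator files exist under windir, their SHA-256, and any proxy entries."""
    found = {}
    for rel in INDICATORS:
        path = os.path.join(windir, rel)
        if os.path.isfile(path):
            found[rel] = sha256_of(path)
    entries = proxy_entries(os.path.join(windir, "el.ini")) if "el.ini" in found else []
    return {"found": found, "proxy_entries": entries}


def build_sample_windir():
    r"""Create a throwaway directory laid out like C:\WINDOWS with both files (constructed)."""
    root = tempfile.mkdtemp(prefix="windir-")
    os.makedirs(os.path.join(root, "system32"))
    with open(os.path.join(root, "el.ini"), "w", encoding="latin-1") as f:
        f.write(SAMPLE_EL_INI)
    with open(os.path.join(root, "system32", "el32.dll"), "wb") as f:
        f.write(b"abc")  # placeholder bytes standing in for the DLL
    return root


if __name__ == "__main__":
    report = check_windows_dir(build_sample_windir())
    for rel, digest in report["found"].items():
        print(f"{rel}: sha256 {digest}  (look this hash up on VirusTotal / submit to Jotti)")
    for entry in report["proxy_entries"]:
        print("proxy entry:", entry)
    if not report["found"]:
        print("neither indicator file present")
```

On a real machine, replace `build_sample_windir()` with the actual Windows directory; an empty `found` answers berend's question in the negative, and a populated `proxy_entries` list is what to quote when asking for help.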



