
Infected With Antivirusxp 2008 :(


7 replies to this topic

#1 dionjuan2004

Posted 19 August 2008 - 10:45 PM

Hello everyone,

It's the same old story about AntivirusXp :) .

I followed instructions from another thread and have been able to remove this permanent message - "Warning! Spyware detected on your computer. Install an antivirus or spyware remover to clean your computer" - from my desktop, and now I can also change the desktop background. But I'm not sure if the virus has been kicked out. I just followed the instructions from another thread and this is what I've done so far -

1. Installed AVG
2. Ran a scan, it detected 5 infections. I am attaching a snapshot of Virus Vault. As of now, I don't know what to do with these infections. They are just lying there in the vault.

Attached File  Virus_Vault.JPG   73.28KB   26 downloads


3. Installed and ran OTMoveIt2 by OldTimer. Here is the log created after clicking on "MoveIt!"

File/Folder C:\WINDOWS\system32\lphc3osj0et9e.exe not found.
File/Folder C:\Program Files\rhc7osj0et9e not found.
File/Folder C:\WINDOWS\system32\qjspidwx.exe not found.
File/Folder C:\WINDOWS\system32\xgngtkhi.exe not found.
File/Folder C:\WINDOWS\system32\cjedudmd.exe not found.
File/Folder C:\Documents and Settings\All Users\Application Data\ivkfodmp not found.
File/Folder C:\Program Files\qmhuwbg not found.
File/Folder C:\WINDOWS\system32\pphc3osj0et9e.exe not found.
File/Folder C:\Documents and Settings\the old doctor\Application Data\rhc7osj0et9e not found.
File/Folder C:\WINDOWS\system32\blphc3osj0et9e.scr not found.
File/Folder C:\Program Files\temp995.bat not found.
File/Folder C:\WINDOWS\system32\apsrarqt.exe not found.
File/Folder C:\WINDOWS\system32\rcpaxwnu.exe not found.
File/Folder C:\WINDOWS\system32\cjedudmd.exe not found.
File/Folder C:\WINDOWS\system32\pehuzovw.exe not found.
File/Folder C:\WINDOWS\system32\hohszong.exe not found.
File/Folder C:\WINDOWS\system32\ryrolatk.exe not found.
File/Folder C:\WINDOWS\system32\rcdmlexs.exe not found.
File/Folder C:\WINDOWS\system32\slubsxsh.exe not found.
File/Folder C:\WINDOWS\system32\nolatcxm.exe not found.
File/Folder C:\WINDOWS\system32\rehynkzo.exe not found.
File/Folder C:\WINDOWS\system32\zalkpilw.exe not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphc3osj0et9e >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphc3osj0et9e not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMrhc7osj0et9e >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMrhc7osj0et9e not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\setdb >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\setdb not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\uiadm >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\uiadm not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\apimsgapp >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\apimsgapp not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run\\GaVceWvq5q >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run\\GaVceWvq5q not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\UiShEn >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\UiShEn not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08202008_085650


4. Installed and ran Malware Bytes Antimalware. It found 39 infections and removed all of them. Here is the log -

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

9:00:04 AM 8/20/2008
mbam-log-08-20-2008 (09-00-04).txt

Scan type: Quick Scan
Objects scanned: 64693
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcrqbj0et1g (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcrqbj0et1g (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcrqbj0et1g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\rhcrqbj0et1g (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\rhcrqbj0et1g\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Program Files\rhcrqbj0et1g\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrqbj0et1g\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrqbj0et1g\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrqbj0et1g\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrqbj0et1g\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrqbj0et1g\rhcrqbj0et1g.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.


After doing all this, I realized I should not be following the advice given to someone else, as his virus and infection may be different from mine. :thumbsup:
So, here I am posting this message requesting you professionals to help me. I just want to get rid of this infection and I don't know if it's gone yet. It still shows when I click on the start icon.

Highly appreciate your time and assistance,
Dion
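A reviewer of a log like the one above usually wants three things checked before deciding whether the machine is clean: that the summary counts match the entries actually listed, which detection families were present, and whether any of the hits were autostart locations (the Run keys that gave the rogue its persistence). The script below does that over a constructed sample in the Malwarebytes' Anti-Malware 1.25 log format; it is an added example, not part of the original post and not Malwarebytes' own tooling.

```python
import re
from collections import Counter

# Constructed sample in the format of the Malwarebytes' Anti-Malware 1.25 log
# posted in the thread (entries trimmed; summary counts match the entries).
SAMPLE_LOG = r"""
Registry Keys Infected: 2
Registry Values Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcrqbj0et1g (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcrqbj0et1g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
"""

ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")
SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Registry locations that give a rogue its autostart; hits here deserve a second look.
AUTOSTART = (r"\currentversion\run", r"\runonce", r"shellserviceobjectdelayload",
             r"policies\explorer\run")

def parse_mbam_log(text):
    """Return (summary counts, [(section, item, family, action), ...])."""
    summary, entries, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
        elif line.endswith(" Infected:"):
            section = line[:-1]          # e.g. "Registry Keys Infected"
        else:
            m = ENTRY.match(line)
            if m and section:
                entries.append((section, m["item"], m["family"], m["action"]))
    return summary, entries

def triage(text):
    """Cross-check the summary against the listed entries and flag what matters."""
    summary, entries = parse_mbam_log(text)
    listed = Counter(sec for sec, *_ in entries)
    return {
        "mismatch": [s for s, n in summary.items() if listed.get(s, 0) != n],
        "families": dict(Counter(fam for _, _, fam, _ in entries)),
        "autostart": [it for _, it, _, _ in entries if any(a in it.lower() for a in AUTOSTART)],
        "not_removed": [it for _, it, _, act in entries if "successfully" not in act],
    }
```

Run it over the full log text from a post and a non-empty `mismatch` or `not_removed` list is the cue to ask for a fresh scan rather than declare the machine clean.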

#2 dionjuan2004

Posted 30 August 2008 - 12:10 PM

still no replies?? :thumbsup:

Dion

#3 SNOWHITE

Posted 30 August 2008 - 07:07 PM

Hello and welcome to BC


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
    Note: If you are using Windows Vista, right-click on RSIT.exe and select 'Run as administrator'.

  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply please post back with the following reports:
  • RSIT log.txt
  • RSIT info.txt
  • Kaspersky report
Regards
SNOWHITE

#4 dionjuan2004

Posted 31 August 2008 - 08:12 AM

Thanks Snowhite!

So I selected My computer and ran a scan with Kaspersky Online Scanner. It gave me this result -

No malware has been detected. The scan area is clean.

I also tried RSIT.exe but it just stops at "Performing Registry Dump" and nothing else happens. I left it like this for 30 minutes but still nothing happened. Please help.

Appreciate your time,
Dion

#5 SNOWHITE

Posted 31 August 2008 - 08:26 AM

Let's try this scanner: download OTViewIt from this link http://oldtimer.geekstogo.com/OTViewIt.exe to your desktop.
Double-click OTViewIt.exe to run the program; it should produce two logs, OTViewIt.txt and Extras.txt. Post the contents of both reports back here.
SNOWHITE

#6 dionjuan2004

Posted 31 August 2008 - 10:27 PM

I have attached both the text files.

Attached File  Extras.Txt   66.48KB   18 downloads
Attached File  OTViewIt.Txt   62.87KB   28 downloads

Thanks,
Dion

#7 SNOWHITE

Posted 06 September 2008 - 03:54 PM

Hello dionjuan2004,

Let's proceed with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

SNOWHITE

#8 SNOWHITE

Posted 21 September 2008 - 04:22 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you
SNOWHITE