
Xp2008 Virus...can I Really Get Rid Of It?


This topic is locked
8 replies to this topic

#1 Yannie

Yannie

  • Members
  • 6 posts

Posted 24 August 2008 - 12:47 AM

Hi, I am not too savvy regarding PC health issues. I have Windows XP, and am currently using (and was using when this happened) AVG free ver. 8.0. I recently began experiencing pop-ups with "AntiSpyware XP 2008" info telling me of all the 600+ infections I have. Thought it was odd, especially when my desktop background changed to blue. So I googled it and it appeared to be a nasty virus. Looked at some of your existing forums and did the following:

Downloaded and ran Malware... here is the log:

Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 2

11:11:48 PM 8/23/2008
mbam-log-08-23-2008 (23-11-48).txt

Scan type: Quick Scan
Objects scanned: 62086
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
s
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicki\Application Data\rhcgpnj0er7c\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\rhcgpnj0er7c\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xqbgoogx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqnnnm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cjivnxch.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\DataBase.ref (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\license.rtf (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\SpywareBot.url (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\unins000.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\unins000.exe (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Microsoft.VC80.CRT\msvcp80.dll (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Microsoft.VC80.CRT\msvcr80.dll (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Microsoft.VC80.MFC\mfc80.dll (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Microsoft.VC80.MFC\Microsoft.VC80.MFC.manifest (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot.lnk (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\SpywareBot\rs.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\SpywareBot\Log\2008 Mar 05 - 12_18_53 PM_078.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\SpywareBot\Quarantine\21-02-2008-11-25-38\0.qit (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\SpywareBot\Quarantine\21-02-2008-11-25-38\0.qnf (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Desktop\SpywareBot.lnk (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Rebooted, scanned again, came up clean

Downloaded Ad-Aware, ran it, came up with 68 more infections, but for some reason I can't get a detailed log.

Logged off - downloaded Spybot S&D - ran update. It found 18 infections (can't get a log there either...like I said I'm not too savvy - if you know of a way let me know.) I do see information about issues with "Spyware Bot", "WildTangent" "SpywareBOT.spywarestop" & "Virtumonde"

So I am at a loss...I use my PC for everything. I have read some articles where folks suggest wiping the PC clean. Is that the direction I should be going? I want my info to be safe, and I am worried it will never be clean unless I do a reinstall.

Thanks in advance for your help!!
Vicki
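The Malwarebytes log Vicki posted is the kind of output a helper triages by hand: which families were hit, whether anything sits in C:\WINDOWS\system32 (where the Vundo DLLs were), and whether every item was actually removed. The script below is an added example, not part of this thread and not Malwarebytes' own tooling; it parses lines in the 1.x log format using a constructed subset of the posted log, with one status changed to "Delete on reboot." so the not-yet-removed case is exercised. The "Delete on reboot." status string and the rule that a Vundo hit warrants a re-scan are assumptions made for the example, not something the thread states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the Malwarebytes' Anti-Malware 1.x log posted
# in the thread, with the last status altered to "Delete on reboot." (assumed
# status wording) so that a not-yet-removed item is present.
SAMPLE_LOG = """\
Files Infected:
C:\\WINDOWS\\system32\\xqbgoogx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\urqnnnm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\\Program Files\\SpywareBot\\unins000.exe (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\Steve\\Application Data\\rhcgpnj0er7c\\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\\WINDOWS\\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\pac.txt (Malware.Trace) -> Delete on reboot.
"""

# One detection line: <path> (<family>) -> <action>.
# The path is matched lazily so a "(" inside a directory name does not end it.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
REMOVED = "Quarantined and deleted successfully"
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Detection:
    path: str
    family: str
    action: str


def parse_mbam_log(text: str) -> list[Detection]:
    """Return one Detection per matching line; section headers and blanks are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append(Detection(m["path"], m["family"], m["action"]))
    return found


def summarize(dets: list[Detection]) -> dict:
    """Counts per family, items under system32, and items not fully removed."""
    families = Counter(d.family for d in dets)
    system32 = [d.path for d in dets if d.path.lower().startswith(SYSTEM32)]
    pending = [d.path for d in dets if d.action != REMOVED]
    return {"families": dict(families), "system32": system32, "pending": pending}


def needs_followup_scan(dets: list[Detection]) -> bool:
    """Assumed triage rule: re-scan if anything is still pending removal or a
    Vundo variant was present (it is known for re-creating its DLLs)."""
    s = summarize(dets)
    return bool(s["pending"]) or any(f.startswith("Trojan.Vundo") for f in s["families"])


if __name__ == "__main__":
    detections = parse_mbam_log(SAMPLE_LOG)
    report = summarize(detections)
    for family, n in sorted(report["families"].items()):
        print(f"{n:3d}  {family}")
    print("system32 items:", *report["system32"], sep="\n  ")
    print("pending removal:", *report["pending"], sep="\n  ")
    print("follow-up scan advised:", needs_followup_scan(detections))
```

Run it against a saved mbam-log file by replacing SAMPLE_LOG with the file's contents; the summary is what a helper would want before deciding, as rigel does later in the thread, whether to ask for another scan.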



#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 24 August 2008 - 03:40 PM

Hi Vicki,

Let's follow up your scans with the following procedure:

Please download ATF Cleaner by Atribune & save it to your desktop.
Alternate download link. DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please be sure to post the log in its entirety.
Thanks,
rigel

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Yannie

Yannie
  • Topic Starter

  • Members
  • 6 posts

Posted 24 August 2008 - 09:51 PM

Hi
I ran the scan, nice directions, easy to follow. I rebooted, but my PC is still super slow.

Here is what SUPERAntiSpyware came up with:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/24/2008 at 10:32 PM

Application Version : 4.20.1046

Core Rules Database Version : 3541
Trace Rules Database Version: 1530

Scan type : Complete Scan
Total Scan Time : 01:00:23

Memory items scanned : 197
Memory threats detected : 0
Registry items scanned : 6399
Registry threats detected : 10
File items scanned : 17473
File threats detected : 7

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{3212BDB6-6B0C-4DB7-8DA7-AE36AE8CEA94}
HKCR\CLSID\{3212BDB6-6B0C-4DB7-8DA7-AE36AE8CEA94}
HKCR\CLSID\{3212BDB6-6B0C-4DB7-8DA7-AE36AE8CEA94}\InprocServer32
HKCR\CLSID\{3212BDB6-6B0C-4DB7-8DA7-AE36AE8CEA94}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTSQ.DLL
HKLM\Software\Classes\CLSID\{9058EEE8-BD5C-4D8D-8D19-004BB997139C}
HKCR\CLSID\{9058EEE8-BD5C-4D8D-8D19-004BB997139C}
HKCR\CLSID\{9058EEE8-BD5C-4D8D-8D19-004BB997139C}\InprocServer32
HKCR\CLSID\{9058EEE8-BD5C-4D8D-8D19-004BB997139C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKJH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3212BDB6-6B0C-4DB7-8DA7-AE36AE8CEA94}

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{634BBAB7-3F60-4426-944F-A62B9007F67F}

Adware.Tracking Cookie
C:\Documents and Settings\Vicki\Cookies\vicki@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\Vicki\Cookies\vicki@apmebf[1].txt
C:\Documents and Settings\Vicki\Cookies\vicki@media6degrees[1].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\QSTWA.INI
C:\WINDOWS\SYSTEM32\QSTWA.INI2

Thanks for your help!!

Edited by Yannie, 24 August 2008 - 09:53 PM.


#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 25 August 2008 - 12:52 PM

Hi Vicki,

Please run a new scan of Malwarebytes. Please post the new log for us to review and we will go from there.


I ran the scan, nice directions, easy to follow.


Thank you for the comment. It is good to hear feedback on the usability of these scripts!



#5 Yannie

Yannie
  • Topic Starter

  • Members
  • 6 posts

Posted 25 August 2008 - 06:19 PM

Hi Rigel
I ran a full system scan using Malware and it came up clean...here is my log:
Malwarebytes' Anti-Malware 1.25
Database version: 1086
Windows 5.1.2600 Service Pack 2

7:15:59 PM 8/25/2008
mbam-log-08-25-2008 (19-15-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 100859
Time elapsed: 26 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Am I safe yet? I use this PC for banking, I haven't used it since this started, but I am hesitant to resume.

Thanks so much!
Vicki

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 25 August 2008 - 07:23 PM

This looks better!

Since it is banking - one more scan please...

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



#7 Yannie

Yannie
  • Topic Starter

  • Members
  • 6 posts

Posted 26 August 2008 - 04:33 PM

Hi
I ran the scan, the log is below. Can't help but notice that when Kaspersky's site checked my system requirements they said I needed to update the Java I had, so I did (off the link in the site), b/c it wouldn't run without it. Now, the trojan issue has Java in it? I don't really understand Trojan Horses...but is the download and the trojan connected?? Thanks again!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 26, 2008 19:01:24
Records in database: 1148706
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
H:\

Scan statistics:
Files scanned: 62646
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:46:21


File name / Threat name / Threats count
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\14\467e7c0e-32dcc3a6 Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-3f7c9b56.zip Infected: Trojan-Downloader.Java.Agent.f 1

The selected area was scanned.

#8 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 26 August 2008 - 06:12 PM

Hi Vicki,

I don't feel comfortable with this infection, and would rather not take any chances. Let's get you transferred to the HJT Team. They have a more powerful arsenal to kill malware.

Please start at step (9) of the Preparation Guide for use before posting a HijackThis Log. When you post a log, please note this thread. That will give the team member who takes your log an idea of what we have already done.
Please be patient with your log. This team is extremely busy.

Best wishes Vicki! You will be in good hands...

rigel


Edit: The Java you downloaded was clean. I just downloaded it myself.

Edited by rigel, 26 August 2008 - 06:13 PM.
Added comments



#9 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 27 August 2008 - 06:11 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry926128

Hi Vicki,

Since you now have an active log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.
