Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Xp Antivirus Virus + Malware. Please Help

  • This topic is locked This topic is locked
2 replies to this topic

#1 KPbandguy731


  • Members
  • 2 posts
  • Local time:02:37 PM

Posted 26 August 2008 - 08:06 PM

Will someone please help me, somehow I got the XP Antivirus VIRUS.

It disabled all of my admin settings, and then put a giant VIRUS ALERT notice next to the time in the task bar, also there is a yellow exclaimation point there as well.. For the most part thought I think I've fixed it. But i just want someone to take a look just to make sure i got everything because when i restart my computer, there is still a program the puts up a RED "YOUR PRIVACY IS BEING COMPRAMISED" wallpaper.

here is what I've done so far.

1. Adaware scan
2. NOrton Scan
3. SDFIX got rid of most of it in safe mode. ( I WILL PROVIDE THE LOG TEXT BELOW)
4. Hijackthis scan, and deleted everything (Provide LOG BELOW)
5. now i'm just running SUPERANTIspyware... and it is still scanning

will someone please look at the logs from SDfix, and HIJACKTHIS and tell me if theres anything else i can do to restore my computer back to normal




SDFix: Version 1.219
Run by Owner on Tue 08/26/2008 at 16:31

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Owner\Desktop\SDFix\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Restoring Windows Product ID To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\rqRKEWNd.dll - Deleted
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\Program Files\Antivirus 2008\Antivirus-2008.exe - Deleted
C:\Program Files\Antivirus 2008\vscan.tsi - Deleted
C:\Program Files\Antivirus 2008\zlib.dll - Deleted
C:\Program Files\PCHealthCenter\0.exe - Deleted
C:\Program Files\PCHealthCenter\0.gif - Deleted
C:\Program Files\PCHealthCenter\1.exe - Deleted
C:\Program Files\PCHealthCenter\1.gif - Deleted
C:\Program Files\PCHealthCenter\1.ico - Deleted
C:\Program Files\PCHealthCenter\2.exe - Deleted
C:\Program Files\PCHealthCenter\2.gif - Deleted
C:\Program Files\PCHealthCenter\2.ico - Deleted
C:\Program Files\PCHealthCenter\3.exe - Deleted
C:\Program Files\PCHealthCenter\3.gif - Deleted
C:\Program Files\PCHealthCenter\4.exe - Deleted
C:\Program Files\PCHealthCenter\5.exe - Deleted
C:\Program Files\PCHealthCenter\7.exe - Deleted
C:\Program Files\PCHealthCenter\sc.html - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\sflpt.exe.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\sfsrv.exe.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\sfsrv.exe - Deleted

Folder C:\Program Files\Antivirus 2008 - Removed
Folder C:\Program Files\PCHealthCenter - Removed
Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 16:38:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Enabled:BackWeb-137903"
"C:\\Program Files\\Vuze\\Azureus.exe"="C:\\Program Files\\Vuze\\Azureus.exe:*:Enabled:Azureus"


Remaining Files :

File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 24 Aug 2008 196 A.SHR --- "C:\BOOT.BAK"
Thu 10 Apr 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Thu 10 Apr 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 26 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BIT3.tmp"
Tue 26 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\BIT4.tmp"
Mon 25 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\94e2de28cb8ee27606822ca199876d4a\BIT5D.tmp"
Tue 12 Jul 2005 39,424 A..H. --- "C:\Documents and Settings\Owner\Desktop\Main\Documents\Documents\business\~WRL0001.tmp"
Wed 21 Feb 2007 21,504 A..H. --- "C:\Documents and Settings\Owner\Desktop\Main\Projects\Old Projects\Songs\~WRL0005.tmp"
Wed 10 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\Owner\Desktop\Main\Projects\Old Projects\Songs\~WRL1501.tmp"
Wed 10 Oct 2007 26,112 A..H. --- "C:\Documents and Settings\Owner\Desktop\Main\Projects\Old Projects\Songs\~WRL4069.tmp"




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:01:01, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = About:Blank
O4 - HKLM\..\Run: [38265eb3] rundll32.exe "C:\WINDOWS\system32\cfrgwmnk.dll",b
O20 - AppInit_DLLs: dkxzra.dll
O21 - SSODL: rqbmvpso - {AEECCB9A-3922-4A39-8159-BD550941EFC1} - C:\WINDOWS\rqbmvpso.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\RangeBooster G WDA-2320\JSWUtil\jswpsapi.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

End of file - 2612 bytes


THANK YOU GUYS SO MUCH I LOVE YOU!!!!!!!!!!!!!!!!!!!!

please let me know what i should do to see my C drive again, and stop the start up wallpaper. I know i'm almost there...


BC AdBot (Login to Remove)


#2 Baabiouz


    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:12:37 AM

Posted 12 September 2008 - 06:38 AM


Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Posted Image

#3 Baabiouz


    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:12:37 AM

Posted 18 September 2008 - 12:47 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users