olhrwef.exe, rttrwq.exe... these are the malware that I found out, for now.


6 replies to this topic

#1 devil_eddie

devil_eddie

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 18 January 2009 - 12:40 AM

I'm using Windows XP SP3 and Kaspersky AV 7. When I open the update window for the antivirus, it just won't start. After that I started a scan with the antivirus and got 5 infections in some internet files. Then I started an online scan with Trend Micro and it showed my computer has a few autorun files, but it cannot clean all of them. Windows Explorer will pop up another window when I open the C or D drive, and it won't show the hidden files even when I choose to show them. I used ComboFix and the pop-up problem is solved, but I still cannot update my antivirus. After that I downloaded RemoveIT Pro v7 trial to scan my computer and it showed my C and D drives are badly infected, 48 files if I'm not wrong, but the trial software won't clean them for me. I then tried using doctor spyware, and it cleaned up some of the malware for me. I don't know the names, but mostly trojans with high and medium risk. Now I discover that an IE icon will suddenly pop up on my desktop, and it will sometimes pop up a window saying that I have to work offline. That's all. Hopefully somebody can help out here...
Thank you in advance.

I have scanned my computer again, and here is the report from RemoveIT Pro v7. Hopefully this will help. Thank you again.


RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.
Generated at: 1/18/2009 on 2:59:32 PM
Microsoft Windows XP Professional Service Pack 3 (Build 2600)

2:59:32 PM: Scanning, please wait...
3:02:42 PM: Infected file (Sys32.afmain0) C:\WINDOWS\system32\afmain0.dll -> No action taken.
3:03:43 PM: Infected file (Sys32.nmdfgds0) C:\WINDOWS\system32\nmdfgds0.dll -> No action taken.
3:03:47 PM: Infected file (Sys32.olhrwef) C:\WINDOWS\system32\olhrwef.exe -> No action taken.
3:04:00 PM: Infected file (Sys32.rttrwq) C:\WINDOWS\system32\rttrwq.exe -> No action taken.
3:04:50 PM: Infected file (Sys32.ahnrpta) C:\WINDOWS\ahnrpta.exe -> No action taken.
3:04:57 PM: Infected file (Sys32.kb913800) C:\WINDOWS\kb913800.exe -> No action taken.
3:05:00 PM: Infected file (Sys32.nircmd) C:\WINDOWS\nircmd.exe -> No action taken.
3:05:48 PM: Infected file (Sys32.regxpcom) C:\Program Files\mozilla firefox\regxpcom.exe -> No action taken.
3:05:50 PM: Infected file (Sys32.Uninstall_CDS) C:\Program Files\Uninstall_CDS.exe -> No action taken.
3:05:51 PM: 9 Dangerous files has been found on your computer.
Click on "Fix" button to fix selected tasks.
3:06:01 PM: Scanning, please wait...
3:06:53 PM: Infected file (Sys32.rttrwq) C:\il0byu3h.com -> No action taken.
3:07:45 PM: Infected file (Sys32.regxpcom) C:\Program Files\Thunder Network\Thunder\Components\ExplorerHelper\regxpcom.exe -> No action taken.
3:09:10 PM: Infected file (Sys32.ahnrpta) C:\WINDOWS\notepad.exe -> No action taken.
3:09:26 PM: Infected file (Sys32.ahnrpta) C:\WINDOWS\ServicePackFiles\i386\notepad.exe -> No action taken.
3:09:34 PM: Infected file (Sys32.afmain0) C:\WINDOWS\system32\afmain1.dll -> No action taken.
3:10:00 PM: Infected file (Sys32.nmdfgds0) C:\WINDOWS\system32\nmdfgds1.dll -> No action taken.
3:10:01 PM: Infected file (Sys32.ahnrpta) C:\WINDOWS\system32\notepad.exe -> No action taken.
3:10:16 PM: Infected file (Sys32.olhrwef) C:\x2csvg.exe -> No action taken.
3:10:16 PM: Infected file (Sys32.olhrwef) D:\x2csvg.exe -> No action taken.
3:10:16 PM: Infected file (Sys32.rttrwq) D:\il0byu3h.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0024831.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025616.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025662.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025663.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025687.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025690.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025693.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025694.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025696.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025697.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025705.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025706.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP220\A0025724.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP220\A0025725.com -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP221\A0025740.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP221\A0025741.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP221\A0025993.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP221\A0025994.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP222\A0026001.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP222\A0026002.com -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP222\A0026065.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP222\A0026066.com -> No action taken.
3:10:18 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP223\A0026080.exe -> No action taken.
3:10:18 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP223\A0026084.com -> No action taken.
3:10:18 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP224\A0026089.exe -> No action taken.
3:10:18 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP224\A0026099.com -> No action taken.
3:10:18 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP225\A0026220.com -> No action taken.
3:10:18 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP225\A0026254.exe -> No action taken.
3:10:18 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP225\A0026296.com -> No action taken.
3:10:18 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP225\A0026299.exe -> No action taken.
3:10:37 PM: 49 Dangerous files has been found on your computer.
Click on "Fix" button to fix selected tasks.
Finished...

Edited by devil_eddie, 18 January 2009 - 02:13 AM.
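The RemoveIT Pro log above is long mainly because the same two families show up again and again inside D:\System Volume Information, which holds System Restore snapshots rather than running files, while the copies that actually matter sit in C:\WINDOWS\system32 and in the root of both drives (the spot an autorun.inf-spreading worm uses to re-infect a drive when it is opened). The Python below is an added triage helper, not code posted by anyone in the thread and not part of RemoveIT Pro: it parses lines of that log format, separates restore-point copies from live files, flags drive-root droppers, and sets aside hits on stock Windows file names (here only notepad.exe, an illustrative set) that should be confirmed with a second scanner before anything is deleted. The sample input is ten lines excerpted from the log in this post, with the wrapped paths rejoined.

```python
import re
from collections import Counter

# Line shape of the RemoveIT Pro log quoted in the first post:
#   <time>: Infected file (<detection>) <path> -> <action>
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M): Infected file "
    r"\((?P<detection>[^)]+)\) (?P<path>.+?) -> (?P<action>.+)$"
)

# System Restore keeps its snapshots under this folder (compared case-insensitively).
RESTORE_MARKER = "\\system volume information\\_restore"

# Illustrative set of stock Windows file names (assumption for this example):
# a detection on one of these deserves a second opinion before deletion.
STOCK_WINDOWS_NAMES = {"notepad.exe"}

# Constructed sample: ten lines excerpted from the log in post #1,
# wrapped paths rejoined onto single lines.
SAMPLE_LOG = r"""
3:02:42 PM: Infected file (Sys32.afmain0) C:\WINDOWS\system32\afmain0.dll -> No action taken.
3:03:47 PM: Infected file (Sys32.olhrwef) C:\WINDOWS\system32\olhrwef.exe -> No action taken.
3:04:00 PM: Infected file (Sys32.rttrwq) C:\WINDOWS\system32\rttrwq.exe -> No action taken.
3:05:00 PM: Infected file (Sys32.nircmd) C:\WINDOWS\nircmd.exe -> No action taken.
3:05:51 PM: 9 Dangerous files has been found on your computer.
3:06:53 PM: Infected file (Sys32.rttrwq) C:\il0byu3h.com -> No action taken.
3:09:10 PM: Infected file (Sys32.ahnrpta) C:\WINDOWS\notepad.exe -> No action taken.
3:10:16 PM: Infected file (Sys32.olhrwef) D:\x2csvg.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.olhrwef) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0024831.exe -> No action taken.
3:10:17 PM: Infected file (Sys32.rttrwq) D:\System Volume Information\_restore{63BD1FE8-EB3F-4373-8806-EFC14C65F57E}\RP219\A0025662.com -> No action taken.
"""


def parse_log(text):
    """Return one dict (time, detection, path, action) per 'Infected file' line.
    Progress and summary lines ('Scanning...', 'N Dangerous files...') are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def is_restore_point_copy(path):
    """True for files under System Volume Information\\_restore{...}: System Restore
    snapshots of the infected files, not the copies that run at boot."""
    return RESTORE_MARKER in path.lower()


def is_drive_root_file(path):
    """True for a file directly in the root of a volume (e.g. C:\\x.com), the
    placement autorun.inf-spreading malware relies on to re-infect on open."""
    parts = path.split("\\")
    return len(parts) == 2 and re.fullmatch(r"[A-Za-z]:", parts[0]) is not None


def triage(text):
    """Group detections so live files, drive-root droppers and restore-point
    copies can each be handled (and the restore points purged) deliberately."""
    hits = parse_log(text)
    restore = [h for h in hits if is_restore_point_copy(h["path"])]
    live = [h for h in hits if not is_restore_point_copy(h["path"])]
    return {
        "total": len(hits),
        "per_detection": Counter(h["detection"] for h in hits),
        "restore_point_copies": [h["path"] for h in restore],
        "live_files": [h["path"] for h in live],
        "drive_root_files": [h["path"] for h in live if is_drive_root_file(h["path"])],
        "verify_first": [h["path"] for h in live
                         if h["path"].rsplit("\\", 1)[-1].lower() in STOCK_WINDOWS_NAMES],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} detections, "
          f"{len(report['restore_point_copies'])} of them restore-point copies")
    for name, n in report["per_detection"].most_common():
        print(f"  {name}: {n}")
    print("drive-root files:", *report["drive_root_files"])
    print("stock Windows names, verify before deleting:", *report["verify_first"])
```

Run against the full log, the restore-point bucket accounts for most of the 49 hits, which is exactly why the later advice in this thread to clear all but the latest restore point removes so much at once; the drive-root and system32 entries are the ones a cleaner has to remove while they are not running.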

#2 buddy215

buddy215

  • Moderator
  • 13,134 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:40 PM

Posted 18 January 2009 - 06:43 AM

Use MalwareBytes AntiMalware to find and remove the malware. Instructions for using are in the link below.
http://www.bleepingcomputer.com/forums/ind...st&p=944365
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 devil_eddie

devil_eddie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 18 January 2009 - 09:45 AM

I had used Anti-Malware before Buddy's post, and it cleaned a few malware on the computer. Then I scanned it with BitDefender, and it cleaned a few of the trojans also. But after that I scanned with RemoveIT Pro v7 again, and the same malware showed up again.
Do I need to wait for the BitDefender antivirus to update, then scan it again?

Any other choice?

Thanks anyway, Buddy.

#4 buddy215

buddy215

  • Moderator
  • 13,134 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:40 PM

Posted 18 January 2009 - 10:28 AM

MalwareBytes AntiMalware, which you say you have used, is one of the two best programs to use. You should UPDATE it and run another scan. Be sure to reboot after scanning to remove the malware.

The other program is Super Antispyware. After downloading, installing and updating, reboot into safe mode to run the scan.
Directions for using it are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

BitDefender is a good program, but I am not familiar with RemoveIT Pro, and it may be finding things that are not there.

Be sure to post both of the logs from MBAM and SAS in your next reply.

#5 devil_eddie

devil_eddie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 19 January 2009 - 12:05 PM

This is the Anti-Malware log file. I have uninstalled the Kaspersky antivirus.
The other antivirus works as usual, I mean it can update and scan.

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/18/2009 10:39:39 PM
mbam-log-2009-01-18 (22-39-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 94043
Time elapsed: 1 hour(s), 0 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by devil_eddie, 19 January 2009 - 12:08 PM.


#6 devil_eddie

devil_eddie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 19 January 2009 - 12:07 PM

This is the SUPERAntiSpyware log file.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/19/2009 at 08:08 PM

Application Version : 4.24.1004

Core Rules Database Version : 3715
Trace Rules Database Version: 1689

Scan type : Complete Scan
Total Scan Time : 02:56:33

Memory items scanned : 179
Memory threats detected : 0
Registry items scanned : 5143
Registry threats detected : 0
File items scanned : 43083
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\ming ann\Cookies\ming ann@atdmt[2].txt
C:\Documents and Settings\ming ann\Cookies\ming ann@adbrite[2].txt

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\NMDFGDS0.DLL
C:\WINDOWS\SYSTEM32\NMDFGDS1.DLL

#7 buddy215

buddy215

  • Moderator
  • 13,134 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:40 PM

Posted 19 January 2009 - 12:48 PM

Are you still having any problems?

You can block the ad/tracking cookies from ever installing on your computer by following the steps below.
This applies to Internet Explorer browsers.
Click on Tools
Click on Internet Options
Click on the Privacy tab
Click on the Advanced button
Put a check in the box next to "Override automatic cookie handling"
Put a check in the box next to "First-party cookies: Accept"
Put a check in the box next to "Block third-party cookies" (those are the ad/tracking cookies that AVG deletes)
Click OK to exit
Then just run another quick scan with SAS to remove the third party cookies that were installed before changing the settings.

Click start, All programs, Accessories, System tools, Disk Cleanup, Put a check next to all items except "compress old files".
Click on the more options tab, click on the "cleanup" button next to "system restore" (this will remove all of the restore points but the last one as many are infected) click OK and allow cleanup to run.

Use Secunia online scanner to check for missing security updates. http://secunia.com/vulnerability_scanning/online/
After updating Java (if you haven't done so already) go to Add/ Remove and remove ALL old Java programs.
The IE browser, Adobe Reader, Adobe Flash and Java have all been exploited recently. It is important to get the latest updates to avoid malware exploiting those programs.