Anti-Virus XP 2008 VIRUS! PLEASE HELP!


Nenya awakens
14-09-08, 11:15
Hi guys,

Right, I'm having a bit of a problem this end. Last night before work, my laptop decided it was going to download and install an Anti-Virus programme by itself;
the programme set itself up and immediately started attacking my laptop, telling me I had no firewall turned on and that I had 21 Trojans attacking the system. My AVG Anti-Virus immediately started attacking and every 20 seconds popped up asking me to heal a file that had been infected by this apparent virus.

The programme won't let me delete it. I have tried removing it with AVG, SPYdoctor, Stinger and Malwarebytes Anti-Malware, but it never seems to be able to get all the files. Do I have to just keep scanning until everything is gone?

I can't close the programme from my taskbar as there is no option to, and it now says that I have 1459 Trojans lol. I've had to disable AVG as I can't do anything with it popping up flashing red every 5 seconds.

Any help would be great please.


Cheers fellas.

Marc x

http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

EscondeR
14-09-08, 12:39
Boot in Safe Mode, run Autoruns (http://technet.microsoft.com/ru-ru/sysinternals/bb963902(en-us).aspx) and kill all entries related to this crappy malware, so-called Anti-Virus XP 2008. The corresponding files are listed on the page you have a link to already.

Then run ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) and post the report here.

Nenya awakens
14-09-08, 14:00
I went into Regedit and managed to deactivate the startup programme so it's not coming up whenever I turn my laptop on.

However, the diseased files are STILL on my system, and even Spyware Doctor is not able to heal some of the files; they are hiding from the scan.

Here is the ARDiag report:


---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
"AVG Alert Manager"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Avg7Alrt
Program path & name:
"d:\program files\grisoft\avg7\avgamsvr.exe"
Enabled: [V]


Program:
"AVG Update Service"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Avg7UpdSvc
Program path & name:
"d:\program files\grisoft\avg7\avgupsvc.exe"
Enabled: [V]


Program:
"AVG E-Mail Scanner"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AVGEMS
Program path & name:
"d:\program files\grisoft\avg7\avgemc.exe"
Enabled: [V]


Program:
"gusvc"
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
gusvc
Program path & name:
"d:\program files\google\common\google updater\googleupdaterservice.exe"
Enabled: [V]


Program:
"Provides auxiliary PC Tools Security services. If this service is disabled spyware protection will be reduced."
Publisher:
"(Verified) PC Tools"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sdAuxService
Program path & name:
"d:\program files\spyware doctor\pctsauxs.exe"
Enabled: [V]


Program:
"Provides spyware and malware protection for the system. If this service is disabled spyware protection will be disabled."
Publisher:
"(Verified) PC Tools"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sdCoreService
Program path & name:
"d:\program files\spyware doctor\pctssvc.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
WLTRYSVC
Program path & name:
d:\windows\system32\wltrysvc.exe"
Enabled: [V]


Program:
"AVG Scanning Engine"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Avg7Core
Program path & name:
"d:\windows\system32\drivers\avg7core.sys"
Enabled: [V]


Program:
"AVG Resident Shield Unload Helper"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Avg7RsW
Program path & name:
"d:\windows\system32\drivers\avg7rsw.sys"
Enabled: [V]


Program:
"AVG Resident Anti-Virus Shield"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Avg7RsXP
Program path & name:
"d:\windows\system32\drivers\avg7rsxp.sys"
Enabled: [V]


Program:
"AVG7 Clean Driver"
Publisher:
"(Verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AvgClean
Program path & name:
"d:\windows\system32\drivers\avgclean.sys"
Enabled: [V]


Program:
"AVG Network connection watcher"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AvgTdi
Program path & name:
"d:\windows\system32\drivers\avgtdi.sys"
Enabled: [V]


Program:
"System Filter Device Driver"
Publisher:
"(Verified) PC Tools"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
IKSysFlt
Program path & name:
"d:\windows\system32\drivers\iksysflt.sys"
Enabled: [V]


Program:
"System Security Device Driver"
Publisher:
"(Verified) PC Tools"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
IKSysSec
Program path & name:
"d:\windows\system32\drivers\iksyssec.sys"
Enabled: [V]


Program:
"AEGIS Protocol (IEEE 802.1x) v2.3.1.7"
Publisher:
"(Not verified) Meetinghouse Data Communications"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
MDC8021X
Program path & name:
"d:\windows\system32\drivers\mdc8021x.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"d:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
"BCMLogon DLL"
Publisher:
"(Not verified) Broadcom Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
Entry name:
D:\WINDOWS\System32\BCMLogon.dll
Program path & name:
"d:\windows\system32\bcmlogon.dll"
Enabled: [V]


Program:
"Windows Live Photos Screen Saver"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKCU\Control Panel\Desktop\Scrnsave.exe
Entry name:
D:\WINDOWS\WLXPGSS.SCR
Program path & name:
"d:\windows\wlxpgss.scr"
Enabled: [V]


Program:
"AVG Control Center"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
AVG7_CC
Program path & name:
"d:\program files\grisoft\avg7\avgcc.exe"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SunJavaUpdateSched
Program path & name:
"d:\program files\java\jre1.6.0_06\bin\jusched.exe"
Enabled: [V]


Program:
"Adobe Acrobat SpeedLauncher"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
Adobe Reader Speed Launcher
Program path & name:
"d:\program files\adobe\reader 8.0\reader\reader_sl.exe"
Enabled: [V]


Program:
"Logitech QuickCam Startup Application"
Publisher:
"(Not verified) Logitech Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
LogitechVideoRepair
Program path & name:
"d:\program files\logitech\video\isstart.exe "
Enabled: [V]


Program:
"ImageStudio Tray Application"
Publisher:
"(Not verified) Logitech Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
LogitechVideoTray
Program path & name:
"d:\program files\logitech\video\logitray.exe"
Enabled: [V]


Program:
"PC Tools Tray Application"
Publisher:
"(Verified) PC Tools"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
ISTray
Program path & name:
"d:\program files\spyware doctor\pctstray.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: About:Home"
Enabled: [V]


Program:
"GoogleToolbarNotifier"
Publisher:
"(Verified) Google Inc"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
swg
Program path & name:
"d:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe"
Enabled: [V]


Program:
"Logitech Software Update"
Publisher:
"(Not verified) Logitech Inc."
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
LogitechSoftwareUpdate
Program path & name:
"d:\program files\logitech\video\manifestengine.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
Symantec NetDetect.job
Program path & name:
File not found: D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE"
Enabled: [ ]


Program:
"Adobe PDF Helper for Internet Explorer"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Adobe PDF Reader Link Helper
Program path & name:
"d:\program files\common files\adobe\acrobat\activex\acroiehelper.dll"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
SSVHelper Class
Program path & name:
"d:\program files\java\jre1.6.0_06\bin\ssv.dll"
Enabled: [V]


Program:
"Google IE Client Toolbar"
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Google Toolbar Helper
Program path & name:
"d:\program files\google\googletoolbar2.dll"
Enabled: [V]


Program:
"GoogleToolbarNotifier"
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Google Toolbar Notifier BHO
Program path & name:
"d:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


Program:
"AVG Shell Extension"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
AVG7 Shell Extension
Program path & name:
"d:\program files\grisoft\avg7\avgse.dll"
Enabled: [V]


Program:
"AVG Shell Extension"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
AVG7 Find Extension
Program path & name:
"d:\program files\grisoft\avg7\avgse.dll"
Enabled: [V]


Program:
"Logitech Namespace2"
Publisher:
"(Not verified) Logitech Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
My Logitech Pictures
Program path & name:
"d:\program files\logitech\video\namespc2.dll"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"d:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
Enabled: [V]


Program:
"Google IE Client Toolbar"
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
googletoolbar2.dll
Program path & name:
"d:\program files\google\googletoolbar2.dll"
Enabled: [V]
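The ARDiag report above has a fixed label/value layout, so it can be triaged mechanically instead of by eye. The Python below is an added example (not ARDiag's own code and not from the thread): it parses that layout and flags entries whose target file is missing, whose publisher is unverified (a low-severity hint, since the AVG entries show this too), or whose target is one of the Antivirus XP 2008 filenames listed later in the thread. The sample report is constructed: two entries copied from the posted report plus one made-up HKLM Run entry.

```python
"""Parse an ARDiag-style autorun report and flag entries worth a second look.
Added example; not ARDiag's own code and not from the thread."""
import re
from typing import Dict, List

# Filenames from the Antivirus XP 2008 removal list quoted later in the thread.
KNOWN_BAD_FILENAMES = {"qegbdmwf.dll", "pntqkflv.dll",
                       "pphcjkrj0etfg.exe", "rhcnkrj0etfg.exe"}
# Run/RunOnce keys are where this family re-launches itself at logon.
STARTUP_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
FIELD_LABELS = {"Program:": "program", "Publisher:": "publisher",
                "Entry path:": "entry_path", "Entry name:": "entry_name",
                "Program path & name:": "path"}

# Constructed sample: two entries copied from the posted report plus one
# made-up HKLM Run entry pointing at a filename from the removal list.
SAMPLE_REPORT = r"""Program:
"AVG Alert Manager"
Publisher:
"(Not verified) GRISOFT s.r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Avg7Alrt
Program path & name:
"d:\program files\grisoft\avg7\avgamsvr.exe"
Enabled: [V]
Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
Symantec NetDetect.job
Program path & name:
File not found: D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE"
Enabled: [ ]
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
pphcjkrj0etfg
Program path & name:
"d:\windows\system32\pphcjkrj0etfg.exe"
Enabled: [V]
"""


def parse_report(text: str) -> List[Dict[str, object]]:
    """Each label line is followed by its value on the next line; the single
    'Enabled: [V]' / 'Enabled: [ ]' line closes an entry."""
    entries: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("AutoRuns Diag"):
            continue                        # banner lines and spacing
        if pending is not None:             # value line for the label before it
            current[pending] = line.strip('"')
            pending = None
        elif line in FIELD_LABELS:
            pending = FIELD_LABELS[line]
        elif line.startswith("Enabled:"):
            current["enabled"] = "[V]" in line
            entries.append(current)
            current = {}
    return entries


def triage(entry: Dict[str, object]) -> List[str]:
    """Reasons this entry deserves attention; an empty list means none."""
    reasons = []
    path = str(entry.get("path", ""))
    publisher = str(entry.get("publisher", "N/A"))
    filename = re.split(r"[\\/]", path)[-1].lower()
    if filename in KNOWN_BAD_FILENAMES:
        reasons.append("names a file from the Antivirus XP 2008 removal list")
    if path.startswith("File not found:"):
        reasons.append("target file missing (orphaned entry)")
    if publisher == "N/A" or publisher.startswith("(Not verified)"):
        reasons.append("publisher not verified")
    key = str(entry.get("entry_path", "")).lower()
    if any(k in key for k in STARTUP_KEYS) and entry.get("program") == "N/A":
        reasons.append("unnamed program in a Run key")
    return reasons


def flagged_entries(text: str) -> List[tuple]:
    """(entry name, enabled?, reasons) for every entry with at least one reason."""
    return [(e["entry_name"], e["enabled"], triage(e))
            for e in parse_report(text) if triage(e)]
```

Run on the full posted report, the only entries that earn more than "publisher not verified" are the orphaned NetDetect task and the missing deskpan.dll / About:Home entries, which matches spikejones' reading that the rogue AV is not in the report.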

spikejones
14-09-08, 18:50
I don't see it in there meself to be honest. Look in the Program Files directory for the folder containing the application. Best to be in Safe Mode while working with this. Delete the installation directory when you have found it... rather than using Add/Remove Software. If the application is listed in Add/Remove Programs, you can delete the MSI reference using the Windows Installer Cleanup Utility. (http://support.microsoft.com/kb/290301)

I've yet to figure out how so many people have been getting infected with this thing as well as the SmitFraud bug. Those two are pretty bugged-out little *******s. At any rate, you'll probably be getting reports from your AVG for a while saying that so-and-so system file is infected, which is something that needs to be cleaned. XP Antivirus will attack system files and corrupt them. I think that it may be possible for the files to be directed to automatically download more stuff.. sooo..... there you have it. A nasty little bugger you have there.




C:\WINDOWS\qegbdmwf.dll
C:\WINDOWS\pntqkflv.dll
c:\Program Files\rhcnkrj0etfg
c:\Program Files\rhcnkrj0etfg\database.dat
c:\Program Files\rhcnkrj0etfg\license.txt
c:\Program Files\rhcnkrj0etfg\MFC71.dll
c:\Program Files\rhcnkrj0etfg\MFC71ENU.DLL
c:\Program Files\rhcnkrj0etfg\msvcp71.dll
c:\Program Files\rhcnkrj0etfg\msvcr71.dll
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe.local
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfgSkin.dll
c:\Program Files\rhcnkrj0etfg\Uninstall.exe
c:\WINDOWS\system32\pphcjkrj0etfg.exe
c:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
%UserProfile%\Application Data\rhcnkrj0etfg
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU\RunOnce
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM\RunOnce
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuAllUsers
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuCurrentUser
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\BrowserObjects
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Packages

Some of those files may or may not exist and some of them may or may not be named the same... i.e. random name generation. But the main thing is to look in the LOCATIONS mentioned by their report. If you get a file access denied report when trying to manually delete the files, you can use either the command line to remove the read-only attribute, or you can use Unlocker (http://ccollomb.free.fr/unlocker/).

Nenya awakens
14-09-08, 18:59
It looks like I have gotten rid of the actual programme by deactivating it. My Spyware Doctor picked up the main programme and kicked its ass. As Spike said, infected files are everywhere so I'm having to scan and find new ones each time. I've put my firewall on full so nothing will come in or out without my knowing about it.

What a nightmare.

spikejones
14-09-08, 19:06
Hehe... I've been editing that post too, so you might want to do a follow-up on the spyware applications' work using the information that I provided above.

Nenya awakens
14-09-08, 19:56
I don't really understand what all that means to be honest; I wouldn't know where to begin to look to find those files. :confused:

spikejones
14-09-08, 20:51
Go to My Computer.
Open the C drive.
You will see the first folder in the path; open it.
Then you will see the second folder in the path; open it.
Continue down the line until you find the final file in the path.

For instance, on this part:

c:\Program Files\rhcnkrj0etfg
c:\Program Files\rhcnkrj0etfg\database.dat
c:\Program Files\rhcnkrj0etfg\license.txt
c:\Program Files\rhcnkrj0etfg\MFC71.dll
c:\Program Files\rhcnkrj0etfg\MFC71ENU.DLL
c:\Program Files\rhcnkrj0etfg\msvcp71.dll
c:\Program Files\rhcnkrj0etfg\msvcr71.dll
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe.local
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfgSkin.dll
c:\Program Files\rhcnkrj0etfg\Uninstall.exe


This is saying that all of that stuff is located in the folder "rhcnkrj0etfg", which is located in the folder "Program Files", which is located on the C drive.

So you open "My Computer"... double-click the C drive to open it... double-click the "Program Files" folder to open IT. Then you locate the folder called "rhcnkrj0etfg" (this may be disguised as something else though, since it appears to generate random file/folder names). Inside of that folder will be the following files (or variations of those names, so that you know you are looking at the proper one..):

database.dat
license.txt
MFC71.dll
MFC71ENU.DLL
msvcp71.dll
msvcr71.dll
rhcnkrj0etfg.exe
rhcnkrj0etfg.exe.local
rhcnkrj0etfgSkin.dll
Uninstall.exe


You want to make sure that all of the files, as well as the folder that they are contained within, are DELETED.


c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk


This section means that all that stuff is located in the Start Menu for ALL USERS. You can follow the method of navigating the filesystem to locate those files and delete them, or you could navigate through your Start Menu like so..
Start -> All Programs -> right-click on the folder "Antivirus XP 2008" and choose "Delete".


%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
%UserProfile%\Application Data\rhcnkrj0etfg
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU\RunOnce
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM\RunOnce
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuAllUsers
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuCurrentUser
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\BrowserObjects
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Packages


This section means that all those files are located in the USER PROFILE. The path to the user profile is:

c:\Documents and Settings\(your name here)

So the stuff is actually located at:

C:\Documents and Settings\(your name here)\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\Autorun
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU\RunOnce
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM\RunOnce
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuAllUsers
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuCurrentUser
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\BrowserObjects
C:\Documents and Settings\(your name here)\Application Data\rhcnkrj0etfg\Quarantine\Packages


There are a few more I didn't specifically list here, since you should hopefully have gotten the idea of how to navigate the filesystem. Just run through that list (print it) and make sure that you have located and deleted any trace of what that "application" put on your computer. Check each thing off the list as you find it.

Nenya awakens
14-09-08, 21:09
I only have 1 item in my Program Files, and that's Adobe....

Local disk (C:\)
Program Files
Adobe
acrobat 5.0
Help/resource/reader

etc.


I've stopped the programme from starting up, BUT it's still on my system. My AVG is not bringing up any threats for the last few hours, since it was deactivated, and my virus scans are bringing nothing up..

I can't find any of those files you are talking about though.

spikejones
14-09-08, 22:41
Make sure that you are viewing the hidden files and folders.

In My Computer go to:
Tools -> Folder Options -> select the option for "Show hidden files and folders" as well as "Display the contents of system folders", as well as UNselecting the option for "Hide extensions for known file types".

Nenya awakens
14-09-08, 22:59
Make sure that you are viewing the hidden files and folders.

In My Computer go to:
Tools -> Folder Options -> select the option for "Show hidden files and folders" as well as "Display the contents of system folders", as well as UNselecting the option for "Hide extensions for known file types".

Yeah, I just did all of that and it's still coming up blank; doesn't seem to be there for some reason. :confused:

spikejones
14-09-08, 23:15
Please post a screenshot of the contents of the Program Files folder as well as the Application Data folder for your user name.

I find it quite hard to believe that there is only Adobe in your Program Files directory; even Spybot S&D should be located in that directory.


Matter of fact, do you have TWO hard drives? And the actual operating system is on, say, the G:\ drive? If your operating system is installed to a drive other than C:\ then you should be looking at THAT drive instead.

Nenya awakens
14-09-08, 23:21
Please post a screenshot of the contents of the Program Files folder as well as the Application Data folder for your user name.

I find it quite hard to believe that there is only Adobe in your Program Files directory; even Spybot S&D should be located in that directory.


Matter of fact, do you have TWO hard drives? And the actual operating system is on, say, the G:\ drive? If your operating system is installed to a drive other than C:\ then you should be looking at THAT drive instead.


All of that is on my D drive, which is my backup drive. I'm just checking it out now.

Nenya awakens
14-09-08, 23:27
OK, I have found the files; they are on my D drive under the file {3}



MSVCP.71.DLL etc.

spikejones
14-09-08, 23:45
Rather than delete the file straight out, make sure that you scan it first to make sure it is not a valid file. If you would post a screenshot though, I'd appreciate it. I'm just kinda iffy, since the file name you put has a dot in it whereas the report from Bleeping Computer does not have that dot there.

I'll add to this that I just realized that there are actually valid .dll files that go by the name of msvcp71.dll, as I had to download a copy of that to get BitPim version 1.0.6 to run on my computer. I got that version from here: http://www.dll-files.com/dllindex/dll-files.shtml?msvcp71

So if you are unsure about THAT one at least, you can replace it with the copy available there.

Nenya awakens
14-09-08, 23:55
OK, remind me how to take a screenshot again; I'm crap at these things.

It's definitely the files, as I clicked on it and opened the whole thing up again; just spent 10 mins tearing my hair out trying to close it.


When I tried to delete it, it wouldn't let me.

spikejones
14-09-08, 23:58
To take a screenshot, simply press the Print Screen button on your keyboard, then open MS Paint and press Ctrl+V. Upload the saved image to TinyPic and copy the code over to here.

Or if you have GIMP, you can just go to File -> Acquire -> Screenshot.

Nenya awakens
15-09-08, 00:01
I've just removed all files and add-ons with that Unlocker thing you mentioned earlier; I'm just running a scan.

Nenya awakens
15-09-08, 00:06
http://i14.photobucket.com/albums/a303/veronica5464/Viruspic.jpg

Here are the files from the Recycle Bin after I deleted them and the main file.

As soon as I clicked on either the Uninstall 3 or the main 3 file, it booted up the Anti-Virus... virus.

spikejones
15-09-08, 00:12
Ooooppps... yeah. That's why I mentioned to delete them rather than to use the uninstaller.

So is it safely deleted now, or is it back up and running?


I also recommend you not use IE anymore, as it's a total security risk despite what MS says about it. Better to use Mozilla Firefox or Opera.

Nenya awakens
15-09-08, 00:16
I'm not sure about these ones though..




http://i14.photobucket.com/albums/a303/veronica5464/untitled-10.jpg



I haven't done a scan yet to see if it's all gone, but I managed to remove it from my Control Panel via the Add or Remove selection. It's not active atm, but AVG is still going a bit mental lol.

spikejones
15-09-08, 00:22
I see the folder is called "ado", but what is the path for that folder? Where is it located?

Nenya awakens
15-09-08, 00:28
D:\
Program Files
Common Files
System
Ado


http://i14.photobucket.com/albums/a303/veronica5464/Virus1.jpg

spikejones
15-09-08, 00:37
Ah yeah... those files are fine. What you want to look for is under

D: (or C: whichever is the place it is located at)
Windows\
System\

Look for:


qegbdmwf.dll
pntqkflv.dll


And then look in:
D: (or C: whichever is the place it is located at)
Windows\
System32\

Look for:

pphcjkrj0etfg.exe


Your spyware/antivirus applications may be having difficulties finding stuff when you have your OS data spread across different drives like that. The best thing to do in that case is to set the applications to scan ALL drives (not just the Windows directory and not just the C drive); that way you will be sure that everything is being scanned. Also set them to not ignore any kind of files.
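As an added example (not from the thread or from any tool it mentions), the Python below does the checklist walk spikejones described earlier mechanically, with the two lessons from this post built in: %UserProfile% is expanded, C:\ entries are re-rooted onto the drive Windows actually lives on, and any folder under Program Files is tested with his "same companion files, random folder name" rule. The filesystem is a constructed set of paths (Windows on D:, user "marc", rogue folder renamed to the made-up "xyzq9abc") so it runs offline; fake_exists and fake_listdir stand in for os.path.exists and os.listdir.

```python
"""Tick off the Antivirus XP 2008 removal list on a machine whose Windows
install is not on C:.  Added example; not from the thread or its tools."""
import ntpath
from typing import Callable, Dict, List

# Subset of the removal list quoted in the thread (bleepingcomputer list).
REMOVAL_LIST = [
    r"C:\WINDOWS\qegbdmwf.dll",
    r"c:\WINDOWS\system32\pphcjkrj0etfg.exe",
    r"c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe",
    r"c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk",
    r"%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Packages",
]
# Files spikejones says sit beside the randomly named .exe; the folder
# name is unknown, so it is matched as <name>.exe plus <name>Skin.dll.
FIXED_COMPANIONS = {"database.dat", "license.txt", "mfc71.dll", "mfc71enu.dll",
                    "msvcp71.dll", "msvcr71.dll", "uninstall.exe"}

# Constructed filesystem for the demo: Windows lives on D:, the user is
# "marc", and the rogue folder was renamed "xyzq9abc" (made-up name).
FAKE_DIRS = {
    r"d:\program files": ["Adobe", "xyzq9abc", "Grisoft"],
    r"d:\program files\adobe": ["Reader 8.0"],
    r"d:\program files\grisoft": ["AVG7"],
    r"d:\program files\xyzq9abc": ["database.dat", "license.txt", "MFC71.dll",
                                   "MFC71ENU.DLL", "msvcp71.dll", "msvcr71.dll",
                                   "xyzq9abc.exe", "xyzq9abc.exe.local",
                                   "xyzq9abcSkin.dll", "Uninstall.exe"],
}
FAKE_FILES = {
    r"d:\windows\system32\pphcjkrj0etfg.exe",
    r"d:\documents and settings\marc\application data\rhcnkrj0etfg\quarantine\packages",
}


def fake_exists(path: str) -> bool:        # stands in for os.path.exists
    return path.lower() in FAKE_FILES or path.lower() in FAKE_DIRS


def fake_listdir(path: str) -> List[str]:  # stands in for os.listdir
    return FAKE_DIRS.get(path.lower(), [])


def resolve(entry: str, system_drive: str, user_profile: str) -> str:
    """Expand %UserProfile% and re-root C:\\ onto the real system drive."""
    path = entry.replace("%UserProfile%", user_profile)
    drive, rest = ntpath.splitdrive(path)
    if drive.upper() == "C:":
        drive = system_drive
    return (drive + rest).lower()


def check_list(entries: List[str], system_drive: str, user_profile: str,
               exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Tick the list off: which resolved paths are present and which are not."""
    result: Dict[str, List[str]] = {"found": [], "missing": []}
    for entry in entries:
        target = resolve(entry, system_drive, user_profile)
        result["found" if exists(target) else "missing"].append(target)
    return result


def looks_like_rogue_dir(name: str, contents: List[str]) -> bool:
    """True when a folder holds the fixed companion files plus an .exe and a
    Skin.dll named after the folder, whatever that folder name is."""
    names = {c.lower() for c in contents}
    n = name.lower()
    return (FIXED_COMPANIONS <= names
            and f"{n}.exe" in names and f"{n}skin.dll" in names)


def find_rogue_dirs(program_files: str,
                    listdir: Callable[[str], List[str]]) -> List[str]:
    """Apply looks_like_rogue_dir to every folder under Program Files."""
    hits = []
    for sub in listdir(program_files):
        full = ntpath.join(program_files, sub)
        if looks_like_rogue_dir(sub, listdir(full)):
            hits.append(full.lower())
    return hits


def demo():
    """Run both checks against the constructed D: layout."""
    ticks = check_list(REMOVAL_LIST, "D:", r"D:\Documents and Settings\marc",
                       fake_exists)
    rogue = find_rogue_dirs(r"D:\Program Files", fake_listdir)
    return ticks, rogue
```

On a real box, pass os.path.exists and os.listdir instead of the fakes and the drive letter Windows is installed on.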

Nenya awakens
15-09-08, 00:48
Cheers fella.

Right, in my System 32 file I have some MFC71.Dll, MFC71CHS.DLL, MFC71CHT.DLL

Delete??

spikejones
15-09-08, 01:03
I would scan them actually, seeing as they may be valid files... What you should be able to do is right-click the file, and there should be an option to "Scan with AVG" as well as "Scan with Spybot Search and Destroy".

Note the selections in the context menu when I right-clicked a file on my desktop: (click the image for a larger view)
http://i383.photobucket.com/albums/oo279/stryderjones/trf/scan_small.jpg (http://i383.photobucket.com/albums/oo279/stryderjones/trf/scan.jpg)

Nenya awakens
15-09-08, 01:17
I did try that with the [3] Anti-Virus and it brought nothing up, even though that was the source of the virus; Spyware Doctor, AVG and Anti-Malware missed it.

The codes are the same as the ones you mentioned.

I'm running an AVG scan on the D drive atm, and before that Spybot picked up the XP ANTI-VIRUS in my HKEY_CURRENT_CONFIG files, so I just removed that.

I really appreciate your help by the way, you've been a star ;)

spikejones
15-09-08, 01:28
Hey... no problem. I've been up late nights on the phone with a friend who apparently has reformatted someone's PC !!5 TIMES!! trying to deal with some spyware the likes of what you are dealing with, and every time he does it, it keeps coming back within a matter of days. Now either the thing attached itself into the MBR, or whatever the person's browsing habits are is the cause of THAT.

Nenya awakens
15-09-08, 01:39
90 infected files found and it's only half way through.
I've been reading other people's complaints; so many people have been infected by this. It literally just downloaded itself onto my laptop without me knowing and screwed around and turned off ALL my security!! I wasn't even on a dodgy web site.

EscondeR
15-09-08, 06:08
The easiest way to deal with some spy/malware is to boot from clean media (another system drive, flash drive, or special Recovery Vista CD) and delete the compromised files (listed) manually.
If you delete them booting from your infected drive, BOOT IN SAFE MODE.

90 infected files found and it's only half way through.
I've been reading other people's complaints; so many people have been infected by this. It literally just downloaded itself onto my laptop without me knowing and screwed around and turned off ALL my security!! I wasn't even on a dodgy web site.

That is why I'm recommending paid versions of Kaspersky Antivirus (Server version better) and Zone Alarm Pro. AVG is good but it still has "holes" and too many false positives.

spikejones
15-09-08, 07:50
If you delete them booting from your infected drive, BOOT IN SAFE MODE.



That is why I'm recommending paid versions of Kaspersky Antivirus (Server version better) and Zone Alarm Pro. AVG is good but it still has "holes" and too many false positives.

Yeah... I mentioned that part way earlier myself.
I don't see it in there meself to be honest. Look in the Program Files directory for the folder containing the application. Best to be in Safe Mode while working with this.

It helps also to have a Linux Live Session CD handy too. That way you can boot into a fully functional operating system with full access to the drives. They make some versions of spyware and virus scan applications that will run from Linux but target the MS malware apps. So basically speaking you can roam around freely on your live session CD and run the scanners against your hard drive as well as deleting things manually. Yes... you can install applications while running a live session, although whether they remain intact upon your next live session depends on whether they are simply loaded into memory or if they are installed to the hard drive. At any rate, it's possible to make a small-scale custom distro with that stuff preloaded on it; then you just use the net to update the definitions when you need to use it. ;)

EscondeR
15-09-08, 08:15
Well... the Vista CD doesn't give a complete OS, more of a graphical shell with a limited number of apps (they're enough for repair though), but you can get full access everywhere within it too ;)

spikejones
15-09-08, 08:17
Bugger Vista... me no likey. Me likey Linux better. You gotta buy that Vista restore CD though, don't you?

Nenya awakens
15-09-08, 10:50
I'm with XP.

It looks like I've gotten rid of the MAIN virus file. All my scans have turned up clean and the suspicious files I found are clean; I guess I'll just have to keep an eye out for it!

Thanks so much for your help fellas :)

Tthe Spirit
15-09-08, 12:44
Ok...
a similar thing has happened to me...

I don't know how...
suddenly my laptop warns me that it has been attacked...

Windows Defender immediately starts a scan and orders a computer reboot so it can remove the threats...

Anyway, this antivirus appeared... called Micro Antivirus...
I never saw this on my PC...
And I even have Kaspersky...
when the infection occurred Kaspersky was turned off :yik:

after the scan, the infections were removed..
however this Micro Antivirus keeps running and says that the computer is infected...

Micro Antivirus can't remove them because it says I have no license for it...
I mean, I doubt this program...

Look what Windows Defender alerts me of: a fake alert...

http://img234.imageshack.us/img234/8141/wtfkh0.th.jpg (http://img234.imageshack.us/my.php?image=wtfkh0.jpg)

So, what do you think???


EDIT: I think it is this AV...

After I closed it and removed the infection with Windows Defender, I clicked on it to see what happens and yes, Windows Defender popped up and ordered an infection removal...

My God, who planned this stuff :cen::cen::cen:

Now I am happy again...

Really, Windows Vista rocks :jmp:

EscondeR
15-09-08, 12:48
^ Well... If you read that thread attentively and apply our advice - you'll be fine.

Tthe Spirit
15-09-08, 12:52
Yeah, I am reading it...
And I am following it step by step... :D:D:D

See up too, I edited the post... :)

spikejones
15-09-08, 18:11
Looks like this Micro Antivirus 2009 is the little brother of Antivirus XP 2008

Nenya awakens
15-09-08, 20:51
Great, another one to look out for. If I ever get that virus again I will pull all my teeth out in frustration.

EscondeR
15-09-08, 20:55
^ Consider getting those instead of dentist work:

That is why I'm recommending paid versions of Kaspersky Antivirus (Server version better) and Zone Alarm Pro. AVG is good but it still has "holes" and too many false positives.

:D