First time in the forum. I'm having problems with the antivirus xp 2008 software/malware. I tried running the Avast software, I followed what was suggested during the scan, but after rebooting, the same problem exists. I can see the antivirus xp 2008 shortcut on my desktop… I tried to put the system restore in off mode and did the scan, same thing.
Hi, nasty one you have there, but usually fixable
leave your system restore alone
what os? firewall? any other anti-malware apps?
first rt click the ball update>programs (just to be sure)
then open avast and schedule a boot time scan and reboot
(just rebooting may remove some early versions of this malware if nothing was clicked)
move any hits to the avast chest and post the log
then go to malwarebytes.org download page and run their free ROGUE REMOVER and Anti Malware
With Anti Malware put a check next to any hits then click REMOVE CHECKED - a backup will be made
a quick scan is fine- post the log
then download, update, and run SuperANTISPYWARE -
send any hits to quarantine do not delete/ remove - post the log - exclude cookies
Thanks for the reply Wyrmrider. I have Windows XP, firewall is the one provided by Microsoft. I’m not well-versed and up-to-date with software, first time to get hit with malware (laptop).
I will scan again and post (cut & paste?) the log from the chest. Will do the downloads as well and will keep you posted.
great replies
you actually answered the questions what a breath of fresh air
let’s talk about a firewall with outbound protection when we get the fire out
also make a note to run “Secunia Software Inspector” and get everything updated
if you find your java is out of date then run “javara” to help remove all old versions which remain on your computer and are still vulnerable
looking forward to your posts - but I’ll be gone a couple of days
but as you can tell you are in good hands
ps-DavidR Polonus is in Poland till Friday
I downloaded malwarebytes and I think it solved my problem. I did another scan (Avast) last night and I’m trying to copy & paste the log but it won’t let me (maybe I’m doing it wrong.) PART 1
Below are the logs from malwarebytes:
Malwarebytes’ Anti-Malware 1.28
Database version: 1159
Windows 5.1.2600 Service Pack 2
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) → No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.XPAntivirus2008) → No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.XPAntivirus2008) → No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.XPAntivirus2008) → No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.XPAntivirus2008) → No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.XPAntivirus2008) → No action taken.
C:\Program Files\rhccd8j0en0o\MFC71.dll (Rogue.Multiple) → No action taken.
C:\Program Files\rhccd8j0en0o\MFC71ENU.DLL (Rogue.Multiple) → No action taken.
C:\Program Files\rhccd8j0en0o\msvcp71.dll (Rogue.Multiple) → No action taken.
C:\Program Files\rhccd8j0en0o\msvcr71.dll (Rogue.Multiple) → No action taken.
C:\Program Files\rhccd8j0en0o\rhccd8j0en0o.exe (Rogue.Multiple) → No action taken.
C:\Program Files\rhccd8j0en0o\rhccd8j0en0o.exe.local (Rogue.Multiple) → No action taken.
C:\Documents and Settings\Boss Ve\Application Data\WinXDefender\base.dat (Rogue.WinXDefender) → No action taken.
C:\Documents and Settings\Boss Ve\Application Data\WinXDefender\base2.dat (Rogue.WinXDefender) → No action taken.
C:\Documents and Settings\Boss Ve\Application Data\WinXDefender\Desc.dat (Rogue.WinXDefender) → No action taken.
C:\Documents and Settings\Boss Ve\Application Data\WinXDefender\log.dat (Rogue.WinXDefender) → No action taken.
C:\Documents and Settings\Boss Ve\Application Data\WinXDefender\spline.dat (Rogue.WinXDefender) → No action taken.
C:\Documents and Settings\Boss Ve\Application Data\WinXDefender\WinXDefender.ini (Rogue.WinXDefender) → No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) → No action taken.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) → No action taken.
C:\Documents and Settings\Boss Ve\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) → No action taken.
C:\WINDOWS\system32\sysrest32.exe (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) → No action taken.
C:\Documents and Settings\Boss Ve\Local Settings\Temp.tt15.tmp (Trojan.Agent) → No action taken.
C:\Documents and Settings\Boss Ve\Local Settings\Temp.tt9.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttA.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttB.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttC.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttD.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttE.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttF.tmp (Trojan.Downloader) → No action taken.
C:\WINDOWS\system32\blphc9d8j0en0o.scr (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\system32\lphc9d8j0en0o.exe (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\system32\phc9d8j0en0o.bmp (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\system32\pphc9d8j0en0o.exe (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) → No action taken.
I will continue to download rogueremover and superantispyware and run them and will post logs, if any. Also, I will do the same on my desktop (for some reason I can’t update the Avast 4.7 to 4.8)
Will keep you posted. Thanks a lot guys, I really appreciate your help!!!
I did another scan in avast after the malwarebytes, rogueremover and superantispyware and below are the logs:
11/25/2007 6:30:43 PM Boss Ve 2728 Function setifaceUpdatePackages() has failed. Return code is 0xC0000005, dwRes is C0000005.
1/25/2008 4:48:03 PM SYSTEM 1628 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
1/25/2008 4:48:07 PM SYSTEM 1628 An error has occured while attempting to update. Please check the logs.
2/17/2008 12:58:38 PM SYSTEM 1444 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2/17/2008 12:58:38 PM SYSTEM 1444 An error has occured while attempting to update. Please check the logs.
3/5/2008 10:11:43 PM SYSTEM 1452 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\Desktop\s10.tmp” file.
3/8/2008 6:49:59 PM Boss Ve 1448 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\s9.tmp” file.
3/8/2008 8:16:39 PM Boss Ve 1452 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\sB.tmp” file.
3/8/2008 8:51:00 PM Boss Ve 1448 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\s9.tmp” file.
3/8/2008 8:58:56 PM Boss Ve 3944 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temporary Internet Files\Content.IE5\TAPCEG6L\wxdsetup[1].7z” file.
3/8/2008 9:28:45 PM Boss Ve 3944 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temporary Internet Files\Content.IE5\TAPCEG6L\wxdsetup[1].7z” file.
3/8/2008 10:08:22 PM Boss Ve 1452 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temporary Internet Files\Content.IE5\VOOULN5Y\wxdsetup[1].7z” file.
3/8/2008 10:09:07 PM Boss Ve 1452 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\sB.tmp” file.
3/8/2008 10:09:35 PM Boss Ve 1452 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\sB.tmp” file.
3/9/2008 8:01:54 PM Boss Ve 1460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temporary Internet Files\Content.IE5\0Z7NU4DD\wxdsetup[1].7z” file.
3/9/2008 8:02:01 PM Boss Ve 1460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\s9.tmp” file.
3/12/2008 9:11:31 PM SYSTEM 1452 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temporary Internet Files\Content.IE5\0Z7NU4DD\wxdsetup[1].7z” file.
3/12/2008 9:12:11 PM SYSTEM 1452 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\sA.tmp” file.
3/14/2008 9:03:48 PM Boss Ve 1468 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temporary Internet Files\Content.IE5\0Z7NU4DD\wxdsetup[1].7z” file.
3/14/2008 9:05:34 PM Boss Ve 1468 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\s9.tmp” file.
3/18/2008 8:38:34 PM Boss Ve 1460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temporary Internet Files\Content.IE5\0Z7NU4DD\wxdsetup[1].7z” file.
3/18/2008 8:38:48 PM Boss Ve 1460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Boss Ve\s9.tmp” file.
9/13/2008 7:00:16 PM Jay 3996 Sign of “Win32:Adware-gen [Adw]” has been found in “c:\docume~1\jay\locals~1\temp\nsja.tmp\euladlg.dll” file.
9/13/2008 7:26:48 PM Jay 2720 Sign of “Win32:Adware-gen [Adw]” has been found in “c:\docume~1\jay\locals~1\temp\nsjb.tmp\euladlg.dll” file.
9/13/2008 7:37:36 PM Boss Ve 3728 Sign of “Win32:Adware-gen [Adw]” has been found in “c:\docume~1\bossve~1\locals~1\temp\nsqb.tmp\euladlg.dll” file.
9/13/2008 8:19:33 PM Boss Ve 828 Sign of “Win32:FraudTool-GI [Tool]” has been found in “c:\windows\system32\pphc9d8j0en0o.exe” file.
9/13/2008 8:22:31 PM Boss Ve 3296 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.tt9.tmp.vbs” file.
9/13/2008 8:22:41 PM Boss Ve 3296 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttD.tmp.vbs” file.
9/13/2008 8:24:18 PM Boss Ve 3296 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.tt9.tmp.vbs” file.
9/13/2008 8:24:27 PM Boss Ve 3296 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttD.tmp.vbs” file.
9/13/2008 8:45:40 PM Boss Ve 3296 Sign of “Win32:FraudTool-GI [Tool]” has been found in “C:\WINDOWS\system32\pphc9d8j0en0o.exe” file.
9/13/2008 9:08:57 PM Boss Ve 2068 Sign of “Win32:FraudTool-GI [Tool]” has been found in “c:\windows\system32\pphc9d8j0en0o.exe” file.
9/13/2008 9:09:32 PM Boss Ve 2068 Sign of “Win32:Bravix-B [Drp]” has been found in “c:\windows\system32\tdssadw.dll” file.
9/13/2008 9:16:15 PM Boss Ve 2068 Sign of “Win32:Bravix-B [Drp]” has been found in “c:\windows\system32\tdssl.dll” file.
9/13/2008 9:57:53 PM Boss Ve 4048 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.ttB.tmp.vbs” file.
9/13/2008 10:18:40 PM Boss Ve 4048 Sign of “Win32:FraudTool-GI [Tool]” has been found in “C:\WINDOWS\system32\pphc9d8j0en0oa.exe” file.
9/13/2008 10:19:11 PM Boss Ve 4048 Sign of “Win32:FraudTool-GI [Tool]” has been found in “C:\WINDOWS\system32\trz1F.tmp” file.
9/14/2008 6:24:54 PM Boss Ve 3052 Sign of “Win32:FraudTool-GI [Tool]” has been found in “c:\windows\system32\pphc9d8j0en0o.exe” file.
9/14/2008 11:39:22 PM Boss Ve 3268 Sign of “Win32:FraudTool-GI [Tool]” has been found in “c:\windows\system32\pphc9d8j0en0o.exe” file.
9/15/2008 12:41:51 AM Boss Ve 1300 Sign of “Win32:FraudTool-GI [Tool]” has been found in “c:\windows\system32\pphc9d8j0en0o.exe” file.
9/15/2008 12:42:03 AM Boss Ve 1300 Sign of “Win32:Bravix-B [Drp]” has been found in “c:\windows\system32\tdssadw.dll” file.
9/15/2008 12:42:12 AM Boss Ve 1300 Sign of “Win32:Bravix-B [Drp]” has been found in “c:\windows\system32\tdssl.dll” file.
9/15/2008 8:52:54 PM Boss Ve 4072 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.tt13.tmp.vbs” file.
9/15/2008 8:54:20 PM Boss Ve 4072 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.tt19.tmp.vbs” file.
9/15/2008 8:54:23 PM Boss Ve 4072 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.tt1C.tmp.vbs” file.
9/15/2008 8:54:24 PM Boss Ve 4072 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Documents and Settings\Boss Ve\Local Settings\Temp.tt29.tmp” file.
9/15/2008 8:58:02 PM Boss Ve 4072 Sign of “Win32:Bravix-B [Drp]” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\tdssadw.dll.vir” file.
9/15/2008 8:58:16 PM Boss Ve 4072 Sign of “Win32:Bravix-B [Drp]” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\tdssl.dll.vir” file.
9/15/2008 8:58:17 PM Boss Ve 4072 Sign of “Win32:Bravix [Drp]” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\tdsslog.dll.vir” file.
9/15/2008 8:58:20 PM Boss Ve 4072 Sign of “Win32:Bravix [Drp]” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\tdssmain.dll.vir” file.
9/15/2008 8:58:22 PM Boss Ve 4072 Sign of “Win32:Bravix [Drp]” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\tdssserf.dll.vir” file.
9/15/2008 9:02:22 PM Boss Ve 4072 Sign of “Win32:Bravix-B [Drp]” has been found in “C:\System Volume Information_restore{2AE341E1-1D41-47B3-AE84-FDDC37834243}\RP0\A0000013.dll” file.
9/15/2008 9:02:47 PM Boss Ve 4072 Sign of “Win32:Bravix-B [Drp]” has been found in “C:\System Volume Information_restore{2AE341E1-1D41-47B3-AE84-FDDC37834243}\RP0\A0000015.dll” file.
9/15/2008 9:02:49 PM Boss Ve 4072 Sign of “Win32:Bravix [Drp]” has been found in “C:\System Volume Information_restore{2AE341E1-1D41-47B3-AE84-FDDC37834243}\RP0\A0000016.dll” file.
9/15/2008 9:02:50 PM Boss Ve 4072 Sign of “Win32:Bravix [Drp]” has been found in “C:\System Volume Information_restore{2AE341E1-1D41-47B3-AE84-FDDC37834243}\RP0\A0000017.dll” file.
9/15/2008 9:02:51 PM Boss Ve 4072 Sign of “Win32:Bravix [Drp]” has been found in “C:\System Volume Information_restore{2AE341E1-1D41-47B3-AE84-FDDC37834243}\RP0\A0000018.dll” file.
I’m not sure if what I did was redundant. By the way, all of these posts are for my laptop computer. I’ve done the same steps for my desktop computer, please let me know if I can continue posting under this thread (the logs for my desktop scans.)
Having taken a look at the MBAM log, I too consider you should run it again, click the Show Results button and select ‘all’ the items listed and then click the Remove Selected button, see images.
There looks like there was a rootkit involved that was hiding a number of the files listed.
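The two points made about the MBAM log above (every line ends in "No action taken", and a kernel driver / Rootkit.* entry is present) can be checked mechanically. The following is an added triage helper, not code from the thread or from Malwarebytes; the sample log is constructed from a few of the posted detections plus one line with a "Quarantined" outcome so both outcomes are exercised.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.28 log posted in this thread.
# The last line (a "Quarantined" outcome) is added here and is not from the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.28
Database version: 1159
Files Infected:
C:\\Documents and Settings\\All Users\\Desktop\\Antivirus XP 2008.lnk (Rogue.Antivirus) -> No action taken.
C:\\WINDOWS\\system32\\tdssserf.dll (Trojan.Agent) -> No action taken.
C:\\WINDOWS\\system32\\drivers\\tdssserv.sys (Trojan.Agent) -> No action taken.
C:\\WINDOWS\\system32\\sysrest.sys (Rootkit.Agent) -> No action taken.
C:\\WINDOWS\\system32\\pphc9d8j0en0o.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<Category.Family>) -> <outcome>". The forum may render
# the arrow as "→", so both spellings are accepted; the trailing period is dropped.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return the detection lines of an MBAM log as dicts; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def triage(entries):
    """Summarise whether the log shows a clean-up and what kind of threats it lists."""
    unresolved = [e for e in entries if e["action"].lower().startswith("no action taken")]
    # Top-level category is the part before the first dot: "Rogue", "Trojan", "Rootkit".
    categories = Counter(e["family"].split(".")[0] for e in entries)
    # A kernel driver (.sys) or anything MBAM labels Rootkit.* can hide other files,
    # which is why a second, rootkit-aware scan is worth running afterwards.
    kernel_level = [e["path"] for e in entries
                    if e["path"].lower().endswith(".sys") or e["family"].startswith("Rootkit.")]
    return {
        "total": len(entries),
        "unresolved": len(unresolved),
        "categories": dict(categories),
        "kernel_level": kernel_level,
        "cleanup_done": len(unresolved) == 0,
    }

def triage_log(text):
    """Parse and triage a whole MBAM log in one call."""
    return triage(parse_mbam_log(text))

if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG))
```

Run against the full log posted above it reports every entry as unresolved, which is the reason for re-running the scan with all items selected and clicking Remove Selected.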