Rogue antispyware "XP 2008" installed itself out of nowhere while opening ipmart

Hi there. First of all, I want to say that I consider myself a user with above-average computer knowledge, and I am well aware of the rules for keeping a Windows installation clean. That's why, during the past year, I haven't caught any real virus infections.

However, today, a nasty piece of malware invaded my system literally out of nowhere, and I am still unable to find out how it hit me, what the precise identity of the malware is (besides that it's a rogue antispyware product that has taken over the desktop settings and the internet connection), or how to get rid of it.

How I got infected

I just visited the ipmart forum (yes, I am 100% sure I typed it correctly), a reputable site with nothing malicious till now. I tried to click on a subforum and then disaster hit out of nowhere. Acrobat Reader opened (!), and then a program named "a" (without the quotes) was detected by Windows Firewall, and I blocked it. However, I noticed the whole Windows Firewall had already been disabled before I managed to click the "block" button, and I had to enable the firewall manually after that. Then a window with "Antispyware XP 2008" or something like that in its title appeared, with a block of text in the middle and an "I accept and Agree" button at the bottom. I closed the window from the Task Manager and killed the "a" process, but the virus had already infected the system. Note that all this happened just by clicking on a single subforum of ipmart; I didn't even have the chance to view the page with the topics (and didn't download anything from the site).

Damages made to the system

First of all, the wallpaper had been changed (is this supposed to be some kind of sick humor by the malware maker?), and the display settings had the "Desktop" and "Screensaver" tabs missing. The malware prevents IE from opening. Even with Firefox, it wouldn't allow me to access the sites of Spybot and avast (I had to download Spybot from download.com). Also, it prevented avast, Spybot and Ad-Aware from connecting to their servers and getting any kind of update. So this thing took over my desktop and internet connection.

Attempts to clean

When I started avast, it immediately detected one infected file in memory, C:\WINDOWS\System32\blphcp3aj0etbv.scr, as Win32:Trojan-gen {other} and deleted it. I made a boot-time scan. The full scan also detected C:\Documents and Settings\<username>\Local Settings.ttF.tmp.vbs as VBS:Malware-gen and C:\System Volume Information\_restore{FEA67111-3CBO-4374-AE5F-C4b91CA5BL0C3}\RP232\A00066719.scr as Win32:Trojan-gen {other}.

When I deleted all of these infections (after a system lockup that happened when the boot-time scan finished, and a reset), all of the malicious files had been respawned back to their places. I started avast (it detected the file in memory again) and made a boot-time scan for a second time, but it kept detecting and deleting the same files over and over again.

With Spybot (it wasn't able to retrieve any updates, by the way), the only thing it did was block some registry changes twice during (every) boot.

Finally, with HijackThis (I will post a full report tomorrow) I managed to fix the C:\WINDOWS\System32\lphcp3aj0etbv.exe infection, which is obviously an infection avast! missed. The malware/rogue antispyware actually complained about its "protection" being corrupted! This allowed me to change the wallpaper back to normal (but not the display settings), files stopped respawning, and Spybot blocks only one registry change now.

What was the identity of the malware that hit me? (so I can look it in a virus encyclopedia)

How can I completely fix this? (Spybot keeps nagging about one registry change, the display settings still have missing tabs, Internet Explorer is still dead, so the problem is unfortunately still there.)

Damn, you’ve been hit pretty damn badly.

EDIT::
**I am not sure whether or not the method below is for the same exact piece of malware. What you should do: still post the HijackThis logfile and let the experts examine it.

Also, I provided some links where you can download definition files. That should be good to keep you up to date. However, it is never guaranteed to recover your PC. Avast! is antivirus-dedicated (not rogue malware and spyware; that is slowly being incorporated). So, that means Avast! will miss some things. Try to get some other specialist rogue-removing program.

The site where I got some of the removal instructions has many others for other rogue programs. Look around and search for yours if the instructions I provided aren't the ones you are looking for.

Holy crap … Looks like it killed some .dlls (wininet.dll). Be careful with those. Also, when you end processes, end them with End Process Tree → it ends the process and any others it may have started (say IE7 opens the SiteAdvisor process; End Process Tree on IE7 also kills SiteAdvisor).

But, you should do it manually to check which ones are open and stuff. Make sure you take a good glance at the info.
–End Edit–

Alright, now, you need some updated definitions … Can you access the link http://files.avast.com/iavs4pro/vpsupd.exe or http://www.spybotupdates.com/updates/files/spybotsd_includes.exe ?

–softpedia link (I trust it) → http://www.softpedia.com/get/Others/Signatures-Updates/avast-Virus-Definitions.shtml (Avast)
http://www.softpedia.com/get/Others/Signatures-Updates/Spybot-Search-and-Destroy-Detection-Update.shtml (Spybot)

**Try some scans in safe mode. Spybot can also do boot-time scans (semi-boot, not something like Avast!'s DOS boot scan).

Got access to this site (Google search, and WOT detected legitimate, and looks like it works :wink: ) http://www.spyware-techie.com/antispyware-2008-xp-removal-guide/ ?

Antispyware 2008 XP Removal Guide

Published by WildStallion on August 11, 2008 07:33 am under Spyware Help
Do you know what Antispyware 2008 XP is?

DESCRIPTION

Antispyware 2008 XP, a.k.a. Antispyware2008XP or AntispywareXP2008, is a vicious rogue anti-spyware program which is known to be installed undetected at times by a Trojan infection such as Vundo or Zlob. Antispyware 2008 XP was found to target Italian-speaking areas of the world but can be installed on any computer that is connected to the internet.

Antispyware 2008 XP, once installed, annoys most computer users with popup alerts and messages which are all proven to be bogus reports of infections that are not present on your machine. Antispyware 2008 XP will eventually prompt you to purchase the full version of Antispyware 2008 XP, but you must not proceed.

In non-techie terms: Do not purchase Antispyware 2008 XP under any circumstances. It does not remove spyware or fix your computer. All Antispyware 2008 XP will do for you is waste your time and money.

Aliases: Antispyware 2008 XP, Antispyware2008XP, Antispyware XP 2008, AntispywareXP2008.

Antispyware 2008 XP Automatic Removal Instructions

This automatic removal method is for non-techie computer users. If you’re too lazy to learn about spyware removal or how to access sensitive files in your computer, then this is the method for you.
Before you start: Print or bookmark these instructions because you’ll have to reboot into Safe Mode. Also back up your computer in case you make a mistake.

  1. Download and save SmitFraudFix to your desktop.
  2. Restart your computer in Safe Mode (how to do safe mode). Once the desktop appears, double-click on the SmitfraudFix.exe on your desktop.
  3. After the credits screen, you'll see a menu. Select option number 2, which is 'Clean (safe mode recommended)', and then press Enter to delete infected files.
  4. SmitFraudFix will begin cleaning your computer and take a series of cleanup processes. When the process is over, it will automatically begin the Disk Cleanup program.
  5. Once the Disk Cleanup program is complete, you will be prompted with the message 'Registry cleaning - Do you want to clean the registry'. Answer Y (Yes) and hit Enter. Reboot your computer.
  6. SmitFraudFix will now check if wininet.dll is infected. SmitFraudFix will ask you whether to replace the infected file (if there's any): 'Replace infected file?' Answer by typing Y (Yes) and hit Enter.
  7. Reboot your computer to complete the cleaning process.
  8. After reboot, a Notepad screen may appear containing a log of all the files removed from your computer. If it doesn't appear, a file will be created called rapport.txt in the root of your drive (Local Disk C:).
  9. Restart your computer in Safe Mode (how to do safe mode).
  10. Go to C:\Windows\Temp, click Edit, click Select All, press DELETE, and then click Yes to confirm that you want all the items to go to the Recycle Bin.
  11. Go to C:\Documents and Settings\[listED USER]\Local Settings\Temp, click Edit, click Select All, press DELETE, and then click Yes to confirm that you want all the items to go to the Recycle Bin.
  12. Reboot your computer back to normal mode. Go to Windows Update and download all critical updates.

Antispyware 2008 XP Manual Removal Instructions

This manual removal method is for techie computer users. Antispyware 2008 XP may be difficult and time consuming to remove manually. There's no guarantee that Antispyware 2008 XP will be removed completely. So read the Antispyware 2008 XP removal steps carefully, and good luck.
Before you start: Close all programs and Internet browsers. Also back up your computer in case you make a mistake and your computer stops working.

  1. Uninstall Antispyware 2008 XP Program
    Click on Start > Settings > Control Panel > Double-click on Add/Remove Programs. Search for and uninstall Antispyware 2008 XP if found.

  2. To stop Antispyware 2008 XP processes (view process removal steps)
    Go to Start > Run > type taskmgr. Then click the Processes tab and you'll see a list of running processes.
    Search and stop these Antispyware 2008 XP processes:
    as2008xp.exe
    setup_100527_3_.exe
    For each unwanted process, right-click on it and then select “End task”.

  3. To unregister Antispyware 2008 XP registry keys (view registry keys removal steps)
    Go to Start > Run > type regedit > press OK.
    Edit the value (on the right pane) by right-clicking on it and selecting the Modify option. Select the Delete option.
    Search and delete these Antispyware 2008 XP registry keys:

    HKEY_CURRENT_USER\software\secure solutions\antispyware 2008 xp\2.1 installtime
    HKEY_CURRENT_USER\software\secure solutions\antispyware 2008 xp lid
    HKEY_CURRENT_USER\software\secure solutions\antispyware 2008 xp pid
    HKEY_CURRENT_USER\software\secure solutions\antispyware 2008 xp\2.1 start counter
    HKEY_CURRENT_USER\software\secure solutions\antispyware 2008 xp lgid
    HKEY_CURRENT_USER\software\secure solutions\antispyware 2008 xp\2.1\config

  4. If your homepage has been changed, go to Start > Control Panel > Internet Options > click on the General tab > click Use Default under Home Page. Add your desired default homepage, then click Apply > click OK. Open a new web browser to check that you have your desired default homepage.

  5. Remove Antispyware 2008 XP Directories.
    To find Antispyware 2008 XP directories, go to Start > My Computer > Local Disk (C:) > Program Files > Show the contents of this folder.
    Search and delete the following Antispyware 2008 XP directories:
    C:\Program Files\Antispyware 2008 XP
    C:\Program Files\Antispyware2008XP

    Right-click on the Antispyware 2008 XP folder and select Delete.
    A message will appear saying ‘Are you sure you want to remove the folder Antispyware 2008 XP and move all its contents to the Recycle Bin?’, click Yes.
    Another message will appear saying ‘Renaming, moving or deleting Antispyware 2008 XP could make some programs not work. Are you sure you want to do this?’, click Yes.

  6. To remove Antispyware 2008 XP icons on your Desktop, drag and drop them to the Recycle Bin.

You’ve completed the Antispyware 2008 XP manual removal instructions!
I hope this article has helped you solve your Antispyware 2008 XP problems. If you want to contribute to this article, post your comment below.

Disclaimer: This article is for educational purposes. By using this information you agree to be bound by the disclaimer. There’s no guarantee that Antispyware 2008 XP will be completely removed from your computer. Seek professional help if your computer continues to experience problems.

Report back ASAP !!

**Note: Saw this thing hit one of the summer job computers. Horrible and damaging piece of software → Was able to destroy its system32 executable, but unfortunately, there was too much registry damage (hence, the Desktop and other tabs were unable to be recovered). We had to reformat … Let's hope we don't have to for you :wink: !!

I would download MBAM, then update it, then run a quick scan and let it remove what it detects; a reboot may be required to remove locked files:
http://www.malwarebytes.org/mbam.php

Do what yokenny says first before doing anything manual:
MBAM
Be sure to click REMOVE; a backup will be made, so not to worry.

Did you run Spybot in Safe Mode? Do not do so now, as a reboot could cause a respawn.

Post up a new HJT log after doing the above (in normal mode).
Do not turn off your computer.

Thanks Happy-Dude, you are the man! I knew I would find the answer here. I ran the search (it's the first option, not the second) of SmitFraudFix, and it found some very bad files, all of them carefully hidden even with "hide protected operating system files" disabled, such as C:\Windows\system32\tdssserver.dat, C:\Windows\system32\tdssmain.dll, C:\Windows\system32\tdssl.dll, C:\Windows\system32\tdssadw.dll and a C:\Windows\system32\drivers\tdssserve.sys. After I deleted them with IceSword (with that kickass sword on the first screen, I knew it was the right tool ;D), Internet Explorer came back to life, the internet connection hijack was gone (I was able to access sites like Sophos and Spybot's site, Safer Networking), and avast and Spybot updated like a charm. After the update, avast detected the C:\WINDOWS\System32\lphcp3aj0etbv.exe infection it had missed (the updates were only one day old, dammit) and deleted everything HijackThis had left behind. This must have been a very nasty rootkit infection indeed. But I think I killed much of it.
After I scanned with Spybot, it found 4 more critical infections (virtumonde, AstaKiller, KillSec and Microsoft.Windows.System), and killed them all. The tabs in the display options are now all back in their place. No files respawned anymore.

The only problem is that Spybot keeps complaining about one registry change during boot, but I can't tell if it's from a conflict with other software I have on the system.

Here is the current (after all the cleaning actions I described) HijackThis report for my system (I am still worried about that registry change Spybot nags about, so please take a look):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:24, on 25/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\TVR\RecSche.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\emMON.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSI\Digi VOX AD II\HyperMediaCenter\DTVR\Scheduled.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800\dslmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\AVerTV USB 2.0 Plus\QuickTV.exe
C:\Program Files\ccxgui\ccXservice.exe
C:\Program Files\ccxgui\ccxstream.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RecSche] "C:\TVR\RecSche.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ChildrenLock] "C:\Program Files\Children Control\chiconsrv.exe" -auto
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [emMON] emMON.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Center Agent] C:\Program Files\MSI\Digi VOX AD II\HyperMediaCenter\DTVR\Scheduled.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV USB 2.0 Plus\QuickTV.exe
O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ccXgui - [XC]D-Ice - C:\Program Files\ccxgui\ccXservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


End of file - 9420 bytes

And how the HijackThis report looked BEFORE the cleaning:

Logfile … etc

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ccxgui\ccXservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\TVR\RecSche.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\emMON.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\lphcp3aj0etbv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSI\Digi VOX AD II\HyperMediaCenter\DTVR\Scheduled.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800\dslmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\AVerTV USB 2.0 Plus\QuickTV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\<userpath>\Τα έγγραφά μου\Downloads\Setup Files Κατεβασμένων Προγραμμάτων\Hijack this antihijack utility (freeware)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RecSche] "C:\TVR\RecSche.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ChildrenLock] "C:\Program Files\Children Control\chiconsrv.exe" -auto
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [emMON] emMON.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [lphcp3aj0etbv] C:\WINDOWS\system32\lphcp3aj0etbv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Center Agent] C:\Program Files\MSI\Digi VOX AD II\HyperMediaCenter\DTVR\Scheduled.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV USB 2.0 Plus\QuickTV.exe
O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ccXgui - [XC]D-Ice - C:\Program Files\ccxgui\ccXservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Hi
DavidR will complain that your version of HJT is not current,
so download a new one; it should be 2.02 or later.
Do NOT DL to a temp file or your desktop.
Some download sites create a folder in Program Files and some do not;
if not, create your own folder somewhere you will remember it.

perhaps Polonus will look at your hjt

Fixed! The hijackthis report for the current condition of my system is now from 2.02 (sorry, the first result on google contained an old version)

The biggest problem with the old version is that it frequently reported a file missing and that wasn’t correct in many cases.

Since we frequently advise removing redundant entries like this
Old version:
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

New version:
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

So you can see it doesn’t report the file missing; whilst this wouldn’t be one we would recommend removing, it shows the bug in the 1.99.1 version of HJT and why it is important to use the latest version.

This entry appears to be for Ad-Aware. Have you removed Ad-Aware, as the file is missing (check if it is actually missing)? If so, then Fix the entry. Though there are also google hits reporting it as malware, http://www.bleepingcomputer.com/startups/wincqt32-14923.html, which is why we need to know if you have or had Ad-Aware.

O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)

You seem to have got rid of a legit entry if the earlier post has the latest HJT log state. See, http://www.liutilities.com/products/wintaskspro/processlibrary/wgalogon/.
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
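As an added illustration (not part of this thread or of HijackThis itself) of the “file missing” mismatch DavidR describes: the old output kept the closing quote and the `/service` argument on the ImagePath and tested that whole string, so the check failed even though the binary was there. The parser below handles the O23/O20 lines quoted above; the injected `exists` callback and the System32 lookup for a bare O20 DLL name are assumptions.

```python
import re
from typing import Callable, NamedTuple, Optional

# Constructed sample: the HijackThis lines quoted in the thread (1.99.1 and 2.02 output).
SAMPLE_LOG = [
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r'O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe',
    r'O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)',
    r'O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll',
]

class Entry(NamedTuple):
    section: str            # "O23" (service) or "O20" (Winlogon Notify)
    name: str
    owner: Optional[str]    # O23 only
    image: str              # executable/DLL path with quotes and arguments removed
    args: str
    flagged_missing: bool   # HJT's own "(file missing)" verdict

def split_image_path(raw: str) -> tuple:
    """Split a service ImagePath into (binary, arguments). HJT 1.99.1 kept the
    closing quote and arguments ('...exe" /service') and tested that whole
    string for existence, hence its spurious "(file missing)"."""
    raw = raw.strip()
    if raw.startswith('"'):
        exe, _, args = raw[1:].partition('"')       # well-formed quoting
        return exe, args.strip()
    if '"' in raw:
        exe, _, args = raw.partition('"')           # dangling quote, old HJT output
        return exe.strip(), args.strip()
    m = re.match(r'(?i)(.+?\.(?:exe|dll|sys))(?:\s+(.*))?$', raw)  # unquoted path
    return (m.group(1), m.group(2) or "") if m else (raw, "")

def parse_hjt_line(line: str) -> Optional[Entry]:
    """Parse an O23 or O20 line; other sections return None."""
    flagged = line.endswith(" (file missing)")
    body = line[:-len(" (file missing)")] if flagged else line
    if body.startswith("O23 - Service: "):
        name, owner, raw = body[15:].split(" - ", 2)
    elif body.startswith("O20 - Winlogon Notify: "):
        name, raw = body[23:].split(" - ", 1)
        owner = None
    else:
        return None
    exe, args = split_image_path(raw)
    return Entry(body[:3], name, owner, exe, args, flagged)

def really_missing(entry: Entry, exists: Callable[[str], bool]) -> bool:
    """Re-check the verdict on the binary alone; `exists` is injected (pass os.path.isfile on a real host). A bare O20 DLL name is assumed to live in System32."""
    path = entry.image if "\\" in entry.image else r"C:\WINDOWS\SYSTEM32" + "\\" + entry.image
    return not exists(path)
```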

DavidR implies that you might want to check out that one file and restore it if necessary

You killed off some files, but there could be lots of garbage left.
I’d suggest running the Malwarebytes Anti-Malware (ignore the nag) free and Rogue Remove.
Click
REMOVE - they will make backups
and
an online anti-virus scan of your choice, Kaspersky et al.
Please post the logs and a new HJT.

Put on your to-do list:
download Spybot ver 1.6
completely remove Spybot, including running the tool, when you change versions
and run an update this Wednesday and re-immunize, run another scan Wed-
Spybot did its job and is done for a couple of days.

Hi kurkosdr,

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
WGA is something that has been so-called “pushed” by Microsoft. If you like to manually update Microsoft patches, it is not really necessary on your Windows XP computer, so it is not a critical component. There was even a program developed to remove the initial version from your computer: http://www.firewallleaktester.com/removewga.htm
It is legit, but if you like to have it on your machine, that choice is yours; the first version of this Microsoft tool was rather controversial. I just give you this information so you can decide for yourself what to do,

polonus

It is critical in that you could well have difficulty using Windows Update without it.

Hello kurkosdr,

Yes, in the case of automatic updates for a legit Windows version, you need WgaLogon.dll,

polonus

P.S. But the original concept was “Frankenbuild”.

Hi kurkosdr,

If this malware has left your computer, it was put there by the so-called “clipboard”-malware, a silent drive-by download.
Using the Firefox browser with the NoScript extension on it could have prevented this infection.
With the more recent malware, in-browser security becomes more and more critical to protect users from malware. If you search these forums you can read a lot on Firefox security,

polonus

Well, you could use Malwarebytes and then use HijackThis to clean up. I got that thing and I used Malwarebytes.
That one comes to be bundled with other things. You should deep scan with everything you’ve got.

The antispyware xp 2008 virus attacked my computer as well. Upon realizing what it was, I immediately searched online for ways to remove it. I found your solution, tried it, and the virus is gone! Thanks so much for posting that removal!!

Welcome to avast forums!

Ok, not sure if anyone else has mentioned this, but try to clean out as much as you can with avast and hope you can get an internet browser up and use Malwarebytes to clean up the rest. After you’ve cleaned all of it, reformat.

Hello Folks-
I’m a newbie & have been using Avast for years. My daughter got hit with this Rogue antispyware “XP 2008” last night while on YouTube. I’m no experienced PC Warrior, but this is a nasty one.
It clips all updates for Avast & Spybot. Denies access to most PC help sites (even ones I never heard of). I was lucky it let me on this forum; I went in through the Avast software forum because it denies access to avast.com. I was able to partially disable it with Malwarebytes (downloaded to disc from another PC).
Anyway, thanks for all this help. Malwarebytes alone is not removing it after repeated scans.

I heard a rumor from some IT guys battling this one a while ago. They suspected it comes in through the Google toolbar on IE. My daughter has this.
Anyone confirm??