TechSpot

Infected with Antivirus 2009 and etc.

By multimedia
Oct 11, 2008
  1. So I was stupid and clicked on an .exe which unleashed all these trojans and malware on my computer. I took those 8 steps at the top and I was wondering if the computer is all right now or not. For symptoms, the computer seems all right, it's running much faster than before I did those 8 steps. But occasionally (every time I restart the computer after the steps) there's a gay porn icon on my desktop and there are processes that I'm pretty sure are bad for the computer (mainly numbers like 0.exe, 1.exe etc etc and also stuff like yur1.exe) in the task manager
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You do realize that your issues came from this program:
    C:\Program Files\uTorrent\uTorrent.exe
    If you want to continue safe surfing, then I would suggest for you to uninstall it. Otherwise you may be back!

    Please remove the following lines in HJT (Tick and Fix)
    There are also a number of "file missing" entries, all these can be removed too

    This entry shows that Norton is still running as a Service, even though you use Avast
    Please run the Norton Removal tool, on your system http://www.techspot.com/vb/topic100496.html#2


    Please follow these steps to remove older version Java components and update.

    Download the latest version of Java Runtime Environment (JRE) 6 Update 7
    Scroll to Java Runtime Environment (JRE) 6 Update 7 and click on the download button
    http://java.sun.com/javase/downloads/index.jsp
    http://i26.photobucket.com/albums/c109/TheGlaswegian/Java6u7.jpg
    (if you don't want the google toolbar -- uncheck this option before installing Java.)

    Click on the Accept License Agreement button
    Next Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
    Download Now! Windows Offline Installation, Multi-language

    Now close all windows, including your browser.
    Double click on the Java installation that you downloaded and follow the prompts.

    NEXT-remove all older versions of Java
    Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
    Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    Select it and click Remove.
    Close any programs you may have running - especially your web browser.
    Repeat as many times as necessary to remove each older Java version.
    Reboot your computer once all Java components are removed.
     
  3. multimedia

    multimedia TS Rookie Topic Starter

    Ok I did everything you said but there's still a problem.
    When I restarted after I removed the Java components, I still got the problem with Rapid Antivirus and PCHealthCenter still being there along with the gay sex icon on the desktop
    Also, when I checked HJT again, the YUR files were still there but just renamed to YUR1A, 1B etc
    Also there is a setup.exe on the desktop that was not there before the computer got infected. What should I do about that?
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Once completing all the above steps
    And removing uTorrent (otherwise you are just sharing, and downloading all the time; please note: selecting Don't share, is still not safe)

    Then just delete those Desktop icons/Programs that you don't want
    Or if they don't delete, use HJT again, but this time select the "Miscellaneous Tools" button, then select "remove a file on next bootup" (the labels may be slightly different)

    Then run CCleaner after reboot

    Then restart again

    Then provide a new HJT log (make sure you do all of the above first though!)
     
  5. rf6647

    rf6647 TS Maniac Posts: 829

    In addition to threats identified by Kimsland, check the following HJT entries:

    O4 - Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe
    O4 - HKCU\..\Run: [] C:\Documents and Settings\THU TRAN\Application Data\Adobe\Player.exe

    The following is a video codec and is considered a threat @ bleeping computer. Go into safe mode & delete the file. It is your choice to follow this advice.

    O21 - SSODL: lfstbwvd - {68632BC3-F296-4457-B245-1FBDB84B345F} - C:\WINDOWS\lfstbwvd.dll (file missing)


    Other posts here strongly urge using the latest version of Adobe Reader or switch to alternative viewers. New threats are coming through Adobe security holes.

    Post logs to confirm progress.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Thanks those 3 are pretty bad, and critical misses I made :confused:
    I'll blame it on a large log. Would have got it second time around :) (I say!) But thanks
     
  7. multimedia

    multimedia TS Rookie Topic Starter

    Well I did as you said. The problem is that they (YUR files and Rapid Antivirus, pchealthcenter) reappear after I reboot and all.

    Here's another log and the YUR files and Rapid Antivirus are still there even after I deleted them before. I already deleted them again from this log but I think that they're still coming back.

    I also downloaded AVG in hopes that it will catch anything Avast missed and it's finding a lot of trojans that I think Avast also found and deleted..
     
  8. FoReWoRd

    FoReWoRd TS Rookie Posts: 204

    I had a similar problem. I used KAV 7 trial and SPYBOT free to remove the apps and then scanned with HijackThis
     
  9. rf6647

    rf6647 TS Maniac Posts: 829

    This is bad. Still looking for enabler.
    C:\WINDOWS\system32\spoolsv.exe

    Please remind us about MBAM and SAS logs. They should be re-run as we remove significant threats. HJT is always expected.

    While repeating actions is a "mark of insanity", every time we run HJT to clean, remember to clean out the recurring problems until we find the enabler. Some of these nasties protect each other.

    Try Control panel > ADD/REMOVE programs to remove this highly questionable application
    O4 - Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe

    [edit] RENAME "Rapid Antivirus.exe" TO "Rapid Antivirus.exx"; This is an experiment to disable this file without deleting it or removing the application. I am trying to anticipate difficulty removing application.
    [/edit]

    For purposes of clarity in the logs please consider:
    For Adobe Reader, use properties/tools to turn off auto launch & updates.
    If this proves too difficult, use HJT (checkmark) to disable. (Eventually Adobe re-enables itself)
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    I have similar feeling about AOL stuff. Your choice. HJT (advanced) can selectively bring back these.


    AVG = good; oaiblo.dll = ????
    I do not have experience to know advisability of mixing AVG with AVAST.
    RENAME oaiblo.dll TO oaiblo.dlx; This is an experiment to disable this file without deleting it or removing the application.
    I favor removing the application. If oaiblo.dll remains, we have another clue.
    O20 - AppInit_DLLs: oaiblo.dll,avgrsstx.dll


    DO NOT act on this. Try to determine what application(s) are using this as part of its environment. Majors such as HP and ATI probably have ties to this service.
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
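The HJT entries rf6647 singles out in posts 5 and 9 come down to a handful of repeatable checks: an O4 Run value with an empty name, an executable autostarting from a user's Application Data folder, an O20 AppInit_DLLs list containing a DLL nobody can account for (AppInit_DLLs is injected into every process that loads user32.dll, which is why unknown entries there are serious), an O21 SSODL entry whose DLL is reported missing, and O23 services that should be identified before anything is done to them. The script below is an added example written for this thread, not a HijackThis feature or anything the posters ran. Its sample log is constructed from the exact entries quoted above plus one benign Avast line; the allow-list of AppInit DLLs and the list of rogue program names are assumptions taken only from what the thread itself says (AVG's avgrsstx.dll is "good", "Rapid Antivirus" and "Antivirus 2009" are the rogues).

```python
"""Triage of HijackThis-style log lines (added example, not a HJT feature)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample log: the entries quoted in this thread plus a benign Avast
# line, so the checks have something to pass over as well as something to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe
O4 - HKCU\..\Run: [] C:\Documents and Settings\THU TRAN\Application Data\Adobe\Player.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - AppInit_DLLs: oaiblo.dll,avgrsstx.dll
O21 - SSODL: lfstbwvd - {68632BC3-F296-4457-B245-1FBDB84B345F} - C:\WINDOWS\lfstbwvd.dll (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Assumed allow-list: the only AppInit DLL this thread vouches for (AVG's).
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}
# Assumed rogue-product names, taken from the thread title and rf6647's post.
ROGUE_NAMES = ("Rapid Antivirus", "Antivirus 2009")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    section: str    # HJT section tag, e.g. "O4"
    severity: str   # "high": act on it; "review": identify the owner first
    reason: str     # why the line was flagged
    line: str       # the raw log line


def _check_o4(body: str) -> list[tuple[str, str]]:
    """Autostart entries: Run keys and Startup folders."""
    hits = []
    if re.search(r"Run: \[\]", body):
        hits.append(("high", "Run entry with an empty value name"))
    if re.search(r"\\Application Data\\.*\.exe$", body, re.IGNORECASE):
        hits.append(("high", "executable autostarting from a user profile data folder"))
    for name in ROGUE_NAMES:
        if name.lower() in body.lower():
            hits.append(("high", f"autostart for a program this thread identifies as rogue: {name}"))
    return hits


def _check_o20(body: str) -> list[tuple[str, str]]:
    """AppInit_DLLs: every listed DLL is loaded into each process using user32.dll."""
    hits = []
    m = re.match(r"AppInit_DLLs: (.*)", body)
    if m:
        for dll in re.split(r"[,\s]+", m.group(1).strip()):
            if dll and dll.lower() not in KNOWN_APPINIT_DLLS:
                hits.append(("high", f"AppInit_DLLs loads {dll} into every GUI process; no known owner"))
    return hits


def _check_o21(body: str) -> list[tuple[str, str]]:
    """ShellServiceObjectDelayLoad: loaded by Explorer at logon."""
    if not body.startswith("SSODL:"):
        return []
    if "(file missing)" in body:
        return [("high", "SSODL entry whose DLL is reported missing; confirm from Safe Mode")]
    return [("review", "SSODL entry loaded by Explorer at logon; verify the DLL's publisher")]


def _check_o23(body: str) -> list[tuple[str, str]]:
    """Services: vendors like HP/ATI ship these, so identify before removing."""
    return [("review", "service: identify the vendor and dependent applications before acting")]


CHECKS = {"O4": _check_o4, "O20": _check_o20, "O21": _check_o21, "O23": _check_o23}


def triage(log_text: str) -> list[Finding]:
    """Parse each 'Oxx - ...' line and run the section-specific checks on it."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an HJT entry line (headers, blank lines, etc.)
        section, body = m.groups()
        for severity, reason in CHECKS.get(section, lambda _b: [])(body):
            findings.append(Finding(section, severity, reason, raw.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a reader can see what needs action."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed sample this flags five "high" findings (the rogue Startup link, the nameless Run value and its Application Data target, oaiblo.dll in AppInit_DLLs, the missing SSODL DLL) and one "review" item for the Viewpoint service, which matches the split rf6647 makes between entries to remove and entries to leave alone until their owner is known. Rerunning it on each fresh log is the mechanical version of the "clean out the recurring problems until we find the enabler" loop: anything that comes back after a reboot shows up again as a finding.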
     
  10. momok

    momok TS Rookie Posts: 2,265

    Clearly, something is hiding from HJT.
    Please download and run Combofix from HERE.
    The log C:\Combofix.txt will be generated; Attach that in your next reply.
     
Topic Status:
Not open for further replies.
