Infected with Antivirus 2009, etc.

Status
Not open for further replies.
So I was stupid and clicked on an .exe which unleashed all these trojans and malware on my computer. I took those 8 steps at the top and I was wondering if the computer is all right now or not. For symptoms, the computer seems all right; it's running much faster than before I did those 8 steps. But occasionally (every time I restart the computer after the steps) there's a gay porn icon on my desktop, and there are processes that I'm pretty sure are bad for the computer (mainly numbered ones like 0.exe, 1.exe, etc., and also stuff like yur1.exe) in the Task Manager.
 
You do realize that your issues came from this program:
C:\Program Files\uTorrent\uTorrent.exe
If you want to continue safe surfing, then I would suggest for you to uninstall it. Otherwise you may be back!

Please remove the following lines in HJT (Tick and Fix)
O4 - HKCU\..\Run: [\YUR35E.exe] C:\Windows\system32\YUR35E.exe
O4 - HKCU\..\Run: [\YUR35F.exe] C:\Windows\system32\YUR35F.exe
O4 - HKCU\..\Run: [\YUR360.exe] C:\Windows\system32\YUR360.exe
O4 - HKCU\..\Run: [\YUR361.exe] C:\Windows\system32\YUR361.exe
O4 - HKCU\..\Run: [\YUR36E.exe] C:\Windows\system32\YUR36E.exe
O4 - HKCU\..\Run: [\YUR36F.exe] C:\Windows\system32\YUR36F.exe
O4 - HKCU\..\Run: [\YUR370.exe] C:\Windows\system32\YUR370.exe
O4 - HKCU\..\Run: [\YUR371.exe] C:\Windows\system32\YUR371.exe
O4 - HKCU\..\Run: [\YUR1.exe] C:\Windows\system32\YUR1.exe
O4 - HKCU\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKCU\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe

There are also a number of "file missing" entries; all of these can be removed too.

This entry shows that Norton is still running as a Service, even though you use Avast:
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Please run the Norton Removal Tool on your system: https://www.techspot.com/vb/topic100496.html#2


Please follow these steps to remove older Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
Scroll to Java Runtime Environment (JRE) 6 Update 7 and click on the download button:
http://java.sun.com/javase/downloads/index.jsp
http://i26.photobucket.com/albums/c109/TheGlaswegian/Java6u7.jpg
(if you don't want the google toolbar -- uncheck this option before installing Java.)

Click on the Accept License Agreement button.
Next, select your platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement."
Download Now! Windows Offline Installation, Multi-language.

Now close all windows, including your browser.
Double click on the Java installation that you downloaded and follow the prompts.

NEXT - remove all older versions of Java.
Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).
Select it and click Remove.
Close any programs you may have running, especially your web browser.
Repeat as many times as necessary to remove each older Java version.
Reboot your computer once all Java components are removed.
 
OK, I did everything you said but there's still a problem.
When I restarted after I removed the Java components, I still got the problem with Rapid Antivirus and PCHealthCenter still being there, along with the gay sex icon on the desktop.
Also, when I checked HJT again, the YUR files were still there but just renamed to YUR1A, 1B, etc.
Also, there is a setup.exe on the desktop that was not there before the computer got infected. What should I do about that?
 
Once you have completed all the above steps,
and removed uTorrent (otherwise you are just sharing and downloading all the time; please note: selecting "Don't share" is still not safe),

then just delete those desktop icons/programs that you don't want.
Or, if they don't delete, use HJT again, but this time select the "Miscellaneous Tools" button, then select "Delete a file on reboot" (the labels may be slightly different).

Then run CCleaner after the reboot.

Then restart again.

Then provide a new HJT log (make sure you do all of the above first, though!).
 
In addition to threats identified by Kimsland, check the following HJT entries:

O4 - Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe
O4 - HKCU\..\Run: [] C:\Documents and Settings\THU TRAN\Application Data\Adobe\Player.exe

The following is a video codec and is considered a threat at Bleeping Computer. Go into Safe Mode and delete the file. It is your choice to follow this advice.

O21 - SSODL: lfstbwvd - {68632BC3-F296-4457-B245-1FBDB84B345F} - C:\WINDOWS\lfstbwvd.dll (file missing)


Other posts here strongly urge using the latest version of Adobe Reader or switching to alternative viewers. New threats are coming through Adobe security holes.

Post logs to confirm progress.
 
Thanks, those 3 are pretty bad, and critical misses I made :confused:
I'll blame it on a large log. Would have got it the second time around :) (I say!) But thanks.
 
Well, I did as you said. The problem is that they (YUR files and Rapid Antivirus, PCHealthCenter) reappear after I reboot and all.

Here's another log, and the YUR files and Rapid Antivirus are still there even after I deleted them before. I already deleted them again from this log, but I think that they're still coming back.

I also downloaded AVG in hopes that it will catch anything Avast missed, and it's finding a lot of trojans that I think Avast also found and deleted.
 
I had a similar problem. I used the KAV 7 trial and Spybot free to remove the apps and then scanned with HijackThis.
 
This is bad. Still looking for the enabler.
C:\WINDOWS\system32\spoolsv.exe

Please remind us about MBAM and SAS logs. They should be re-run as we remove significant threats. HJT is always expected.

While repeating actions is a "mark of insanity", every time we run HJT to clean, remember to clean out the recurring problems until we find the enabler. Some of these nasties protect each other.

Try Control Panel > Add/Remove Programs to remove this highly questionable application:
O4 - Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe

[edit] RENAME "Rapid Antivirus.exe" TO "Rapid Antivirus.exx". This is an experiment to disable this file without deleting it or removing the application. I am trying to anticipate difficulty removing the application.
[/edit]

For purposes of clarity in the logs, please consider:
For Adobe Reader, use Properties/Tools to turn off auto-launch and updates.
If this proves too difficult, use HJT (checkmark) to disable it. (Eventually Adobe re-enables itself.)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

I have similar feeling about AOL stuff. Your choice. HJT (advanced) can selectively bring back these.


AVG = good; oaiblo.dll = ????
I do not have the experience to know the advisability of mixing AVG with Avast.
RENAME oaiblo.dll TO oaiblo.dlx. This is an experiment to disable this file without deleting it or removing the application.
I favor removing the application. If oaiblo.dll remains, we have another clue.
O20 - AppInit_DLLs: oaiblo.dll,avgrsstx.dll


DO NOT act on this. Try to determine what application(s) are using this as part of their environment. Majors such as HP and ATI probably have ties to this service.
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
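The HijackThis entries the helpers picked out by hand across this thread fall into a few recognisable patterns: per-user O4 Run entries pointing at random-named executables in system32 (the YUR*.exe family and its renamed YUR1A variants), a Run value with an empty name, a startup shortcut for a rogue "antivirus" product, an unrecognised DLL in AppInit_DLLs, and an O21 SSODL line whose target is "(file missing)". The script below is an added example written for this edit; it is not part of the original thread and is not HijackThis code. It parses a constructed log whose lines are modelled on the ones quoted above and applies those heuristics mechanically, so a triager can see at a glance which entries are worth a Fix and which (the Adobe, Symantec and Viewpoint lines) pass through untouched. The rogue-product list, the AppInit_DLLs allowlist (avgrsstx.dll assumed to belong to the AVG install) and the "random-looking name" pattern are assumptions for illustration, not vendor data.

```python
"""Triage a HijackThis-style log with the heuristics used in this thread (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log (assumption): lines modelled on the ones quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [\YUR35E.exe] C:\Windows\system32\YUR35E.exe
O4 - HKCU\..\Run: [\YUR1.exe] C:\Windows\system32\YUR1.exe
O4 - HKCU\..\Run: [\YUR1A.exe] C:\Windows\system32\YUR1A.exe
O4 - HKCU\..\Run: [] C:\Documents and Settings\THU TRAN\Application Data\Adobe\Player.exe
O4 - Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - AppInit_DLLs: oaiblo.dll,avgrsstx.dll
O21 - SSODL: lfstbwvd - {68632BC3-F296-4457-B245-1FBDB84B345F} - C:\WINDOWS\lfstbwvd.dll (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Rogue "security" products named in the thread (assumption: simple substring blocklist).
ROGUE_PRODUCTS = ("rapid antivirus", "antivirus 2009", "pchealthcenter")

# DLLs expected in AppInit_DLLs on this box (assumption: avgrsstx.dll is AVG's resident shield).
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

# Heuristic (assumption): 2-4 letters followed by a digit and up to 3 more hex chars
# (YUR35E.exe, yur1.exe, YUR1A.exe), or a purely numeric name (0.exe, 1.exe).
RANDOM_EXE = re.compile(r"^(?:[a-z]{2,4}\d[0-9a-f]{0,3}|\d+)\.exe$", re.IGNORECASE)

O4_RUN = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<path>.+)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "O4"
    target: str   # file or DLL the entry loads
    reason: str   # which heuristic fired


def _rogue(path: str) -> bool:
    low = path.lower()
    return any(p in low for p in ROGUE_PRODUCTS)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per heuristic hit; entries that trip nothing are left alone."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]

        # HJT appends "(file missing)" when the target is gone: a stale entry, always safe to Fix.
        if line.endswith("(file missing)"):
            target = line.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            findings.append(Finding(section, target, "target file missing; stale entry"))
            continue

        m = O4_RUN.match(line)
        if m:
            path, base = m["path"], m["path"].rsplit("\\", 1)[-1]
            if not m["name"]:
                findings.append(Finding(section, path, "Run value with empty name"))
            if RANDOM_EXE.match(base):
                where = " in system32" if "\\system32\\" in path.lower() else ""
                findings.append(Finding(section, path, f"random-looking executable{where} under {m['hive']} Run"))
            elif _rogue(path):
                findings.append(Finding(section, path, "rogue product named in thread"))
            continue

        m = O4_STARTUP.match(line)
        if m and _rogue(m["path"]):
            findings.append(Finding(section, m["path"], "rogue product named in thread"))
            continue

        m = O20_APPINIT.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll; anything
            # not on the allowlist deserves a look before it is renamed or removed.
            for dll in (d.strip() for d in m["dlls"].split(",")):
                if dll.lower() not in APPINIT_ALLOWLIST:
                    findings.append(Finding(section, dll, "unrecognised AppInit_DLLs entry"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:55} {f.target}")
```

Run it and the seven flagged entries are exactly the ones the helpers told the poster to Fix, rename or delete; the Adobe speed-launcher, the Symantec service and the Viewpoint service produce no finding, matching the "DO NOT act on this" advice. Note that the random-name pattern is a triage aid only: it is why the renamed YUR1A copies are still caught, but a log should still be read by a human before anything is fixed.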
 
Clearly, something is hiding from HJT.
Please download and run ComboFix from HERE.
The log C:\Combofix.txt will be generated; attach that in your next reply.
 