Unable to shake off malware: antit.exe

By Vlaew · 22 replies
Jun 6, 2009
  1. Hello guys, I just became aware of this when friends on my msn messenger list (using 2009 version) told me I started sending them a spam message.

    The message was "Hot! Hot! (website was isexsexsex)" obviously it was an attack site, but what puzzled me was HOW I was sending it.

    It happens when I sign in, it doesn't happen anytime I'm offline.

    Looking at my process list I find a process called "antit.exe" that I didn't recognize as anything and found out from google it was malware, so I delete the jerk in safe mode (and the registries it has) only to find it come back 5 minutes later on startup. (At one point I saw 0.exe pop up on the process list, then disappear, leaving antit.exe running)

    And the trick to finding antit.exe (for some reason there is no 0.exe in sys) is to go to folder options and to see hidden SYSTEM files. It's being treated as a system file, which makes me wonder if that's why Spybot resident doesn't complain in paranoid mode because it just lets the thing install itself.

    Spybot doesn't have anything like this in its database, it's useless. I also tried AVG, it recognizes the antit.dll as a threat and removes it, but that's about it, next start up it will only come back. Even if you kill the process you have to delete the files in safe mode because it says it's still being used.

    I checked some database sites, apparently this thing is fairly new, hence not showing up on most scanners or programs, and when they do, they just delete the dll and exe which doesn't solve the problem.

    Another thing is apparently I spam the message on msn even when the antit.exe ISN'T running!

    I tried almost all the resources I can get, now I need professional help. Please help me out? Thank you in advance.

    I completed the 8 steps without any problems except for the fact the thing keeps coming back. SUPERAntiSpyware was able to find more than the others did, but it still came back..
  2. nitro912gr

    nitro912gr TS Rookie

    I have the same problem! I was trying to get rid of this malware with everything. I did, for a short time at least.

    Last night I thought I was clear, I scanned in safe mode with spybot, adaware, and malwarebytes. The first 2 failed me, but the malwarebytes found the antit problem and the registry keys and some folders and files in my program files (it makes me wonder how it is possible, since I took a look myself and couldn't locate the folder, with the folder options to see everything).

    Anyway I removed the infections with the malwarebytes, the log reported that everything was successful and I continued working on my pc till early morning. Then I turned it off and went to sleep. So today, full of confidence, I started up the pc, and went to check my mails and start working (I'm in Graphics Design college, and I have exams these days, you can get an idea of the stress here) and here we go again. My contacts in msn inform me that I spam links to them, again.

    I did a scan with malwarebytes again, removed it again, and now it appeared again. I did another scan and guess what, here it is again.

    Any solution?

    (forgot to mention I work on Windows XP SP3 greek)

    edit: I noticed the quick appearance of 0.exe before antit.exe appears in processes again.
  3. touch

    touch TS Rookie Posts: 978

    nitro912gr ->

    Please run the steps in this guide:

    8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Post attached logs from:


    In your own new topic

    Vlaew -->>>

    Please download Combofix:
    And save to the desktop.

    Close all other browser windows.

    Double-click on the combofix icon found on your desktop.

    Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.
  4. booom3

    booom3 TS Rookie

    I know I'm not the same person, but I have the exact same problem.
  5. kritius

    kritius TS Guru Posts: 2,084

    Start your own thread then!
  6. Vlaew

    Vlaew TS Rookie Topic Starter

    Did it

    Did the combofix.exe
  7. ThexDarksider

    ThexDarksider TS Rookie Posts: 28

    This is a new worm (or a new variant of an existing worm, which is more likely) that spreads through MSN (of course, only if someone clicks that link). You should upload that antit.exe file to AV vendors so they can update their signature files.

    And the 0.exe is probably a dropper (it's run before antit.exe, and it creates it at that moment).

    If you want to make sure again that it's only that .exe's fault, and not the account's, try to log in from another computer (or another OS on your computer, such as a distro of Linux, if available).

    If nothing else, upload that antit.exe and the 0.exe if you find it in a password-protected RAR archive to a file sharing service and PM me the link + the password and I'll run it sandboxed and try to observe its behavior.

    Good luck solving this problem!
    -- ThexDarksider

    P.S. I found this thread on Google by searching for 'HOT!HOT! isexsexsex' because I got the same spam message from one of my contacts today (although I believe he was offline; this definitely needs further investigation!)
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    This thread is for the use of Vlaew only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.

    Malware cleaning is customized for each individual system.
  9. Vlaew

    Vlaew TS Rookie Topic Starter

    SuperAntiSpyware just found something called pve.exe in windows, it deleted it and so far that exe hasn't come back yet.

    I think antit is now downloading stuff now
  10. Vlaew

    Vlaew TS Rookie Topic Starter

    Bump for great justice!

    I think I killed it!

    Here is how I did it. (This doesn't mean it might be the SAME solution to YOUR problem because there are variants to this "virut", I'm not an expert, but I try, don't blame me if you do the same thing I did and screw up.) But this is how I did it to explain to the moderators:

    I disabled my wireless. Then did scans from SAS and Malwarebytes.
    I downloaded F-Secure Anti-Virus, because their database was more up to date with this mofo and plus their trial has the monitor of any changes to the system. So after doing a bunch of scans, I booted in safe mode and repeated just so there wasn't anything else running. Then I booted in normal mode with the internet off still, and then it happened...

    I finally caught the "0.exe" that was responsible for this, because it was caught by the monitor scanner thingy when it tried to launch cmd.exe. It asked if I should let it run, course I didn't, but it didn't bother to delete it either so I had to go to the source (It's in common files in my programs on C, not hidden or system tagged.) and I deleted it. I rebooted and did some final scans that reported clean and then enabled my wireless and waited..and waited...and it did NOT show up again. I logged on to msn and so far none of my friends said I spammed them anything.

    Awesome. I'm gonna keep the F-Secure thing running to make sure it doesn't come back again through some exploit. Just look for 0.exe.BAT <---hah a bat

    I had no sleep and I am wired up on skittles.

    Here is a HJT log if you want.

    Spread the word about that 0.exe.bat, I like to hit malware coders where it counts.
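    The posts above (ThexDarksider's dropper explanation and Vlaew's write-up) give a consistent picture: a short-lived 0.exe / 0.exe.bat drops antit.exe and antit.dll, which hide behind Hidden+System attributes, and something has to re-launch them at every boot. The following read-only triage script is an added example, not code from this thread or from any of the tools mentioned in it; it only uses the file names the posters reported and checks the standard autorun locations for them. The search roots and the Winlogon keys are my assumptions about where to look on a Windows XP system, and it assumes Windows PowerShell 2.0 or later.

```powershell
# Added triage script (not from the thread). It deletes nothing: it lists
# files with the names reported in the thread (including Hidden+System ones),
# hashes them so they can be submitted to AV vendors, and shows any running
# process, Run/RunOnce value, Winlogon value or service that references them.
# Assumption: PowerShell 2.0+ on the infected machine; run as Administrator.

$names = @('antit.exe', 'antit.dll', '0.exe', '0.exe.bat', 'pve.exe')
# Assumed search roots: the thread found the files under the Windows folder and
# under Program Files\Common Files.
$roots = @($env:SystemRoot, "$env:ProgramFiles\Common Files", $env:ProgramFiles)

function Get-FileSha256([string]$path) {
    # SHA-256 via .NET, because Get-FileHash does not exist in PowerShell 2.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Test-Reference([string]$text) {
    # True when the text mentions any of the reported file names.
    $lower = $text.ToLower()
    foreach ($n in $names) { if ($lower.Contains($n)) { return $true } }
    return $false
}

Write-Host "== Files matching reported names (-Force also lists hidden/system files) =="
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($names -contains $_.Name.ToLower()) } |
        ForEach-Object {
            $hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            $system = [bool]($_.Attributes -band [IO.FileAttributes]::System)
            "{0}`tsize={1}`tHidden={2}`tSystem={3}`tSHA256={4}" -f `
                $_.FullName, $_.Length, $hidden, $system, (Get-FileSha256 $_.FullName)
        }
}

Write-Host "== Running processes with matching names =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $names -contains (($_.ProcessName + '.exe').ToLower()) } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

Write-Host "== Autorun values referencing the reported names =="
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit values
)
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        if (Test-Reference ([string]$p.Value)) { "{0}\{1} = {2}" -f $key, $p.Name, $p.Value }
    }
}

Write-Host "== Services whose image path references the reported names =="
Get-WmiObject -Class Win32_Service | ForEach-Object {
    if (Test-Reference ([string]$_.PathName)) {
        "{0} ({1}) start={2} path={3}" -f $_.Name, $_.State, $_.StartMode, $_.PathName
    }
}
```

The point of listing rather than deleting is the one Vlaew ran into: removing antit.exe alone does nothing while the loader that recreates it is still referenced somewhere, so the autorun and service sections are what identify the thing to remove, and the hashes are what to send to the AV vendors as ThexDarksider suggested.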
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36


    Please read this: Credit to kritius:
    You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player:

    To remove, find and remove Viewpoint Media Player

    Go to Start > Run and copy/paste or type: taskmgr
    • Under the Processes tab find the following tasks or processes:
    • ViewpointService.exe
    • ViewMgr.exe
    • Highlight and click "End Process".
    • Exit Task Manager.

      Click on Start > Run and type: services.msc> OK
    • Click the "Extended tab".
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist: Open Windows Explorer> Programs:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder
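    Bobbye's four steps (end the processes, stop and disable the service, uninstall from Add/Remove Programs, delete the leftover folders) can be done from one elevated PowerShell prompt. The script below is an added example, not something posted in this thread; it follows the steps in the order given. It assumes Windows PowerShell 2.0 or later, that the Add/Remove Programs entries have a DisplayName beginning with "Viewpoint" (the thread names Viewpoint, Viewpoint Manager and Viewpoint Media Player), and that the Wow6432Node key simply does not exist on a 32-bit XP install.

```powershell
# Added removal script (not from the thread) implementing Bobbye's steps.
# Assumptions: PowerShell 2.0+, run as Administrator; uninstall entries are
# named Viewpoint*; the vendor uninstaller may show its own dialogs.

$procs   = @('ViewpointService', 'ViewMgr')          # Task Manager > End Process
$svcDisp = 'Viewpoint Manager Service'               # as shown in services.msc
$folders = @("$env:ProgramFiles\ViewManager", "$env:ProgramFiles\Viewpoint")

# 1. End the two processes.
foreach ($p in $procs) {
    Get-Process -Name $p -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Ending process $($_.ProcessName) (PID $($_.Id))"
        Stop-Process -Id $_.Id -Force
    }
}

# 2. Stop the service and set its Startup Type to Disabled.
$svc = Get-Service -DisplayName $svcDisp -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Host "Service '$svcDisp' (internal name $($svc.Name)) stopped and disabled"
} else {
    Write-Host "Service '$svcDisp' not found; skipping"
}

# 3. Run the uninstaller of every Add/Remove Programs entry named Viewpoint*.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # absent on 32-bit XP
)
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $entry = Get-ItemProperty -Path $_.PSPath
        if ($entry.DisplayName -like 'Viewpoint*' -and $entry.UninstallString) {
            Write-Host "Uninstalling $($entry.DisplayName): $($entry.UninstallString)"
            # Run the registered uninstall command and wait for it to finish.
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$($entry.UninstallString)`"" -Wait
        }
    }
}

# 4. Delete the leftover folders if they still exist.
foreach ($f in $folders) {
    if (Test-Path $f) {
        Remove-Item -Path $f -Recurse -Force
        Write-Host "Deleted $f"
    } else {
        Write-Host "$f already gone"
    }
}
```

Re-run the script after a reboot: if step 1 finds either process running again, something other than the service is starting it, and the uninstall entries in step 3 are the first place to look.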
  12. Vlaew

    Vlaew TS Rookie Topic Starter

    Thank you Bobbye, I use bitcomet as a downloader and it was marked as clean by one of the links you gave me. I used to have frostwire and before that, bearshare, but bearshare for some reason couldn't connect to the host anymore (I think they died) and frostwire had more files pretending to be what they are than real files. Anyway, I'm sticking with the comet because it was one of the safer apps from the list.

    But thank you for the viewpoint guide, I do have VLC player. <3
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please tell me what that link was. I would never knowingly pass on anything that said BitComet is clean.

    And please remember, when you share files, you get the bad with what you may think is the good.
  14. kritius

    kritius TS Guru Posts: 2,084

    It's in the MalwareRemoval link,

    They went through a long stage of testing the various programs and advising people which ones to use. They have since changed policy and now instruct users to remove all programs prior to any fixes.

    (List last updated 19 December 2008)
  15. touch

    touch TS Rookie Posts: 978

    Vlaew - I think we need a fresh combolog now ;)
  16. Vlaew

    Vlaew TS Rookie Topic Starter

    Here it is, it's odd because it said it removed antit.exe and dll and the folder again but it was non existent in the first place, AND there is no 0.exe.bat around to run it up either.

    So...should I remove bitcomet? What's a safer app?

    Attached Files:

  17. ThexDarksider

    ThexDarksider TS Rookie Posts: 28

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    None of these is safe. You have a port allowing Bearshare traffic and you're using BitComet. Please read the information in the P2P Warning.
  19. Vlaew

    Vlaew TS Rookie Topic Starter

    I used to use bearshare.
  20. touch

    touch TS Rookie Posts: 978

    Open notepad and copy/paste the text in the codebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    c:\documents and settings\Vlaew\Application Data\Mozilla\Firefox\Profiles\r3ck0uhq.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
    c:\program files\BitComet
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\program files\MicPhone

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.

    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  21. Vlaew

    Vlaew TS Rookie Topic Starter

    I did what you told me touch, unfortunately when it restarted and was preparing a log I got a blue screen of a memory dump and it restarted again. (I usually get it when the computer gets stressed out from doing so much ****. It's like 5 years old)

    I also uninstalled BitComet before the combofix thing, which is a really interesting program.

    Want me to run combofix again or is that unhealthy?
  22. kritius

    kritius TS Guru Posts: 2,084

    Get the log file, should be at c:\combofix.txt.

    No need to run it again for now.
  23. Vlaew

    Vlaew TS Rookie Topic Starter

    The log isn't there. Hence why I asked.