Antivirus 2008 keeps recreating itself

Discussion in 'Malware Help (A Specialist Will Reply)' started by rwalsh3711, Sep 4, 2008.

  1. rwalsh3711

    rwalsh3711 Private E-2

    Hello all,

    I'm looking for some help as I am at my wits' end. I have a client with a PC that contracted the Antivirus XP 2008 virus, and I have been unable to get it cleaned up to the point where it won't come back. Here are all the solutions I've tried so far:

    Kaspersky SOS
    ComboFix
    SUPER AntiSpyware
    Malwarebytes

    I've tracked down the actual processes and removed them and the entries in the registry. However, something in the system keeps recreating everything and within five minutes of rebooting the system after the clean up the "Antivirus XP 2008" icon reappears. After a second reboot the wallpaper changes to the Warning Message. Any help would be much appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Based on some of the scans you said you have run, I assume you were running this:

    READ & RUN ME FIRST. Malware Removal Guide


    If you were running that, then attach the logs from SUPERAntiSpyware, Malwarebytes and ComboFix that were requested and finish the final step with MGtools and attach that log too.


    If you were not running the READ & RUN ME, you need to run it and attach the 4 requested logs (3 of which you already ran).
     
  3. rwalsh3711

    rwalsh3711 Private E-2

    Thank you very much for your assistance. I'm attaching the logs now. I did try running ComboFix one more time to get an updated version of the log; however, when I tried to run it, it did a quick "update" and then stated that it was not a valid Win32 application. Instead, I'm uploading the ComboFix log from last evening.
     

    Attached Files:

  4. rwalsh3711

    rwalsh3711 Private E-2

    Final log
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not useful since you ran things in the wrong order. This log shows that ComboFix was run before the other scans which is not what we requested. Let's uninstall whatever you have from ComboFix right now.

    • Click START, then RUN, enter the below into the run box and then click OK. Note that the quotes are required:
    • "%userprofile%\Desktop\combofix" /u
      • Note: the space between combofix" and /u must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    • Delete the C:\combofix and C:\QooBox folders if they still exist.
    Now continue on with the below.

    Uninstall Viewpoint Media Player per step 1 of the READ & RUN ME.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis ( select Do a system scan only ) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [frun] C:\WINDOWS\derc32xz.exe
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [lphc7f4j0er4a] C:\WINDOWS\system32\lphc7f4j0er4a.exe
    O4 - HKLM\..\Run: [SMrhc3f4j0er4a] C:\Program Files\rhc3f4j0er4a\rhc3f4j0er4a.exe
    O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
    O15 - Trusted Zone: http://update.randhi.com (HKLM)
    O20 - Winlogon Notify: trattap - C:\WINDOWS\SYSTEM32\trattap32.dll

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.



    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).




    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Sep 6, 2008
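The HijackThis lines chaslang picked out above share a few traits a reviewer looks for first: Run values with random-looking names (lphc7f4j0er4a, rhc3f4j0er4a), a toolbar CLSID with no backing file, sites added to the Trusted Zone, and a Winlogon Notify DLL. The following is an added example, not part of the thread or of HijackThis itself: a small Python triage script that parses O3/O4/O15/O20 lines from a HijackThis log and lists the entries worth reviewing. The sample log is constructed from the lines quoted in this thread plus one benign QuickTime entry as a control; the random-name heuristic is an assumption, not a HijackThis rule.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind line reason")

# Constructed sample: lines quoted in the thread above, plus a benign QuickTime
# entry that should NOT be flagged.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [frun] C:\WINDOWS\derc32xz.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc7f4j0er4a] C:\WINDOWS\system32\lphc7f4j0er4a.exe
O4 - HKLM\..\Run: [SMrhc3f4j0er4a] C:\Program Files\rhc3f4j0er4a\rhc3f4j0er4a.exe
O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
O20 - Winlogon Notify: trattap - C:\WINDOWS\SYSTEM32\trattap32.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<file>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+) \((?P<hive>\w+)\)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.*)$")

def looks_random(token):
    """Heuristic (an assumption): generated names such as lphc7f4j0er4a switch
    between letters and digits repeatedly; vendor names (qttask, realsched) rarely do."""
    t = token.lower()
    digits = sum(c.isdigit() for c in t)
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(t, t[1:]))
    return len(t) >= 6 and digits >= 2 and switches >= 2

def exe_basename(cmd):
    """Return the executable's base name (no extension) from a Run value command line."""
    m = re.match(r'^"?(?P<path>[^"]+?\.exe)', cmd.strip(), re.IGNORECASE)
    path = m.group("path") if m else cmd.strip()
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def triage(log_text):
    """Walk a HijackThis log and return the entries a reviewer should look at first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O4_RE.match(line):
            exe = exe_basename(m["cmd"])
            if looks_random(m["name"]) or looks_random(exe):
                findings.append(Finding("O4", line, f"random-looking name '{exe}' in {m['hive']} Run"))
        elif m := O3_RE.match(line):
            if m["file"] == "(no file)":
                findings.append(Finding("O3", line, "toolbar CLSID with no backing file"))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", line, f"site {m['site']} added to Trusted Zone"))
        elif m := O20_RE.match(line):
            findings.append(Finding("O20", line, f"Winlogon Notify DLL {m['file']} loads at logon"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the sample it surfaces six of the seven lines and leaves the QuickTime entry alone; the output is a review list, not a verdict, which is why the thread still asks for the full logs before fixing anything.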
