Spyware Virus - Free Antivirus Forum

Spyware Virus

BullGuard Antivirus Forum > Virus Removal > Removal Help > Spyware Virus

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

Dirk
New Member

Date Joined Apr 2005
Total Posts : 22

Posted 8-16-2008 1:16 (GMT +1)

i have a virus that masks itself as a spyware virus messge. it killed my desktop background and replaced it with a window that says spyware detected ; i am also getting a windows message box flashing saying please instal new version video Active X object and another that says your browser cannot play this video file; there are a number of other message boxes but they are flashing extremely fast and i cant read any of the messages.

i was on a web site that looked like it was downloading files (virus) to my computer; i have not rebooted but i did use the hijack this program to delete some processes with a 04 beginning number because they looked like obvious malicious procedures. Any help is very much appreciated

here is the current hijack this log;

Logfile of HijackThis v1.99.1
Scan saved at 8:05:30 AM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\WISPTIS.EXE
c:\0xf9.exe
C:\Program Files\Microsoft Security Adviser\mssadv_sp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Security Adviser\mssadv.exe
C:\Program Files\rhcpvrj0er7e\rhcpvrj0er7e.exe
C:\WINDOWS\system32\pphctvrj0er7e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MS\Desktop\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType

Pro\type32.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend

Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH

Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe"

-logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMrhcpvrj0er7e] C:\Program

Files\rhcpvrj0er7e\rhcpvrj0er7e.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat

6.0\Distillr\acrotray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program

Files\Microsoft Firewall Client\ISATRAY.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MI05E6~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} -

C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} -

C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network

Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client

Control (redist)) - https://mjmain.mjmanagementservices.com/Remote/msrdp.cab
020 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToMyPC - C:\Program

Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program

Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NeroSVC - ahead software gmbh
im stoeckmaedle 6
76307 karlsbad, germany
Fax: ++49-7248-911-888
e-mail: info@ahead.de - C:\Program Files\ahead\Nero\NeroSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. -

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP -

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. -

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program

files\verizon wireless\venturi\Client\ventc.exe

Dirk
New Member

Date Joined Apr 2005
Total Posts : 22

Posted 8-16-2008 1:33 (GMT +1)

one more thing; there is a new shortcut icon on my desktop called Antivirus XP2008

I went into the properties to get the target of the shortcut and its "C:\Program Files\rhcpvrj0er7e\rhcpvrj0er7e.exe" and the start in is "C:\Program Files\rhcpvrj0er7e"

A window is popping up that i cant close saying the comptuer is infected with spyware and adware. the screen also can not be minimized or closed and i cant get to the task manager to terminate the program; when i go to the task manager, the task manager is greyed out and you cant select that option.

The desktop background now says its a windows warning message and has two lines in the window;

warning Win32/Adware.virtumonde detected on your computer
and
warning Win32/Adware.virtumonde detected on your computer

and the text please activate your anit virus software to clean your computer

thanks!

Forum Information

Currently it is Friday, January 09, 2009 10:56 PM (GMT +1)
There are a total of 66.008 posts in 16.187 threads.
In the last 3 days there were 18 new threads and 109 reply posts. View Active Threads