'antivirus' virus headache

Discussion in 'Windows - Virus and spyware problems' started by Dr3gor, Aug 24, 2008.

  1. Dr3gor

    Dr3gor Member

    Joined:
    Aug 24, 2008
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    I was infected with the antivirus 2008 virus and was trying to get rid of it. I had come across this website in hopes for a cure for the virus. I had read some of the threads and took its recommended course of action; however, the background (wallpaper) is still that menacing warning window stating that I must install its antivirus software -- which I didn't, by the way -- in order to rid my PC of threatening viruses. I used Spybot to search for infected files in normal and safe mode. A day later, it said that I do not have any more infected files; however, the forlorn warning sign is still looming in the background. I also used the Smitfraudfix program in safe mode and did what I was directed to do. I think I got rid of the virus, but I want my wallpaper back! I can't even change the wallpaper or use the screen saver feature. Could anybody give me a hand with this? I would appreciate any help I can get. Thank you.

    Dr3gor
     
  2. Dr3gor

    I have just scanned my PC again for the umpteenth time and now it is telling me that I have a Killav.T Trojan horse. Two of them. And on top of all this I can no longer use volume control. No volume at all. I use AVG antivirus scan. I would appreciate any help on this. Thanks.

    Dr3gor
     
  3. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hello Dr3gor,

    First of all, antivirus 2008 is not a virus. It’s a Rogue antivirus malware.

    Try this to rid it:

    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    • If an update is found, it will download and install the latest version.

    • Once the program has loaded, select Perform full scan, then click Scan.

    • When the scan is complete, click OK, then Show Results to view the results.

    Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.



    2OG
     
  4. Dr3gor

    To 2OG,

    Thank you very much. I now have the warning wallpaper replaced by the blue screen. Thank you also for your correction of my mistaken terminology. I can better my knowledge of computer science with experts like yourself helping me along the way. I can now replace the missing files (features) by inserting my OS Cd, right? Are there other things I could do to ensure that my PC isn't infected?

    Thanks again,

    Dr3gor
     
  5. 2oldGeek

    @ Dr3gor,

    You should be able to set a new wallpaper by right-clicking on the desktop and going to Properties.


    If you are afraid you may have more infection, we can run a scan with ComboFix and clear anything left over.


    Download ComboFix from Here

    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.



    2OG
     
  6. Dr3gor

    2OG

    I was able to replace the sound system just fine; and the screensaver/ wallpaper feature, which was hitherto nonexistent, magically reappeared. Thanks a lot for your help.

    Dr3gor
     
  7. 2oldGeek

    I guess that means you don't want to dig anything else up..

    You're welcome.

    Surf Safe,
    2OG
     
  8. Dr3gor

    Ah, I just got your reply, sorry. I did the ComboFix thing. And here is what I got:

    ComboFix 08-08-23.03 - Rodger Coker 2008-08-25 11:53:45.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT 9:00]
    Running from: C:\Documents and Settings\Rodger Coker\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Noemi\Cookies\noemi@hi5[2].txt
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0234\v\swf\qplayer.swf\youku.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0284\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0288\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0290\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0291\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0293\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0294\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0296\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0304\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0307\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0309\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0311\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\#SharedObjects\UECAAHLB\static.youku.com\v1.0.0312\v\swf\qplayer.swf\qplayer.sol
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
    C:\Documents and Settings\Rodger Coker\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
    C:\Documents and Settings\Rodger Coker\Cookies\rodger_coker@insightexpressai[1].txt
    C:\Program Files\Common Files\companion wizard
    C:\Program Files\Common Files\companion wizard\WapCHK{F386E172-17D1-431A-9DBE-D5710A87798F}.dll
    C:\Program Files\internet explorer\msimg32.dll
    C:\Program Files\Ofb1
    C:\Program Files\Ofb1\Ofb1.dll
    C:\Program Files\Ofb1\Uninstall.exe
    C:\WINDOWS\system32\_000008_.tmp.dll
    C:\WINDOWS\system32\_000009_.tmp.dll
    C:\WINDOWS\system32\actskn43.ocx
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\stera.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FOPN
    -------\Legacy_VSPF
    -------\Legacy_VSPF_HK
    -------\Service_sysrest.sys


    ((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
    .

    2008-08-25 09:04 . 2008-08-25 11:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-25 09:04 . 2008-08-25 09:04 <DIR> d-------- C:\Documents and Settings\Rodger Coker\Application Data\Malwarebytes
    2008-08-25 09:04 . 2008-08-25 09:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-25 09:04 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-25 09:04 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-24 07:19 . 2008-08-24 07:50 4,392 --a------ C:\WINDOWS\system32\tmp.reg
    2008-08-23 20:15 . 2008-08-23 20:15 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
    2008-08-23 19:33 . 2008-08-24 07:13 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-08-05 01:33 . 2008-08-24 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-08-04 22:58 . 2008-08-04 22:58 <DIR> d-------- C:\Program Files\Bonjour
    2008-08-04 22:52 . 2008-08-04 22:52 <DIR> d-------- C:\Program Files\Safari

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-24 23:55 --------- d-----w C:\Documents and Settings\Rodger Coker\Application Data\AVG7
    2008-08-24 15:21 --------- d-----w C:\Program Files\Mother Of All Battles
    2008-08-23 23:49 --------- d-----w C:\Program Files\MSN Messenger
    2008-08-23 23:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-23 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-23 11:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-18 13:51 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-13 14:01 --------- d-----w C:\Documents and Settings\Rodger Coker\Application Data\uTorrent
    2008-08-05 08:22 --------- d-----w C:\Program Files\Conquest
    2008-08-05 00:19 --------- d-----w C:\Program Files\Picasa2
    2008-08-04 16:34 --------- d-----w C:\Program Files\Google
    2008-08-04 15:46 --------- d-----w C:\Documents and Settings\Rodger Coker\Application Data\Apple Computer
    2008-08-04 13:59 --------- d-----w C:\Program Files\iTunes
    2008-08-04 13:59 --------- d-----w C:\Program Files\iPod
    2008-08-04 13:57 --------- d-----w C:\Program Files\QuickTime
    2008-07-11 10:39 --------- d-----w C:\Program Files\Logitech
    2008-07-11 10:38 --------- d-----w C:\Program Files\Common Files\Logitech
    2007-06-08 06:44 11,510 ----a-w C:\Program Files\INSTALL.LOG
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:07 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-09-13 11:12 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 10:07 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 10:07 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 10:07 455168]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-25 17:15 454656]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 21:11 180269]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-27 03:30 97357]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 14:26 7700480]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 14:26 86016]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 09:16 580096]
    "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-02-25 16:15 221184]
    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-25 17:06 212992]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
    "nwiz"="nwiz.exe" [2007-04-19 14:26 1626112 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:07 15360]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-03 08:04 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-07-11 19:37:49 169472]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 02:18 49152]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.enc"= ITIG726.acm
    "msvideo7"= STV680tg.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Documents and Settings\\Rodger Coker\\Desktop\\utorrent.exe"=
    "C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13145:TCP"= 13145:TCP:BitComet 13145 TCP
    "13145:UDP"= 13145:UDP:BitComet 13145 UDP
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c99fc290-72c0-11dc-bc33-0011092f01ba}]
    \Shell\AutoRun\command - G:\188qsm.bat
    \Shell\explore\Command - G:\188qsm.bat
    \Shell\open\Command - G:\188qsm.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e22312fe-2cac-11dc-bbdf-0011092f01ba}]
    \Shell\AutoRun\command - G:\188qsm.bat
    \Shell\explore\Command - G:\188qsm.bat
    \Shell\open\Command - G:\188qsm.bat
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-25 C:\WINDOWS\Tasks\A8B98BD391A20007.job
    - c:\docume~1\rodger~1\applic~1\idoleg~1\NURB SIGN ONE.exe []

    2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Jhoos - C:\Program Files\Jhoos\Jhoos.exe
    HKCU-Run-playamen - C:\DOCUME~1\RODGER~1\APPLIC~1\IDOLEG~1\wipe joy help.exe
    HKCU-Run-PopularScreensaversWallpaper - C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL
    HKLM-Run-Globe7 - C:\Program Files\Globe7\Globe7.exe
    HKLM-Run-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Rodger Coker\Application Data\Mozilla\Firefox\Profiles\o649s9wi.default\
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-25 11:59:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\skeys.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-25 12:06:13 - machine was rebooted [Rodger Coker]
    ComboFix-quarantined-files.txt 2008-08-25 03:06:10

    Pre-Run: 9,716,154,368 bytes free
    Post-Run: 9,847,267,328 bytes free

    211 --- E O F --- 2008-08-13 14:03:58



    I hope there are no more infections probing around my PC. I appreciate the time you are putting in for my benefit.

    Dr3gor.
     
  9. 2oldGeek

    @Dr3gor,

    You are clean now. I have listed all the deletions that combofix performed. As you can see there were quite a few. The rest of the Log is clean.


    You will also need to remove ComboFix from your computer.
    To do this:
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

    The above procedure will:
    • Delete the following:
    o ComboFix and its associated files and folders.
    o VundoFix backups, if present
    o The C:\Deckard folder, if present
    o The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.







    Enjoy your clean computer


    2OG
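
The ComboFix log posted in this thread follows a sectioned text layout with registry keys in square brackets and scheduled tasks listed as a `.job` line followed by its target. As an added example (not part of the thread and not ComboFix's own code), this Python code walks an excerpt of that layout and lists the kinds of entries a reviewer usually reads by hand: cached MountPoints2 autorun handlers, Security Center monitoring switches, and scheduled-task targets that sit in a user profile or show no file metadata. The function name `triage` and the category labels are assumptions made for illustration.

```python
import re

# Shortened excerpt in the layout of the ComboFix log posted in this thread.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:07 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c99fc290-72c0-11dc-bc33-0011092f01ba}]
\Shell\AutoRun\command - G:\188qsm.bat
\Shell\open\Command - G:\188qsm.bat
.
Contents of the 'Scheduled Tasks' folder

2008-08-25 C:\WINDOWS\Tasks\A8B98BD391A20007.job
- c:\docume~1\rodger~1\applic~1\idoleg~1\NURB SIGN ONE.exe []

2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$", re.I)             # [HKEY_...\subkey]
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$", re.I)  # date + .job path
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")                 # "- target [metadata]"
PROFILE_RE = re.compile(r"\\(documents and settings|docume~1)\\", re.I)
MONITOR_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)

def triage(log_text):
    """Return (category, location, detail) tuples for entries to review by hand."""
    findings = []
    key = task = None  # the registry key or task file the current line belongs to
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key, task = m.group(1), None
            continue
        m = TASK_RE.match(line)
        if m:
            task, key = m.group(1), None
            continue
        if key and "\\mountpoints2\\" in key.lower() and line.lower().startswith("\\shell\\"):
            # Shell verb cached for a volume: runs when the drive is opened.
            verb, _, cmd = line.partition(" - ")
            findings.append(("autorun-handler", key, f"{verb} -> {cmd}"))
        elif key and "security center" in key.lower() and MONITOR_RE.match(line):
            findings.append(("monitoring-disabled", key, line))
        elif task:
            m = TARGET_RE.match(line)
            if m:
                target, meta = m.groups()
                if not meta.strip():  # the log printed empty brackets for the target
                    findings.append(("task-target-no-metadata", task, target))
                if PROFILE_RE.search(target):  # long or 8.3 form of the profile path
                    findings.append(("task-target-in-profile", task, target))
    return findings

if __name__ == "__main__":
    for category, location, detail in triage(SAMPLE):
        print(f"{category:26} {location}\n{'':26} {detail}")
```

The categories are prompts for manual review, not verdicts; each flagged entry still has to be checked against what is actually on disk.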
     
