Av security suit virus

Solved/Closed
Gervarod - Jun 11, 2010 at 04:33 AM
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jun 13, 2010 at 05:39 AM
Hello, my dear friends again on the other desktop computer at my place some how it installed Av Security Suite on it owns but i am doing a Malware scan it remove it and it's found 49 infected files. should i leave it going or other.

P.S. the person who was using this was looking up porn not me as you see i got a laptop of my own which i do not lend to no one but myself. i told him not to look up porn at all

if i can get help thanks ASAP

Regards, Gervarod



Related:

4 responses

Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Jun 11, 2010 at 05:33 AM
Hello Friend,

I believe that you solved the problem with Malwarebyte.

Should the problem reoccur, please let me know.

Have a most pleasant day.

Regards
0
but one thing is im doing a scan and every time i do the scan with my Avast anti-virus scan it show that......File C:/Gerva/AppData?Local/sysvc.exe is infected by win32: PUP-gen [PUP] . every time i do a scan which is a boot scheled scan i still have this file on it still it says it moves to chest.


and yes Malwarebyte did fix the problem in an hour Ambucias.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Jun 11, 2010 at 04:50 PM
Greetings Gervarod,

Well, it seems that we may have a little rootkit in our hands.

I suspect that Avast is detecting some left over dung.

Please go to F-Secure and perform a scan. Usually F-Secure is able to detect and remove this sort of thing.

http://www.f-secure.com/en_EMEA/security/tools/online-scanner/

Let me know
0
No worries i will let you know ASAP catch ya later.
0
Dear, Ambucias i did a scan with F-secure but near the end some how the scan went away on its own and now i did a scan with trend Micro HouseCall online scan, but one thing it's funny that it picked up a readme.chm File, the threat was TROJ Generic.DIT and the action the scanner did was ignored why?if you want me to i can do a scan wit F-Scure again and give you the results from that. Regards, Gervarod
Regards, Gervarod
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Jun 12, 2010 at 04:18 PM
Dear Aussie Friend

It is a good thing that your system is still operational despite this parasite.

First can you download, install and run Spybot Search and Destroy and see what it finds.

https://ccm.net/downloads/security-and-maintenance/4561-spybot-search-destroy/

Also, please check the quarantine file of your antivirus and clean what is in there if any.

If you still feel there is still the presence of a virus, please send me a HJT log, I believe your know the procedure:

http://free.antivirus.com/hijackthis/

See you later alligator
0
one funny thing is when i turned the computer on all it went to is Avast scan before it booted up to get to the desktop at all. but the only time it goes there is if i do a Boot-time scan. it's action funny too do that any way
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Jun 13, 2010 at 05:21 AM
That is because of the process that I asked to remove in the other thread, processes start at boot time.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Jun 13, 2010 at 05:39 AM
For posterity and others who experiences the same issue, here is a copy of the exchange from another thread which follows this one.

ok i did what you wanted me to with spybot and i got the log file report from Hijack this here is it....... hope to hear from you ASAP thanks for the help Ambucias with the things i gone through.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:10:39 PM, on 13/06/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internode\mum.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehmsas.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)
O2 - BHO: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O3 - Toolbar: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchSettings] "C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [IS CfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\Users\Ace\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

ANSWER

Hello Gervarod,

6AM presently here.

Did Spybot find anything? I forgot to tell you not to install the Tea-Timer component which gets annoying. You can remove it though the add/remove programme utility.

It seems that your system got infected through YouTube. One must be carefull with YouTube, not as malicious as Limewire but...

Concerning your log, there is one process which need to be terminated and removed:

C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe

Please run another scan with HJT, no log. Once the scan is finished please check the following:


C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)

O3 - Toolbar: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)

O4 - HKLM\..\Run: [SearchSettings] "C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe"

If the following is not precious to you, I would delete it:

O2 - BHO: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll

Once checked, please click on fix checked and do another scan with Malwarebyte.

Let me know

Farewell
0