TechSpot

TR/Downloader.Gen Trojan - svchost.exe in the C:\Windows\Temp

By Arthurik_jan
Dec 23, 2009
  1. Hi guys!

    This is a peculiar problem that I'm having. Exactly every 5 minutes I get two warnings from Avira Antivir that say the following:
    http://img696.imageshack.us/img696/8982/001i.png

    This is how that folder looks like:
    http://img199.imageshack.us/img199/2508/002ep.png

    According to Avira there was a virus that was apparently hiding under the svchost.exe name in every one of these folders.

    - Malwarebytes' Anti-Malware shows that the system is clean.
    - Avira complete scan shows the system is clean.
    - Spybot shows the system is clean.
    - Windows and all of the malware scanners are up to date.
    - I cleaned the temp folders with CCleaner a few times already, did a complete scan, waited a few minutes and BAM the warning appeared again.

    What should I do?

    I have Windows 7, 6.1 build 7600, with all of the updates.
    I also have the latest software with up to date databases:
    - Avira Anti-Vir Personal
    - Malwarebytes' Anti-Malware
    - Spybot Search & Destroy
    I use Firefox 3.5.6 for surfing

    Thanks for all the advice in advance,

    Arthur
     
  2. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Please post the 3 logs required.
     
  3. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    Thank you, AnonymousSurfer. Already on it.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Suggest trying this first since it refers to a file in the temp files:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
     
  5. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    Alright so here's the report. Bobbye, I ran TFC and it cleaned 1GB worth of information from my computer (also erasing all of the pinned folders from the Windows Explorer taskbar shortcut, which doesn't upset me, no worries ;)) and the problem persists. Every 5 minutes I get a virus detected message. Is it possible that Avira is just freaking out?

    Anyway here is the Malwarebytes' log (hope you don't mind that it's on Google Docs):
    http://docs.google.com/Doc?docid=0AYokFeBLl6deZGdxazdrcnpfOWQ3YmczZmhq&hl=en

    Here's the HiJackThis log:
    http://docs.google.com/Doc?docid=0AYokFeBLl6deZGdxazdrcnpfMTVoY2pteHhjaw&hl=en

    Here's the Avira log:
    http://docs.google.com/Doc?docid=0AYokFeBLl6deZGdxazdrcnpfMTZkazY3aG5kcQ&hl=en

    Here's one of the Avira's events exported:
    http://docs.google.com/Doc?docid=0AYokFeBLl6deZGdxazdrcnpfMThxc2tnMzVnMg&hl=en

    Took me over 2 hours to get this done.

    Let me know if the links don't work.

    Thank you in advance for your time guys.

    Arthur
     
  6. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    Update: Similar problem over here

    It seems as though this guy has been having the same 5 minute virus alert issue with Avira:

    http://forums.techguy.org/malware-r...google-redirecting-numerous-avira-trojan.html

    Although the case was never resolved it might help experienced users solve the riddle. I am definitely not giving up and reinstalling windows. What if it happens again or with someone else? ;)

    (Speaking of riddles, two guys walk into a bar. They both have 10 shots of tequila. The first one has 8 more than the other. How many shots did each of the guys have? Try asking this to people you know and demand a quick answer. They never get it right the first time :))
     
  7. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    Another update :)

    So this is how Avira describes it:

    Virus: TR/Downloader.Gen
    Date discovered: 23/01/2007
    Type: Trojan
    Subtype: Downloader
    In the wild: Yes
    Reported Infections: Low
    Distribution Potential: Low
    Damage Potential: Low
    Static file: No
    Engine version: 7.03.00.29

    I've just quarantined one of the alerts and uploaded it to Avira with the suspicion of false positive.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Actually I do mind. For instance, HijackThis makes a backup of its removals- doesn't do any good on Google. I also don't open .doc files.

    Additionally, if you want to add, remove or otherwise change your reply, please use the Edit function instead of a new reply.

    If you'd like to relocate the logs, I'll check them. For HijackThis:

    You are currently using HijackThis from a temporary directory, this can cause problems.
    HijackThis creates backups, these are needed in case of any recovery issues.
    Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

    STEPS For Creating Folder

    1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

    2. Download HijackThis to the new folder:

    3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

    4. Close ALL windows except HJT

    5. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')

    6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')
    Please make sure you post the entire log including the top portion:

    Don't make any changes or click on "Fix Checked" until we check the log- some of the files are legitimate and vital to the function of the computer.
     
  9. Polcsi

    Polcsi TS Rookie

    Hello!

    I am experiencing the exact same problem as you do, except that I am using Comodo Internet Security. I had this problem some weeks ago; it started spamming my Windows Temp folder with the exact same ****.temp folders with svchost.exe's inside them as you described, Comodo kept prompting me every 5 or less minutes, and I didn't find any help on the internet. And suddenly, one day, it stopped. No more temp folder spamming, no more Comodo prompting. I thought it was just a bad dream, but yesterday, it started _again_. Comodo keeps prompting me that it detected a Heur.Packed.Unknown virus or trojan or something. It is back, again.

    I've tested my computer with Comodo antivirus, Kaspersky Virus Removal Tool, cleaned my computer with Regcure, CCleaner, and they found nothing! Not a virus or trojan. Nothing helped me.

    I can't imagine what is doing this. Maybe something like an updater or a downloader or what? Maybe Google Toolbar (I had some problems with them before...)?

    And one more thing: I observed, that the prompting usually starts _after_ I start Firefox, at least it always did. Maybe it is just a coincidence, I really don't know.

    EDIT: Hi, I am back! It looks like that my problem is solved! On the Comodo forums someone suggested to me, that I may download this software:

    http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

    It checked my computer in a few minutes and it found a Rootkit in my Windows folder. I deleted it (need restart) and it seems that it solved my problem! Since restart (20 minutes ago) I didn't get any promptings, no Temp folder spamming with ****.temp folders with svchost.exe's.
    So I hope that this incredibly annoying problem is gone. Hope that it helps you too! Good luck with it, you will need it!
     
  10. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    :wave: Welcome to Techspot Polcsi and thank you for the reply! I'll certainly give that a try.

    Here is the HJT log. I did it just as you told me Bobbye:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:03:07, on 25.12.2009
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\StikyNot.exe
    C:\Program Files\Winamp\winamp.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Arthur\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')
    O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E26EEEBC-DF43-4AAB-AAED-A4D7E09FBBB8}: NameServer = 192.168.2.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

    --
    End of file - 4404 bytes
     
  11. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    Solved

    Alright so I did as Polcsi did. I installed Hitman Pro 3.5. The scan took about 20 seconds and it immediately located a certain virus located in C:\Windows\System32\Drivers called nvstor32.dll. I had this file deleted and not a single notification showed up since. I've been without an alert for over half an hour now.

    Thank you Polcsi for joining techspot to post the message. You're the man! Bobbye you're made of gold too :)

    I love Techspot!

    Arthur

    Update: Oh and by the way if your firewall is off (just like mine) in order to initiate the trial period for Hitman you have to first enable your Firewall, add an exception for Hitman Pro and then you'll be able to initiate the trial period.

    Thank you once again.
     
  12. Polcsi

    Polcsi TS Rookie

    You are welcome!

    I am glad it helped you too!
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Then you don't need me to point out the malware in the HijackThis log? Okay.

    Happy Holiday!
     
  14. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    Hahaha :D Bobbye aren't you a tease! Listen, if it wouldn't be much of a problem for you, please, could you point out the malware in the HTJ log? I'd love to see where that bastard was hiding.

    I would be VERY grateful to you Bobbye! ;)

    Merry Christmas and a Happy New Year to everyone! :)
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A reminder that this is a family site. Please watch your language.

    Please post a new HijackThis log.
     
  16. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    :eek: Sorry for that Bobbye. Here's the new log. Just wanted to say I didn't get a single alert for over a day now.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:04:58, on 27.12.2009
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\StikyNot.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Arthur\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')
    O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E26EEEBC-DF43-4AAB-AAED-A4D7E09FBBB8}: NameServer = 192.168.2.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

    --
    End of file - 4410 bytes
     
  17. end1snear

    end1snear TS Rookie

    I had the same problem but am using XP; the TFC didn't help but was useful anyway.
    The HitmanPro program really fixed it. I've been on for like 1 hour without the annoying message from my AV. Thanks a lot
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')


    The following entry, Zdroje informací translates to Sources of information. Is this your entry that you know is legitimate? If so, leave the entry. If not, check to have HJT remove.
    O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    Close all Windows except HijackThis and click on "Fix Checked."

    I spent some time trying to track down the files shown in the image of the folder. The most frequent hits I got were for Matt's Anti-Spam harvester script.

    Most of the sites related to the folders were foreign sites, none of which I translated.

    You might find this information helpful:
    How do spammers harvest email addresses ? http://www.private.org.il/harvest.html

    The following sections apply with my guess that #8 has been used: 5, 6, 7, 8, 13, 14, 15, 19> look up finger daemon on Google

    If your address was harvested and you get spammed, the suggestions on the site could assist you in tracking the spammer down.

    I don't know if this will work, but would like you to try it: I'm going to have you run Combofix afterwards to make sure all are removed. Sometimes it's good to try something a bit different.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Then go to Windows Explorer. Click on Tools> Folder Options> View tab> Check 'show hidden files and folders' and Uncheck 'hide system and protected files- Recommended> Apply> OK.

    Bring up the screen in image 2 showing the 10 tmp folders: highlight each folder, one at a time and do a right click delete or use Delete in File.

    This entry: O20 - AppInit_DLLs: C:\Windows\system32\"RDOLIB.DLL" is a System Back Door. You can try to shut it down while you have the hidden files showing and are in Windows Explorer:
    Navigate to the Local Drive (C)> Windows> click on + to expand System 32> look for rdolib.dll on the right screen> right click> Delete if found.

    Close Windows Explorer.
    Go back and hide the files and folders.
    Empty the Recycle Bin

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Attach Combofix report to next reply.

    Rescan with HJT and paste new logs into next reply.
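    The manual triage in the post above (the two [cbssreg] Run entries pointing at C:\Windows\TEMP\xvkq.tmp\svchost.exe, and the AppInit_DLLs entry for rdolib.dll) can be expressed as a small check over HijackThis log lines. The following is an added example, not code from the thread or from HijackThis: the rule set (autostarts from a temp directory, Windows system-binary names outside System32, any non-empty AppInit_DLLs value) and the Finding type are assumptions of this example, while the sample lines are copied from the logs posted earlier in the thread.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis logs posted earlier in this
# thread, so the check can run offline against the entries discussed above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# HJT "O4" registry autostart lines: <hive>\..\Run[Once]: [name] <command> (User 'x')
O4_RUN = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# HJT "O20" AppInit_DLLs line: Windows loads these DLLs into every process that loads user32.dll
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
# First image path in a command line, quoted or not (unquoted paths may contain spaces)
IMAGE_PATH = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd))(?:"|\s|$)', re.IGNORECASE)

TEMP_DIR_NAMES = {"temp", "tmp"}
# Names that belong in \Windows\System32; the same name anywhere else is a masquerade signal.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe"}


@dataclass
class Finding:
    line: str       # the HJT log line as written
    reasons: list   # why a reviewer should look at it


def path_components(path: str) -> list:
    """Split a Windows path into its non-empty components."""
    return [c for c in re.split(r"[\\/]+", path) if c]


def check_image(path: str) -> list:
    """Return the reasons an autostart image path deserves a closer look (empty if none)."""
    parts = path_components(path)
    if not parts:
        return []
    dirs = [p.lower() for p in parts[:-1]]
    name = parts[-1].lower()
    reasons = []
    # Anything launched from a temp directory, including *.tmp subfolders such as xvkq.tmp
    if any(d in TEMP_DIR_NAMES or d.endswith(".tmp") for d in dirs):
        reasons.append("runs from a temp directory")
    # A Windows system binary name whose parent directory is not \Windows\System32
    if name in SYSTEM_BINARIES and dirs[-2:] != ["windows", "system32"]:
        reasons.append(f"{name} outside \\Windows\\System32")
    return reasons


def triage(log_text: str) -> list:
    """Scan HijackThis log text and return the lines worth a reviewer's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RUN.match(line)
        if m:
            pm = IMAGE_PATH.match(m.group("cmd"))
            reasons = check_image(pm.group("path")) if pm else []
            if reasons:
                findings.append(Finding(line, reasons))
            continue
        m = O20_APPINIT.match(line)
        if m and m.group("value").strip():
            findings.append(Finding(line, [
                "AppInit_DLLs is set; the DLL is loaded into every process that loads user32.dll"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

    Run against the sample, it reports exactly the three lines Bobbye asked to have fixed or deleted and nothing from the legitimate Avira, Sidebar or CTFMON entries.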
     
  19. EnigmaCharisma

    EnigmaCharisma TS Rookie

    Hello there - Big Problem

    I'm having the same problems as these guys and have been having them since I had this computer for Christmas (My father built it from scratch) and the firewall wasn't set up, so I seem to have a trojan galloping around my computer (Like the pun?) Anyway, every 5 minutes I get a note from my AVG/Norton saying that there is a trojan in the SVChost file in my temporary folder, so I remove it and 5 minutes later, it comes up again. I've tried most things so help please! :)

    I'm very new to all this tech side of stuff (With 5 years of my old computer, I only got one virus which went away easy), so any help would be very much appreciated.

    Anyway, I downloaded HJT and here's my log....

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 23:01:55, on 28/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    E:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
    C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
    C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
    C:\Program Files\RegCure\regcure.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\User\Desktop\HitmanPro35.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Rainlendar2] E:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\Windows Live\Messenger\Windows Live Messenger.exe" /background
    O4 - HKCU\..\Run: [Center Agent] C:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261239083250
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 9263 bytes
     
  20. EnigmaCharisma

    EnigmaCharisma TS Rookie

    Just to add an update. Downloaded the hitman program listed earlier and that seems to have kicked it, but I'm still wondering if it'll come back because it did that before I believe. I'm also having the problem where my Google links keep getting redirected! As said earlier, any help would be greatly appreciated.
     
  21. Arthurik_jan

    Arthurik_jan TS Member Topic Starter Posts: 45

    :wave: Welcome to Techspot EnigmaCharisma! By the way, in order for Bobbye to be able to scan your HJT log effectively, you have to:
    1. download and install the HiJackThis into C:\HJT
    2. close every program you have running
    3. scan with HJT
    4. copy paste the generated log without touching anything in it into your post (edit your previous one)

    Bobbye I did as told. I'll go point by point:

    1. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')


    were removed, as told. O9 entry was left untouched as it is a legitimate entry by MS Office 2003. Upon googling refiebar.dll I get a description stating that refiebar.dll is a module which allows you to use the Microsoft Office Research Library and its collection of information services from Microsoft Internet Explorer.

    2. Read the whole article "How do spammers harvest email addresses?" and it was very educational. I am a very cautious user. I do not get more than 5-10 spams a day and I always read the subject before totally deleting them. I do not even open these messages at all. So I'm not going to track this spammer.

    3. rdolib.dll was not located in system32 after I'd done exactly what you told me in safe mode so I just checked the box and clicked on fix in HJT.

    4. I deleted the contents of the C:\Windows\Temp folder through safe mode as told.

    5. How is this ComboFix supposed to work? I downloaded it as Combo-Fix(.exe) just as told but is it supposed to look like Combo-Fix(.exe).exe or just Combo-Fix(.exe)? Here's what happens:

    a) I double click Combo-Fix(.exe).exe located on my desktop.
    b) A ComboFix process bar appears
    c) A warning screen appears, I confirm that I am aware of the risk I'm taking with this program (screenshot: http://img85.imageshack.us/img85/4039/003d.png)
    d) A folder appears in C:\ called 32788R22FWJFW with a whole bunch of files as if a program was installed there.

    - Am I doing something wrong here? (btw, Avira was off, Firewall was off, the internet connection was off and the network adapters were disabled during the above mentioned ComboFix procedure and I get the same thing in safe mode as well)

    Once again Bobbye I appreciate the effort. Thank you.

    Arthur
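A small detector for the kind of O4 entry Arthur removed above, written as an added example for this thread and not part of anyone's post or of HijackThis itself: it parses O4 lines (sample lines constructed from this thread's log) and reports autostarts that launch from a temp directory or that carry a core Windows binary's name outside System32/SysWOW64. The binary list and temp markers are my assumptions, not HijackThis rules.

```python
import re
from pathlib import PureWindowsPath

# Matches one HijackThis O4 line, e.g.
#   O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Assumed list of core Windows binaries that malware likes to name itself after;
# the genuine copies live only in System32 (or SysWOW64 on 64-bit Windows).
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")  # any path component named temp or tmp

def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                        # quoted path, args follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)  # unquoted: cut right after the first .exe
    return cmd[: m.end()] if m else cmd.split(" ")[0]

def flag_path(path: str) -> list:
    """Return the reasons an autostart target looks suspicious ([] when none)."""
    p = PureWindowsPath(path.lower())
    reasons = []
    if any(marker in f"{p.parent}\\" for marker in TEMP_MARKERS):
        reasons.append("autostart from a temp directory")
    if p.name in SYSTEM_BINARIES and str(p.parent) not in SYSTEM_DIRS:
        reasons.append(f"{p.name} outside System32/SysWOW64")
    return reasons

def scan_log(lines) -> list:
    """Return [(entry name, exe path, reasons)] for every O4 line that trips a check."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            path = exe_path(m.group("cmd"))
            reasons = flag_path(path)
            if reasons:
                hits.append((m.group("name"), path, reasons))
    return hits

# Constructed sample: the SYSTEM-hive entry quoted in the thread plus benign lines from the same log.
SAMPLE_LOG = [
    r"O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
    r'O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\Windows Live\Messenger\Windows Live Messenger.exe" /background',
    r'O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000',
]

if __name__ == "__main__":
    for name, path, reasons in scan_log(SAMPLE_LOG):
        print(f"[{name}] {path}: {'; '.join(reasons)}")
```

Feed it a full HijackThis log (one line per list entry) and only the O4 lines are inspected; everything else is ignored.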
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    EnigmaCharisma: Please start a separate thread for your problem. While you may have "the same problem", getting redirected when using the Google search, the cause may be different. You are also running the wrong version of HijackThis. Use the links in the removal thread. Suggest you re-title to Subject: Trojan in the SVChost file

    end1snear Please start your own thread following the steps in the link below.

    While some of the same programs may be used, they are on instruction of and guidance of the helper. Hitman is NOT in our preliminary removal instructions and we ask that you follow the steps in the Preliminary Virus and Malware Removal first.

    Leave all three logs for review.
    ---------------------------------------------------------------

    This thread is for the use of member Arthurik_jan only. If you have a malware problem, please follow the steps in the Preliminary Virus and Malware Removal thread first.

    Start as new thread to post your problem and attach your logs.
     