TechSpot

Update.exe, AVG, and Downloader.Generic6.AEPH

By freemont
Feb 22, 2008
  1. Hello all. The bug in the subject is refusing to go away without a fight. It reappears with every reboot. After the machine's up, as soon as I start IE7, AVG notifies of a threat detected.

    Have turned off System Restore and emptied the Recycle Bin. Have deleted all history from IE7. Spybot removed over 800 nasty adware bugs. AVG removed about 20 trojan-infected files. It was a hosed-up machine. It runs much, much better now. But this one bug remains.

    I'll attach the HJT log. If someone smarter than I could have a look and suggest something I would be grateful.

    Note: Two minutes after I posted this, I was looking at the log file and I answered my own question. :)

    The relevant line is:

    C:\WINDOWS\?dobe\w?crtupd.exe

    That's how it reads in the log, but the actual directory is C:\WINDOWS\Adobe, which contained the exe mentioned.

    Deleted the directory, emptied Recycle Bin, rebooted, and all is well.

    Maybe this will help someone.

    freemont
     

    Attached Files:

  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. freemont

    freemont TS Rookie Topic Starter Posts: 20

    Thank you. As I note above, with fresh eyes this morning the ?dobe directory stuck out like a sore thumb.

    Indeed C:\Program Files\RcvSystem\httpdchk.dll looked fishy as well, so I got rid of it too.

    freemont
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You may want to print this, or save it in Notepad on your desktop, as you won't be able to access it once in Safe Mode.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Go to Start -> Add/Remove Programs -> highlight and remove all references to Viewpoint
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Run Hijackthis and select Do a System Scan only then put a checkmark next to the following entries and select Fix Checked:
    • O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
    • O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
    • O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    • O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
    • O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    • O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
    • O20 - Winlogon Notify: __c00CC469 - C:\WINDOWS\system32\__c00CC469.dat (file missing)
    • O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Use Windows Explorer to navigate to and delete the following files or folders:
    • Access Windows Explorer by clicking Start, pointing to All Programs, Accessories, and then clicking Windows Explorer. Or hold the Windows key and press E.

    Files:
    C:\WINDOWS\?dobe\w?crtupd.exe <-This file only

    Folders:
    C:\Program Files\RcvSystem<--and delete this folder
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder

    Reboot into normal mode and post a fresh log please.

    You may also want to run Housecall just to be sure
    Trend Micro Housecall Free Online Scanner

    • It's one of the very few online scanners that will actually disinfect viruses etc.
    • First Open Internet Explorer
    • Go to Trend Micro's Housecall website which can be found HERE
    • Click on the link that says "Scan now. It's Free"
    • A new tab will open where you will have to tick a box to agree to the terms of service.
    • Click "Launch House Call"
    • Follow any additional on screen instructions
    • Select any infections then Fix Checked after the scan
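    The thread's two lessons, a directory whose name only looks like "Adobe" (HJT prints the odd character as "?") and BHO/toolbar entries whose files are already gone, can both be checked mechanically. The script below is an added example, not code from this thread or from HijackThis: it parses HJT-style log lines, flags any path containing non-ASCII characters, flags directory segments that imitate a known vendor folder at those positions, and flags entries marked "(file missing)" or "(no file)". The sample log is constructed from the entries quoted above; the O4 line and the KNOWN_DIRS list are assumptions, and the Cyrillic "а" stands in for whatever character HJT rendered as "?".

```python
"""Audit HijackThis-style log lines for lookalike directories and dangling entries."""
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample log, modelled on the entries quoted in this thread. The O4 line is
# an assumption (the thread shows only the path, not its HJT section). The "?" that HJT
# printed in the Adobe path is stood in for by a real lookalike, Cyrillic "а" (U+0430).
SAMPLE_LOG = """\
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\\Program Files\\ISM\\BndDrive7.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [wcrtupd] C:\\WINDOWS\\\u0430dobe\\w\u0430crtupd.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\\Program Files\\RcvSystem\\httpdchk.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
# Drive letter, then the shortest run of text ending in a binary extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|dat|sys|ocx)\b", re.IGNORECASE)
DANGLING_MARKERS = ("(file missing)", "(no file)")
# Folder names a lookalike directory would try to imitate (assumed list; extend as needed).
KNOWN_DIRS = ("Adobe", "Microsoft", "Windows", "System32", "Program Files")


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O2"
    reason: str    # "dangling_entry", "non_ascii_path" or "lookalike_dir"
    detail: str


def odd_chars(path):
    """Characters outside printable ASCII; HJT shows these as '?' in its log."""
    return [(c, f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}")
            for c in path if not 32 <= ord(c) <= 126]


def looks_like(segment, name):
    """True if segment equals name except at non-ASCII positions ('?dobe' vs 'Adobe')."""
    if len(segment) != len(name):
        return False
    mixed = False
    for s, n in zip(segment, name):
        if ord(s) > 126:
            mixed = True            # a character HJT would have printed as '?'
        elif s.lower() != n.lower():
            return False
    return mixed                    # a plain, correctly spelled name is not a lookalike


def audit_log(text):
    """Return one Finding per suspicious property of each HJT entry, in log order."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if any(marker in body for marker in DANGLING_MARKERS):
            findings.append(Finding(section, "dangling_entry", body))
        for path in PATH_RE.findall(body):
            chars = odd_chars(path)
            if chars:
                findings.append(Finding(section, "non_ascii_path", f"{path}: {chars}"))
            for seg in path.split("\\")[1:]:
                for name in KNOWN_DIRS:
                    if looks_like(seg, name):
                        findings.append(Finding(section, "lookalike_dir",
                                                f"{seg!r} imitates {name!r}"))
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:15} {f.detail}")
```

Run it against a real log by replacing SAMPLE_LOG with the file's contents; a "lookalike_dir" or "non_ascii_path" hit is the pattern freemont spotted by eye, and "dangling_entry" hits are the stale O2/O3 items Blind Dragon had fixed.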
     
  5. freemont

    freemont TS Rookie Topic Starter Posts: 20

    Thank you, sir. Worked a treat. :)
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good deal. Let us know if you have any more problems
     
  7. gadge

    gadge TS Rookie

    Help also please

    I too have the above trojan; I have to heal the file with AVG at every restart. I have looked but cannot find the c\windows?dobe file. Any help would be greatly appreciated.
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi gadge,

    Can you please start your own thread, as this one was for the specific use of Freemont. You can make it from here -> http://www.techspot.com/vb/menu28.html

    You may have the same trojan, but that doesn't mean you have the same files, infections etc.

    In your thread, please include a HijackThis log.
    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically; select Scan now and save a log
    • After the scan is complete, please attach your log onto the forums using the paper clip icon above your reply.
      ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than those specified in the directions, including AnalyzeThis!***
     