TR/Downloader.Gen Trojan - svchost.exe in the C:\Windows\Temp


Arthurik_jan

Hi guys!

This is a peculiar problem that I'm having. Exactly every 5 minutes I get two warnings from Avira Antivir that say the following:
http://img696.imageshack.us/img696/8982/001i.png

This is how that folder looks like:
http://img199.imageshack.us/img199/2508/002ep.png

According to Avira there was a virus that was apparently hiding under the svchost.exe name in every one of these folders.

- Malwarebytes' Anti-Malware shows that the system is clean.
- Avira complete scan shows the system is clean.
- Spybot shows the system is clean.
- Windows and all of the malware scanners are up to date.
- I cleaned the temp folders with CCleaner a few times already, did a complete scan, waited a few minutes and BAM the warning appeared again.

What should I do?

I have Windows 7, 6.1 build 7600, with all of the updates.
I also have the latest software with up-to-date databases:
- Avira Anti-Vir Personal
- Malwarebytes' Anti-Malware
- Spybot Search & Destroy
I use Firefox 3.5.6 for surfing

Thanks for all the advice in advance,

Arthur
 

Suggest trying this first since it refers to a file in the temp files:

TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
 
Alright, so here's the report. Bobbye, I ran TFC and it cleaned 1GB worth of information from my computer (also erasing all of the pinned folders from the Windows Explorer taskbar shortcut, which doesn't upset me, no worries ;)) and the problem persists. Every 5 minutes I get a virus detected message. Is it possible that Avira is just freaking out?

Anyway here is the Malwarebytes' log (hope you don't mind that it's on Google Docs):
http://docs.google.com/Doc?docid=0AYokFeBLl6deZGdxazdrcnpfOWQ3YmczZmhq&hl=en

Here's the HiJackThis log:
http://docs.google.com/Doc?docid=0AYokFeBLl6deZGdxazdrcnpfMTVoY2pteHhjaw&hl=en

Here's the Avira log:
http://docs.google.com/Doc?docid=0AYokFeBLl6deZGdxazdrcnpfMTZkazY3aG5kcQ&hl=en

Here's one of the Avira's events exported:
http://docs.google.com/Doc?docid=0AYokFeBLl6deZGdxazdrcnpfMThxc2tnMzVnMg&hl=en

Took me over 2 hours to get this done.

Let me know if the links don't work.

Thank you in advance for your time guys.

Arthur
 
Update: Similar problem over here

It seems as though this guy has been having the same 5 minute virus alert issue with Avira:

http://forums.techguy.org/malware-r...google-redirecting-numerous-avira-trojan.html

Although the case was never resolved it might help experienced users solve the riddle. I am definitely not giving up and reinstalling windows. What if it happens again or with someone else? ;)

(Speaking of riddles, two guys walk into a bar. They both have 10 shots of tequila. The first one has 8 more than the other. How many shots did each of the guys have? Try asking this to people you know and demand a quick answer. They never get it right the first time :))
 
Another update :)

So this is how Avira describes it:

Virus: TR/Downloader.Gen
Date discovered: 23/01/2007
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
Engine version: 7.03.00.29

I've just quarantined one of the alerts and uploaded it to Avira with the suspicion of false positive.
 
(hope you don't mind that it's on Google Docs)

Actually I do mind. For instance, HijackThis makes a backup of its removals, which doesn't do any good on Google. I also don't open .doc files.

Additionally, if you want to add, remove or otherwise change your reply, please use the Edit function instead of a new reply.

If you'd like to relocate the logs, I'll check them. For HijackThis:

You are currently using HijackThis from a temporary directory, this can cause problems.
HijackThis creates backups, these are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder

  1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.
  2. Download HijackThis to the new folder:
  3. Double click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.
  4. Close ALL windows except HJT.
  5. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')
  6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste').
Please make sure you post the entire log including the top portion:

Don't make any changes or click on "Fix Checked" until we check the log- some of the files are legitimate and vital to the function of the computer.
 
Hello!

I am experiencing the exact same problem as you do, except that I am using Comodo Internet Security. I had this problem some weeks ago; it started spamming my Windows Temp folder with the exact same ****.temp folders with svchost.exe's inside them as you described, Comodo kept prompting me every 5 or fewer minutes, and I didn't find any help on the internet. And suddenly, one day, it stopped. No more temp folder spamming, no more Comodo prompting. I thought it was just a bad dream, but yesterday, it started _again_. Comodo keeps prompting me that it detected a Heur.Packed.Unknown virus or trojan or something. It is back, again.

I've tested my computer with Comodo antivirus, Kaspersky Virus Removal Tool, cleaned my computer with Regcure, CCleaner, and they found nothing! Not a virus or trojan. Nothing helped me.

I can't imagine what is doing this. Maybe something like an updater or a downloader, or what? Maybe Google Toolbar (I had some problems with them before...)?

And one more thing: I observed that the prompting usually starts _after_ I start Firefox, at least it always did. Maybe it is just a coincidence, I really don't know.

EDIT: Hi, I am back! It looks like my problem is solved! On the Comodo forums someone suggested to me that I download this software:

http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

It checked my computer in a few minutes and it found a Rootkit in my Windows folder. I deleted it (need restart) and it seems that it solved my problem! Since restart (20 minutes ago) I didn't get any promptings, no Temp folder spamming with ****.temp folders with svchost.exe's.
So I hope that this incredibly annoying problem is gone. Hope that it helps you too! Good luck with it, you will need it!
 
:wave: Welcome to Techspot Polcsi and thank you for the reply! I'll certainly give that a try.

Here is the HJT log. I did it just as you told me Bobbye:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:03:07, on 25.12.2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Winamp\winamp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Arthur\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E26EEEBC-DF43-4AAB-AAED-A4D7E09FBBB8}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 4404 bytes
 
Solved

Alright so I did as Polcsi did. I installed Hitman Pro 3.5. The scan took about 20 seconds and it immediately located a certain virus located in C:\Windows\System32\Drivers called nvstor32.dll. I had this file deleted and not a single notification showed up since. I've been without an alert for over half an hour now.

Thank you Polcsi for joining techspot to post the message. You're the man! Bobbye you're made of gold too :)

I love Techspot!

Arthur

Update: Oh and by the way if your firewall is off (just like mine) in order to initiate the trial period for Hitman you have to first enable your Firewall, add an exception for Hitman Pro and then you'll be able to initiate the trial period.

Thank you once again.
 
Then you don't need me to point out the malware in the HijackThis log? Okay.

Happy Holiday!
 
Hahaha :D Bobbye, aren't you a tease! Listen, if it wouldn't be much of a problem for you, please, could you point out the malware in the HJT log? I'd love to see where that bastard was hiding.

I would be VERY grateful to you Bobbye! ;)

Merry Christmas and a Happy New Year to everyone! :)
 
A reminder that this is a family site. Please watch your language.

Please post a new HijackThis log.
 
:eek: Sorry for that Bobbye. Here's the new log. Just wanted to say I didn't get a single alert for over a day now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:58, on 27.12.2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\SearchFilterHost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Arthur\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E26EEEBC-DF43-4AAB-AAED-A4D7E09FBBB8}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 4410 bytes
 
I had the same problem but am using XP. The TFC didn't help but was useful anyway.
The HitmanPro program really fixed it; I've been on for like 1 hour without the annoying message from my AV. Thanks a lot.
 
Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')


The following entry, Zdroje informací translates to Sources of information. Is this your entry that you know is legitimate? If so, leave the entry. If not, check to have HJT remove.
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

Close all Windows except HijackThis and click on "Fix Checked."

I spent some time trying to track down the files shown in the image of the folder. The most frequent hits I got were for Matt's Anti-Spam harvester script.

Most of the sites related to the folders were foreign sites, none of which I translated.

You might find this information helpful:
How do spammers harvest email addresses ? http://www.private.org.il/harvest.html

The following sections apply with my guess that #8 has been used: 5, 6, 7, 8, 13, 14, 15, 19 > look up finger daemon on Google

If your address was harvested and you get spammed, the suggestions on the site could assist you in tracking the spammer down.

I don't know if this will work, but would like you to try it. I'm going to have you run Combofix afterwards to make sure all are removed. Sometimes it's good to try something a bit different.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Then go to Windows Explorer. Click on Tools> Folder Options> View tab> Check 'show hidden files and folders' and Uncheck 'hide system and protected files- Recommended> Apply> OK.

Bring up the screen in image 2 showing the 10 tmp folders: highlight each folder, one at a time and do a right click delete or use Delete in File.

This entry: O20 - AppInit_DLLs: C:\Windows\system32\"RDOLIB.DLL" is a System Back Door. You can try to shut it down while you have the hidden files showing and are in Windows Explorer:
Navigate to the Local Drive (C)> Windows> click on + to expand System32> look for rdolib.dll on the right screen> right click> Delete if found.

Close Windows Explorer.
Go back and hide the files and folders.
Empty the Recycle Bin

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attach Combofix report to next reply.

Rescan with HJT and paste new logs into next reply.
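As an added illustration of what the HijackThis triage above is looking for (this is not code from the thread, from HijackThis, or from any tool named here), the script below flags O4 autorun entries that launch a Windows system-binary name from a temp folder and any O20 AppInit_DLLs entry, then reports which flagged entries still appear in a later log. The sample log lines are constructed after the ones posted in this thread.

```python
"""Triage HijackThis-style log lines for the persistence pattern seen in this thread:
O4 Run entries launching svchost.exe from C:\\Windows\\TEMP and an O20 AppInit_DLLs entry.
Constructed example; not the page's own tooling."""
import re
from dataclasses import dataclass

# O4 line shape: O4 - HKUS\S-1-5-18\..\Run: [name] C:\path\prog.exe args (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O20 line shape: O20 - AppInit_DLLs: C:\Windows\system32\some.dll
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")          # a real svchost.exe never lives here
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}  # where those names belong


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def executable(cmd: str) -> str:
    """Return the program path from an O4 command string, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|scr|bat|cmd|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(lines):
    """Return one Finding per suspicious O4 / O20 line, with all reasons joined."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable(m.group("cmd")).lower()
            folder, _, base = exe.rpartition("\\")
            reasons = []
            if any(t in exe for t in TEMP_MARKERS):
                reasons.append("autorun launches a binary from a temp directory")
            if base in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
                reasons.append(f"{base} is a Windows system binary name but runs from {folder or '(no path)'}")
            if reasons and m.group("hive").startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
                reasons.append("entry sits in the SYSTEM/.DEFAULT hive, not a logged-on user's")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons)))
            continue
        m = O20_RE.match(line)
        if m:
            # Any AppInit_DLLs value is loaded into every process that links user32.dll,
            # so an unknown DLL here always deserves publisher/hash verification.
            findings.append(Finding(line, f"AppInit_DLLs loads {m.group('dlls').strip()} into every user32 process; verify it"))
    return findings


def still_present(before_findings, after_lines):
    """Flagged entries from an earlier log that a later log still contains."""
    after = {l.strip() for l in after_lines}
    return [f for f in before_findings if f.line in after]


# Constructed sample logs modelled on the thread's HijackThis output.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')
O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
""".strip().splitlines()

# After "Fix Checked" on the two O4 lines only: the AppInit_DLLs entry is still there.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
""".strip().splitlines()

if __name__ == "__main__":
    before = triage(LOG_BEFORE)
    for f in before:
        print(f"FLAG: {f.line}\n      {f.reason}")
    for f in still_present(before, LOG_AFTER):
        print(f"STILL PRESENT after fix: {f.line}")
```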
 
Hello there - Big Problem

I'm having the same problems as these guys and have been having them since I got this computer for Christmas (my father built it from scratch) and the firewall wasn't set up, so I seem to have a trojan galloping around my computer (like the pun?). Anyway, every 5 minutes I get a note from my AVG/Norton saying that there is a trojan in the SVChost file in my temporary folder, so I remove it and 5 minutes later it comes up again. I've tried most things, so help please! :)

I'm very new to all this tech side of stuff (With 5 years of my old computer, I only got one virus which went away easy), so any help would be very much appreciated.

Anyway, I downloaded HJT and here's my log....

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 23:01:55, on 28/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
C:\Program Files\RegCure\regcure.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\User\Desktop\HitmanPro35.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Rainlendar2] E:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\Windows Live\Messenger\Windows Live Messenger.exe" /background
O4 - HKCU\..\Run: [Center Agent] C:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261239083250
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9263 bytes
 
Just to add an update. Downloaded the hitman program listed earlier and that seems to have kicked it, but I'm still wondering if it'll come back because it did that before I believe. I'm also having the problem where my Google links keep getting redirected! As said earlier, any help would be greatly appreciated.
 
:wave: Welcome to Techspot EnigmaCharisma! By the way, in order for Bobbye to be able to scan your HJT log effectively, you have to:
1. download and install the HiJackThis into C:\HJT
2. close every program you have running
3. scan with HJT
4. copy paste the generated log without touching anything in it into your post (edit your previous one)

Bobbye I did as told. I'll go point by point:

1. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')


were removed, as told. The O9 entry was left untouched as it is a legitimate entry by MS Office 2003. Upon googling refiebar.dll I get a description stating that refiebar.dll is a module which allows you to use the Microsoft Office Research Library and its collection of information services from Microsoft Internet Explorer.

2. Read the whole article "How do spammers harvest email addresses?" and it was very educational. I am a very cautious user. I do not get more than 5-10 spams a day and I always read the subject before totally deleting them. I do not even open these messages at all. So I'm not going to track this spammer.

3. rdolib.dll was not located in system32 after I'd done exactly what you told me in safe mode so I just checked the box and clicked on fix in HJT.

4. I deleted the contents of the C:\Windows\Temp folder through safe mode as told.

5. How is this ComboFix supposed to work? I downloaded it as Combo-Fix(.exe) just as told but is it supposed to look like Combo-Fix(.exe).exe or just Combo-Fix(.exe)? Here's what happens:

a) I double click Combo-Fix(.exe).exe located on my desktop.
b) A ComboFix process bar appears
c) A warning screen appears, I confirm that I am aware of the risk I'm taking with this program (screenshot: http://img85.imageshack.us/img85/4039/003d.png)
d) A folder appears in C:\ called 32788R22FWJFW with a whole bunch of files, as if a program was installed there.

- Am I doing something wrong here? (btw, Avira was off, Firewall was off, the internet connection was off and the network adapters were disabled during the above mentioned ComboFix procedure and I get the same thing in safe mode as well)

Once again Bobbye I appreciate the effort. Thank you.

Arthur
 
EnigmaCharisma: Please start a separate thread for your problem. While you may have "the same problem"> getting redirected when using the Google search, the cause may be different. You are also running the wrong version of HijackThis. Use the links in the removal thread. Suggest you re-title to Subject: Trojan in the SVChost file

end1snear: Please start your own thread following the steps in the link below.

While some of the same programs may be used, they are on instruction of and guidance of the helper. Hitman is NOT in our preliminary removal instructions and we ask that you follow the steps in the Preliminary Virus and Malware Removal first.

Leave all three logs for review.
---------------------------------------------------------------

This thread is for the use of member Arthurik_jan only. If you have a malware problem, please follow the steps in the Preliminary Virus and Malware Removal thread first.

Start a new thread to post your problem and attach your logs.
 