Update.exe, AVG, and Downloader.Generic6.AEPH

freemont

Hello all. The bug in the subject is refusing to go away without a fight. It reappears with every reboot. After the machine's up, as soon as I start IE7, AVG notifies me of a threat detected.

Have turned off System Restore and emptied the Recycle Bin. Have deleted all history from IE7. Spybot removed over 800 nasty adware bugs. AVG removed about 20 trojan-infected files. It was a hosed-up machine. It runs much, much better now. But this one bug remains.

I'll attach the HJT log. If someone smarter than I could have a look and suggest something I would be grateful.

Note: Two minutes after I posted this, I was looking at the log file and I answered my own question. :)

The relevant line is:

C:\WINDOWS\?dobe\w?crtupd.exe

That's how it reads in the log, but the actual directory is C:\WINDOWS\Adobe, which contained the exe mentioned.

Deleted the directory, emptied Recycle Bin, rebooted, and all is well.

Maybe this will help someone.

freemont
 

Attachment: hijackthis.txt (6.9 KB)
Thank you. As I note above, with fresh eyes this morning the ?dobe directory stuck out like a sore thumb.

Indeed C:\Program Files\RcvSystem\httpdchk.dll looked fishy as well, so I got rid of it too.

freemont
 
You may want to print this, or save it in a Notepad file on your desktop, as you won't be able to access it once in Safe Mode.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Go to Start -> Add/Remove Programs -> highlight and remove all references to Viewpoint
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Run Hijackthis and select Do a System Scan only then put a checkmark next to the following entries and select Fix Checked:
  • O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
  • O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
  • O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
  • O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
  • O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
  • O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
  • O20 - Winlogon Notify: __c00CC469 - C:\WINDOWS\system32\__c00CC469.dat (file missing)
  • O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

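The entries above illustrate what a reviewer looks for in a HijackThis log: references whose file is already gone ("file missing" / "no file"), sections that are almost never populated on a clean machine (O18 filter hijacks, O20 Winlogon Notify), and, as freemont found, a path whose folder name cannot be a real Windows name. A "?" in a logged path is itself a tell, since "?" is not a legal filename character; it is how the log renders a character it could not encode. The script below is an added example, not part of this thread or of HijackThis; it triages constructed sample lines modelled on the ones quoted here (the O4 Run lines and the Cyrillic-A "Adobe" variant are invented for the demonstration, and the one-character-substitution heuristic is this example's own assumption).

```python
import re

# Constructed sample, modelled on the kinds of HijackThis lines quoted in this thread.
# The O4 lines and the Cyrillic "Аdobe" variant are invented for the demonstration.
SAMPLE_LOG = r"""
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [crtupd] C:\WINDOWS\?dobe\w?crtupd.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: __c00CC469 - C:\WINDOWS\system32\__c00CC469.dat (file missing)
O4 - HKLM\..\Run: [upd] C:\WINDOWS\Аdobe\wcrtupd.exe
O4 - HKLM\..\Run: [Reader] C:\Program Files\Adobe\Reader\AcroRd32.exe
"""

# Folder names that malware commonly imitates (assumed list for this example).
KNOWN_FOLDERS = ("adobe", "windows", "system32", "microsoft", "program files")
# HJT sections that are rarely legitimate and always deserve a look.
HIGH_RISK_SECTIONS = {"O18": "filter hijack", "O20": "Winlogon Notify"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in a binary extension; good enough for HJT-style lines.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|dat|sys|ocx))", re.IGNORECASE)


def lookalike_of(component):
    """Return the well-known folder name that `component` imitates by swapping
    exactly one character for '?' or a non-ASCII character, else None."""
    comp = component.lower()
    for known in KNOWN_FOLDERS:
        if len(known) != len(comp) or known == comp:
            continue
        diffs = [(a, b) for a, b in zip(known, comp) if a != b]
        if len(diffs) == 1 and (diffs[0][1] == "?" or ord(diffs[0][1]) > 127):
            return known
    return None


def triage_line(line):
    """Parse one HJT line and return its section, path and a list of findings
    (empty list when nothing stands out). Returns None for non-HJT lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    reasons = []
    if "(file missing)" in rest or "(no file)" in rest:
        reasons.append("orphaned entry: referenced file is gone")
    if section in HIGH_RISK_SECTIONS:
        reasons.append(f"{HIGH_RISK_SECTIONS[section]} entry: rarely legitimate, review the module")
    pm = PATH_RE.search(rest)
    path = pm.group(1) if pm else None
    if path:
        # Skip the drive component, inspect every folder and the file name.
        for comp in path.split("\\")[1:]:
            if "?" in comp or any(ord(c) > 127 for c in comp):
                reasons.append(f"unrepresentable or non-ASCII character in '{comp}' "
                               "('?' cannot occur in a real Windows name)")
            known = lookalike_of(comp)
            if known:
                reasons.append(f"'{comp}' looks like '{known}' with one character swapped")
    return {"section": section, "path": path, "reasons": reasons}


def triage_log(text):
    """Return only the parsed lines that produced at least one finding."""
    findings = []
    for line in text.splitlines():
        result = triage_line(line)
        if result and result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["section"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

Run as-is, it prints six flagged lines and leaves the genuine Adobe Reader entry alone. The heuristics are deliberately narrow: a folder that matches a known name except for one unencodable or non-ASCII character is the pattern this thread describes, and the script does not try to judge entries such as the Viewpoint service, which a human reviewer still has to recognise by name.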
Use Windows Explorer to navigate to and delete the following files or folders:
  • Access Windows Explorer by clicking Start, pointing to All Programs, Accessories, and then clicking Windows Explorer. Or hold the Windows key and press E.

Files:
C:\WINDOWS\?dobe\w?crtupd.exe <-This file only

Folders:
C:\Program Files\RcvSystem<--and delete this folder
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Reboot into normal mode and post a fresh log please.

You may also want to run Housecall just to be sure
Trend Micro Housecall Free Online Scanner

  • It's one of the very few online scanners that will actually disinfect viruses etc.
  • First Open Internet Explorer
  • Go to Trend Micro's Housecall website which can be found HERE
  • Click on the link that says "Scan now. It's Free"
  • A new tab will open where you will have to tick a box to agree to the terms of service.
  • Click "Launch House Call"
  • Follow any additional on screen instructions
  • Select any infections then Fix Checked after the scan
 
help also please

I too have the above trojan; I have to heal the file with AVG at every restart. I have looked but cannot find the c\windows?dobe file. Any help would be greatly appreciated.
 
Hi gadge,

Can you please start your own thread as this one was for the specific use of Freemont. You can make it from here-> https://www.techspot.com/vb/menu28.html

You may have the same trojan, but that doesn't mean you have the same files, infections etc.

In your thread please include a HijackThis log.
HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
  • Run the HijackThis installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically; select Scan now and save a log
  • After the scan is complete please attach your log to the forums using the paper clip icon above your reply.
    ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than those specified in the directions, including AnalyzeThis!***
 