Help how do I get rid of this "Viruscan"

Daff_Duck · 13 Sep 2006 at 11:08

Son managed to download this programe to his hard drive "viruscan" however after removing it from add remove programes and running a full anti trojan and malaware sweep of my hard drive there is still an icon in the taskbar saying that there is a critical windows issue!

This is not the case but after looking in Msconfig I cannot find any entry that looks like this programe does anyone know how to get rid of this blighter ?

Your help would be apprecaited

daven1986 · 13 Sep 2006 at 11:33

delete all files related to it from program files. there is probably something hiding in the windows directory too. tbh just format and reinstall and kick your son out of the house

VeNT · 13 Sep 2006 at 11:34

whats it called, check google for instructions on how to remove things like this.
it sounds like a winfixer clone.

Brian Stuart · 13 Sep 2006 at 12:09

A client of mine had something like this last week.
I got rid of it with a combination of disabling system restore, running ewido and the AOL free antivirus
Brian

PsiFox · 13 Sep 2006 at 12:34

You may need to edit the registry.

The_KiD · 13 Sep 2006 at 12:45

grab a copy HiJackThis from www.merijn.org, choose a site from the list on the left of this site http://asap.maddoktor2.com/ and explain to the people of that site your problem and include the log generated by HiJackThis.

They will give you expert steps for removing your malware.

bledd · 13 Sep 2006 at 17:06

paste the log in here
http://hijackthis.de/

Daff_Duck · 14 Sep 2006 at 00:26

This is the log from HJT anyone got any ideas as to what is causing the problem

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\K-Lite Codec Pack\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\K-Lite Codec Pack\Real\Update_OB\rnathchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F06741E-8982-4013-A34B-8FD2A2136EA4}: NameServer = 192.168.1.1
O21 - SSODL: considerateness - {4d993022-0899-4599-b4b6-0f887d0802e6} - C:\WINDOWS\system32\oqabf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

fini · 14 Sep 2006 at 00:40

EDIT: Presuming you don't, to your knowledge, have trojan hunter and imtranslator installed on your computer:

Go into safe mode and get it to fix these:

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)

O21 - SSODL: considerateness - {4d993022-0899-4599-b4b6-0f887d0802e6} - C:\WINDOWS\system32\oqabf.dll

At the same time, in safe mode, run ewido (time limited demo available off their site), and smitfraudfix (just in case).

fini

Steve09 · 14 Sep 2006 at 00:41

This is exactly why I am going to get my kids when I am older a PC for £200 odd

So if they mess that up, it wont matter

benjo plz. · 14 Sep 2006 at 00:44

All except "oqabf.dll" seem legit. How about SFC?

fini · 14 Sep 2006 at 00:46

stevechapman said:
This is exactly why I am going to get my kids when I am older a PC for £200 odd

So if they mess that up, it wont matter

Not that I have kids, but I'd imagine dual-boot would be the best option - if they muck up their partition that's their fault - and you could store a norton ghost backup on your partition and then just wipe straight over whatever mess they've managed to get themselves into.

Also, run as a limited account - there's no reason to run day to day with admin privileges, it just makes it easier for things to muck up your computer.

fini

Daff_Duck · 14 Sep 2006 at 11:15

fini said:
EDIT: Presuming you don't, to your knowledge, have trojan hunter and imtranslator installed on your computer:

Go into safe mode and get it to fix these:

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)

O21 - SSODL: considerateness - {4d993022-0899-4599-b4b6-0f887d0802e6} - C:\WINDOWS\system32\oqabf.dll

At the same time, in safe mode, run ewido (time limited demo available off their site), and smitfraudfix (just in case).

fini

Thanks to everyone who helped but as above the proggy ewido found the little blighter hiding in my system 32 directory

Once again thank you I have set up a limited account on his pc and installed the above proggy just in case

VeNT · 14 Sep 2006 at 11:20

fini said:
Also, run as a limited account - there's no reason to run day to day with admin privileges, it just makes it easier for things to muck up your computer.

fini

Wise man say, " He who plays with root, kills tree."

bledd · 14 Sep 2006 at 14:22

bledd. said:
paste the log in here
http://hijackthis.de/

i meant to post the log in that link

The_KiD · 14 Sep 2006 at 15:54

The_KiD said:
grab a copy HiJackThis from www.merijn.org, choose a site from the list on the left of this site http://asap.maddoktor2.com/ and explain to the people of that site your problem and include the log generated by HiJackThis.

They will give you expert steps for removing your malware.

Am quoting myself because you dont seem to have read it, I know it can be pain registering and posting a log on a new site, however the member sites of ASAP are all malware experts have undergone rigorous training on HiJackThis log file analysis.

HiJackThis.de is great as a reference, but it should not be used exclusively as it does not know every program there is and will sometimes ask you to fix entries that do not need fixing.