Computer Security & Viruses/Setup_bs.exe

Advertisement

Expert: - 5/25/2009


Question
Could someone please help with this problem. I am getting constant messages from AVG about a trojan,
Trojan horse Downloader.Generic_r.EA;"shefo2.fileave.com/setup_bs.exe";"";"5/25/2009, 6:18:06 PM";"file";"C:WindowsSystem32svchost.exe"
but it is unable to resolve the issue. I am running vista business, it is associated with the 'BITS' service and when I disable the service the problem goes away. But how can i clean this from my system. I have tried the solutions posted in previous messages but to no availe. I downloaded and ran malware program, in safe mode, and turned of AVG while I did it. It fouind no issues
Hijack this
Logfile of HijackThis v1.99.1
Scan saved at 6:37:00 PM, on 5/25/2009
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)

Running processes:
C:Program FilesBioscryptVeriSoftBinAsGHost.exe
C:Windowssystem32   askeng.exe
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:Program FilesWindows DefenderMSASCui.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAANOTIF.EXE
C:Windowssnuvcdsm.exe
C:Program FilesHewlett-PackardHP Quick Launch ButtonsQLBCTRL.exe
C:Program FilesHPHP Software UpdatehpwuSchd2.exe
C:Program FilesHewlett-PackardHP Wireless AssistantHPWAMain.exe
C:Program FilesJavajre6injusched.exe
C:Program FilesLogitechSetPointLBTWiz.exe
C:Program FilesAVGAVG8avgtray.exe
C:Program FilesAnalog DevicesCoresmax4pnp.exe
C:Program FilesPowerISOPWRISOVM.EXE
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesRocketDockRocketDock.exe
C:Program FilesLogitechDesktop Messenger8876480ProgramLogitechDesktopMessenger.exe
C:Program FilesLogitechSetPointSetPoint.exe
C:Program FilesCommon FilesLogitechKhalSharedKHALMNPR.EXE
C:Program FilesHewlett-PackardHP Quick Launch ButtonsVolCtrl.exe
C:Program FilesHewlett-PackardHP wireless AssistantWiFiMsg.EXE
C:Program FilesHewlett-PackardSharedHpqToaster.exe
C:Program FilesATI TechnologiesATI.ACECore-StaticMOM.exe
C:Program FilesMioNetjvminMioNet.exe
C:Program FilesSynapticsSynTPSynTPHelper.exe
C:Program FilesATI TechnologiesATI.ACECore-StaticCCC.exe
C:Program FilesHijackThisHijackThis.exe
C:Windowssystem32SearchFilterHost.exe
C:Windowssystem32DllHost.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6injp2ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:Program FilesBioscryptVeriSoftBinItIEAddIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O4 - HKLM..Run: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
O4 - HKLM..Run: [picon] "C:Program FilesCommon FilesIntelPrivacy IconPrivacyIconClient.exe" -startup
O4 - HKLM..Run: [SynTPEnh] C:Program FilesSynapticsSynTPSynTPEnh.exe
O4 - HKLM..Run: [StartCCC] "C:Program FilesATI TechnologiesATI.ACECore-StaticCLIStart.exe" MSRun
O4 - HKLM..Run: [SoundMAX] C:Program FilesAnalog DevicesSoundMAXsoundmax.exe /tray
O4 - HKLM..Run: [IAAnotif] C:Program FilesIntelIntel Matrix Storage Manageriaanotif.exe
O4 - HKLM..Run: [snuvcdsm] C:Windowssnuvcdsm.exe
O4 - HKLM..Run: [QlbCtrl.exe] C:Program FilesHewlett-PackardHP Quick Launch ButtonsQlbCtrl.exe /Start
O4 - HKLM..Run: [HP Health Check Scheduler] c:Program FilesHewlett-PackardHP Health CheckHPHC_Scheduler.exe
O4 - HKLM..Run: [HP Software Update] C:Program FilesHpHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [PDF Complete] C:Program FilesPDF Completepdfsty.exe
O4 - HKLM..Run: [hpWirelessAssistant] C:Program FilesHewlett-PackardHP Wireless AssistantHPWAMain.exe
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre6injusched.exe"
O4 - HKLM..Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM..Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..Run: [NeroFilterCheck] C:Program FilesCommon FilesAheadLibNeroCheck.exe
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [SoundMAXPnP] C:Program FilesAnalog DevicesCoresmax4pnp.exe
O4 - HKLM..Run: [PWRISOVM.EXE] C:Program FilesPowerISOPWRISOVM.EXE
O4 - HKLM..Run: [CognizanceTS] rundll32.exe C:PROGRA~1BIOSCR~1VeriSoftBinASTSVCC.dll,RegisterModule
O4 - HKLM..Run: [MioNet] C:Program FilesMioNetMioNetLauncher.exe /p
O4 - HKCU..Run: [Sidebar] C:Program FilesWindows Sidebarsidebar.exe /autoRun
O4 - HKCU..Run: [RocketDock] "C:Program FilesRocketDockRocketDock.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:Program FilesLogitechDesktop Messenger8876480ProgramLogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:Program FilesLogitechSetPointSetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~1OFFICE11EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:Program FilesBonjourExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~1OFFICE11REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:windowssystem32
laapi.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32
apinsp.dll
O10 - Unknown file in Winsock LSP: c:program filesonjourmdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:Program FilesLogitechDesktop Messenger8876480ProgramGAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll APSHook.dll
O20 - Winlogon Notify: DeviceNP - C:WindowsSYSTEM32DeviceNP.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:Windowssystem32AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:Windowssystem32agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:Windowssystem32Ati2evxx.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - c:Program FilesFingerprint SensorAtService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:Program FilesHewlett-PackardHP Quick Launch ButtonsCom4QLBEx.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:Windowssystem32 lcdlock.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%system32svchost.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:Program FilesHewlett-PackardHP Health Checkhphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:Program FilesHewlett-PackardSharedhpqWmiEx.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:Windowssystem32Hpservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:Program FilesIntelIntel Matrix Storage ManagerIAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriverE0Intel 32IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:Program FilesCommon FilesLogiShrdBluetoothLBTServ.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:Program FilesIntelAMTLMS.exe
O23 - Service: MioNet - Unknown owner - C:Program FilesMioNetMioNetManager.exe" -s "C:Program FilesMioNetwrapper.conf (file missing)
O23 - Service: NBService - Nero AG - C:Program FilesNeroNero 7Nero BackItUpNBService.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:Program FilesPDF Completepdfsvc.exe
O23 - Service: @%SystemRoot%system32qwave.dll,-1 (QWAVE) - Unknown owner - %windir%system32svchost.exe (file missing)
O23 - Service: @%SystemRoot%system32seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%system32svchost.exe (file missing)
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:Program FilesCommon FilesIntelPrivacy IconUNSUNS.exe
O23 - Service: @%ProgramFiles%Windows Media Playerwmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%Windows Media Playerwmpnetwk.exe (file missing)  

Answer
Hi Simon

I'd be happy to help you remove the trojans.  I will first require you to download and install the latest version of HijackThis from here:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Run a scan and save a logfile and post it in a follow-up to me.  Please make sure that you copy and paste directly from notepad, as this last file is not formatted properly making it difficult to read.  Your entries look like this:
C:WindowsSystem32svchost.exe
When they should look like this:
C:\Windows\System32\svchost.exe
Also, please let me know what anti-malware programs you have used besides AVG and include any log files you may have from them.  Thanks!

Brian

Computer Security & Viruses

All Answers

Answers by Expert:

Ask Experts

Volunteer

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.