BullGuard
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
WinAntivirus12 Help
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > WinAntivirus12 Help  
Forum Quick Jump
 
New Topic Post reply to : WinAntivirus12 Help Printable version of : WinAntivirus12 Help
[ << Previous Thread | Next Thread >> ]

RussianWulf
New Member


Date Joined May 2012
Total Posts : 3
 
   Posted 5/5/2012 4:42 AM (GMT +3)    Quote: WinAntivirus12 HelpAlert an admin about: WinAntivirus12 Help
I believe I have this malware on my pc but I have no idea where to look for it or how to remove it.
Every once in a while my internet browser gets closed and replaced by the WinAntivirus12 spoof page.
I get notice of 50+ infected files and an offer to pay to remove them.
 
I've searched and cannot find it.
Here's my HJT Log. I hope you can help me!
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:40:23 PM, on 5/4/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Origin\Origin.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2504091
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: CrossriderApp0003491 - {11111111-1111-1111-1111-110011341191} - C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
O4 - HKLM\..\RunOnce: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETCall.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [AOD] C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe AutoTune (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [AOD] C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe AutoTune (User 'Default user')
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A822CADE-2529-4422-890C-95ABADF365FD}: NameServer = 8.8.8.8,8.8.4.4
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AODService - Unknown owner - C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel(R) Integrated Clock Controller Service - Intel(R) ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 6674 bytes
Back to Top
 

Robert Mateescu
Forum Moderator




Date Joined Sep 2011
Total Posts : 314
 
   Posted 5/5/2012 2:42 PM (GMT +3)    Quote: WinAntivirus12 HelpAlert an admin about: WinAntivirus12 Help
Hi RussianWulf,

Here is what I recommend:

A. Browse to C:\WINDOWS\system32\drivers\etc\ and delete the hosts file.

B.
1. Go to Start ->Run and type cmd , then press Enter.
2. Type ipconfig /flushdns and press Enter.
3. Repeat the second step 3 times.

C.
1. Exit all programs, including Internet Explorer (if it is running).
2. Click Start, and then click Run. Type the following command in the Open box, and then press ENTER: inetcpl.cpl .
3. Click the Advanced tab.
4. Under Reset Internet Explorer settings, click Reset. Then click Reset again.
5. When Internet Explorer finishes resetting the settings, click Close in the Reset Internet Explorer Settings dialog box.

D.
Go to Start ->Control Panel ->Programs and Features ->uninstall Conduit.

E. Download Malwarebytes' Anti-Malware (MBAM), install and update it. Decline the trial offer for the full version if you're already using an Antivirus (your Hijackthis log does not show any).
Run a C:\ drive scan and post the log.

Cheers!


Robert Mateescu
Support Technician EN
support@bullguard.com
www.bullguard.com

Download the Free Trial version of BullGuard Internet Security 12

You have a BullGuard related problem? Contact our Support team directly: www.bullguard.com/support.aspx!

Back to Top
 

RussianWulf
New Member


Date Joined May 2012
Total Posts : 3
 
   Posted 5/8/2012 10:46 PM (GMT +3)    Quote: WinAntivirus12 HelpAlert an admin about: WinAntivirus12 Help
I have done as you instructed and this is what I come up with.

----------------------------------------------------------------------------

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.02.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
CLIENT :: CLIENT-PC [administrator]

5/5/2012 11:58:10 PM
mbam-log-2012-05-05 (23-58-10).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 440800
Time elapsed: 43 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) -> Delete on reboot.

Registry Keys Detected: 13
HKCR\CrossriderApp0003491.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044344491} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055345591} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) -> Quarantined and deleted successfully.

(end)
Back to Top
 

Robert Mateescu
Forum Moderator




Date Joined Sep 2011
Total Posts : 314
 
   Posted 5/9/2012 6:03 AM (GMT +3)    Quote: WinAntivirus12 HelpAlert an admin about: WinAntivirus12 Help
Hi there,


Let me know if the issue persists at this point, as the BHO was deleted by MBAM.


Cheers!


Robert Mateescu
Support Technician EN
support@bullguard.com
www.bullguard.com

Download the Free Trial version of BullGuard Internet Security 12

You have a BullGuard related problem? Contact our Support team directly: www.bullguard.com/support.aspx!

Back to Top
 

RussianWulf
New Member


Date Joined May 2012
Total Posts : 3
 
   Posted 5/10/2012 12:13 AM (GMT +3)    Quote: WinAntivirus12 HelpAlert an admin about: WinAntivirus12 Help
No issues anymore! Spasibo bratan
Back to Top
 
New Topic Post reply to : WinAntivirus12 Help Printable version of : WinAntivirus12 Help
 
Forum Information
Currently it is Saturday, October 25, 2014 12:17 AM (GMT +3)
There are a total of 60,695 posts in 13,332 threads.
In the last 3 days there were 1 new threads and 27 reply posts. View Active Threads
Who's Online
This forum has 36551 registered members. Please welcome our newest member, 270bajigur.
6 Guest(s), 1 Registered Member(s) are currently online.  Details
Deb1957
5 Latest Threads
Errors, warnings, infections, trojans and junk (27)10/24/2014 9:12:38 PM (Deb1957)
Bullguard firewall blocks dns requests for virtual machine clients (3)10/24/2014 11:55:39 AM (leok)