cvtres.exe

Dear reader
I wanted to watch the American series “Family Guy”.
But they said I had to install something first, so I did that (it was really stupid, I know), and then my Windows Defender started to yell that I had a virus or two.
So I deleted them and it asked to restart my PC, so I did that.
Then, just to be sure my computer was virus free, I started a scan with the program IObit Security 360 (Pro).
I found over 50 viruses; I deleted them all because they were hot bars…
but now I am still stuck with 1, as you see in the title: cvtres.exe
location: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
My avast is still scanning for it, but it is 0:14 AM here and it is really important to go to work tomorrow, so I can't stay up all night. I tried like 10 times to delete the file with IObit but it doesn't stop coming back???
This is my hijack:
Logfile of IObit HijackScan v1.0.0.0
Scan saved at 0:15:23, on 2010-2-26

Running processes:
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\services.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\smss.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\VirtualDJ\virtualdj_trial.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run: [msnmsgr] “C:\Program Files\Windows Live\Messenger\msnmsgr.exe” /background
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run: [SmartRAM] “C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe” /m
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run: [BitComet] “C:\Program Files\BitComet\BitComet.exe” /tray
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run: [WeatherDPA] “C:\Program Files\Hotbar\bin\11.0.117.0\Weather.exe” -auto
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run: [Skytel] Skytel.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run: [avast!] “C:\Program Files\Alwil Software\Avast4\ashDisp.exe”
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe”
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run: [IObit Security 360] “C:\Program Files\IObit\IObit Security 360\IS360tray.exe” /autostart
O8 - Extra context menu item: &D&ownload &met BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload alle video met BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload alles met BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} -
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_18 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}Java Plug-in 1.6.0_18 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_18 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! Antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! Mail Scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! Web Scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown -
O23 - Service: Diagnostic Policy Service (DPS) - Unknown -
O23 - Service: FLEXnet Licensing Service (FLEXnet Licensing Service) - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Group Policy Client (gpsvc) - Unknown -
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Net.Tcp Port Sharing Service (NetTcpPortSharing) - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Quality Windows Audio Video Experience (QWAVE) - Unknown - %windir%\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown -
O23 - Service: Security Accounts Manager (SamSs) - Unknown -
O23 - Service: Secondary Logon (seclogon) - Unknown - %windir%\system32\svchost.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown -
O23 - Service: Windows Modules Installer (TrustedInstaller) - Unknown -
O23 - Service: Block Level Backup Engine Service (wbengine) - Unknown - %systemroot%\system32\wbengine.exe
O23 - Service: Diagnostic Service Host (WdiServiceHost) - Unknown -
O23 - Service: Diagnostic System Host (WdiSystemHost) - Unknown -

(Windows 7 homepremium)
anyways many thanks,
-Robin

Check your computer for Malware with

Have you tried Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
After install, click UPDATE and run a quick scan, then click on REMOVE SELECTED to quarantine anything found

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found come back and post the scan logs here

IOBit info
http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

There is also a tool for removal of IOBit software: Bitremover 1.3.
You will find it on the right side of the page
http://uninstallers.blogspot.com/

pondus that virus is 4th degree penetration the seed is growing now i mean virus imulator if he work tomorrow no antivirus can restore the original files after scanning and deleting he supper a lot of malfunction. and i see that the computer is use for controlling something.
this is only hint take time to help him and not criticizing my word :-*

Now it's morning again. I’ve checked and my avast didn’t find anything, but I am downloading Malwarebytes now.

Okay, I’ve scanned with Malwarebytes and these were the results:

Malwarebytes’ Anti-Malware 1.44
Database versie: 3795
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

26-2-2010 9:56:12
mbam-log-2010-02-26 (09-56-12).txt

Scan type: Volledige Scan (C:|D:|E:|F:|G:|H:|I:|)
Objecten gescand: 296747
Verstreken tijd: 32 minute(s), 42 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 18
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 1
Mappen geïnfecteerd: 7
Bestanden geïnfecteerd: 14

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\hotbarweather.weathercontroller (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hotbarweather.weathercontroller.1 (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{2f9ad413-2e0b-4a85-bb2a-cf961238262a} (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{70880ce6-308c-4204-a89e-b266c3f7b7fa} (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{8c788aa2-7530-43be-97b7-4d491f13bea3} (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{a078f691-9c07-4af2-bf43-35e79eecf8b7} (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{a078f691-9c07-4af2-bf43-35e79eecf8b7} (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{a078f691-9c07-4af2-bf43-35e79eecf8b7} (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hotbarax.info (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hotbarax.info.1 (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hotbarax.userprofiles (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hotbarax.userprofiles.1 (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\hotbarsa (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cntntcntr.cntntdic (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cntntcntr.cntntdic.1 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cntntcntr.cntntdisp (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cntntcntr.cntntdisp.1 (Adware.Zango) → Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
HKEY_CLASSES_ROOT\regfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (“regedit.exe” “%1”) Good: (regedit.exe “%1”) → Quarantined and deleted successfully.

Mappen geïnfecteerd:
C:\Users---------\AppData\Roaming\Hotbar (Adware.Hotbar) → Quarantined and deleted successfully.
C:\Users---------\AppData\Roaming\Hotbar\Weather (Adware.Hotbar) → Quarantined and deleted successfully.
C:\Users---------\AppData\Roaming\Hotbar\Weather\WeatherDPA (Adware.Hotbar) → Quarantined and deleted successfully.
C:\Users---------\AppData\Roaming\Hotbar\Weather\WeatherDPA\Weather_XML (Adware.Hotbar) → Quarantined and deleted successfully.
C:\Users---------\AppData\Roaming\Hotbar\Weather\Weather_XML (Adware.Hotbar) → Quarantined and deleted successfully.
C:\ProgramData\HotbarSA (Adware.Hotbar) → Quarantined and deleted successfully.
C:\Users---------\AppData\Roaming\WeatherDPA (Adware.Hotbar) → Quarantined and deleted successfully.

Bestanden geïnfecteerd:
C:\Users---------\AppData\Local\Temp\nsd7C61.tmp\Install.dll (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Users---------\AppData\Local\Temp\nsj3FCF.tmp\Install.dll (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Users---------\AppData\Local\Temp\nso790.tmp\Install.dll (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Users---------\AppData\Local\Temp\nso8C8.tmp\Install.dll (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Users---------\AppData\Local\Temp\nst3B9.tmp\Install.dll (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Users---------\AppData\Local\Temp\nst739B.tmp\Install.dll (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Users---------\AppData\Roaming\Hotbar\Weather\WeatherStartup.xml (Adware.Hotbar) → Quarantined and deleted successfully.
C:\Users---------\AppData\Roaming\Hotbar\Weather\Weather_XML\General (Adware.Hotbar) → Quarantined and deleted successfully.
C:\ProgramData\HotbarSA\HotbarSA.dat (Adware.Hotbar) → Quarantined and deleted successfully.
C:\ProgramData\HotbarSA\HotbarSAAbout.mht (Adware.Hotbar) → Quarantined and deleted successfully.
C:\ProgramData\HotbarSA\HotbarSAau.dat (Adware.Hotbar) → Quarantined and deleted successfully.
C:\ProgramData\HotbarSA\HotbarSAEULA.mht (Adware.Hotbar) → Quarantined and deleted successfully.
C:\ProgramData\HotbarSA\HotbarSA_hpk.dat (Adware.Hotbar) → Quarantined and deleted successfully.
C:\ProgramData\HotbarSA\HotbarSA_kyf.dat (Adware.Hotbar) → Quarantined and deleted successfully.

I hope it isn’t a big problem that it is in Dutch…

I hope it isn't a big problem that it is in Dutch....
no....the infection name is in english.... ;) and it looks to be only AdWare..... continue with superantispyware....

Okay, SUPERAntiSpyware is scanning now. I always scan twice, so I scanned with Malwarebytes again and it found nothing ;D

:wink: sometimes fruit is recognized when it is ripe. ;D good luck!

SUPERAntiSpyware removed over 650 detected adware/spyware etc etc ;D
Gotta reboot now

woooa… ;D…post the log…and if you rescan, is it clean?

Next time you download something from the net, save it somewhere and upload it to VirusTotal before you open it.
Then it will be tested by 42 virus scanners so you know what it is before you open it: www.virustotal.com
There is an upload limit… 20 MB I think?

Thanks for all your help.
I rescanned and nothing is found anymore ;D
And I couldn’t find any log for SUPERAntiSpyware…
Maybe if you can explain where I can find the log I will post it :slight_smile:

There is a tab on top " Statistic / Log "

If you want to do more checks you can also do

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/nl
Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en
How to Use It http://www.freedrweb.com/cureit/how_it_works/

Haha, the log is too big.
I uploaded it:
http://www.filefactory.com/file/b05dg8g/n/SUPERAntiSpyware_Scan_Log_-_02-26-2010_-_11-05-18.log

but I can do after:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/26/2010 at 11:31 AM

Application Version : 4.34.1000

Core Rules Database Version : 4621
Trace Rules Database Version: 2433

Scan type : Quick Scan
Total Scan Time : 00:22:10

Memory items scanned : 710
Memory threats detected : 0
Registry items scanned : 580
Registry threats detected : 0
File items scanned : 69594
File threats detected : 0