
Vista Internet Security Spyware

Hyper

New Member
Joined
Sep 22, 2007
I never clicked on any "free antivirus" ads on the internet, but my computer is now infected with an executable that loads up when I try to do anything. Luckily it doesn't restrict me from accessing my processes and registry. I am now in Safe Mode, running Malwarebytes' Anti-Malware and AVG 8.5. This "Vista Internet Security" is a fake antivirus hoax/spyware that is trying to get me to purchase it to get rid of all of the horrible spyware/viruses that actually aren't on my computer, like it is saying.

This is very annoying because I know that the executable is hiding and where it's hiding. It's just not showing up in anything and something else other than this exe file has to be a part of a bigger picture. Can anyone please help me with this?


I also have a log from HijackThis. [Although the executable is hiding from the scan in running processes.]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:17 PM, on 3/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Users\Tim\Desktop\Tools\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1200
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1200
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1200
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\MasterWriter 2.0\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\registrybooster\StartRegistryBooster.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.line6.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe



Please help me out!
 
Joined
Oct 2, 2005
Sounds like you could use some ComboFix and Malwarebytes action. Make sure AVG is updated to v9 and running when you run Malwarebytes, and disable the Resident Shield when you run ComboFix.
They can be found here:
ComboFix - www.bleepingcomputer.com/combofix (click No on the Recovery Console prompt)
Malwarebytes - http://www.malwarebytes.org/ (the free version works fine; run ComboFix first)
 
Joined
Nov 21, 2007
AVG, at least the last time I used it, blowed compared to Avira Personal, which is also free. Just sayin'.
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
First of all, why are you using AVG 8.5 and not 9.0?

Second of all, Malwarebytes will probably take care of it. However, I've come across a few recently, usually av.exe, that will replace how exe files are executed, so that they are all run through av.exe instead. This requires some registry editing to fix.
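As an added check for the exe-association hijack newtekie1 describes (example code written for this thread, not from any poster or tool): the stock default value of HKEY_CLASSES_ROOT\exefile\shell\open\command is `"%1" %*`, so any program placed in front of "%1" is an interposer that every .exe launch passes through. The av.exe path and /START switch in the sample are constructed, and the live registry read only runs on Windows.

```python
import re
import sys

# Stock default value of HKEY_CLASSES_ROOT\exefile\shell\open\command:
# run the program itself ("%1") with its original arguments (%*).
STOCK_EXEFILE_COMMAND = '"%1" %*'

def exefile_command_is_hijacked(command):
    """True when every .exe launch would be routed through another program
    placed in front of "%1" (the av.exe-style rogue AV technique)."""
    normalized = " ".join(command.split())  # collapse stray whitespace
    if normalized == STOCK_EXEFILE_COMMAND:
        return False
    return not (normalized.startswith('"%1"') or normalized.startswith("%1 "))

def interposer_path(command):
    """Return the program inserted in front of "%1", or None if there is none."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?\s', command, re.IGNORECASE)
    if m and m.group(1) != "%1":
        return m.group(1)
    return None

def read_live_exefile_command():
    """Read the live default value on Windows; returns None on other platforms."""
    # HKCR merges HKLM\Software\Classes with the per-user HKCU\Software\Classes,
    # so a user-level hijack (no admin rights needed to plant it) shows up here too.
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value

# Constructed sample of a hijacked value; the av.exe path is made up for illustration.
HIJACKED_SAMPLE = r'"C:\Users\Tim\AppData\Local\av.exe" /START "%1" %*'

if __name__ == "__main__":
    for label, cmd in (("sample", HIJACKED_SAMPLE), ("live", read_live_exefile_command())):
        if cmd is not None:
            verdict = "HIJACKED via" if exefile_command_is_hijacked(cmd) else "OK"
            print(label, verdict, interposer_path(cmd) or "")
```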
 

95Viper

Super Moderator
Staff member
Joined
Oct 12, 2008
If you are still having the problem, try this on-line scan or download and try the freeware version.

This is good, too, but you have to use MS IE and, if you select the total scan, it will take a while.

Also, did you place or allow this to be placed in your internet trusted zone: O15 - Trusted Zone: *.line6.net

:)
 
Joined
Jan 17, 2009
Get kaspery and install it and update, start up in Safe Mode, open the kaspery main folder in Program Files, execute its safe mode sweeper, and it'll annihilate that piece of shit.
 

95Viper

Super Moderator
Staff member
Joined
Oct 12, 2008
Get kaspery and install it and update, start up in Safe Mode, open the kaspery main folder in Program Files, execute its safe mode sweeper, and it'll annihilate that piece of shit.

Did you sorta mean... Kaspersky? As kaspery is a known baddie (variant of the Rbot worm).
 

Hyper

New Member
Joined
Sep 22, 2007
Well I got Kaspersky and I'm trying to install it and the av.exe keeps opening up and blocking it from installing. Kaspersky just keeps asking to restart my computer.

This spyware went away for about a day and now just started coming back. It keeps lying dormant. This is annoying. I've tried several methods of scanning in Safe Mode and it is still present.
 
Joined
Mar 31, 2007
Rename Kaspersky to explorer.exe. One virus removal guide I saw suggested that for Malwarebytes.
 

DirectorC

New Member
Joined
Nov 4, 2009
Select the 'TuneUp' ones, click on Fix, then reboot.
 
Joined
Nov 4, 2005
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\registrybooster\StartRegistryBooster.exe
O15 - Trusted Zone: *.line6.net
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

Check these. Click clean.

Follow the on-screen instructions.
 
Joined
Mar 9, 2006
Last option would be to take the HDD out of the PC and connect to another PC and scan it there.
 

DirectorC

New Member
Joined
Nov 4, 2009
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\registrybooster\StartRegistryBooster.exe
O15 - Trusted Zone: *.line6.net
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

Check these. Click clean.

Follow the on-screen instructions.

rpcapd.exe is used for legit purposes. Nice catch on the RegistryBooster one. That's the virus. I saw Uniblue so I figured it was legit, but you might be right considering there's no capitalization in the path.
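An added triage pass over the kinds of HijackThis entries singled out in this thread (example code written here, not from any poster or from HijackThis itself): it parses O4, O15 and O23 lines and flags DirectorC's all-lowercase-directory heuristic for Run entries, any site in the IE Trusted Zone, and services whose owner HijackThis could not determine. The sample lines are copied from the log posted above; the flags are prompts for a closer look, not verdicts.

```python
import re

# Sample entries copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\registrybooster\StartRegistryBooster.exe
O15 - Trusted Zone: *.line6.net
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")                      # "O4 - <body>"
RUN_RE = re.compile(r"^(HK[^:]+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")   # hive, entry name, command
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")         # service, owner, binary path
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)  # drive-letter path to the .exe

def triage_hjt(log_text):
    """Return a list of (section, item, reason) for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4" and (r := RUN_RE.match(body)):
            hive, name, cmd = r.groups()
            p = PATH_RE.match(cmd)
            if p:
                directory = p.group(1).rsplit("\\", 1)[0]
                # Heuristic from the thread: a Run entry whose directory is written
                # entirely in lower case was not registered by a normal installer.
                if directory == directory.lower():
                    findings.append((section, name, f"all-lowercase path in {hive} Run key"))
        elif section == "O15":
            # Trusted Zone sites get relaxed IE security settings; each one should be deliberate.
            findings.append((section, body.replace("Trusted Zone: ", ""), "site in IE Trusted Zone"))
        elif section == "O23" and (s := SERVICE_RE.match(body)):
            svc, owner, _path = s.groups()
            if owner == "Unknown owner":
                findings.append((section, svc, "HijackThis could not determine the service owner"))
    return findings

if __name__ == "__main__":
    for section, item, reason in triage_hjt(SAMPLE_LOG):
        print(f"{section}: {item} -> {reason}")
```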
 

InnocentCriminal

Resident Grammar Amender
Joined
Feb 21, 2005
I deal with this sort of issue on a daily basis. As Batou1986 and newtekie have stated, ComboFix and Malwarebytes will remove this for you.

I recommend booting into Safe Mode (with Networking) and installing Malwarebytes if you can; if not, rename mbam.exe to something else (tpu.exe, for example) and install it. If you're unable to update it (once installed), run a full scan and remove what you can.

See if you can update Malwarebytes after it has removed files for you, do another scan, and run ComboFix, as it may have pulled down some other nasties.
 