Stone Esquire
Kriker
Posts: 1
Registered: 02-26-2010

Re: TMIS not able to cope with Antivirus Vista 2010 trojan/virus/rootkit

Typhoon is correct, try using antimalwarebytes, or go to http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010 for full info. This one is a pain and I suggest that you verify that the registry settings have all been cleared.

Trend Micro Employee
CalvinM
Posts: 1
Registered: 02-27-2010

Re: TMIS not able to cope with Antivirus Vista 2010 trojan/virus/rootkit

I ran HJT on my machine that got XP Antispyware 2010. This is what I got:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:22 AM, on 2/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Calvin\Local Settings\Application Data\av.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\TEMP\AM8377.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\Calvin\Local Settings\Application Data\av.exe
C:\Documents and Settings\Calvin\Local Settings\Application Data\av.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Corel\Standby\Standby.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on HAL-9000] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P47 "Auto EPSON Stylus Photo R200 Series on HAL-9000" /O18 "\\HAL-9000\Printer" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [WebEx Document Loader] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P21 "WebEx Document Loader" /O26 "WebEx Document Loader Port" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Standby] "c:\Program Files\Common Files\Corel\Standby\Standby.exe" -START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.1.2:4343/officescan/console/html/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.1.2:4343/officescan/console/html/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.1.2:4343/officescan/console/html/root/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.2:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251436199468
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 11191 bytes


I am a Trend Micro employee.  My comments and advice come from my personal knowledge and experience.  I’m happy to volunteer what I can to help others have a great Trend Micro experience.

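The log above can be triaged mechanically. What follows is an added example written for this thread; it is not code from the forum, from HijackThis or from Trend Micro. It parses an HJT v2 log into its "Running processes" list and its coded R*/O* entries, then applies three defender heuristics that are the editor's own assumptions: an executable running straight out of a user profile's Local Settings\Application Data or out of C:\WINDOWS\TEMP, an O4 autorun or O23 service whose target sits in such a place, and O2/O9/O23 entries whose file is missing. The sample log is a trimmed copy of the lines posted above plus one constructed O4 line ([av]) that is not in the posted log and exists only to exercise the autorun check.

```python
"""Triage of a HijackThis (HJT) v2 log for rogue-AV indicators.

Added example for this thread; it is not code from the forum, from
HijackThis or from Trend Micro.  The heuristics are the editor's own
assumptions, chosen from what the posted log shows:
  * a process running straight out of a user profile's
    "Local Settings\\Application Data" or out of "C:\\WINDOWS\\TEMP"
  * an O4 autorun or O23 service entry whose target sits in such a place
  * O2/O9/O23 entries whose file is missing (orphaned registrations)
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log in the thread, trimmed to
# a handful, plus ONE constructed line ("O4 ... [av] ...") that is not in
# the posted log and exists only to exercise the autorun check.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:22 AM, on 2/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Calvin\Local Settings\Application Data\av.exe
C:\WINDOWS\TEMP\AM8377.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [av] C:\Documents and Settings\Calvin\Local Settings\Application Data\av.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
--
End of file - 1234 bytes
"""

# HJT entry lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# An .exe sitting directly in a user-writable or temp directory (not in a
# vendor sub-folder below it).  Legitimate XP software rarely runs its main
# binary from here; the rogue AV in the thread (av.exe) does.
USER_WRITABLE_EXE = re.compile(
    r'\\(Local Settings\\(Application Data|Temp)|WINDOWS\\TEMP)\\[^\\"]+\.exe',
    re.IGNORECASE,
)


@dataclass
class HjtReport:
    processes: list = field(default_factory=list)   # "Running processes" paths
    entries: list = field(default_factory=list)     # (code, body) for R*/O* lines


def parse_hjt(text: str) -> HjtReport:
    """Split an HJT log into its process list and its coded entries."""
    report = HjtReport()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            report.processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            report.entries.append((match.group("code"), match.group("body")))
    return report


def triage(report: HjtReport) -> list:
    """Return (severity, reason, text) findings; 'high' ones need action."""
    findings = []
    for path in report.processes:
        if USER_WRITABLE_EXE.search(path):
            findings.append(("high", "process running from a user-writable or temp directory", path))
    for code, body in report.entries:
        missing = "(file missing)" in body or body.endswith("(no file)")
        if code == "O2" and (body.startswith("BHO: (no name)") or missing):
            findings.append(("low", "BHO with no name or no file (orphaned registration)", body))
        elif missing:
            # For O23 this is often just an unquoted service path containing
            # spaces, which HJT shows as "C:\Program.exe (file missing)".
            findings.append(("low", f"{code} entry points at a missing file", body))
        if code in ("O4", "O23") and USER_WRITABLE_EXE.search(body):
            findings.append(("high", f"{code} persistence launches from a user-writable or temp directory", body))
    return findings


if __name__ == "__main__":
    for severity, reason, text in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:4}] {reason}: {text}")
```

Two caveats a practitioner would take from running this against the full log posted above: av.exe appears three times under "Running processes" but no O4 line in the posted log references it, so the persistence mechanism is not among the keys this HJT version lists and a Run-key check alone will not find it; and Windows will not let a running executable be deleted, so the process has to be stopped before the file is removed and the machine re-checked after a reboot.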
Trend Micro Employee
2Ez4Cy
Posts: 26
Registered: 02-11-2010

Re: TMIS not able to cope with Antivirus Vista 2010 trojan/virus/rootkit

Hello CalvinM,

Try to kill the process of this file and delete it afterwards: C:\Documents and Settings\Calvin\Local Settings\Application Data\av.exe

I believe this file is responsible for the FAKE_AV notifications that you're getting.


I am a Trend Micro employee. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience.
Stone Esquire
badog
Posts: 1
Registered: 03-06-2010

Re: TMIS not able to cope with Antivirus Vista 2010 trojan/virus/rootkit

How do I "kill the process"? I am not a computer programmer. Besides, I call BS. It is a shame that y'all don't have a fix.

Why doesn't your virus protection do this job? I paid over $100.00 for it and I paid for your program to remove this kind of stuff. What's up?

Why do I have to remove the virus manually when I paid good money for your program?

Thanks in advance

Stone Esquire
marketone
Posts: 1
Registered: 03-06-2010

Re: TMIS not able to cope with Antivirus Vista 2010 trojan/virus/rootkit

I, too, have paid 3 times for Trend Micro and have had to reformat a $2,200 VAIO laptop 3 times to get rid of this virus. Why isn't TREND MICRO able to stop this virus? I ran a complete scan after having scheduled regular scans, but TREND finds nothing. My daughter has been hung up because of this malicious virus as she's not able to complete her college homework online. I am really hacked off that TREND cannot solve this. Does this virus have you beat or are you the ones responsible for it? Do something or I will go to NORTON or find a virus protection that works!

Stone Esquire
pedroOz
Posts: 1
Registered: 03-08-2010

Re: TMIS not able to cope with Antivirus Vista 2010 trojan/virus/rootkit

I'm an equally dissatisfied customer!

There's enough recognition of this thing on the web. Why is my subscription inadequate to provide protection, or even RECOGNITION by Trend of the existence of an issue?

Time for an effective update, Trend!!

Stone Esquire
modder5s4s
Posts: 1
Registered: 03-08-2010

Re: TMIS not able to cope with Antivirus Vista 2010 Trojan/virus/rootkit

TM, I have had your security software for 3 years now and my renewal is available now. If this Vista 2010 Trojan internet virus cannot be fixed or addressed I will be moving on to new security software! After seeing all the posts in this forum I can't understand why you have not responded in this forum.

Stone Esquire
mag00
Posts: 3
Registered: 03-09-2010

Re: TMIS not able to cope with Antivirus Vista 2010 Trojan/virus/rootkit

I support a network of 10 computers, all running Trend Antivirus 2010.

Since 3rd March 2010, 3 of these computers have been infected with XP Antivirus Pro 2010, a variant of the virus in this thread.

Trend obviously do not monitor this board or some comment or solution would be forthcoming.

During the next few hours, I will post the series of complicated steps necessary to completely remove XP Antivirus Pro 2010 from your system.

My instructions are for XP Home Edition SP2 and SP3.

I am not sure if they work on Vista.

TREND MUST help us on this.... We pay good money... And are now getting blown away by this rogue (the virus author).

Me and my baseball bat wish we knew where he lived.

I believe the source of this virus in all 3 cases was an email containing an attachment "UPS_invoice_715.zip", which when unzipped allows the virus to escape. The email is from UPS Support, advising of an undeliverable package which can be claimed by following the details given in the attached file.

My research has shown this is not the only source of the TROJAN/virus.

See next post.

Live Long and Prosper
mag00

Stone Esquire
ngilbert
Posts: 2
Registered: 03-09-2010

Re: TMIS not able to cope with Antivirus Vista 2010 trojan/virus/rootkit

pgascoyne wrote:

I'm hoping that Trend's Techs see this and provide a quick fix as this problem seems to be running rampant around the net.

Seems to have many disguises .....

  • Antivirus Vista 2010
  • Vista Antispyware 2010
  • Vista Guardian
  • Vista Antivirus Pro
  • Vista Internet Security
  • Vista Internet Security 2010
  • XP Guardian
  • XP Antivirus Pro
  • XP AntiSpyware 2010
  • XP Internet Security
  • XP Internet Security 2010
  • Antivirus XP 2010
  • Antivirus Win 7 2010
  • Win7 Guardian
  • Win 7 Antivirus Pro
  • Win 7 Antispyware 2010
  • Win 7 Internet Security
  • Win 7 Internet Security 2010

I've seen a few references on the net about this problem, but as a paid customer I would expect TM to come to the rescue!

[Hyperlinks removed for the public's safety.]

I'm in total support of Mr Gascoyne. We both work for the same IT company and install Trend Micro IS 2010 on a lot of our customers' machines (well over 8 thousand machines in less than a year), and I, like Mr Gascoyne, am sick and tired of customers returning with this blasted Malware. Yes, we can remove it using various tools from the Web and check the system to ensure all traces have been removed, but we shouldn't have to!

So come on Trend Micro Techies, pull your fingers out and fix the detection engine to put a block on further infections, or at least try and keep up with the mutation of the Rogue Anti Viruses.

I think your failure to react and update your customers is awful! Can someone from your Tech department post on this forum that you are at least looking into this? Any failure to do so would more than likely result in the company I work for not buying your anti virus ever again. Do the maths: 8,000+ licences!

Stone Esquire
mag00
Posts: 3
Registered: 03-09-2010

Re: TMIS not able to cope with Antivirus Vista 2010 Trojan/virus/rootkit


Instructions for Removal of XP AntiVirus Pro 2010 from Windows XP SP2 and SP3.

  1. Start your computer in Safe Mode with Networking.
  2. From your desktop icon, run Trend. A scan should commence which takes quite a while to complete.
  3. After the scan, go to the following link and download the patch at item 12. **URL REMOVED AS IT WAS REPORTED AS UNSAFE** Once downloaded, run the patch.
  4. NOTE: If unable to complete steps 2 and 3 due to a "Rundll32.exe file is missing" error, you will need to obtain the patch from another computer and copy it to your computer running in SAFE MODE. Run the patch, or double click on it, to repair the registry. You can now perform the scan at step 2 and proceed to step 5.
  5. Restart the computer normally.
  6. Update Trend and run a virus scan.
  7. Check for any error messages at startup or while trying to open any programs.
  8. If any computer problems still exist, follow the steps in the attached instructions.
  9. In some cases it has been necessary to format the hard disk and reinstall Windows and all associated hardware and software. Any recoverable data should be copied from the computer in Safe Mode.

Good Luck... You will need it... Ring Trend Phone Support and let them know how much trouble you are in!
Live Long and Prosper

mag00


[Mod Note: URL was removed because it was flagged as unsafe]
