Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PDFCreator toolbar a malware with HitmanPro?


  • This topic is locked This topic is locked
12 replies to this topic

#1 voltronDefender

voltronDefender

  • Members
  • 116 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 12 October 2009 - 04:02 PM

PDFCreator toolbar a malware with HitmanPro?

Hi;

I have HitmanPro 3.5 as an additional on-demand scanner and it detected "PDFCreator_Toolbar.dll" as malware while "hitmanpro35.sys" was detected as a suspicious file. I have Avira 2009 Premium and updated scans do not show any signs of infections. I believe HitmanPro also uses Avira AntiVir in it's cloud.


Can someone check my HJT log if it is clean? My HJT and Malwarebytes files are below.

Thank you very much.

voltronDefender

-------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:26 PM, on 10/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: SaveAs Plus (Selection)... - C:\Program Files\WizBrother\SaveAs Plus\SaveSel.htm
O8 - Extra context menu item: SaveAs Plus... - C:\Program Files\WizBrother\SaveAs Plus\Save.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SaveAs Plus (Selection)... - {A99C7764-5DE9-4132-BACA-777D7AAEFB47} - C:\Program Files\WizBrother\SaveAs Plus\SaveSel.htm (HKCU)
O9 - Extra button: SaveAs Plus... - {C65E3344-C684-4427-AFD1-0675958B0114} - C:\Program Files\WizBrother\SaveAs Plus\Save.htm (HKCU)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JMP License Service - SAS Institute Inc. - C:\Program Files\Common Files\SAS Institute Inc Shared\Service\JMPLicSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 6046 bytes

-------

Malwarebytes' Anti-Malware 1.41
Database version: 2917
Windows 5.1.2600 Service Pack 3

10/7/2009 3:19:10 PM
mbam-log-2009-10-07 (15-19-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128969
Time elapsed: 33 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:57 AM

Posted 27 October 2009 - 11:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 voltronDefender

voltronDefender
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 29 October 2009 - 01:57 PM

Hi Blade Zephon :( :

Thanks for the reply. I had an email with HitmanPro support and they have acknowledged it as a false positive. But, I will also try your suggestion and will be back to you after I do the instructions here. I'll try the scan and be back to you.

By the way, how is my HJT? Is it clean?

The delay is okay. Even HitmanPro support was delayed. On the other hand Malwarebytes forum still haven't replied. Too busy perhaps!

Regards,

voltronDefender :(

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:57 AM

Posted 06 November 2009 - 09:00 PM

Hello,

Sorry for the delay in response. We really need to see updated logs as requested in the previous post.

Malwarebytes forum still haven't replied.


Are you receiving assistance there? You should only have ONE topic concerning this issue. Too many fingers in the pie can create disaster.

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 voltronDefender

voltronDefender
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 07 November 2009 - 01:59 PM

Hi Orange Blossom;

Avira is detecting dds.pif as HIDDENEXT/Crypted and is blocking my download.

Please see attached file.

Regards,

voltronDefender

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:57 AM

Posted 07 November 2009 - 03:03 PM

Please respond to my other question:

Are you receiving assistance at the MalwareBytes forum?

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 voltronDefender

voltronDefender
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 09 November 2009 - 04:05 PM

Hi Orange Blossom;

I posted once there about this topic but ain't got any help up to now. It was only you and HitmanPro support. Admittedly HitmanPro support said it was a false positive via the "Early Warning System" they have in their settings.

As of now there was no support from mbam forum at the moment...maybe they are busy busy busy..(with the Iobit fiasco probably and the increase of signature base)

I manually deleted the PDF Creator toolbar.dll and my pc seems to have not been affected by the deletion.

Regards,

voltronDefender

#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:57 AM

Posted 09 November 2009 - 04:20 PM

Thank you for responding. Please post to your topic at the MBAM forums, and tell them you are receiving assistance here and request that the topic there be closed.

A HiJack This team member should be with you soon.

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:57 AM

Posted 09 November 2009 - 07:03 PM

Hi,

We see a lot of false positives regarding our tools. DDS is safe to use even if it may get detected by some anti virus programs as potentially harmful. Also you have already run the tool once before for your inital post, we only need an updated log from the same tool.

If you feel uncomfortable running this tool please try to run the following tool instead:
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 voltronDefender

voltronDefender
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 13 November 2009 - 03:44 PM

Hi;

Sorry for the late reply. I am currently having problems with my hdd. I thought it isconnected with a virus or something. I tested my hdd via the Seagate supplied SeaTools for windows and SeaTools for DOS and it failed bigtime. I will be doing an RMA for a replacement this week so I may not be able to try the remedy you are proposing.

As of now, my pc "hangs" and cannot finish a defrag afterwhich the BSOD appears. It cannot even finish a complete scan without having a BSOD or a "freeze" what a drag. I am now renting from an internet cafe to check my messages.

I will post at Malwarebytes forum as guided and will be having assistance here when I have received the new RMA hdd. I will be setting up my pc the same way it is so I am sure this will re-occur.

Can I download the tool and install it later?

Thank you.

Kind regards,

voltronDefender

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:57 AM

Posted 13 November 2009 - 07:34 PM

Hi,

if your hard disk is dying, that probably means, that you will need to replace it and in the process you will have to reinstall your operating system. If you do a fresh install, then I believe unnecessary to check your PC for malware now, since you won't have it much longer.

I will be happy to check out your new system with you.

The tool OTL can be downloaded at one place and run at another without problems. :(

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 voltronDefender

voltronDefender
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 17 November 2009 - 01:35 PM

Hi myrti;

Thanks dude! I will have it check here when the replacement arrives!

More power to you guys!

voltronDefender :(

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:57 AM

Posted 29 November 2009 - 04:08 PM

Since this topic appears to be resolved for now, I will close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users