Avast WEBforum

Other => Viruses and worms => Topic started by: BJS on August 13, 2007, 06:31:19 AM

Title: Avast stopped working, virus?
Post by: BJS on August 13, 2007, 06:31:19 AM
Hello,
I have been using the latest updates of Avast for a year now with no problems. Yesterday I was downloading some files and had several virus alerts, which I moved to the chest. All of a sudden, the avast icon in my taskbar disappeared. I tried to turn it back on but it said the shortcut had been moved or changed. I tried to download Avast again and it did not work. I also tried several other free antivirus programs and they also would not work. I also had a message stating something about "Dr Watson postmortem debugger". I am 99% sure I have a virus. Can anyone tell me what to do? All of my word documents won't work either.

Any info would help..

Here is the log..

Logfile of HijackThis v1.99.1
Scan saved at 10:45:39 PM, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\015DWVTF\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://ca.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://ca.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Title: Re: Avast stopped working, virus?
Post by: CharleyO on August 13, 2007, 07:19:22 AM
***

Welcome to the forums, BJS.    :)

Do you have or have you had McAfee anti-virus on this computer?

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

Having 2 active av services can cause the problem you are experiencing. The above entries indicate that some McAfee service has been on your computer at some time in the past or is present now. These could also be remnants of a past McAfee program which could be causing interference with avast or any other av service.


***
Title: Re: Avast stopped working, virus?
Post by: BJS on August 13, 2007, 07:28:08 AM
Thank you,

McAfee might have been installed at one point (it is my wife's PC) but to my knowledge, Avast was the only active antivirus program working. Whenever there was a virus alert in the last year, Avast was the only one to pick it up. What worried me the most is that it said some files had been moved. Moved where?
Title: Re: Avast stopped working, virus?
Post by: oldman on August 13, 2007, 07:37:36 AM
There are removal tools for McAfee available, if you can find out if and what version was installed.

Moved is either to the chest or the moved folder. Moved folder can be found in program files\alwil software\avast4\data.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 13, 2007, 07:44:05 AM
I opened the "moved" folder under data but it was empty. I am just trying to get Avast active again. It is still under alwilsoftware but when I try to activate from startup, it says that the shortcut has been changed or moved.

Also, I did a search and there are no remnants of McAfee that I can see. No files anyway.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 13, 2007, 07:56:20 AM
What happens when you open ashsimp.exe or ashsimp2.exe from the avast4 folder?
Title: Re: Avast stopped working, virus?
Post by: CharleyO on August 13, 2007, 10:27:47 AM
***

Those 2 entries I mentioned above should be fixed with HijackThis so that these will no longer be a problem.

You might also try a repair of avast through Add/Remove programs. You need to be on-line to do this.

MyComputer > Control Panel > Add/Remove programs > scroll down to avast! antivirus & click to select > Change/Remove button > Scroll down to Repair & click Repair > click Next button and follow instructions


***
Title: Re: Avast stopped working, virus?
Post by: Maxx_original on August 13, 2007, 10:38:27 AM
a good way is to run ProcessExplorer and look for the two processes running under drwatson... i don't like this "debugger", but the information about the two crashing processes is useful to decide what to do :)
Title: Re: Avast stopped working, virus?
Post by: BJS on August 13, 2007, 07:20:26 PM
Hello,
I ran ProcessExplorer and these are the results. I also tried to repair Avast and I followed CharleyO's directions, but I could only get to "change and remove"; it did not give me the "repair" option.

Process   PID   CPU   Description   Company Name
System Idle Process   0   98.46      
 Interrupts   n/a      Hardware Interrupts   
 DPCs   n/a      Deferred Procedure Calls   
 System   4         
  smss.exe   292      Windows NT Session Manager   Microsoft Corporation
   csrss.exe   340      Client Server Runtime Process   Microsoft Corporation
   winlogon.exe   364      Windows NT Logon Application   Microsoft Corporation
    services.exe   408      Services and Controller app   Microsoft Corporation
     svchost.exe   572      Generic Host Process for Win32 Services   Microsoft Corporation
      iexplore.exe   180      Internet Explorer   Microsoft Corporation
       ctfmon.exe   3544      CTF Loader   Microsoft Corporation
     svchost.exe   620      Generic Host Process for Win32 Services   Microsoft Corporation
     svchost.exe   656      Generic Host Process for Win32 Services   Microsoft Corporation
     svchost.exe   704      Generic Host Process for Win32 Services   Microsoft Corporation
     svchost.exe   724      Generic Host Process for Win32 Services   Microsoft Corporation
     spoolsv.exe   792      Spooler SubSystem App   Microsoft Corporation
     svchost.exe   1052      Generic Host Process for Win32 Services   Microsoft Corporation
     iPodService.exe   152      iPodService Module   Apple Computer, Inc.
     svchost.exe   1500      Generic Host Process for Win32 Services   Microsoft Corporation
     HPZipm12.exe   920      PML Driver   HP
    lsass.exe   420      LSA Shell (Export Version)   Microsoft Corporation
explorer.exe   3868      Windows Explorer   Microsoft Corporation
 jusched.exe   1236      Java(TM) Platform SE binary   Sun Microsystems, Inc.
 vsnpstd2.exe   3032      CameraMonitor MFC Application   
 khooker.exe   2320      SiS Compatible Super VGA Keyboard Daemon   Silicon Integrated Systems Corporation
 hpwuSchd2.exe   2656      Hewlett-Packard Product Assistant   Hewlett-Packard Development Company, L.P.
 rundll32.exe   2700      Run a DLL as an App   Microsoft Corporation
 iTunesHelper.exe   320      iTunesHelper Module   Apple Computer, Inc.
 GoogleToolbarNotifier.exe   3220      GoogleToolbarNotifier   Google Inc.
 msmsgs.exe   2844      Windows Messenger   Microsoft Corporation
 hpqtra08.exe   1444      HP Digital Imaging Monitor   Hewlett-Packard Development Company, L.P.
  hpqste08.exe   200      HP CUE Status   Hewlett-Packard Development Company, L.P.
 LastFMHelper.exe   1012         
 iexplore.exe   1296      Internet Explorer   Microsoft Corporation
procexp.exe   2092   1.54   Sysinternals Process Explorer   Sysinternals

Title: Re: Avast stopped working, virus?
Post by: CharleyO on August 13, 2007, 07:46:23 PM
***

BJS,

What OS is on this computer?


***
Title: Re: Avast stopped working, virus?
Post by: Maxx_original on August 13, 2007, 08:02:31 PM
i can't see the drwatson instances in your ProcessExplorer log... are you still getting some errors?
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 13, 2007, 11:38:54 PM
Those McAfee O16's are ActiveX controls - more like an online scan than anything that would interfere with a resident scanner.

Under the circumstances described in the initial post I would run F-Secure Blacklight to check the possibility of a rootkit

http://www.f-secure.com/blacklight/try_blacklight.html

and also scan this file at  Virus Total (http://www.virustotal.com/)

C:\WINDOWS\ratmn.exe


EDIT:  BTW, you are running HJT from a temporary file.  This should be moved to its own folder as backups will be made of anything you fix with this program.  Running from a temp folder risks losing the backups.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 03:36:33 AM
CharleyO,
I am running Windows XP. I am going to run the programs that mauserme suggested.

Thanks...
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 04:36:43 AM
Mauserme,
I ran F-Secure BlackLight. It showed about 250 hidden files.
I could not find the file you wanted me to check at Virus Total. It was not under c:\windows. Could it be under a subfolder?

Title: Re: Avast stopped working, virus?
Post by: oldman on August 14, 2007, 04:45:39 AM
According to the HJT log it is in the c:\windows folder. It's the 6th O4 entry. Do you have show all files turned on in folder options?
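The replies above work by counting entries in the posted HijackThis log by section code ("the 6th O4 entry") and by looking for markers such as "(file missing)" and "(no file)". The following Python script is an added example, not code from this thread or from HijackThis itself; it parses a v1.99.1 log into structured records so that this kind of triage is reproducible. The embedded sample is constructed from lines of the log posted earlier in the thread, and the filter for autoruns whose executable sits directly in C:\WINDOWS is a review heuristic of my own (legitimate vendor tools such as the camera and SiS helpers land there too), not a verdict on any entry.

```python
"""Parse a HijackThis v1.99.1 log into structured entries for triage."""
import ntpath
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Constructed sample, assembled from lines of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:45:39 PM, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\drwtsn32.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""


class Entry(NamedTuple):
    code: str               # section code such as R1, O2, O4, O16, O23
    body: str               # everything after "<code> - "
    name: Optional[str]     # Run-key value name for O4 Run entries, else None
    command: Optional[str]  # command line for O4 Run entries, else None


ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Matches the body of "O4 - HKLM\..\Run: [name] command" lines.
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_hjt(text: str) -> List[Entry]:
    """Return every 'Xn - ...' line of the log as an Entry, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines are skipped
        code, body = m.group("code"), m.group("body")
        run = RUN_RE.match(body)
        name = run.group("name") if run else None
        command = run.group("command") if run else None
        entries.append(Entry(code, body, name, command))
    return entries


def running_processes(text: str) -> Counter:
    """Count image names in the 'Running processes:' block (basename, lower-cased)."""
    counts: Counter = Counter()
    in_block = False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break  # the block ends at the first blank line
            counts[ntpath.basename(line.strip()).lower()] += 1
    return counts


def nth_entry(entries: List[Entry], code: str, n: int) -> Entry:
    """1-based lookup, matching how helpers count ('the 6th O4 entry')."""
    matching = [e for e in entries if e.code == code]
    return matching[n - 1]


def missing_file_entries(entries: List[Entry]) -> List[Entry]:
    """Entries HijackThis marked as pointing at a file that no longer exists."""
    return [e for e in entries if any(marker in e.body for marker in MISSING_MARKERS)]


def command_path(command: str) -> str:
    """First token of a Run command: the quoted path if quoted, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def autoruns_in_dir(entries: List[Entry], directory: str = r"C:\WINDOWS") -> List[Entry]:
    """O4 Run entries whose executable sits directly in `directory` (not a subfolder).

    Review heuristic only: legitimate vendor helpers live there as well."""
    wanted = directory.rstrip("\\").upper()
    return [
        e for e in entries
        if e.command is not None
        and ntpath.dirname(command_path(e.command)).upper() == wanted
    ]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("6th O4 entry:", nth_entry(entries, "O4", 6).body)
    for e in missing_file_entries(entries):
        print("missing target:", e.code, e.body)
    for e in autoruns_in_dir(entries):
        print("loads from C:\\WINDOWS root:", e.name, "->", e.command)
    print("process counts:", running_processes(SAMPLE_LOG).most_common(2))
```

Run it on a full log pasted into SAMPLE_LOG (or read from a file) and the O4 ordering will match the numbering the helpers use in this thread; the process counter also makes the doubled drwtsn32.exe instance from the first log visible without reading the list by eye.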
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 14, 2007, 04:52:11 AM
In addition to what Oldman suggested about showing hidden files and folders you could un-hide Protected Operating System Files as well.  Both options are in Start>Control Panel>Folder Options>View.

Then see if you can post the Blacklight log.
Title: Re: Avast stopped working, virus?
Post by: CharleyO on August 14, 2007, 06:22:46 AM
***

CharleyO,
I am running Windows XP. I am going to run the programs that mauserme suggested.

Thanks...


No problem, BJS ... mauserme certainly knows more about this than I do.    :)

I asked about the OS because with XP, you should have that repair option of avast available.    :(


***
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 05:43:11 PM
Yes, I have "show hidden files" turned on under folder options but I still can't view c:\windows\ratmn.exe; the closest is the registry editor file.

I also checked to see if I could manually open the ashsimp.exe or ashsimp2.exe but they were not listed under the alwil folder.

The funny thing is when I tried to reinstall Avast, the ashsimp.exe and the ashsimp2.exe showed up for about 4 seconds but disappeared while I was looking at it. It looks as though they were renamed. I could see that at first they were exe files.
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 14, 2007, 07:42:21 PM
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe)  by OldTimer.  Save it to your desktop but don't use it yet.


Now download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished post the log it produces.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


Next, move HijackThis to its own folder (c:\hjt\ would be fine), scan and save a log, and post the new log after running the ComboFix scan.


Also attach (or post) the BlackLight log that should be saved in the same folder with the blacklight executable as fslb<date&time>.log.

When you ran BlackLight did you possibly use the expert parameter from the command line version or click "Show All Processes" in the Graphical Interface version? Or was it a standard scan?
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 08:32:05 PM
Here are the ComboFix results. I need to split it because the post is too long. I will put HijackThis in a new folder now, run it and post the results.

ComboFix 07-08-14.4 - "Ben" 2007-08-14 12:04:49.1 - NTFS  x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.68 [GMT -6:00]
C:\WINDOWS\system32\chkdsk.exe not present

ADS removed - C:\WINDOWS\system32\ntoskrnl.exe: The system cannot find the file specified.  

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Ben\APPLIC~1.\hidires\rosa.sys
C:\DOCUME~1\Ben\Desktop.\internet explorer.lnk
C:\Program Files\ql
C:\Program Files\ql\~ql_log.txt
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ROSA
-------\rosa


(((((((((((((((((((((((((   Files Created from 2007-07-14 to 2007-08-14  )))))))))))))))))))))))))))))))


2007-08-14 12:00   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-08-13 20:13   54,452   --a------   C:\WINDOWS\system32\drivers\pci32.sys
2007-08-11 20:59   <DIR>   d--h-----   C:\WINDOWS\PIF
2007-08-11 20:33   99,713   --a------   C:\WINDOWS\system32\trusted.exe
2007-08-11 20:33   <DIR>   d--------   C:\WINDOWS\exefnd
2007-08-11 20:12   <DIR>   d--------   C:\Program Files\SCRABBLE
2007-08-11 13:54   <DIR>   d--------   C:\Program Files\Kyodai
2007-08-11 13:02   <DIR>   d--------   C:\DOCUME~1\Ben\APPLIC~1\GameHouse
2007-08-11 13:02   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-08-10 22:15   <DIR>   d-a------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-10 22:15   <DIR>   d--------   C:\DOCUME~1\Ben\APPLIC~1\SpinTop
2007-08-08 15:01   <DIR>   d--------   C:\DOCUME~1\Ben\APPLIC~1\OpenOffice.org2
2007-08-08 14:57   <DIR>   d--------   C:\Program Files\OpenOffice.org 2.2
2007-07-14 12:29   <DIR>   d--------   C:\hindsight
2007-07-14 12:26   <DIR>   d--------   C:\DOCUME~1\Ben\.SunDownloadManager
2007-07-14 11:26   <DIR>   d--------   C:\dmbenc9
2007-07-14 11:25   450,560   --a------   C:\WINDOWS\system32\HHActiveX.dll
2007-07-14 11:25   32,768   --a------   C:\WINDOWS\system32\DZPROG32.exe
2007-07-14 11:25   131,072   --a------   C:\WINDOWS\system32\DZIP32.dll
2007-07-14 11:25   110,592   --a------   C:\WINDOWS\system32\DUNZIP32.dll
2007-07-14 11:25   <DIR>   d--------   C:\dmb9


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 21:32   ---------   d--------   C:\Program Files\eMule
2007-08-10 11:03   ---------   d--------   C:\Program Files\SP2 Connection Patcher
2007-07-27 16:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-27 16:02   94416   --a--c---   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 16:02   92848   --a--c---   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 16:00   23152   --a--c---   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 15:59   42912   --a--c---   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 15:58   26624   --a--c---   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 15:57   95608   --a--c---   C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 19:51   ---------   d--------   C:\DOCUME~1\Ben\APPLIC~1\Image Zone Express
2007-07-17 07:30   ---------   d--------   C:\Program Files\Picasa2
2007-07-15 23:41   73216   --a------   C:\WINDOWS\ST6UNST.EXE
2007-07-15 23:41   249856   ---------   C:\WINDOWS\Setup1.exe
2007-07-14 08:53   ---------   d--------   C:\Program Files\Last.fm
2007-06-24 16:35   ---------   d--------   C:\Program Files\RL-Software
2007-05-16 09:12   86528   --a--c---   C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 09:12   85504   --a--c---   C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 09:12   683520   --a--c---   C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 09:12   683520   -----c---   C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:12   510976   --a--c---   C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 09:12   1314816   --a--c---   C:\WINDOWS\system32\dllcache\msoe.dll
2006-12-02 12:05   774144   --a--c---   C:\Program Files\RngInterstitial.dll
2001-11-23 06:08   712704   --a--c---   C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2005-05-13 23:12:00   217,073   -csha-r   C:\WINDOWS\meta4.exe
2005-10-24 17:13:58   66,560   -csha-r   C:\WINDOWS\MOTA113.exe
2005-07-14 18:31:20   27,648   -csha-r   C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 21:32:28   616,448   -csha-r   C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42   45,568   -csha-r   C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06:54   163,328   -csh--r   C:\WINDOWS\system32\flvDX.dll
2004-01-25 06:00:00   70,656   -csha-r   C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47:16   31,232   -csh--r   C:\WINDOWS\system32\msfDX.dll
2005-02-28 19:16:22   240,128   -csha-r   C:\WINDOWS\system32\x.264.exe
2004-01-25 06:00:00   70,656   -csha-r   C:\WINDOWS\system32\yv12vfw.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 08:33:04 PM
part two of the combofix file

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-08-30 16:37]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 18:06]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [2002-01-25 03:30]
"ratmn"="C:\WINDOWS\ratmn.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18]
"Cmaudio"="cmicnfg.cpl" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 17:15]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 03:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:39]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

C:\Documents and Settings\Ben\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-05-11 03:06:32]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 00:29:22]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-01 22:17:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\miftufo.exe

R1 pci32;Derkz864;\??\C:\WINDOWS\system32\drivers\pci32.sys
R1 srosa;Megadrv3;\??\C:\WINDOWS\system32\drivers\srosa.sys
S3 JL2001;Telemax WebCam WC-50;C:\WINDOWS\system32\Drivers\videocap.sys
S3 snpstd2;GE 98067 MiniCam Pro;C:\WINDOWS\system32\DRIVERS\snpstd2.sys
S4 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys


Contents of the 'Scheduled Tasks' folder
2007-08-09 04:40:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-14 15:07:36 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D432F9D3-12B8-43E7-97CB-0D48E3DE9774}.job - C:\WINDOWS\system32\msfeedssync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 12:19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\hidr.exe

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"german.exe"="C:\\WINDOWS\\system32\\wintems.exe"

Completion time: 2007-08-14 12:22:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-14 12:21

   --- E O F ---
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 08:43:21 PM
Here is the HijackThis file, run after ComboFix.

Logfile of HijackThis v1.99.1
Scan saved at 12:42:10 PM, on 14/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://ca.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://ca.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 09:35:45 PM
Here is the BlackLight log. I didn't use the command-line version. I just clicked on scan. Also, I pretty much opened all the files under Folder Options. I still can't view the c:\windows\ratmn.exe file.

There is something new to report though. Once I ran ComboFix, the red shield icon of the Windows Security Alert gave me a warning that the antivirus program I use (Avast) was out of date. I still cannot run Avast though, because it is still telling me that the exe file has been moved or changed.

08/14/07 13:09:55 [Info]: BlackLight Engine 1.0.64 initialized
08/14/07 13:09:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/14/07 13:09:55 [Note]: 7019 4
08/14/07 13:09:55 [Note]: 7005 0
08/14/07 13:09:56 [Note]: 7006 0
08/14/07 13:09:56 [Note]: 7011 1868
08/14/07 13:09:57 [Note]: 7026 0
08/14/07 13:09:57 [Note]: 7026 0
08/14/07 13:10:00 [Note]: FSRAW library version 1.7.1022
08/14/07 13:10:05 [Note]: 10002 2
08/14/07 13:10:05 [Note]: 10002 2
08/14/07 13:12:51 [Info]: Hidden file: c:\Program Files\Movie Maker\shared\empty.txt
08/14/07 13:12:51 [Note]: 10002 3
08/14/07 13:12:51 [Info]: Hidden file: c:\Program Files\Movie Maker\shared\filters.xml
08/14/07 13:12:51 [Note]: 10002 3
08/14/07 13:12:51 [Info]: Hidden file: c:\Program Files\Movie Maker\shared\news.png
08/14/07 13:12:51 [Note]: 10002 3
08/14/07 13:12:51 [Info]: Hidden file: c:\Program Files\Movie Maker\shared\paint.png
08/14/07 13:12:51 [Note]: 10002 3
08/14/07 13:12:51 [Info]: Hidden file: c:\Program Files\Movie Maker\shared\profiles\blank.txt
08/14/07 13:12:51 [Note]: 10002 3
08/14/07 13:12:51 [Info]: Hidden file: c:\Program Files\Movie Maker\shared\sample1.jpg
08/14/07 13:12:51 [Note]: 10002 3
08/14/07 13:12:51 [Info]: Hidden file: c:\Program Files\Movie Maker\shared\sample2.jpg
08/14/07 13:12:51 [Note]: 10002 3
08/14/07 13:12:51 [Note]: 10002 2
08/14/07 13:12:51 [Note]: 10002 2
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\activity_speaker_states.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\border_bot.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\border_bot.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\border_left.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\border_left.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\border_right.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\border_right.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\border_top.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\border_top.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\button_chevron_down.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\button_chevron_up.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\capbuttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\columnheads.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\combo.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\combo_arrow.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\connect_chunkyanim.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\dark_connect_chunkyanim.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\dialbtn_pad.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\donotdisturb.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\games_close.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\grabbie.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\grabbie.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\groupboxedge.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\headerbg.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\icons_tbar_disabled.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\icons_tbar_hot.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\icons_tbar_normal.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\indigo.xml
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\itabs.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\menubar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\menubar_states.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\menuitem.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\menusearchbar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\menu_bg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\menu_scroll.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\menu_sep.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\mute_states.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\pab_abook_off.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\pab_abook_on.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\pab_add1.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\pab_mlist1_off.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\pab_mlist1_on.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\photoshare_slider.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\photoshare_slider_tray.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\scroll_vbg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\scroll_vhandle.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\scroll_buttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\scroll_griph.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\scroll_gripv.bmp
08/14/07 13:13:37 [Note]: 10002 3
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 09:37:49 PM
BlackLight part 2

08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\scroll_hbg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\search_bang.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\silver_bg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\slotborder.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\slotborder_we.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\slot_empty_bg.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\statusbar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_border_bot.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_border_bot.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_border_left.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_border_left.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_border_right.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_border_right.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_border_top.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_border_top.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tool_capbuttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\trackbar_thumb_vert.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\trackbar_thumb_up.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\trackbar_h.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\trackbar_thumb_down.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\trackbar_thumb_horz.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\trackbar_thumb_left.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\trackbar_thumb_right.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\trackbar_v.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\triangletray.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\checkbox.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\scroll_hhandle.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\statusgrabber.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\toolbarbuttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\typedown.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_10.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\up_down.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\up_down_arrow.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\up_down_h.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\up_down_h_arrow.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_3.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_7.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_4.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_8.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_5.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_9.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_2.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_6.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_tbar_hold.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_tbar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_tbar_incoming.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\Voice_Circle.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_callbtn.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_ctrls.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_0.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_1.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\preview_indigo.jpg
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\preview_indigo_intl.jpg
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\progressbar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\pushbuttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\radio.bmp
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 09:40:32 PM
BlackLight log part 3

08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\subhdrbg.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\subhdrbg_cls.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\subhdrbg_cls_hover.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\subhdrbg_hover.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\sys_menu.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tabs.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tabs_standard.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tab_border.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\tbar_sep.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\title.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\title_down.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\title_hover.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\title_up.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_dialpad_11.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_lights.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Indigo\voice_ringer.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\border_bot.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\border_bot.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\border_left.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\border_left.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\border_right.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\border_right.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\border_top.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\border_top.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\button_chevron_down.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\button_chevron_up.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\capbuttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\columnheads.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\combo.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\combo_arrow.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\dialbtn_pad.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\donotdisturb.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\games_close.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\grabbie.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\grabbie.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\groupboxedge.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\headerbg.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\icons_tbar_disabled.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\icons_tbar_hot.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\icons_tbar_normal.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\itabs.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\maverick.xml
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\menubar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\menubar_states.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\menuitem.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\menusearchbar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\menu_bg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\menu_scroll.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\menu_sep.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\pab_abook_off.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\pab_abook_on.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\pab_add1.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\pab_mlist1_off.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\pab_mlist1_on.bmp
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 09:43:00 PM
Part 4

08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\pab_mlist1_on.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\photoshare_slider.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\photoshare_slider_tray.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\preview_mavblue.jpg
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\preview_mavblue_intl.jpg
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\progressbar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\pushbuttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\radio.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\scroll_vbg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\scroll_hhandle.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\scroll_vhandle.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\scroll_buttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\scroll_griph.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\scroll_gripv.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\scroll_hbg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\search_bang.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\silver_bg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\slotborder.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\slotborder_we.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\slot_empty_bg.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\statusbar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\statusgrabber.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\subhdrbg.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\subhdrbg_cls.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\subhdrbg_cls_hover.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\subhdrbg_hover.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\sys_menu.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tabs.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tabs_standard.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tab_border.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tbar_bg.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\title.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\title_down.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\title_hover.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\title_up.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\toolbarbuttons.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_border_bot.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_border_bot.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_border_left.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_border_left.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_border_right.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_border_right.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_border_top.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_border_top.rgn
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tool_capbuttons.bmp
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 09:44:01 PM
part 5



08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\trackbar_thumb_vert.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\trackbar_thumb_up.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\trackbar_h.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\trackbar_thumb_down.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\trackbar_thumb_horz.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\trackbar_thumb_left.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\trackbar_thumb_right.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\trackbar_v.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\triangletray.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\checkbox.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\tbar_sep.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\typedown.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_11.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\up_down.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\up_down_arrow.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\up_down_h.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\up_down_h_arrow.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_3.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_7.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_4.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_8.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_5.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_9.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_2.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_6.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_tbar_hold.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_tbar.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_tbar_incoming.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_callbtn.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_ctrls.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_0.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_1.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_dialpad_10.png
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_lights.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:37 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\Maverick\voice_ringer.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:38 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\Graphics\preview_classic_msgr.jpg
08/14/07 13:13:38 [Note]: 10002 3
08/14/07 13:13:38 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\npYState.dll
08/14/07 13:13:38 [Note]: 10002 3
08/14/07 13:13:38 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\YAlertCenter.dll
08/14/07 13:13:38 [Note]: 10002 3
08/14/07 13:13:38 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\YbSkin2.dll
08/14/07 13:13:38 [Note]: 10002 3
08/14/07 13:13:38 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\YbSkinSelect.dll
08/14/07 13:13:38 [Note]: 10002 3
08/14/07 13:13:38 [Info]: Hidden file: c:\Program Files\Yahoo!\Shared\YbSkinSelectRes.dll
Title: Re: Avast stopped working, virus?
Post by: BJS on August 14, 2007, 09:46:15 PM
last blacklight log post


08/14/07 13:13:38 [Note]: 10002 3
08/14/07 13:13:38 [Note]: 10002 2
08/14/07 13:13:38 [Note]: 10002 2
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 3
08/14/07 13:13:43 [Note]: 10002 2
08/14/07 13:13:43 [Note]: 10002 2
08/14/07 13:21:10 [Info]: Hidden file: c:\WINDOWS\ime\shared\imlang.dll
08/14/07 13:21:10 [Note]: 10002 3
08/14/07 13:21:10 [Info]: Hidden file: c:\WINDOWS\ime\shared\res\PADRS404.DLL
08/14/07 13:21:10 [Note]: 10002 3
08/14/07 13:21:10 [Info]: Hidden file: c:\WINDOWS\ime\shared\res\padrs804.dll
08/14/07 13:21:10 [Note]: 10002 3
08/14/07 13:21:10 [Note]: 10002 2
08/14/07 13:21:10 [Note]: 10002 2
08/14/07 13:22:26 [Info]: Hidden file: c:\WINDOWS\system32\drivers\srosa.sys
08/14/07 13:22:26 [Note]: 10002 2
08/14/07 13:22:26 [Info]: Hidden file: c:\WINDOWS\system32\drivers\hidr.exe
08/14/07 13:22:26 [Note]: 10002 2
08/14/07 13:23:58 [Note]: 2000 1012
08/14/07 13:27:24 [Note]: 7007 0
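The BlackLight log posted above is almost entirely Yahoo! Messenger skin graphics, and the two entries that matter (srosa.sys and hidr.exe in the drivers directory) only appear at the very end. The following is an added example for this thread, not BlackLight's own code and not the helper's procedure: it parses "Hidden file:" lines of that format and sorts them into tiers so driver-directory executables come first. SAMPLE_LOG is a constructed excerpt in the log's format, and the allow-listed Yahoo! graphics tree is this example's assumption.

```python
"""Triage of the 'Hidden file:' entries in an F-Secure BlackLight log.

Added example for this thread; it is not BlackLight code and not the
helper's procedure. SAMPLE_LOG is a constructed excerpt in the format the
log above uses, and the allow-listed directory is an assumption.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_LOG = """\
08/14/07 13:13:37 [Info]: Hidden file: c:\\Program Files\\Yahoo!\\Shared\\Graphics\\Maverick\\tabs.bmp
08/14/07 13:13:37 [Note]: 10002 3
08/14/07 13:13:38 [Info]: Hidden file: c:\\Program Files\\Yahoo!\\Shared\\npYState.dll
08/14/07 13:21:10 [Info]: Hidden file: c:\\WINDOWS\\ime\\shared\\imlang.dll
08/14/07 13:22:26 [Info]: Hidden file: c:\\WINDOWS\\system32\\drivers\\srosa.sys
08/14/07 13:22:26 [Note]: 10002 2
08/14/07 13:22:26 [Info]: Hidden file: c:\\WINDOWS\\system32\\drivers\\hidr.exe
08/14/07 13:23:58 [Note]: 2000 1012
"""

HIDDEN_RE = re.compile(r"^\S+ \S+ \[Info\]: Hidden file: (?P<path>.+?)\s*$")
EXEC_EXT = {".exe", ".sys", ".dll", ".drv", ".ocx", ".scr", ".com"}
DRIVERS_DIR = "c:/windows/system32/drivers/"
WINDOWS_DIR = "c:/windows/"
# Assumption: this tree holds Yahoo! Messenger skin graphics that the
# installer marks hidden; nothing there loads as code.
BENIGN_PREFIXES = ("c:/program files/yahoo!/shared/graphics/",)
TIER_ORDER = ("critical", "system", "executable", "data", "benign")


def parse_hidden_files(log_text):
    """Return every path BlackLight reported as hidden, in log order."""
    paths = []
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def _norm(path):
    """Case-fold and switch to forward slashes so prefix tests are simple."""
    return PureWindowsPath(path).as_posix().lower()


def classify(path):
    """Tier one hidden path by where it lives and whether it is loadable code:
    critical   - driver directory (kernel-mode load, where srosa.sys sat)
    system     - anywhere else under c:\\windows
    executable - code outside Windows (needs a look, may be a legitimate app)
    data       - non-executable file outside the allow-list
    benign     - allow-listed resource tree
    """
    p = _norm(path)
    if p.startswith(BENIGN_PREFIXES):
        return "benign"
    if PureWindowsPath(path).suffix.lower() not in EXEC_EXT:
        return "data"
    if p.startswith(DRIVERS_DIR):
        return "critical"
    if p.startswith(WINDOWS_DIR):
        return "system"
    return "executable"


def triage(log_text):
    """Group hidden paths by tier, most urgent first, so the two driver
    entries surface ahead of hundreds of skin bitmaps."""
    tiers = defaultdict(list)
    for path in parse_hidden_files(log_text):
        tiers[classify(path)].append(path)
    return {t: tiers[t] for t in TIER_ORDER if tiers[t]}


if __name__ == "__main__":
    for tier, paths in triage(SAMPLE_LOG).items():
        print(f"{tier}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run it against the full log text and read the "critical" and "system" groups first; the "benign" bucket exists only so that a known resource tree does not bury the handful of entries an analyst actually needs to look at.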
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 14, 2007, 10:51:26 PM
ComboFix got rid of some of the rootkits and their friends, but we still have a few things to take care of.

Double-click OTMoveIt.exe to run it.  Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\trusted.exe
c:\WINDOWS\system32\drivers\srosa.sys
c:\WINDOWS\system32\drivers\hidr.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button. 
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next response.  It's OK if some of the files are not found.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Now open HJT and click to Do a System Scan Only.  When the scan is complete place a check mark next to these lines

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll (file missing)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe

O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)


Close all other windows, including your browser, and click Fix Checked.


After completing all of the above post fresh ComboFix and HJT logs, then see if you can reinstall avast! 

Some of this malware downloaded the evening of 11 August, about the same time as the Scrabble ActiveX that is in your HJT log.  Is Scrabble (and some other games) the program you referred to in your initial post when you first noticed the problems?
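The lines mauserme picks out fall into two kinds: registry entries whose target file is already gone ("(no file)" / "(file missing)"), fixed for tidiness, and one live autostart, [ratmn] C:\WINDOWS\ratmn.exe, fixed to stop the load. The following is an added example, not HijackThis code and not the helper's own method: a small parser that applies those two rules to HJT scan lines. SAMPLE_HJT reuses the lines quoted in the post above plus one constructed benign O4 entry for the jusched.exe that the first HJT log shows running; the "unusual launch directory" rule is this example's assumption.

```python
"""Triage of HijackThis scan lines.

Added example for this thread; it is not HijackThis code and does not
reproduce the helper's decisions. SAMPLE_HJT reuses the lines quoted in the
post above plus one constructed benign O4 entry; the 'unusual launch
directory' rule is this example's assumption.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumption: legitimate autostarts almost never sit directly in the Windows
# root or its temp directory; [ratmn] C:\WINDOWS\ratmn.exe is the case here.
ODD_LAUNCH_DIRS = {"c:/windows", "c:/windows/temp"}


def parse(text):
    """Return (code, body) for each HJT entry line, skipping blanks and headers."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def executable_of(cmd):
    """Pull the program path out of a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Return (reason, line) pairs worth fixing: entries whose target is gone
    (they load nothing; fix for tidiness) and autostarts launched from an
    unusual directory (fix to stop the load, then identify the file before
    deleting it)."""
    findings = []
    for code, body in parse(text):
        line = f"{code} - {body}"
        if any(body.endswith(marker) for marker in ORPHAN_MARKERS):
            findings.append(("orphaned entry, target file missing", line))
            continue
        if code == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = executable_of(m.group("cmd"))
                parent = PureWindowsPath(exe).parent.as_posix().lower()
                if parent in ODD_LAUNCH_DIRS:
                    findings.append(("autostart from unusual directory", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_HJT):
        print(f"[{reason}] {line}")
```

Fixing an O4 line in HJT only removes the Run value; the file it pointed at stays on disk, which is why the helper wants ratmn.exe scanned at VirusTotal before anything deletes it.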


Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 12:33:16 AM
Here is the results when I ran the moveit program



C:\WINDOWS\system32\trusted.exe moved successfully.
c:\WINDOWS\system32\drivers\srosa.sys moved successfully.
c:\WINDOWS\system32\drivers\hidr.exe moved successfully.
 
Created on 08/14/2007 16:29:05


Now I will follow the directions for the hijack log.  I am pretty good at following directions but to tell you the truth all this is WAYYY beyond me!  ;)

Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 01:31:55 AM
Yes, around the time I was downloading the Scrabble program is when I had the problem. That is what led me to believe it was a virus. 

Now I have another problem (I am on my computer now, not my wife's PC which has the problem)

I followed your directions and placed the checkmarks next to the lines and clicked fix.

I rebooted the system and now Windows only loads halfway and then stops (the blue moving line just stops after 8 - 10 seconds).  I tried safe mode but that didn't work.   We don't have the original XP program (it was a used PC)

I think we are close but now I can't get by the windows load up page!  ???

Title: Re: Avast stopped working, virus?
Post by: mauserme on August 15, 2007, 04:43:02 AM
First a little explanation of what we've done, then some thoughts on what happened and what we can try to fix the boot problem.

ComboFix does many things:  First it very specifically targets certain malware and puts those files it identifies in quarantine.  It did this with the files listed in the "Other Deletions" section of the log you posted.

It also lists files recently created with the idea that it cannot have signatures for every new variant of the malware it targets.  This list must be manually analyzed which is what led me to have you delete trusted.exe. 

Another function is a rootkit check which led to deletion of srosa.sys and hidr.exe (I should have included another file in this list of deletions but neglected to include it in the list - we would have picked this up with the second ComboFix run).  The two we deleted here also appear at the very end of the BlackLight log.

All of the things we deleted are related to a rootkitted version of a bagle trojan that was responsible for killing avast! (rootkit is a term for a program that hides another program), a couple of backdoor trojans, and some spyware.



With one exception the lines we fixed in HijackThis were all registry entries referring to files that were already gone.  I did this for tidiness - to make it easier to review subsequent logs and just to make things run better.  The single exception was this line

O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe

Removing this line by "fixing" it simply prevents ratmn.exe from loading when your computer starts.  We did not delete the file yet.  I have not been able to identify this file which in itself makes it suspicious.  It is most definitely not a Windows system file and, since you cannot find it when looking manually, appears to be one of the files the remaining rootkit may be hiding.  I would still like to scan it at Virus Total before deletion.



I think the boot problem is caused by something, probably malware, corrupting your operating system.   This can be seen in the very first lines of the ComboFix log

Quote
C:\WINDOWS\system32\chkdsk.exe not present

ADS removed - C:\WINDOWS\system32\ntoskrnl.exe: The system cannot find the file specified. 



Although the computer can boot without chkdsk.exe it cannot boot without ntoskrnl.exe.  ComboFix did not remove these files - it reported their absence.  I am somewhat surprised the computer made it through the previous boot. 

In order to fix this we need to replace ntoskrnl.exe and I think we may be able to use any XP installation disk to accomplish this.  Is your computer XP, and do you have the Windows disk for it?
Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 05:07:01 AM
I do follow what you are saying but unfortunately  :'(  my PC (which also has XP) was built by someone and they did load XP for me but not the software. I do not have any XP discs at all.  I did bring this up to my wife once (that we should get a copy of XP just in case).

Now we need it.......

So is there a way to circumvent by the load page? In safe mode it just keeps recycling over and over prompting me to choose a safe mode version or "last successful" something.

BTW, my computer also has Avast and (before the loading problem) I compared the folders.  I have the exe files for Avast but my wife's computer does not.

Title: Re: Avast stopped working, virus?
Post by: mauserme on August 15, 2007, 05:12:38 AM
Quote
In safe mode it just keeps recycling over and over prompting me to choose a safe mode version or "last successful" something.
If one of the options is Last Known Good Configuration (or similar wording) you can try that.

Is it possible to get a Windows CD from the person who built your computer?  You should have been given one.



Quote
BTW, my computer also has Avast and (before the loading problem) I compared the folders.  I have the exe files for Avast but my wife's computer does not.
This version of bagle kills avast! and other antivirus programs.  The files will continue to disappear until it is gone.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 05:26:20 AM
Yes, I tried Last Known Good Configuration but to no avail.  The person who built my PC is long gone, I am not sure why he did not at least give me a copy.  I might be able to get a copy but we are new to the area.  I will try though.....when I do I will post again. 

Thanks again, I know we are close!
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 15, 2007, 05:32:08 AM
Give me some time to think about this - there must be a way ...
Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 06:48:19 AM
What do you think about this?  Can I download it to disc and use it?



http://www.softpedia.com/progDownload/Boot-Editor-Download-1721.html
Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 07:10:58 AM
I downloaded the ntoskrnl.exe file from  driverguide.com.  Can I put that on disc?   ???


Title: Re: Avast stopped working, virus?
Post by: oldman on August 15, 2007, 08:00:45 AM
I spent the last hour or so reading up on this. It seems an XP disk is required so the Recovery Console can be accessed. From there the necessary repair can be made. It looks like any XP disk will work.

I don't think putting the file on a CD will help, 'cause Windows will be looking for an XP disk. But I leave that for others to comment on.

If there was some way to get to the command prompt, it may be possible to copy/replace the file.

These are just thoughts not suggestions. I'm sure others with more experience with xp will be along shortly.

The only real suggestion is to try to find, beg, borrow or steal an XP disk.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 08:21:35 AM
Yeah, that's kinda what I thought....I'll find one I'm sure.  My wife has friends not too far away that might have a copy.  This will be my quest this week....I feel like Sir Galahad now....
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 15, 2007, 01:18:19 PM
I think oldman is right.  The only other possibility I see is to remove the drive, install it as a data drive in a different computer, and copy the file to it.  But I don't know if this would work and there is a chance of infecting the other PC ...
Title: Re: Avast stopped working, virus?
Post by: denial44 on August 15, 2007, 03:15:14 PM
If they don't, PriceGrabber doesn't have bad prices for XP discs.  It depends on what you want. (Although they're $100 discs, just take really good care of them.)
xp pro
http://software.pricegrabber.com/windows-family-os/m/4197922/search=windows%20xp/qlty=o (http://software.pricegrabber.com/windows-family-os/m/4197922/search=windows%20xp/qlty=o)
xp home edition
http://software.pricegrabber.com/windows-family-os/m/477483/search=windows%20xp/qlty=o (http://software.pricegrabber.com/windows-family-os/m/477483/search=windows%20xp/qlty=o)
Just make sure you have a good case for it too because they're OEMs, which means they come in a bubbled sleeve with the CD key on a sticker stuck to the sleeve.

Stick with Avast too; it's the best antivirus I've seen (I've tried both Norton and McAfee (or however you spell it)). Avast is the only one out of the three that sticks out (in a good way) and it's free for non-commercial use.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 04:01:52 PM
Thanks,
I will either buy a copy or find a copy somehow.  And you're right about Avast. It is an excellent product (unless a dopey owner accidentally downloads a Bagle trojan that kills it)  :-\
Title: Re: Avast stopped working, virus?
Post by: oldman on August 15, 2007, 09:18:37 PM
A bit of good news. An uncorrupted backup copy of the file should still be on your computer. This file would be compatible with your service pack and patches and would also be the file restored through the Recovery Console.

Since you don't have an XP disk to access the console there are a couple of other ways this file might be restored. As mauserme suggested, slaving the hard drive and restoring the file. But I share his concern about the possibility of spreading the infection. However the risk may be minimal if done from the command prompt.

Another way would be to make a bootable CD that will allow you to view and edit an NTFS partition in DOS. This would eliminate the possibility of something spreading. I haven't found a totally free program for this yet, but did find one for a contribution of $4

http://www.bootdisk.com/ntfs.htm

In any of the three cases the commands would be DOS commands. I or others here can help you with the commands.

Before you try this I'd appreciate mauserme's comments since he's been helping you with your main problem.
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 15, 2007, 11:13:48 PM
This looks very promising to me - nice find.

This should open the door to several possibilities as there might even be two copies of ntoskrnl.exe on the computer - one in the dllcache and one on i386.  So a straight copy or a repair install could be possible if those copies are not infected or not also missing, and a copy from another computer might also work.

Oldman, do you feel comfortable working with BJS on this part?  It's a bit out of my normal area.



Title: Re: Avast stopped working, virus?
Post by: BJS on August 15, 2007, 11:18:46 PM
Thank you for taking the time to find it but I think I might have found someone nearby that has a copy of XP. I am going over there tonight.
If they don't have it I will look into the bootdisc that you mentioned in your post. If I went that route, I would need some assistance as I am not that familiar with DOS commands. I should know one way or the other by tonight...

Thanks again...
Title: Re: Avast stopped working, virus?
Post by: oldman on August 15, 2007, 11:38:53 PM
Good and good luck!

Keep in mind the best file for you to use is the one (actually there are 2 copies) in backup on your HD. As mentioned it will be compatible with your service packs and patches.

Again good luck and please post back your results.
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 16, 2007, 03:09:35 AM
If you have an XP disk now, give this a try

from:  http://www.computerhope.com/issues/ch000646.htm

Quote
Missing or corrupt ntoskrnl.exe file

If the ntoskrnl.exe file is corrupt or missing this can also generate the error. To restore this file follow the below steps.

Insert the Microsoft Windows XP CD. Note: If you have a recovery CD or a restore CD and not a Microsoft Windows XP CD it is likely the below steps will not resolve your issue.

Reboot the computer, as the computer is starting you should see a message to press any key to boot from the CD. When you see this message press any key.

In the Microsoft Windows XP setup menu press the R key to enter the recovery console.

Select the operating system you wish to fix, and then enter the administrator password.

Type expand d:\i386\ntoskrnl.ex_ c:\windows\system32

You will then be prompted if you wish to overwrite the file type Y and press enter to overwrite the file.

Type exit to reboot the computer.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 03:58:17 AM
Oldman,
I did not acquire a copy of XP (he just had backup files for his hard drive) so I paid $4 for the website you suggested. Which file will I burn to CD? According to what the owner of the website states, I have 24 hours to use these files and then they "will self destruct" ("Mission Impossible theme")

I will burn the file (files) that you tell me and then insert them in the "sick" PC

Thanks!
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 04:14:53 AM
It should be the last one on the page.

http://www.bootdisk.com/popfiles.htm

"NTFS Read/Write Bootdisk And Bootable CDs | Read, Write, Copy, Delete, And Edit files on NTFS drives or partitions from a DOS boot. No A: drive needed to create the bootable CD. Read ntfsboot.txt in the zippack for complete directions. "

@mauserme

Sorry I missed your post. Yes, no problem.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 04:19:31 AM
OK, I downloaded this file "NTFSboot Bootable 1.44 And CDs to read/write to NTFS drives. Includes special ISO w/cdrom drivers to add your own files to."

to my desktop. I will burn it to CD. After that I might need some step by step directions. My PC is on the other side of the house so I might have to run back and forth....(I need the exercise anyway) :P
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 04:28:28 AM
I have one question. There are 5 files in the folder... an MS-DOS application "Bootdisc", a WinImage self-extractor file "NTFS boot", a text document and 2 ISO files. I want to burn all of these on CD, correct?
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 04:30:05 AM
The text document should be the instructions for making the cd.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 04:35:39 AM
OK thanks, I will update when done...
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 04:49:00 AM
Ok, I burned the files on CD using Nero. Should I insert the CD into the "sick" computer now?  ???

I also have the ntoskrnl file that I can burn separately if need be.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 05:00:44 AM
Ok, we'll try to use the backup on the HD first. The CD is ready to go? If so, make sure that the computer is able to boot from CD (most are). It's a BIOS setting. Somewhere on the startup screen it will tell you which key to push to enter setup. Once the computer is set to boot from CD, shut the computer down and insert the CD. Turn on the computer.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 05:08:54 AM
So far so good. I inserted the CD and now have the DOS prompt.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 05:17:05 AM
Good

It looks something like this?

d:\

with a flashing cursor behind it

If so

Anything I put in () is an instruction, for example (space) means a space and (enter) means the enter key.

Ok

type
c: (enter)
cd(space)windows(enter)
cd(space)driver cache(enter)
cd(space)i386(enter)

Go that far for now. You should have a line that looks like this
c>c:\windows\driver cache\i386

If you have that we'll continue.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 05:51:40 AM
Well, I got as far as the windows prompt but when I put in the command "CD (space) driver cache" it said "access denied"
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 06:02:52 AM
That's strange?? Three steps away. I don't know why you would get that message. Hang on, I'll come up with something else shortly.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 06:07:06 AM
This is what was on my screen

[DR-DOS] c:\windows>cd (space) driver cache

access denied

Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 06:13:53 AM
Here is the text document from the files I copied

www.bootdisk.com


NTFS4DOS Private is a free utility from http://www.datapol.de/dpe/freeware/

It's basically a driver which allows both reading and writing to NTFS
partitions/drives after booting from a dos 7.X bootdisk. To make better
use of the utility I've created both a bootdisk and bootable CDrom .iso
and included additional utils like Edit and Deltree.

This zippack contains 4 files. ntfsboot.txt, ntfsboot.exe, ntfsboot.iso,
and ntfswcdd.iso

ntfswcdd.iso is another version of the bootable cd. It includes cdrom
drivers so before you burn it one can add files to the .iso that you
may want to copy to your ntfs drive. The files you add will be seen in
Drive R:

The 1.44 bootdisk in this pack is an Image of the bootdisk I created. To
construct the disk, put a brand new disk in your A: drive and click on
ntfsboot.exe If you are creating the 1.44 in XP, I'd format the floppy
first then click on ntfsboot.exe

To create a bootable CDrom disk, use UltraISO or other application that
can properly handle .isos. Note that converting an .iso to a bootable cd
is NOT as simple as copying the .iso to the cd. Your burning program HAS
to support the proper burning/creating of .iso images.

For example in Nero it's File | Burn Image. In UltraISO it's File | Open
| Tools | Burn CD Check the docs of your burning program for details.

The .iso you want to point to is called ntfsboot.iso

To add files to the ntfswcdd.iso file one can also use UltraISO.

How to:

File | Open | Select ntfswcdd.iso | Open | Image windows shows bootable |
Select your files in the lower window | Drag to the top window | File |
Save

Note that oddly, the file size of ntfswcdd.iso may not change.

To burn:

File | Open | Click on ntfswcdd.iso | Open | You'll see the files you added
on the right | Tools | Burn



Notes:

1. When using ntfs4dos or my disks, you'll be prompted as the driver runs,
type Y to agree, do NOT type YES.

2. The standard DIR and DEL commands will NOT work 100%. That's why I've
included deltree to use when you want to delete a single file. The command
would be:

deltree yourfile.txt

Deltree can also be used to delete entire folders, so be careful.

If you created the ntfswcdd CD and added files to the iso, you'll find
it's best to use xcopy to copy files instead of the plain copy command.

3. I've also included Edit so you can modify files if you wish, like the
boot.ini or win.ini file for example. Remember, if you open a file with
Edit that is NOT a text file, [yes, .inis are text files] and then SAVE
it you will DESTROY the file. However, one can safely view all types of
files with Edit.

4. A special version of chkdsk is included to fix any problems.

5. If you simply wish to copy standard 8+3 files to and fro from any
drive to the NTFS drive there's no problem.

6. ntfs4dos Private will NOT display long filenames.

7. attrib is also included. Remember some files on your ntfs drive may
be hidden. To see them use dir /ah


If you want to print this use Wordpad, not Notepad

________________________________

Kindest regards,
Ed Jablonowski
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 16, 2007, 06:21:56 AM
Oldman, what if you put the file directly in c:\windows\system32  ?
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 06:23:22 AM
You read my mind. I was just about to get him to see if he can access the system32 folder.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 06:30:44 AM
At the c:\windows> prompt

type cd(space)system32(enter)


What I came up with so far is

http://support.microsoft.com/kb/810881

Unfortunately, you have to be able to get Windows to do the fix described there. Another possibility is that a virus/trojan has locked the folder by adding an attribute.

If he can access the system32 folder then we can try adding a copy to the folder. Maybe from his machine. If not, then we'll have to find a way around it.  ;D
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 16, 2007, 06:42:37 AM
If he can access the system32 folder then we can try adding a copy to the folder. Maybe from his machine.
I think this may be the appropriate next step. 
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 06:52:51 AM
Yes. But reading the instructions for making the bootable CD, he may have to make another one with the file included. Is that how you read it?
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 16, 2007, 06:59:38 AM
Yes, unless the file can be added to the CD he already has. I would try that first.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 07:10:25 AM
 ;D Success!

This is what my screen shows now

[DR-DOS] c:\windows\system32>

is this good?

Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 07:16:37 AM
You bet!!!

Ok, try to add a file from your computer to the bootable CD. If you can't, then you may have to make another with the file on it.

The file you need is c:\windows\driver cache\i386\ntoskrnl.exe

Follow the instructions for the CD.

You may be able to add the file. Try putting it in your computer and opening it.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 07:44:56 AM
Ok, I do need to burn the CD again to add that file. On my computer the ntoskrnl.exe file is located in folder C:\WINDOWS\system32

I will burn the CD again and add the file. Once that is done can I just put the CD back in the tray of the other computer or do I need to reboot?
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 07:49:51 AM
That's one copy. It will do.

Make your disc and I will post the copying instructions. Is the CD recognized as d:\ or a different letter, and is the sick computer still turned on?
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 07:56:11 AM
OK, I burned a new CD with the new file. The sick computer is still on and it shows the last prompt as:

[DR-DOS] c:\windows\system32>
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 08:01:41 AM
Ok, that was quick. I need to know the path of the file we are going to add.

type
x:(enter)      Where x is the letter that the CD was recognized as when you first booted the laptop.

dir(space)\p(enter)

post back if the file ntoskrnl is shown or not
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 08:32:44 AM
This is odd.

Initially the drive that was being read was A:\>
but when I went to drive A and typed dir \p it said there were 0 KB
I went back to my PC and the CD still had all the files?? Why would it say it had 0 KB when there is data on the CD?
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 08:51:47 AM
I don't know. But from the text file that came with the software: "2. The standard DIR and DEL commands will NOT work 100%"

A and B are usually reserved for floppies, but if that's what you saw then a:\ it is. If a:\ wasn't a valid or ready drive you would have received a message stating so.

Since you are in the a: drive, we'll do the following

xcopy(space)a:\ntoskernl.exe(space)c:\windows\system32(enter)

You may get a message like "do you want to overwrite existing file". If so type y and hit enter.

If there were instructions for exiting, use them. If not, remove the CD and give the computer the three finger salute (control, alt, del at the same time). Cross said fingers, say a prayer and hopefully your computer will boot.

Post back with the results. It's late here and I've got an early morning. We can carry on tomorrow.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 08:54:07 AM
TYPO in post above

xcopy(space)a:\ntoskernl.exe(space)c:\windows\system32(enter)

should be

xcopy(space)a:\ntoskrnl.exe(space)c:\windows\system32(enter)

Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 08:55:32 AM
Thanks, I will do it and post my results for you to read in the morning. Thanks for all the help...
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 09:00:49 AM
You're very welcome and good luck.

If you get a "file can't be found" error, put the CD back in your computer and copy down the exact path. Then try again. The drive letter will still be a:\ when you put it back in the sick one.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 09:15:14 AM
Well, we gave it a good try anyway.

I typed in the xcopy command, crossed my fingers and.....it said "this program cannot be run in DOS mode"

I guess it is back to finding a copy of XP eh? 
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 11:06:52 AM
"ntfswcdd.iso is a another version of the bootable cd. It includes cdrom
drivers so before you burn it one can add files to the .iso that you
may want to copy to your ntfs drive. The files you add will be seen in
Drive R: "

Looking at the documentation again I found the above. Could you try again? Boot with the CD and use the same path but substitute the a:\ with r:\

xcopy(space)r:\ntoskrnl.exe(space)c:\windows\system32(enter)

It's a strange error as xcopy is a DOS command.
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 16, 2007, 01:26:21 PM
I wonder if the copy command would work better than xcopy. Copy is an internal command while xcopy is external, and that may make a difference under these circumstances.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 02:47:41 PM
He can try it. I was just going by the documentation. The author said xcopy worked better.

@BJS

Try the dir command again after you boot with the CD. Maybe booting it loads some of the program.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 16, 2007, 04:55:19 PM
Ok, let's try this one more time.

Sorry but the brain was getting foggy last night. I had my morning coffee, better now.

I should have gotten you to reboot with the new CD. I think not doing so accounts for the 0 bytes with the dir \p command and the "program cannot run..." error. The program that was trying to run was probably the program on the CD. It didn't even get to the xcopy command.

So restart the computer with the new boot disk, and at the command prompt

type

copy(space)a:\ntoskrnl.exe(space)c:\windows\system32(enter)

If you get a "file not found" error, try r:\ as the source drive as per the documentation. The boot disk program may have created an r:\ partition on it.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 09:18:38 PM
Ok will do...
Title: Re: Avast stopped working, virus?
Post by: BJS on August 16, 2007, 09:50:01 PM
I tried your recommendations but it still won't work. I think the problem is the boot CD. The original one (without the ntoskrnl.exe file) booted up fine with no problems. The second CD (with the ntoskrnl.exe file) did not boot. I tried using the original bootdisc (so I could get into DOS) and then I replaced it with the second bootdisk to see if it would work. I ran dir but it still read 0 files. I double-checked the files on the second bootdisk on my computer and all the files were listed on the CD (including the ntoskrnl.exe file).
I do not know why the dir command would not recognize the files.

I tried copy instead of xcopy and it said that 0 files copied (instead of "cannot do this in DOS").
I tried the r drive and it did not recognize it.

I am fairly certain that I can borrow a copy of XP sometime next week. That might be the best route.
I just don't want to waste your or Mauserme's time. I do appreciate all the help though.
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 16, 2007, 10:36:23 PM
I am fairly certain that I can borrow a copy of XP sometime next week. That might be the best route.
I just don't want to waste your or Mauserme's time. I do appreciate all the help though.
You are not wasting anybody's time. We're here because we want to help, and learn. Right now it's a learning experience. We'll get back to helping in a while  :)

I'm inclined to recommend a repair install of the operating system at this point unless oldman has other ideas. Besides ntoskrnl.exe we know chkdsk.exe was reported missing and you were getting errors prior to starting the malware removal. If reinstalling ntoskrnl.exe could have been a quick fix that would be one thing, but apparently it's not going to be that easy.

A repair install will require an XP disk and product key, but let's wait for oldman's input.
Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 17, 2007, 12:58:11 AM
A repair install will require an XP disk and product key, but let's wait for oldman's input.
Overinstallation can solve the problem and you won't lose your programs, settings, data, files, etc.
Just choose 'Repair' installation of Windows and install 'over' the old installation.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;315341
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314058
http://www.webtree.ca/windowsxp/repair_xp.htm

After that, visit Windows Update and install ALL security patches/updates.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 17, 2007, 02:12:03 AM
I echo mauserme's sentiments. It's a learning experience for everyone, no matter if things seem to be going south. That happens sometimes. But even then something is learned. I thought perhaps we'd stumbled on to something here, how to get around some of Windows' security. The access denied error.

Anyway, an overinstall may be the route to go given the number of errors you had before and who knows how deep the problem goes. That's the nice thing about XP, you can overinstall without losing your data.

What about the nasty critters living on the hard drive now? Will they wreak havoc with an overinstall? I once had an experience with Sasser that let you think you were running the restore discs.

I'm going to look at the documentation for the bootcd again. There should have been a version of check disk included.

Stay tuned, we're still ready to assist.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 17, 2007, 02:56:23 AM
Ok, I appreciate it!  I will post as soon as I do the overinstall, and thanks for the microsoft links Tech™
Title: Re: Avast stopped working, virus?
Post by: oldman on August 17, 2007, 03:30:18 AM
@ BJS

I looked at the documentation again and it looks as follows

ntfsboot.txt is the documentation

ntfsboot.exe is for making a bootable floppy (maybe accounts for the a:\ drive)

ntfsboot.iso is a boot disc

ntfswcdd.iso is also a boot disc; if you want to add files you would use this one. It has CD drivers so you can copy files to your HD. The files have to be added to the iso file itself, not just to the disc.

So you can make a bootdisc using either file.

I see the instructions for adding files to ntfswcdd.iso using UltraISO, but none for Nero. The file, in this case ntoskrnl.exe, should show up as being on R:\. So if you know how to add files in Nero, this is the file to burn.

If you are still willing to continue, and your files are still usable, I suggest the following

Open Nero and burn ntfsboot.iso. We know either Windows security or a critter is preventing access to the driver cache folder, but you could at least run checkdisk, chkdsk(space)c:, if mauserme thinks it worthwhile. There are some switches that can be used to fix, report, etc.

If you can figure out how to add a file to an .iso with Nero, then ntfswcdd.iso would be the way to go.

I think the reason the author says xcopy may work better is that it is capable of copying a 0 byte file where copy is unable to do so. The author states that the iso file doesn't change size when files are added to it.

There is a free trial version of UltraISO available; the only limitation I see for it is file size. Can't seem to find what the size is.

As to why the second disk didn't work, I'd say if you put all the files on the CD, ntoskrnl may be trying to run.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 17, 2007, 03:43:59 AM
It looks like you are going the overinstall route. That's okay, it's probably the best choice. What we were doing may or may not have worked. Once I get my XP machine going, I intend to try what you were doing. It's mostly curiosity to see if one can do quick patch jobs, just to get going again.

Anyway, for what it's worth, the above post is my take on what the files are.
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 17, 2007, 04:46:20 AM
It looks like you are going the overinstall route. That's okay, it's probably the best choice.
I think it's going to come to this in the end, so we might as well make it the plan now.

@Tech™ - Since when did you get trademarked?  ;D
Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 17, 2007, 03:42:20 PM
@Tech™ - Since when did you get trademarked?  ;D
I hate imitations ;D
Title: Re: Avast stopped working, virus?
Post by: BJS on August 17, 2007, 08:59:37 PM
Quote
Once I get my XP machine going, I intend to try what you were doing. It's mostly curiosity to see if one can do quick patch jobs, just to get going again.

Oldman, I could send you the files for the bootdisk if you want to try it out...
Title: Re: Avast stopped working, virus?
Post by: oldman on August 18, 2007, 06:45:22 AM
Thanks, I'd appreciate that. I'd like to try it out and see just how much you can do from DOS. There might be something there for people caught like you. I'm in the same boat, XP, but the disk (used) looks like it was used for a coaster or a frisbee.

Can you just email them please? I'll PM my address. Thanks again and let us know when you get the disk.
Title: Re: Avast stopped working, virus?
Post by: Badr on August 18, 2007, 03:39:09 PM
I found this thread through a Google search whilst dealing with a terribly infected PC with this rootkit you are dealing with here. First of all, thanks all of you for the log files in this thread. They really helped me figure out what was going on. I was called out to fix a computer that crashed while booting (just like the system discussed here) and kept on rebooting automatically in safe boot (regardless of the do-not-automatically-reboot option being on or off).

I found all these bogus drivers like srosa.dll/sys and other files, just like in the log files. I use this Utility CD by a guy called ASM51 as an emergency boot CD (the Utility CD can be found on the forums of sharevirus.com or generally on the edonkey network). With that I managed to remove those files and registry entries belonging to the rootkit. But all to no avail, the system kept on crashing.

Until it hit me, ntoskrnl.exe wasn't deleted in this case. I could find it in windows\system32 but when I went to check the dates on the file, I saw it was created/modified on August the 14th, the day the PC got infected. Bull's eye.

Luckily there were other copies of ntoskrnl.exe on the hard drive, because of service pack updates and corresponding backups done earlier. Using the Utility CD interface, I copied one of those ntoskrnl.exe to the windows\system32 folder after renaming the infected file et voila, the system started up like normal! Hope it may be of some help to others with similar problems!
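Badr's check above (a live ntoskrnl.exe whose timestamp lands on the infection date, then restoring one of the backup copies oldman named) can be automated. The script below is an added example written for this thread, not code from any poster or from the tools mentioned; it hashes the live kernel against the dllcache and Driver Cache\i386 copies, flags the live copy when it matches none of them or was modified at or after the suspected infection time, and names a backup to restore from. The Windows tree it examines in `build_demo_tree` is constructed here with placeholder file contents, and the infection time is a constructed epoch value, so it runs offline; pointing `assess` at a real `C:\WINDOWS` directory is the intended use.

```python
"""Compare a machine's live ntoskrnl.exe against the backup copies XP keeps.

Added example for this thread (not the posters' code). Backup copies can
legitimately differ from one another (RTM build vs service-pack build, as
noted in the thread), so the live copy only has to agree with ONE backup;
agreeing with none, or a modification time at/after the infection, is the
signal Badr used by hand.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Live kernel and the backup copies, relative to the Windows directory.
LIVE = os.path.join("system32", "ntoskrnl.exe")
BACKUPS = [
    os.path.join("system32", "dllcache", "ntoskrnl.exe"),  # Windows File Protection cache
    os.path.join("Driver Cache", "i386", "ntoskrnl.exe"),  # driver cache copy
]


@dataclass
class KernelCopy:
    path: str
    sha256: str
    size: int
    mtime: float


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path: str) -> Optional[KernelCopy]:
    """Hash, size and modification time of one copy, or None if it is absent."""
    if not os.path.isfile(path):
        return None
    st = os.stat(path)
    return KernelCopy(path, sha256_of(path), st.st_size, st.st_mtime)


def assess(windows_dir: str, infection_time: Optional[float] = None) -> Dict[str, object]:
    """Return {'verdict', 'reasons', 'restore_from'} for the kernel under windows_dir.

    verdict is one of 'no-live-copy', 'no-backups', 'match', 'suspect'.
    restore_from is the first backup found when the live copy is missing or
    suspect (the dllcache copy is preferred because it is listed first).
    """
    live = describe(os.path.join(windows_dir, LIVE))
    backups = [c for c in (describe(os.path.join(windows_dir, p)) for p in BACKUPS) if c]
    reasons: List[str] = []
    first_backup = backups[0].path if backups else None

    if live is None:
        return {"verdict": "no-live-copy",
                "reasons": ["ntoskrnl.exe missing from system32"],
                "restore_from": first_backup}
    if not backups:
        return {"verdict": "no-backups",
                "reasons": ["no backup copies found; an XP CD (expand ntoskrnl.ex_) is needed"],
                "restore_from": None}

    if not any(b.sha256 == live.sha256 for b in backups):
        reasons.append("live kernel hash matches none of %d backup copies" % len(backups))
    if infection_time is not None and live.mtime >= infection_time:
        reasons.append("live kernel modified at or after the suspected infection time")

    return {"verdict": "suspect" if reasons else "match",
            "reasons": reasons,
            "restore_from": first_backup if reasons else None}


def build_demo_tree(root: str, tampered: bool = True) -> float:
    """Constructed sample tree (placeholder bytes, NOT real kernels). Returns the constructed infection time."""
    good = b"MZ" + b"\x00" * 64 + b"constructed-good-kernel"
    bad = b"MZ" + b"\x00" * 64 + b"constructed-tampered-kernel"
    t0 = 1_187_000_000.0  # constructed epoch time (mid-August 2007)
    for rel, data, mtime in [
        (LIVE, bad if tampered else good, t0 + 86400 if tampered else t0),
        (BACKUPS[0], good, t0),
        (BACKUPS[1], good, t0),
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return t0 + 3600  # infection believed to start an hour after the backups were written


def demo(tampered: bool = True) -> Dict[str, object]:
    """Build the constructed tree in a temp dir and assess it."""
    root = tempfile.mkdtemp()
    return assess(root, infection_time=build_demo_tree(root, tampered))


if __name__ == "__main__":
    print(demo(tampered=True))
    print(demo(tampered=False))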
```

On a real machine, `assess(r"C:\WINDOWS", infection_time=...)` run from a clean boot environment reports which backup to restore; the hash comparison is the part a timestamp alone cannot give you, since a file can be replaced with its original timestamp preserved.
<test>
r = demo(tampered=True)
assert r["verdict"] == "suspect"
assert len(r["reasons"]) == 2
assert "dllcache" in r["restore_from"]
assert r["restore_from"].endswith("ntoskrnl.exe")
c = demo(tampered=False)
assert c["verdict"] == "match"
assert c["reasons"] == []
assert c["restore_from"] is None
</test>
Post by: mauserme on August 18, 2007, 03:43:34 PM
Thank you Badr, and welcome to the forum.

Can you post direct links?
Title: Re: Avast stopped working, virus?
Post by: Badr on August 18, 2007, 04:39:09 PM
Thanks!

If you're referring to the Utility CD, I can post links, just don't know if it's allowed:
ed2k://|file|UTILITY%20CD%208cm%20(asm51)%20v11.30%20ISO.zip|163954088|961803D3205658917520F36D635EF9F1|/

I've been using it since the earlier versions, it always comes in handy. I do believe however the same can be accomplished with BartPE, WinPE or similar boot-of-the-cd solutions. The Utility CD uses Winternals ERD Commander 2005, which is no longer sold as such since being taken over by Microsoft.
Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 18, 2007, 05:17:42 PM
ed2k://|file|UTILITY%20CD%208cm%20(asm51)%20v11.30%20ISO.zip|163954088|961803D3205658917520F36D635EF9F1|/

If this edonkey link is infected or is of a pirated file, better not to post it here...
Title: Re: Avast stopped working, virus?
Post by: oldman on August 18, 2007, 07:38:05 PM
Well, that does look promising, though the permissions may still be an issue in BJS's case.

There should be two files in cab folders in the i386 folder. One in spx.cab (x = service pack installed) and one other. These were the ones we were trying to get to, but alas the access denied error.

Which file did you use?

I checked on an XP machine and found the following:

The two files are different in size, the one in the spx.cab was about 2300b and the other about 1900b. I think the smaller was the original ntoskrnl.exe installed and the larger a reflection of the service pack installed.

BJS did say he downloaded a copy of ntoskrnl.exe. This would probably be an XP no service pack version and would be the same as would be extracted from an XP disk.

I think using UltraISO to add that file to ntfswcdd.iso and burning just that iso to a CD may produce similar results as Badr had.

If BJS sends me the files, I'll try it. Or if he's willing to give it one more try....
Title: Re: Avast stopped working, virus?
Post by: BJS on August 19, 2007, 08:50:33 PM
OK, I found someone nearby that has an XP disc with an OEM number.
I have never overinstalled XP. We have ALL of our family pictures on my wife's PC and my wife is worried that the overinstall will erase all of them. When I put the XP disc in the tray, will it automatically install? Or will it give me some options? How can I make sure we keep all our documents and programs?
I don't want to try anything yet before I am informed about the process.

Thanks
Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 19, 2007, 10:13:14 PM
When I put the XP disc in the tray, will it automatically install?
Choose repair or update options. Do not format your disk and you won't lose anything (just windows updates that you can download again later).

How can I make sure we keep all our documents and programs?
Do NOT format the disk and your files will remain there.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 19, 2007, 11:53:50 PM
Hello, I chose the repair option and after scanning some files, it took me to a DOS command prompt.
It said "which windows installation would you like to log onto? (to cancel press enter)"

The option for repair was "r" but when we entered that in the DOS screen it said invalid.

When we pressed enter it just tried to boot but nothing was fixed.

What would I enter at the prompt? ???
Title: Re: Avast stopped working, virus?
Post by: BJS on August 20, 2007, 12:13:32 AM
Below is from another forum (in RED). He had the same question as me. I guess I chose "repair" too early.
Now I am at the screen in which I have 3 choices. Here they are.

1: To set up XP press enter

2: To create a partition in unpartitioned space, press C

3: To delete selected partition press D

> I've never had a problem running "Repair" with XP installation disk on my
> old computer but on my month old Dell I'm running into a problem... On my
> old computer I would just type "R" and it would go into the repair mode..
> Now with my month old Dell 8400with XP Home SP2 included I run the repair
> as I previously did I press "R" I get a:
>
> "Microsoft Recovery Console "Typr Exit to quit Recovery Console.
> 1:C:\Windows
> Which Windows installation would you like to log onto
> (To cancel, Press ENTER)"
> I found typing 1 and enter brings me to:
> "Type Admin. Password"
> I have no password set so I just hit enter and I get:
> "C:\Windows>"
>
> Below is the procedure I usually used to repair on my old computer..
> ------------------------------------------------------------------------------------------------
> "Boot with the Windows XP CD and at the Setup Screen press the Enter Key
>
> You will be taken to the Windows XP Licensing Agreement. After reading the
> agreement press F8 to proceed
>
>
>
> The next screen gives you the option to do a fresh (clean) install or to
> "Repair the selected Windows XP installation." Press "R"
>
> Windows XP will copy the necessary files to your Hard Drive to begin the
> installation and will then reboot. You will see the message that informs
> you to "Press any key to boot the CD". Do not press any keys this time
> just
> wait a few seconds and the Windows Startup Screen will be displayed.
> Following this you will be greeted by the Windows XP Setup Screens.
>
>


You're selecting "Recovery Console - Repair" too early in the process. Be
patient and continue to press "enter/proceed" as if you planned to perform a
clean install.

You eventually reach a 4th or 5th menu which allows you the true "repair"
option w/o the recovery console.

I suspect this is what you're seeing.

hth

Stew

PaulT
2005-05-19, 4:46 pm

SLewis you're on the money,,,, my bad.. thank you....
Title: Re: Avast stopped working, virus?
Post by: oldman on August 20, 2007, 12:33:53 AM
Hi

Here's a link on how to run a repair install

You have to scroll down to find it. It's about 11th up from the bottom of the topics, counting from how to access safe mode.

http://www.webtree.ca/windowsxp/repair_xp.htm#How%20to%20Repair%20Windows%20XP%20by%20Installing%20Over%20top%20of%20Existing%20Setup:
Title: Re: Avast stopped working, virus?
Post by: BJS on August 20, 2007, 12:54:47 AM
Great site, just what I needed, thanks OM  ;D

(I will let you know when I am done)
Title: Re: Avast stopped working, virus?
Post by: oldman on August 20, 2007, 12:55:56 AM
Sounds good and good luck!!
Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 20, 2007, 12:57:51 AM
Hello, I chose the repair option and after scanning some files, it took me to a DOS command prompt.
It said "which windows installation would you like to log onto? (to cancel press enter)"
This is the Windows Recovery Console... it won't be installed there.
Can you boot into XP and use the CD? If so, you can run install.exe from it and choose to update.
If you can't boot into your disk and use the CD, you must boot with the CD and choose a way to install Windows.
In the links I've posted before there is some info.

The option for repair was "r" but when we entered that in the DOS screen it said invalid.
Choose the option to install (and not repair), after that you would receive an option to install in the same partition that you have installed before, you can go further. You just do not format the disk.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 20, 2007, 05:06:29 AM
FINALLY ;D 
I needed to call my brother-in-law (who is a computer programmer) and I told him that I had a copy of XP but it would not let me do a repair. I had tried to copy the ntoskrnl.exe file from the XP CD to the C: drive but it didn't work.  That is because I did not copy it to the windows\system32 folder.  We had to use the expand command to find the file and I had to copy it using ntoskrnl.ex_, but in the end it worked!
Now that I can get into windows, I am going to do the repair as Tech advised from the XP CD. I will post my results (good or bad)

Thanks again
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 20, 2007, 05:25:34 AM
Now that I can get into windows, I am going to do the repair ...
Is your wife's computer booting to Windows now? 
Title: Re: Avast stopped working, virus?
Post by: BJS on August 20, 2007, 05:34:31 AM
Yes it is, I am now doing an overinstall from the CD
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 20, 2007, 05:41:25 AM
Well, if you haven't started we may be able to get around that, but if it's already started don't interrupt it.  If the product key is on a sticker on the computer case use that instead of the key on the CD, then install as many of the Windows updates as you can.

Title: Re: Avast stopped working, virus?
Post by: BJS on August 20, 2007, 06:48:30 AM
OK, I am back at my wife's (infected) PC. Right now I am updating the XP SP2 patch.
Once this is done, I think we can resume what we were working on last week, which was to get rid of some rootkits and get Avast back in.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 20, 2007, 07:54:54 AM
Good. Sounds like you used the recovery console. You could have gotten the file from the i386 folder, but the one on the disk is known to be clean.

Good luck the rest of the way.

Title: Re: Avast stopped working, virus?
Post by: BJS on August 20, 2007, 08:03:40 AM
Thanks, that whole process wore me out....I'm hitting the sack now...I will check in tomorrow PM.. :P

(Once this PC is "healed" we will definitely be making recovery cd's as well as a copy of XP)
Title: Re: Avast stopped working, virus?
Post by: oldman on August 20, 2007, 08:24:21 AM

(Once this PC is "healed" we will definitely be making recovery cd's as well as a copy of XP)

Good plan. Something else to look into is something like Acronis True Image, Go Back, etc. Well worth the bucks.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 20, 2007, 09:19:31 AM
Thanks Oldman, I'll remember that.

I thought I was going to bed but I figured I would check msconfig and see what startup programs were running on her computer.

Guess what? You know that "bagle trojan" that Mauserme saw I had? It was in my startup programs.
It was named "wintems.exe". I looked it up. I don't have it in startup anymore but I am sure it is still on my hard drive somewhere.   I also found another startup program named vsnpstd2.exe.  I guess that is some sort of spyware.

Now I am going to bed....
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 20, 2007, 01:30:23 PM
Since the repair install leaves all the data, etc intact the malware that was remaining before we got sidetracked is also still there.  This was expected.

If you want to, back up the family pics to CD or DVD.  Then post fresh ComboFix and HJT logs (run in that order).


EDIT:  Looking at your first ComboFix log (way back on page 2  :o ) shows that C:\WINDOWS\system32\wintems.exe was deleted but the registry key that called it was one of the things I wanted to get.  If that key is gone now we're a little farther along than I expected, but for sure we'll double check.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 22, 2007, 10:02:40 PM
Sorry I have been MIA.  I reinstalled XP and installed XP SP2 on my wife's computer and now I cannot download the Windows Installer and therefore cannot install any security updates. That, combined with having no Avast, has made me hesitant about going online with my wife's computer.

Those problems aside, here are my new ComboFix and HJT logs...

Also, if I made restore discs for all of our files (pictures, documents, programs etc.) and then formatted our computer clean and reinstalled XP (along with our restore discs), would that take care of some problems? Or would we still be infected from the restore discs?


ComboFix Log

ComboFix 07-08-14.4 - "Ben" 2007-08-22 13:44:54.2 - NTFS  x86
C:\WINDOWS\system32\chkdsk.exe not present


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Ben\Desktop.\internet explorer.lnk


(((((((((((((((((((((((((   Files Created from 2007-07-22 to 2007-08-22  )))))))))))))))))))))))))))))))


2007-08-21 17:18   27,648   --a--c---   C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-21 17:18   23,040   --a--c---   C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-21 17:18   17,408   --a--c---   C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-21 17:18   116,224   --a--c---   C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-21 17:17   99,865   --a--c---   C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-21 17:17   8,832   --a--c---   C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-08-21 17:17   8,192   --a--c---   C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-21 17:17   4,608   --a--c---   C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-21 17:17   19,455   --a--c---   C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-21 17:17   16,970   --a--c---   C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-21 17:17   154,624   --a--c---   C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-08-21 17:17   12,063   --a--c---   C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-21 17:16   87,040   --a--c---   C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-21 17:16   771,581   --a--c---   C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-21 17:16   701,386   --a--c---   C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-21 17:16   53,760   --a--c---   C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-21 17:16   35,871   --a--c---   C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-21 17:16   34,890   --a--c---   C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-21 17:16   33,599   --a--c---   C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-08-21 17:16   31,744   --a--c---   C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-08-21 17:16   29,311   --a--c---   C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-08-21 17:16   23,615   --a--c---   C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-08-21 17:16   19,551   --a--c---   C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-08-21 17:16   19,016   --a--c---   C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-21 17:16   16,925   --a--c---   C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-21 17:16   12,415   --a--c---   C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-08-21 17:16   12,127   --a--c---   C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-08-21 17:16   11,775   --a--c---   C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-08-21 17:15   765,884   --a--c---   C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-21 17:15   7,556   --a--c---   C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-21 17:15   687,999   --a--c---   C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-21 17:15   64,605   --a--c---   C:\WINDOWS\system32\dllcache\vvoice.sys
2007-08-21 17:15   604,253   --a--c---   C:\WINDOWS\system32\dllcache\vmodem.sys
2007-08-21 17:15   5,376   --a--c---   C:\WINDOWS\system32\dllcache\viaide.sys
2007-08-21 17:15   397,502   --a--c---   C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-08-21 17:15   249,402   --a--c---   C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-21 17:15   24,576   --a--c---   C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-21 17:15   19,528   --a--c---   C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-21 17:15   113,762   --a--c---   C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-21 17:14   94,720   --a--c---   C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-21 17:14   794,654   --a--c---   C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-21 17:14   794,399   --a--c---   C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-21 17:14   793,598   --a--c---   C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-21 17:14   69,632   --a--c---   C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-21 17:14   50,688   --a--c---   C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-21 17:14   50,176   --a--c---   C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-21 17:14   47,616   --a--c---   C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-21 17:14   32,384   --a--c---   C:\WINDOWS\system32\dllcache\usb101et.sys
2007-08-21 17:14   28,160   --a--c---   C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-21 17:14   26,624   --a--c---   C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-21 17:14   25,600   --a--c---   C:\WINDOWS\system32\dllcache\usbser.sys
2007-08-21 17:14   224,802   --a--c---   C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-21 17:14   22,912   --a--c---   C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-21 17:14   20,480   --a--c---   C:\WINDOWS\system32\dllcache\usbuhci.sys
Title: Re: Avast stopped working, virus?
Post by: BJS on August 22, 2007, 10:04:51 PM
Part 2


2007-08-21 17:13   82,432   --a--c---   C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-08-21 17:13   525,568   --a--c---   C:\WINDOWS\system32\dllcache\tridxp.dll
2007-08-21 17:13   440,576   --a--c---   C:\WINDOWS\system32\dllcache\tridkb.dll
2007-08-21 17:13   42,496   --a--c---   C:\WINDOWS\system32\dllcache\tp4res.dll
2007-08-21 17:13   36,736   --a--c---   C:\WINDOWS\system32\dllcache\ultra.sys
2007-08-21 17:13   34,375   --a--c---   C:\WINDOWS\system32\dllcache\tpro4.sys
2007-08-21 17:13   315,520   --a--c---   C:\WINDOWS\system32\dllcache\trid3d.dll
2007-08-21 17:13   222,336   --a--c---   C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-08-21 17:13   216,064   --a--c---   C:\WINDOWS\system32\dllcache\um34scan.dll
2007-08-21 17:13   211,968   --a--c---   C:\WINDOWS\system32\dllcache\um54scan.dll
2007-08-21 17:13   166,784   --a--c---   C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-08-21 17:13   159,232   --a--c---   C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-08-21 17:13   11,520   --a--c---   C:\WINDOWS\system32\dllcache\twotrack.sys
2007-08-21 17:12   81,408   --a--c---   C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-08-21 17:12   4,992   --a--c---   C:\WINDOWS\system32\dllcache\toside.sys
2007-08-21 17:12   37,961   --a--c---   C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-08-21 17:12   31,744   --a--c---   C:\WINDOWS\system32\dllcache\tp4.dll
2007-08-21 17:12   28,232   --a--c---   C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-08-21 17:12   241,664   --a--c---   C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-08-21 17:12   230,912   --a--c---   C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-08-21 17:12   17,129   --a--c---   C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-08-21 17:12   149,376   --a--c---   C:\WINDOWS\system32\dllcache\tffsport.sys
2007-08-21 17:12   138,528   --a--c---   C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-08-21 17:12   123,995   --a--c---   C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-08-21 17:11   94,293   --a--c---   C:\WINDOWS\system32\dllcache\sxports.dll
2007-08-21 17:11   7,040   --a--c---   C:\WINDOWS\system32\dllcache\tandqic.sys
2007-08-21 17:11   53,760   --a--c---   C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-08-21 17:11   36,640   --a--c---   C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-08-21 17:11   32,640   --a--c---   C:\WINDOWS\system32\dllcache\symc8xx.sys
2007-08-21 17:11   30,688   --a--c---   C:\WINDOWS\system32\dllcache\sym_u3.sys
2007-08-21 17:11   30,464   --a--c---   C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-08-21 17:11   3,968   --a--c---   C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-08-21 17:11   28,384   --a--c---   C:\WINDOWS\system32\dllcache\sym_hi.sys
2007-08-21 17:11   172,768   --a--c---   C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-08-21 17:11   16,256   --a--c---   C:\WINDOWS\system32\dllcache\symc810.sys
2007-08-21 17:11   103,936   --a--c---   C:\WINDOWS\system32\dllcache\sx.sys
2007-08-21 17:11   10,240   --a--c---   C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-08-21 17:11   10,240   --a--c---   C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-08-21 17:10   99,328   --a--c---   C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-21 17:10   61,824   --a--c---   C:\WINDOWS\system32\dllcache\speed.sys
2007-08-21 17:10   53,248   --a--c---   C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-08-21 17:10   48,736   --a--c---   C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-08-21 17:10   41,472   --a--c---   C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-08-21 17:10   285,760   --a--c---   C:\WINDOWS\system32\dllcache\stlnata.sys
2007-08-21 17:10   24,660   --a--c---   C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-08-21 17:10   19,072   --a--c---   C:\WINDOWS\system32\dllcache\sparrow.sys


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 16:10   ---------   d--------   C:\Program Files\SP2 Connection Patcher
2007-08-20 21:27   16490   --a------   C:\WINDOWS\pchealth\HelpCtr\PackageStore\SkuStore.bin
2007-08-20 21:26   8972   --a------   C:\WINDOWS\pchealth\HelpCtr\Config\Cntstore.bin
2007-08-20 00:24   ---------   d--------   C:\Program Files\eMule
2007-07-27 16:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-27 16:02   94416   --a--c---   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 16:02   92848   --a--c---   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 16:00   23152   --a--c---   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 15:59   42912   --a--c---   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 15:58   26624   --a--c---   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 15:57   95608   --a--c---   C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 19:51   ---------   d--------   C:\DOCUME~1\Ben\APPLIC~1\Image Zone Express
2007-07-17 07:30   ---------   d--------   C:\Program Files\Picasa2
2007-07-15 23:41   73216   --a------   C:\WINDOWS\ST6UNST.EXE
2007-07-15 23:41   249856   --a------   C:\WINDOWS\Setup1.exe
2007-07-14 08:53   ---------   d--------   C:\Program Files\Last.fm
2007-06-24 16:35   ---------   d--------   C:\Program Files\RL-Software
2006-12-02 12:05   774144   --a--c---   C:\Program Files\RngInterstitial.dll
2001-11-23 06:08   712704   --a--c---   C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2005-05-13 23:12:00   217,073   -csha-r   C:\WINDOWS\meta4.exe
2005-10-24 17:13:58   66,560   -csha-r   C:\WINDOWS\MOTA113.exe
2005-07-14 18:31:20   27,648   -csha-r   C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 21:32:28   616,448   -csha-r   C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42   45,568   -csha-r   C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06:54   163,328   -csha-r   C:\WINDOWS\system32\flvDX.dll
2004-01-25 06:00:00   70,656   -csha-r   C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47:16   31,232   -csha-r   C:\WINDOWS\system32\msfDX.dll
2005-02-28 19:16:22   240,128   -csha-r   C:\WINDOWS\system32\x.264.exe
2004-01-25 06:00:00   70,656   -csha-r   C:\WINDOWS\system32\yv12vfw.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 18:06]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [2002-01-25 03:30]
"Cmaudio"="cmicnfg.cpl" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
Title: Re: Avast stopped working, virus?
Post by: BJS on August 22, 2007, 10:05:32 PM
part 3


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ben^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\Ben\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe]
C:\WINDOWS\system32\wintems.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
 L"h'þ9Óœð3rÅ WC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
 L"h'þ9Óœð3rÅ WC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
 L"h'þ9Óœð3rÅ WC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
 L"h'þ9Óœð3rÅ WC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\miftufo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ShellHWDetection"=3 (0x3)



Contents of the 'Scheduled Tasks' folder
2007-08-09 04:40:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-22 19:42:16 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D432F9D3-12B8-43E7-97CB-0D48E3DE9774}.job - C:\WINDOWS\system32\msfeedssync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 13:49:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 13:52:39
C:\ComboFix-quarantined-files.txt ... 2007-08-22 13:52
C:\ComboFix2.txt ... 2007-08-14 12:22

   --- E O F ---


HJT log


Logfile of HijackThis v1.99.1
Scan saved at 1:57:19 PM, on 22/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7
Title: Re: Avast stopped working, virus?
Post by: BJS on August 22, 2007, 10:06:34 PM
part 4


c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187584452218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187584827515
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
   

Title: Re: Avast stopped working, virus?
Post by: mauserme on August 22, 2007, 10:41:25 PM
Sorry I have been MIA.  I reinstalled XP and installed XP SP2 on my wife's computer and now I cannot download the Windows Installer and therefore cannot install any security updates. That, combined with having no Avast, has made me hesitant about going online with my wife's computer.
When you installed the OS did you use the key on the computer case or on the CD?

Try installing avast! again - I think there's a good chance it will now.  I'm at work and will sort through logs later on.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 22, 2007, 11:31:47 PM
I tried to install Avast again and it seems that no files were moved or renamed this time, but when I tried to open up the ashsimp2.exe application nothing happened.

When I installed XP on the computer, I had to use the key on the CD. The XP sticker key on the computer would not work. I think that is because we went from XP Home to XP Professional.
(I could not find anyone with copy of XP Home)
Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 23, 2007, 03:46:18 AM
But when I tried to open up the ashsimp2.exe application nothing happened.
This is bad... but sorry, the thread has 9 pages now...
Did you have any other antivirus installed in this computer in the past?
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 23, 2007, 04:57:22 AM
When I installed XP on the computer, I had to use the key on the CD. The XP sticker key on the computer would not work. I think that is because we went from XP Home to XP Professional.
(I could not find anyone with copy of XP Home)
I'm afraid that may be a bit of a problem.  Microsoft goes to some lengths to prevent this from happening successfully.

Let's continue cleaning for now - maybe oldman or Tech (sorry, no trademark) will give some thought to the Windows license problem while we're doing this.


First upload this file to VirusTotal (http://www.virustotal.com/) and post the scan results:

C:\WINDOWS\Setup1.exe


Now download ERUNT from here and back up your entire registry http://www.snapfiles.com/get/erunt.html

Having done that we will create a registry fix.  Copy and paste ALL of the information below in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
 L"h'þ9Óœð3rÅ WC:]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
 L"h'þ9Óœð3rÅ WC:\Program Files]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
 L"h'þ9Óœð3rÅ WC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
 L"h'þ9Óœð3rÅ WC:\Program Files\ISTsvc\istsvc.exe]
"C:\WINDOWS\miftufo.exe"=-

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.



Next open HJT and click to Do a System Scan Only.  When complete place a check next to these lines

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx


Close all other windows, including your browser, and click Fix Checked.

Sorry about removing Scrabble but, under the circumstances, I don't see how we can trust it.



Now open OTMoveIt and paste in the following paths:

Quote
C:\windows\system32\german.exe
C:\WINDOWS\ratmn.exe
C:\Program Files\SCRABBLE
C:\Program Files\Kyodai
C:\DOCUME~1\Ben\APPLIC~1\GameHouse
C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
C:\WINDOWS\PIF
C:\WINDOWS\miftufo.exe
C:\Program Files\ISTsvc

This will remove some of the other game software that downloaded with Scrabble, ratmn.exe, and c:\windows\pif, which was created in the same moments as Scrabble and seems related to a mass-mailing worm (I think you guys are just going to have to stick with board games in the future).  BTW, some of these files will probably not be found - that's OK.


After completing all of the above please give me fresh ComboFix and HJT logs.


EDIT:  Take a look in c:\windows\system32\dllcache and see if there's a copy of chkdsk.exe
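Because the fix above is merged blind (double-click, accept the warning), it helps to see what a REGEDIT4 file will actually do before merging it. The script below is an added example for this thread, not a tool posted by any of its helpers: it parses the Registry Editor text format and lists every key that will be deleted and every value that will be removed or set, so the key names can be compared against the ComboFix "Reg Loading Points" listing first. The sample fix embedded in it is constructed for the example and only mirrors the shape of the posted one (a startupreg key removed, one value deleted); the value name is written with doubled backslashes, which is how the .reg format expects a backslash inside quotes.

```python
"""Preview a REGEDIT4-style fix.reg before merging it.

Added example for this thread, not a tool posted by its helpers.  Parsing
the file first shows exactly which keys are deleted and which values are
removed or set, in the order regedit would apply them.
"""
import re
from dataclasses import dataclass
from typing import Optional

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


@dataclass
class RegAction:
    kind: str                    # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None   # value name; "(Default)" for the @ value
    value: Optional[str] = None  # string data, or raw dword:/hex: text


def _unescape(s: str) -> str:
    # Inside quotes the .reg format writes a backslash as "\\" and a quote
    # as "\"", so "C:\\WINDOWS\\x.exe" denotes the name C:\WINDOWS\x.exe.
    return re.sub(r"\\(.)", r"\1", s)


def _logical_lines(text: str):
    """Yield stripped lines, joining hex data continued with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text: str) -> list[RegAction]:
    lines = list(_logical_lines(text))
    if not lines or lines[0] not in HEADERS:
        raise ValueError("first line must be REGEDIT4 or the 5.00 header")
    actions: list[RegAction] = []
    current: Optional[str] = None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):            # [-KEY] deletes the whole subtree
                actions.append(RegAction("delete_key", key[1:]))
                current = None
            else:
                current = key                  # [KEY] opens (and creates) the key
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$', line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        if current is None:
            raise ValueError(f"value outside any [key] section: {line!r}")
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        rhs = m.group(2).strip()
        if rhs == "-":                         # "name"=- removes that one value
            actions.append(RegAction("delete_value", current, name))
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            actions.append(RegAction("set_value", current, name, _unescape(rhs[1:-1])))
        else:                                  # dword:..., hex:... kept as written
            actions.append(RegAction("set_value", current, name, rhs))
    return actions


def preview(text: str) -> list[str]:
    """Human-readable one-liners, in the order regedit would apply them."""
    out = []
    for a in parse_reg(text):
        if a.kind == "delete_key":
            out.append(f"DELETE KEY   {a.key}")
        elif a.kind == "delete_value":
            out.append(f"DELETE VALUE {a.key} :: {a.name}")
        else:
            out.append(f"SET VALUE    {a.key} :: {a.name} = {a.value}")
    return out


# Constructed sample: same shape as the posted fix (one msconfig startupreg
# key removed, one value deleted), with the value name escaped as required.
SAMPLE_FIX = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Example]
"C:\\WINDOWS\\miftufo.exe"=-
"Note"="constructed for the example"
"""

if __name__ == "__main__":
    for line in preview(SAMPLE_FIX):
        print(line)
```

Run it against the real fix.reg with `preview(open("fix.reg").read())` and check that every DELETE KEY line names an entry you recognise from the ComboFix listing; a key that parses differently from what you expected (for example because a line wrapped when the file was pasted) will show up here before it is merged.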
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 09:01:36 AM
Here is the Virus Total results

Now I will do the rest...(and yes, boardgames will be safer) :P





File Setup1.exe received on 08.23.2007 08:55:50 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.22.0 2007.08.23 -
AntiVir 7.4.1.63 2007.08.22 -
Authentium 4.93.8 2007.08.22 -
Avast 4.7.1029.0 2007.08.22 -
AVG 7.5.0.484 2007.08.22 -
BitDefender 7.2 2007.08.23 -
CAT-QuickHeal 9.00 2007.08.22 -
ClamAV 0.91 2007.08.22 -
DrWeb 4.33 2007.08.23 -
eSafe 7.0.15.0 2007.08.22 -
eTrust-Vet 31.1.5081 2007.08.23 -
Ewido 4.0 2007.08.22 -
FileAdvisor 1 2007.08.23 -
Fortinet 2.91.0.0 2007.08.23 -
F-Prot 4.3.2.48 2007.08.22 -
F-Secure 6.70.13030.0 2007.08.23 -
Ikarus T3.1.1.12 2007.08.23 -
Kaspersky 4.0.2.24 2007.08.23 -
McAfee 5103 2007.08.22 -
Microsoft 1.2803 2007.08.23 -
NOD32v2 2477 2007.08.23 -
Norman 5.80.02 2007.08.22 -
Panda 9.0.0.4 2007.08.23 -
Prevx1 V2 2007.08.23 -
Rising 19.37.31.00 2007.08.23 -
Sophos 4.20.0 2007.08.23 -
Sunbelt 2.2.907.0 2007.08.23 -
Symantec 10 2007.08.23 -
TheHacker 6.1.8.171 2007.08.23 -
VBA32 3.12.2.2 2007.08.22 -
VirusBuster 4.3.26:9 2007.08.22 -
Webwasher-Gateway 6.0.1 2007.08.23 -
Additional information
File size: 249856 bytes
MD5: b9917fc4c836776765e311fff84dd534
SHA1: 63cf6b3992f2058f6a5995293e1017627569f8b5
Title: Re: Avast stopped working, virus?
Post by: oldman on August 23, 2007, 09:01:48 AM
Well, I'm afraid I'm not a bearer of good news. Your assumption that the key on the computer wouldn't work because the computer had Home and the CD is Pro is correct. The key doesn't match the product.

As to not being able to update, I would say the product key is already registered on another computer that doesn't match the system you are trying to run it on now. Yeah, MS has tied the OS to the system; you can make only gradual changes to the system over time before you have to call MS and have a new key issued. This applies to retail versions; OEMs are a totally different story. This info is just basic, there is a bit more to it than that.

After you reinstalled, did the os version change to pro? I see that ie downgraded from 7 to 6.

One thing to remember is that your licence is the key on the computer, not the CD itself. So if you can find a retail Home version CD you can copy it and use your key. Assuming of course that a retail version was originally installed.

Tech may have more thoughts on this. For now keep the cleaning process going. I find it strange that chkdsk wasn't replaced.

As for a format and reinstall, I think if you use the same cd and number that you already did, the results would be the same.

Hang in there, this isn't over.  ;D
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 09:28:48 AM
Oldman,
Thanks, I kinda thought the same after my wife told me she had the XP home edition.
It did change to pro and IE changed from 7 to 6 (I think that may be the default for Pro)
A while back we upgraded to IE 7

I don't think I will ever play scrabble again  :P
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 09:33:29 AM
Quote
EDIT:  Take a look in c:\windows\system32\dllcache and see if there's a copy of chkdsk.exe

Yes, there is a copy of chkdsk.exe in the  c:\windows\system32\dllcache folder

Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 09:35:33 AM
Combo fix part 1


ComboFix 07-08-14.4 - "Ben" 2007-08-23  1:26:15.3 - NTFS  x86
C:\WINDOWS\system32\chkdsk.exe not present


(((((((((((((((((((((((((   Files Created from 2007-07-23 to 2007-08-23  )))))))))))))))))))))))))))))))


2007-08-21 17:18   27,648   --a--c---   C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-21 17:18   23,040   --a--c---   C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-21 17:18   17,408   --a--c---   C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-21 17:18   116,224   --a--c---   C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-21 17:17   99,865   --a--c---   C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-21 17:17   8,832   --a--c---   C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-08-21 17:17   8,192   --a--c---   C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-21 17:17   4,608   --a--c---   C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-21 17:17   19,455   --a--c---   C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-21 17:17   16,970   --a--c---   C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-21 17:17   154,624   --a--c---   C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-08-21 17:17   12,063   --a--c---   C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-21 17:16   87,040   --a--c---   C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-21 17:16   771,581   --a--c---   C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-21 17:16   701,386   --a--c---   C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-21 17:16   53,760   --a--c---   C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-21 17:16   35,871   --a--c---   C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-21 17:16   34,890   --a--c---   C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-21 17:16   33,599   --a--c---   C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-08-21 17:16   31,744   --a--c---   C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-08-21 17:16   29,311   --a--c---   C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-08-21 17:16   23,615   --a--c---   C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-08-21 17:16   19,551   --a--c---   C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-08-21 17:16   19,016   --a--c---   C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-21 17:16   16,925   --a--c---   C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-21 17:16   12,415   --a--c---   C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-08-21 17:16   12,127   --a--c---   C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-08-21 17:16   11,775   --a--c---   C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-08-21 17:15   765,884   --a--c---   C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-21 17:15   7,556   --a--c---   C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-21 17:15   687,999   --a--c---   C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-21 17:15   64,605   --a--c---   C:\WINDOWS\system32\dllcache\vvoice.sys
2007-08-21 17:15   604,253   --a--c---   C:\WINDOWS\system32\dllcache\vmodem.sys
2007-08-21 17:15   5,376   --a--c---   C:\WINDOWS\system32\dllcache\viaide.sys
2007-08-21 17:15   397,502   --a--c---   C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-08-21 17:15   249,402   --a--c---   C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-21 17:15   24,576   --a--c---   C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-21 17:15   19,528   --a--c---   C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-21 17:15   113,762   --a--c---   C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-21 17:14   94,720   --a--c---   C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-21 17:14   794,654   --a--c---   C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-21 17:14   794,399   --a--c---   C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-21 17:14   793,598   --a--c---   C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-21 17:14   69,632   --a--c---   C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-21 17:14   50,688   --a--c---   C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-21 17:14   50,176   --a--c---   C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-21 17:14   47,616   --a--c---   C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-21 17:14   32,384   --a--c---   C:\WINDOWS\system32\dllcache\usb101et.sys
2007-08-21 17:14   28,160   --a--c---   C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-21 17:14   26,624   --a--c---   C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-21 17:14   25,600   --a--c---   C:\WINDOWS\system32\dllcache\usbser.sys
2007-08-21 17:14   224,802   --a--c---   C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-21 17:14   22,912   --a--c---   C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-21 17:14   20,480   --a--c---   C:\WINDOWS\system32\dllcache\usbuhci.sys
2007-08-21 17:13   82,432   --a--c---   C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-08-21 17:13   525,568   --a--c---   C:\WINDOWS\system32\dllcache\tridxp.dll
2007-08-21 17:13   440,576   --a--c---   C:\WINDOWS\system32\dllcache\tridkb.dll
2007-08-21 17:13   42,496   --a--c---   C:\WINDOWS\system32\dllcache\tp4res.dll
2007-08-21 17:13   36,736   --a--c---   C:\WINDOWS\system32\dllcache\ultra.sys
2007-08-21 17:13   34,375   --a--c---   C:\WINDOWS\system32\dllcache\tpro4.sys
2007-08-21 17:13   315,520   --a--c---   C:\WINDOWS\system32\dllcache\trid3d.dll
2007-08-21 17:13   222,336   --a--c---   C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-08-21 17:13   216,064   --a--c---   C:\WINDOWS\system32\dllcache\um34scan.dll
2007-08-21 17:13   211,968   --a--c---   C:\WINDOWS\system32\dllcache\um54scan.dll
2007-08-21 17:13   166,784   --a--c---   C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-08-21 17:13   159,232   --a--c---   C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-08-21 17:13   11,520   --a--c---   C:\WINDOWS\system32\dllcache\twotrack.sys
2007-08-21 17:12   81,408   --a--c---   C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-08-21 17:12   4,992   --a--c---   C:\WINDOWS\system32\dllcache\toside.sys
2007-08-21 17:12   37,961   --a--c---   C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-08-21 17:12   31,744   --a--c---   C:\WINDOWS\system32\dllcache\tp4.dll
2007-08-21 17:12   28,232   --a--c---   C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-08-21 17:12   241,664   --a--c---   C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-08-21 17:12   230,912   --a--c---   C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-08-21 17:12   17,129   --a--c---   C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-08-21 17:12   149,376   --a--c---   C:\WINDOWS\system32\dllcache\tffsport.sys
2007-08-21 17:12   138,528   --a--c---   C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-08-21 17:12   123,995   --a--c---   C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-08-21 17:11   94,293   --a--c---   C:\WINDOWS\system32\dllcache\sxports.dll
2007-08-21 17:11   7,040   --a--c---   C:\WINDOWS\system32\dllcache\tandqic.sys
2007-08-21 17:11   53,760   --a--c---   C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-08-21 17:11   36,640   --a--c---   C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-08-21 17:11   32,640   --a--c---   C:\WINDOWS\system32\dllcache\symc8xx.sys
2007-08-21 17:11   30,688   --a--c---   C:\WINDOWS\system32\dllcache\sym_u3.sys
2007-08-21 17:11   30,464   --a--c---   C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-08-21 17:11   3,968   --a--c---   C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-08-21 17:11   28,384   --a--c---   C:\WINDOWS\system32\dllcache\sym_hi.sys
2007-08-21 17:11   172,768   --a--c---   C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-08-21 17:11   16,256   --a--c---   C:\WINDOWS\system32\dllcache\symc810.sys
2007-08-21 17:11   103,936   --a--c---   C:\WINDOWS\system32\dllcache\sx.sys
2007-08-21 17:11   10,240   --a--c---   C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-08-21 17:11   10,240   --a--c---   C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-08-21 17:10   99,328   --a--c---   C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-21 17:10   61,824   --a--c---   C:\WINDOWS\system32\dllcache\speed.sys
2007-08-21 17:10   53,248   --a--c---   C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-08-21 17:10   48,736   --a--c---   C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-08-21 17:10   41,472   --a--c---   C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-08-21 17:10   285,760   --a--c---   C:\WINDOWS\system32\dllcache\stlnata.sys
2007-08-21 17:10   24,660   --a--c---   C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-08-21 17:10   19,072   --a--c---   C:\WINDOWS\system32\dllcache\sparrow.sys
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 09:37:13 AM
Combo fix part 2


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 16:10   ---------   d--------   C:\Program Files\SP2 Connection Patcher
2007-08-20 21:27   16490   --a------   C:\WINDOWS\pchealth\HelpCtr\PackageStore\SkuStore.bin
2007-08-20 21:26   8972   --a------   C:\WINDOWS\pchealth\HelpCtr\Config\Cntstore.bin
2007-08-20 00:24   ---------   d--------   C:\Program Files\eMule
2007-07-27 16:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-27 16:02   94416   --a--c---   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 16:02   92848   --a--c---   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 16:00   23152   --a--c---   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 15:59   42912   --a--c---   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 15:58   26624   --a--c---   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 15:57   95608   --a--c---   C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 19:51   ---------   d--------   C:\DOCUME~1\Ben\APPLIC~1\Image Zone Express
2007-07-17 07:30   ---------   d--------   C:\Program Files\Picasa2
2007-07-15 23:41   73216   --a------   C:\WINDOWS\ST6UNST.EXE
2007-07-15 23:41   249856   --a------   C:\WINDOWS\Setup1.exe
2007-07-14 08:53   ---------   d--------   C:\Program Files\Last.fm
2007-06-24 16:35   ---------   d--------   C:\Program Files\RL-Software
2006-12-02 12:05   774144   --a--c---   C:\Program Files\RngInterstitial.dll
2001-11-23 06:08   712704   --a--c---   C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2005-05-13 23:12:00   217,073   -csha-r   C:\WINDOWS\meta4.exe
2005-10-24 17:13:58   66,560   -csha-r   C:\WINDOWS\MOTA113.exe
2005-07-14 18:31:20   27,648   -csha-r   C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 21:32:28   616,448   -csha-r   C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42   45,568   -csha-r   C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06:54   163,328   -csha-r   C:\WINDOWS\system32\flvDX.dll
2004-01-25 06:00:00   70,656   -csha-r   C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47:16   31,232   -csha-r   C:\WINDOWS\system32\msfDX.dll
2005-02-28 19:16:22   240,128   -csha-r   C:\WINDOWS\system32\x.264.exe
2004-01-25 06:00:00   70,656   -csha-r   C:\WINDOWS\system32\yv12vfw.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 18:06]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [2002-01-25 03:30]
"Cmaudio"="cmicnfg.cpl" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 16:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

C:\Documents and Settings\Ben\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ben^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\Ben\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe]
C:\WINDOWS\system32\wintems.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³#  L"h'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³#  L"h'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\miftufo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ShellHWDetection"=3 (0x3)
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 09:38:12 AM
Last Combo fix


Contents of the 'Scheduled Tasks' folder
2007-08-23 04:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-23 02:48:34 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D432F9D3-12B8-43E7-97CB-0D48E3DE9774}.job - C:\WINDOWS\system32\msfeedssync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-23 01:31:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-23  1:34:29
C:\ComboFix-quarantined-files.txt ... 2007-08-23 01:34
C:\ComboFix2.txt ... 2007-08-22 13:52
C:\ComboFix3.txt ... 2007-08-14 12:22

   --- E O F ---
Title: Re: Avast stopped working, virus?
Post by: oldman on August 23, 2007, 09:39:27 AM
Quote
It did change to pro and IE changed from 7 to 6 (I think that may be the default for Pro)

Yes, IE6 was bundled with XP. Just confirming files were transferred. Still wonder about chkdsk.

So what we have is an unvalidated version of pro. Just thinking out loud and trying to puzzle out a solution.

Quote
I don't think I will ever play scrabble again  :P

 ;D  ;D  Keep up the sense of humor, it helps!
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 09:40:02 AM
HJT results


Logfile of HijackThis v1.99.1
Scan saved at 1:39:13 AM, on 23/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Title: Re: Avast stopped working, virus?
Post by: mauserme on August 23, 2007, 01:25:53 PM
You did everything?  The registry fix and OtMoveIt deletions included?
Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 23, 2007, 02:23:39 PM
Maybe this is left behind...

O11 - Options group: [INTERNATIONAL] International: Currently only the 'CommonName' hijacker uses this Extra group in IE 'Advanced Options' window.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 02:37:58 PM
Quote
You did everything?  The registry fix and OtMoveIt deletions included?

Yes, I did everything: the registry fix (and backed the original registry up), deleted the 2 files using HJT and used OTMoveIt successfully.

I did find the chksdk in the c:\windows\system32\dllcache

Does it look like I missed something  ???




Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 23, 2007, 02:49:07 PM
Quote
I did find the chksdk in the c:\windows\system32\dllcache
Does it look like I missed something  ???
C:\WINDOWS\system32\chkdsk.exe (and not chksdk.exe as you've posted).
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 23, 2007, 07:32:28 PM
Quote
Maybe this is left behind...

O11 - Options group: [INTERNATIONAL] International: Currently only the 'CommonName' hijacker uses this Extra group in IE 'Advanced Options' window.

That's OK I think - it's International Domain Name Support for IE7.  BJS has IE6 now but used to have IE7.


Quote
Does it look like I missed something  ???
Well, no, I don't think you missed anything but my registry fix didn't do what I had hoped.

Open Add/Remove Programs in the Control Panel and see if you find ISTBar.  If it's present, uninstall it.

Then upload c:\windows\system32\dllcache\chkdsk.exe to Virus Total (http://www.virustotal.com/) so we can make sure it's clean.  If it is clean and the spelling is correct we'll copy that to c:\windows\system32
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 07:36:19 PM
Quote
As to not being able to update, I would say the product key is already registered on another computer that doesn't match the system you are trying to run it on now. Yeah, MS has tied the OS to the system; you can make only gradual changes to the system over time before you have to call MS and have a new key issued. This applies to retail versions; OEMs are a totally different story. This info is just basic, there is a bit more to it than that.

I don't have to worry about the Windows Installer now. I have switched from IE to Firefox. I have been meaning to do this for a while and not being able to get security updates from Microsoft was the last straw.
I actually like Firefox quite a bit. It may just be in my mind, but I think it is faster and from what I gather from the internet and people I know, it is actually more secure.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 07:38:24 PM
Quote
Open Add/Remove Programs in the Control Panel and see if you find ISTBar.  If it's present, uninstall it.

Then upload c:\windows\system32\dllcache\chkdsk.exe to Virus Total (http://www.virustotal.com/) so we can make sure it's clean.  If it is clean and the spelling is correct we'll copy that to c:\windows\system32

OK will do...
Title: Re: Avast stopped working, virus?
Post by: BJS on August 23, 2007, 08:05:26 PM

Virus Total results for chkdsk.exe


File chkdsk.exe received on 08.23.2007 19:57:14 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.8.22.0   2007.08.23   -
AntiVir   7.4.1.63   2007.08.23   -
Authentium   4.93.8   2007.08.23   -
Avast   4.7.1029.0   2007.08.23   -
AVG   7.5.0.484   2007.08.23   -
BitDefender   7.2   2007.08.23   -
CAT-QuickHeal   9.00   2007.08.23   -
ClamAV   0.91   2007.08.23   -
DrWeb   4.33   2007.08.23   -
eSafe   7.0.15.0   2007.08.23   -
eTrust-Vet   31.1.5082   2007.08.23   -
Ewido   4.0   2007.08.23   -
FileAdvisor   1   2007.08.23   -
Fortinet   2.91.0.0   2007.08.23   -
F-Prot   4.3.2.48   2007.08.23   -
F-Secure   6.70.13030.0   2007.08.23   -
Ikarus   T3.1.1.12   2007.08.23   -
Kaspersky   4.0.2.24   2007.08.23   -
McAfee   5104   2007.08.23   -
Microsoft   1.2803   2007.08.23   -
NOD32v2   2480   2007.08.23   -
Norman   5.80.02   2007.08.23   -
Panda   9.0.0.4   2007.08.23   -
Prevx1   V2   2007.08.23   -
Rising   19.37.32.00   2007.08.23   -
Sophos   4.20.0   2007.08.23   -
Sunbelt   2.2.907.0   2007.08.23   -
Symantec   10   2007.08.23   -
TheHacker   6.1.8.171   2007.08.23   -
VBA32   3.12.2.3   2007.08.23   -
VirusBuster   4.3.26:9   2007.08.23   -
Webwasher-Gateway   6.0.1   2007.08.23   -
Additional information
File size: 11776 bytes
MD5: 5f7eaaf5d10e2a715d5e305ac992b2a7
SHA1: 4c30315b9c16106b542f088921888d83d3f185f7
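The step mauserme asked for here (upload the dllcache copy of chkdsk.exe, and only copy it into system32 once it is known clean) is at bottom a hash check: the MD5 and SHA1 in the VirusTotal report above identify the exact file that was scanned. The script below is an added example written for this thread, not a tool from the thread or from VirusTotal; it uses the two hashes above as its reference, and the file names and the stand-in file contents in `demo()` are constructed so it runs offline without touching real system files.

```python
import hashlib
import os
import tempfile

# Reference values copied from the VirusTotal report in the post above.
REFERENCE_CHKDSK = {
    "md5": "5f7eaaf5d10e2a715d5e305ac992b2a7",
    "sha1": "4c30315b9c16106b542f088921888d83d3f185f7",
}

# Standard digests of empty input, used only for the self-check.
EMPTY_INPUT = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def file_hashes(path, algorithms=("md5", "sha1", "sha256"), chunk_size=64 * 1024):
    """Hash a file in chunks (large binaries never have to fit in memory)."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def verify_against_reference(path, reference):
    """Compare a file with known-good hashes; returns (all_match, {algorithm: matched})."""
    actual = file_hashes(path, algorithms=tuple(reference))
    matched = {name: actual[name] == expected.lower() for name, expected in reference.items()}
    return all(matched.values()), matched


def same_content(path_a, path_b):
    """True when two files are byte-identical, e.g. the dllcache copy versus the system32 copy."""
    return file_hashes(path_a) == file_hashes(path_b)


def self_check():
    """Known-answer test: an empty file must produce the standard empty-input digests."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty.bin")
        open(empty, "wb").close()
        return file_hashes(empty) == EMPTY_INPUT


def demo():
    """Run the checks on constructed stand-in files (not real chkdsk.exe copies)."""
    with tempfile.TemporaryDirectory() as tmp:
        dllcache = os.path.join(tmp, "dllcache_chkdsk.exe")
        system32 = os.path.join(tmp, "system32_chkdsk.exe")
        with open(dllcache, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1022)             # constructed stand-in for a PE file
        with open(system32, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1021 + b"\x01")   # same size, one byte differs
        ok, matched = verify_against_reference(dllcache, REFERENCE_CHKDSK)
        return {"matches_reference": ok, "per_algorithm": matched,
                "dllcache_equals_system32": same_content(dllcache, system32)}


if __name__ == "__main__":
    print("self-check:", self_check())
    print(demo())
```

On the real machine the call would be `verify_against_reference(r"c:\windows\system32\dllcache\chkdsk.exe", REFERENCE_CHKDSK)`, and `same_content` shows whether the system32 copy is already identical to the dllcache copy before anything is overwritten. Note that matching the VirusTotal hashes only proves it is the same file that was scanned, not that the file is correct for this service-pack level; that is why the "spelling is correct" part of the instruction still matters.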

Title: Re: Avast stopped working, virus?
Post by: mauserme on August 23, 2007, 11:48:26 PM
Did you find ISTBar?
Title: Re: Avast stopped working, virus?
Post by: BJS on August 24, 2007, 12:48:37 AM
I looked for the ISTBar in add/remove programs but could not find any. Could it be hidden?  ???
Title: Re: Avast stopped working, virus?
Post by: DavidR on August 24, 2007, 12:51:55 AM
I wouldn't have thought it would be an Add/Remove item as it is a browser toolbar add-on.

ToolbarCop (http://www.snapfiles.com/get/toolbarcop.html) is usually good at finding bad browser toolbars.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 24, 2007, 02:06:35 AM
Thanks, I will try it..
Title: Re: Avast stopped working, virus?
Post by: BJS on August 24, 2007, 02:12:26 AM
I ran toolbarcop and these were the results. I did not see ISTBar but maybe it is there...


----------------------------------------
n/a
Browser Extension
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Enabled
All Users
----------------------------------------
Yahoo! Services
Browser Extension
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
C:\Program Files\Yahoo!\Common\yiesrvc.dll
Enabled
All Users
----------------------------------------
n/a
Browser Extension
{E2E2DD38-D088-4134-82B7-F2BA38496583}
%windir%\Network Diagnostic\xpnetdiag.exe
Enabled
All Users
----------------------------------------
Messenger
Browser Extension
{FB5F1910-F110-11D2-BB9E-00C04F795683}
C:\Program Files\Messenger\msmsgs.exe
Enabled
All Users
----------------------------------------
&Address
Toolbar
{01E04581-4EEE-11D0-BFE9-00AA005B4383}
%SystemRoot%\system32\browseui.dll
Enabled
Current User
----------------------------------------
&Links
Toolbar
{0E5CBF21-D15F-11D0-8301-00AA005B4383}
%SystemRoot%\system32\SHELL32.dll
Enabled
Current User
----------------------------------------
&Google
Toolbar
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
c:\program files\google\googletoolbar3.dll
Enabled
Current User
----------------------------------------
(Empty)
Toolbar
{B7D3E479-CC68-42B5-A338-938ECE35F419}
(empty)
Enabled
Current User
----------------------------------------
&Google
Toolbar
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
c:\program files\google\googletoolbar3.dll
Enabled
All Users
----------------------------------------
Adobe PDF Reader Link Helper
BHO
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
Enabled
All Users
----------------------------------------
Yahoo! IE Services Button
BHO
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
C:\Program Files\Yahoo!\Common\yiesrvc.dll
Enabled
All Users
----------------------------------------
SSVHelper Class
BHO
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Enabled
All Users
----------------------------------------
Google Toolbar Helper
BHO
{AA58ED58-01DD-4D91-8333-CF10577473F7}
c:\program files\google\googletoolbar3.dll
Enabled
All Users
----------------------------------------
Google Toolbar Notifier BHO
BHO
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
Enabled
All Users
----------------------------------------
&D&ownload &with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
Enabled
Current User
----------------------------------------
&D&ownload all video with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
Enabled
Current User
----------------------------------------
&D&ownload all with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
Enabled
Current User
----------------------------------------
swg
Run - Startup

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Enabled
Current User
----------------------------------------
ctfmon.exe
Run - Startup

C:\WINDOWS\system32\ctfmon.exe
Enabled
Current User
----------------------------------------
SunJavaUpdateSched
Run - Startup

"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
Enabled
All Users
----------------------------------------
SiSUSBRG
Run - Startup

C:\WINDOWS\sisUSBrg.exe
Enabled
All Users
----------------------------------------
SiS KHooker
Run - Startup

C:\WINDOWS\System32\khooker.exe
Enabled
All Users
----------------------------------------
Cmaudio
Run - Startup

RunDll32 cmicnfg.cpl,CMICtrlWnd
Enabled
All Users
----------------------------------------
avast!
Run - Startup

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Enabled
All Users
Title: Re: Avast stopped working, virus?
Post by: DavidR on August 24, 2007, 02:39:31 AM
No sign of 1stbar, can't see anything else there.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 24, 2007, 03:17:48 AM
Mauserme, I am not sure if this means anything but the Bagle virus that I believe started it all is still in my startup (it is inactive though).
I traced it to this folder: wintems.exe.vir C:\QooBox\Quarantine\C\Windows\System 32

Can I delete it from my computer altogether??

Also, the vsnpstd2.exe is located in C:\Windows and also in

 C:\Program Files\GE\98067 MiniCam Pro

I am pretty sure this file is some sort of spyware.
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 24, 2007, 01:57:30 PM
No sign of 1stbar, can't see anything else there.
Me neither.

At this point I'll go out on a limb and say the tool bar was actually gone before we started, but there are some left over registry entries that are pretty stubborn.


Mauserme, I am not sure if this means anything but the Bagle virus that I believe started it all is still in my startup (it is inactive though).
I traced it to this folder: wintems.exe.vir C:\QooBox\Quarantine\C\Windows\System 32

Can I delete it from my computer altogether??

Also, the vsnpstd2.exe is located in C:\Windows and also in

 C:\Program Files\GE\98067 MiniCam Pro

I am pretty sure this file is some sort of spyware.

Qoobox is the ComboFix quarantine.  Everything in there is safe - we'll take care of it later when we clean things up.


Everything I find on vsnpstd2.exe relates it to a USB camera and many sites do seem to think it's spyware.  But it does give you some configuration options so I wasn't rushing into removing it.  If you don't care about whatever options these might be we can take care of it now.  Let me know.


For the time being download AVG Antispyware.  Install, update, scan and quarantine anything found.  Then post the log. 

http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0


How is the computer running?
Title: Re: Avast stopped working, virus?
Post by: BJS on August 24, 2007, 04:39:32 PM
OK, I will run the AVG antispyware when I get back.
As far as the vsnpstd2.exe file, we can get rid of it because we no longer have the camera.

The computer seems to be running fine (minus having no virus protection) now that I am using Firefox.
IE would not let me update security patches (because I could not install Windows Installer)
I am happy with Firefox but a few things are of concern.

It takes about 2 minutes to get into my C drive folders and about the same amount of time to look at the add/remove programs. They do come up but not instantly like before.

Also, for some reason I cannot shut the PC off via the start button. I either have to put it on standby via the taskbar or shut it off manually.

I am not too concerned about those yet. I would just like to clean my system out and take care of those problems later.

Title: Re: Avast stopped working, virus?
Post by: BJS on August 26, 2007, 02:05:57 AM
Mauserme,
I guess I was meant to take my wife's PC to the shop  :-\

Yesterday I was trying to post you a message stating that I could not download the AVG antivirus program (or Panda for that matter) when I was hit by the virus in the forum. It happened pretty quickly, something about spyware, then the screen went black and as I was rebooting, some new icon (it kinda looked like a knight or something) was on my desktop. After that, the computer just started to reboot over and over.
I tried safe mode and it still would restart over and over.  I did use that bootdisc that Oldman had me make and I could get into some DOS commands but that was it.

Everything seemed to be going good and then this happens....kind of discouraging.

Luckily my PC has Avast and caught it (I also run Firefox)....

Title: Re: Avast stopped working, virus?
Post by: Lisandro on August 26, 2007, 04:01:40 AM
When I was hit by the virus in the forum.
The virus wasn't on the avast forum but on a redirect iframe. Luckily it was in the avast virus database and was stopped. I would like an explanation of which risk we ran into yesterday. I'm not bashing avast, far from it, just trying to learn how to improve security. I also run Firefox like you.

Everything seemed to be going good and then this happens....kind of discouraging.
For me it's encouraging to learn how to get even more protected.
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 26, 2007, 05:14:38 AM
Mauserme,
I guess I was meant to take my wifes PC to the shop  :-\
Sorry to be so long responding.  Like many others I was unable to log in.  Avant (an IE shell), Opera, Firefox - nothing worked.  I could see that DavidR and Tech were logged in but I couldn't.  Maybe they will share their secrets with me.


Anyway, if you are able to boot the machine at all, we need to take a very deep look at things, which we can do with a WinPFind log.

Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.


I would also like you to run SDFix:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose "Extract All",
Open the extracted folder and double click "RunThis.bat" to start the script.
Type Y to begin the script.
It may remove Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


Title: Re: Avast stopped working, virus?
Post by: BJS on August 26, 2007, 06:53:55 AM
I can boot to DOS (using the bootdisc) but I cannot get to my desktop in Windows   :-\
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 26, 2007, 03:28:54 PM
How would you like to proceed?

I mean, our patience with these things is virtually endless around here (even if our abilities have limits).  And from my point of view I want to know what's going on and solve this.  But we have to face another re-install of the OS, this time with an XP Home disc.  With or without the current problem we would have to do this to get you back to the correct OS.

I just want to make sure you're OK with this.
Title: Re: Avast stopped working, virus?
Post by: oldman on August 26, 2007, 04:59:16 PM
I agree with mauserme. Somewhere along the line you have to get back to xp home. Whether here or at a shop. And I too am interested in what is happening. But it's your call.
Title: Re: Avast stopped working, virus?
Post by: BJS on August 26, 2007, 08:53:29 PM

Ok, I will try to find a copy of XP (home edition). Once I find it and upgrade, I will post.

Thanks again
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 26, 2007, 09:46:26 PM
Ok, I will try to find a copy of XP (home edition) once I find it and upgrade I will post.
8)


When you install use the key from the computer case.

After installation see if you find c:\windows\system32\chkdsk.exe     If it's missing copy it from c:\windows\system32\dllcache  to  c:\windows\system32


Download a fresh copy of ComboFix (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) and scan.   Also scan with WinPFind and save the log.  Then post those two logs plus a fresh HJT log.

Keep the computer off line as much as possible except to download the tools, post the logs, or get Windows updates.   
Title: Re: Avast stopped working, virus?
Post by: mauserme on August 28, 2007, 11:04:11 PM
Please don't run ComboFix yet.  I have been advised of a problem that I believe is not common but we will avoid it altogether.

The WinPFind3U log will be best for now.
Title: Re: Avast stopped working, virus?
Post by: BJS on September 20, 2007, 12:18:47 PM
Mauserme,
I did get a copy of XP Home and could get back into my desktop. But I did not want to risk getting a 3rd virus (having no virus protection at all), so I just made backup disks of my documents and files and then formatted my hard drive. I then did a scan on the disks to make sure they were clean and added them back.

Now that I have reinstalled XP and reformatted my drive, everything is great. Pretty much like a new PC and Avast! is working again.  I did learn quite a few things from you and Oldman (some tools such as Erunt, Combofix, F-secure blacklight and toolbar cop) along with a few handy websites (virus total) but hopefully I will not need them again.   

I also learned the hard way about the bagle virus.  No more downloading scrabble games for me!

Thanks again for all your help...
Title: Re: Avast stopped working, virus?
Post by: DavidR on September 20, 2007, 02:52:58 PM
That is what it is all about, learning and to do that mostly you have to make mistakes to truly learn ;D

All the tools for cleaning are great but what you should be trying for is prevention and a back-up and recovery strategy if the dark brown stuff hits the fan, much less painful all round. This topic is also quite long so I don't recall if these points have been mentioned:

1. Run applications that connect to the internet under DropMyRights to limit the potential for infection. You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP. Check Bob's setup instructions and importantly the dropmyrights.msi file needed as MS have now cleared the original link. http://mysharedfiles.no-ip.org/dropmyrights

2. A long time ago I purchased some hard disk imaging software and every now and then I got the later versions to work with my updated OS, etc. This software takes an exact copy of your Partitions or Hard Disk and saves the 'image' to another location, which could be a second HDD or DVD or to an external storage device. I do this back-up image weekly as part of my system maintenance.

If you have a serious problem and this would certainly come under that heading (or a crash resulting in serious corruption, etc.), then you restore the last back-up image and your problem is resolved. This type of software has hauled my a** out of the fire many times (not virus issues), more than compensating for what I paid for the software, and I can be up and running in a little over 15 minutes.
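What DropMyRights does under the hood, as described in the MSDN article DavidR names, is ask the SAFER API for a copy of your token with the Administrators and Power Users group SIDs turned into deny-only entries and the dangerous privileges stripped, and then start the browser with that token. The script below is an added example written for this thread, not DropMyRights itself or the article's code: it reproduces that sequence with Python's ctypes against `advapi32`'s `SaferCreateLevel`, `SaferComputeTokenFromLevel` and `CreateProcessAsUserW` (Windows XP and later). The level names "normal", "constrained" and "untrusted" are this example's own labels for the three SAFER levels; the Firefox path in the usage line is an assumption.

```python
"""DropMyRights-style launcher: start a program under a SAFER-restricted token.

Added example. The launch itself works only on Windows (advapi32 SAFER API);
the level table and lookup are plain Python and run anywhere.
"""
import ctypes
import sys

# SAFER level identifiers from winsafer.h, most to least privilege.
SAFER_LEVELS = {
    "normal":      0x20000,  # SAFER_LEVELID_NORMALUSER: admin-type group SIDs become deny-only
    "constrained": 0x10000,  # SAFER_LEVELID_CONSTRAINED: additionally blocks most secured objects
    "untrusted":   0x01000,  # SAFER_LEVELID_UNTRUSTED: only Everyone/Users-level access remains
}
SAFER_SCOPEID_USER = 2
SAFER_LEVEL_OPEN = 1


class STARTUPINFOW(ctypes.Structure):
    _fields_ = [
        ("cb", ctypes.c_uint32), ("lpReserved", ctypes.c_wchar_p),
        ("lpDesktop", ctypes.c_wchar_p), ("lpTitle", ctypes.c_wchar_p),
        ("dwX", ctypes.c_uint32), ("dwY", ctypes.c_uint32),
        ("dwXSize", ctypes.c_uint32), ("dwYSize", ctypes.c_uint32),
        ("dwXCountChars", ctypes.c_uint32), ("dwYCountChars", ctypes.c_uint32),
        ("dwFillAttribute", ctypes.c_uint32), ("dwFlags", ctypes.c_uint32),
        ("wShowWindow", ctypes.c_uint16), ("cbReserved2", ctypes.c_uint16),
        ("lpReserved2", ctypes.c_void_p), ("hStdInput", ctypes.c_void_p),
        ("hStdOutput", ctypes.c_void_p), ("hStdError", ctypes.c_void_p),
    ]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", ctypes.c_void_p), ("hThread", ctypes.c_void_p),
                ("dwProcessId", ctypes.c_uint32), ("dwThreadId", ctypes.c_uint32)]


def safer_level_id(level):
    """Map one of this example's level names to its SAFER_LEVELID_* value."""
    try:
        return SAFER_LEVELS[level.lower()]
    except KeyError:
        raise ValueError(f"unknown level {level!r}; choose one of {sorted(SAFER_LEVELS)}")


def launch_with_reduced_rights(command_line, level="normal"):
    """Start command_line under a restricted copy of the caller's token; returns the new PID."""
    if sys.platform != "win32":
        raise OSError("the SAFER API is only available on Windows")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

    def last_error():
        return ctypes.WinError(ctypes.get_last_error())

    # 1. Open a SAFER level object for the requested trust level.
    level_handle = ctypes.c_void_p()
    if not advapi32.SaferCreateLevel(SAFER_SCOPEID_USER, safer_level_id(level),
                                     SAFER_LEVEL_OPEN, ctypes.byref(level_handle), None):
        raise last_error()
    # 2. Derive a restricted token from the current process token (NULL = caller's token).
    token = ctypes.c_void_p()
    try:
        if not advapi32.SaferComputeTokenFromLevel(level_handle, None, ctypes.byref(token), 0, None):
            raise last_error()
    finally:
        advapi32.SaferCloseLevel(level_handle)
    # 3. Create the process with that token; CreateProcess* needs a writable command line.
    si = STARTUPINFOW()
    si.cb = ctypes.sizeof(si)
    pi = PROCESS_INFORMATION()
    cmd = ctypes.create_unicode_buffer(command_line)
    try:
        if not advapi32.CreateProcessAsUserW(token, None, cmd, None, None, False, 0,
                                             None, None, ctypes.byref(si), ctypes.byref(pi)):
            raise last_error()
    finally:
        kernel32.CloseHandle(token)
    kernel32.CloseHandle(pi.hThread)
    kernel32.CloseHandle(pi.hProcess)
    return pi.dwProcessId


if __name__ == "__main__":
    # Assumed install path; adjust for the machine. Quotes keep the spaces in the path intact.
    print(launch_with_reduced_rights(r'"C:\Program Files\Mozilla Firefox\firefox.exe"', "normal"))
```

"normal" is the level that matches BJS's description of the browser "flashing for a sec and then starting": the program runs as before but anything it spawns can no longer write to the system folders or HKLM, which is exactly the limit DavidR is after. The same call works for a mail client or an IM program, and a shortcut that runs this script is equivalent to the DropMyRights shortcut.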
Title: Re: Avast stopped working, virus?
Post by: oldman on September 20, 2007, 05:21:35 PM
Hello BJS

Glad you got it going again. Still haven't got that disk made, just no time.
Title: Re: Avast stopped working, virus?
Post by: mauserme on September 20, 2007, 07:59:55 PM
...  so I just made backup disks of my documents and files and then formatted my hard drive.
Sorry it had to get to that but its probably the most efficient solution. 

As David said, learning is good and I certainly did while working on your thread.   :)
Title: Re: Avast stopped working, virus?
Post by: BJS on September 20, 2007, 10:34:22 PM
David,
I took your advice and now start my browser under "DropMyRights"
I just start my browser (either Firefox or IE) from the icon on my desktop, it flashes for a sec and then it starts.

Thanks for the tip... ;)

I might invest in the image device. A friend also has one and he swears by it.

Thanks again to Mauserme and Oldman and everyone else that chipped in.
The situation was bad, but I actually found I enjoyed some of the things we tried. I like to know how things tick and this was a crash course (sorry about the pun)  ;D
Title: Re: Avast stopped working, virus?
Post by: DavidR on September 20, 2007, 10:56:38 PM
You're welcome.

You should also consider the same DMR for your email program (or P2P and Instant Messaging if you use them) as that is still a major route of entry.