Avast stopped working, virus?

[BJS]

Hello,
I have been using the lastest updates of Avast for a year now with no problems. Yesterday I was downloading some files and had several virus alerts which I moved to the chest.  All of a sudden, the avast icoin in my taskbar dissapeared. I tried to turn it back on but it said the shortcut had been moved or changed. I tried to download Avast again and it did not work. I also tried several other free antivirus programs and they also would not work. I also had a message stating something about "Dr Watson postmortem debugger"  I am 99% sure I have a virus. Can anyone tell me what to do? All of my word documents won't work either.

Any info would help..

Here is the log..

Logfile of HijackThis v1.99.1
Scan saved at 10:45:39 PM, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\015DWVTF\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://ca.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://ca.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[CharleyO]

***

Welcome to the forums, BJS.   

Do you have or have you had McAfee anti-virus on this computer?

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

Having 2 active av services can cause the problem you are experiencing. The above entries indicate that some McAfee service has been on your computer at some time in the past or is present now. These could also be remnants of a past McAfee program which could be causing interference with avast or any other av service.


***

[BJS]

Thank you,

McAfee might have been installed at one point (it is my wifes PC) but to my knowledge, Avast was the only active antivirus program working. Whenever there was a virus alert in the last year, Avast was the only one to pick it up. What worried me the most is that it said some files had been moved. Moved where?

[oldman]

There are removal tools for mcafee available, if you can find out if and what version was installed.

Moved is either to the chest or the moved folder. Moved folder can be found in program files\alwil software\avast4\data.

[BJS]

I opened the "moved" folder under data but it was empty. I am just trying to get Avast active again. It is still under alwilsoftware but when I try to activate from startup, it says that the shortcut has been changed or moved.

Also, I did a search and there are no remnents of McAfee that I can see. No files anyway.

[oldman]

What happens when you open ashsimp.exe or ashsimp2.exe from the avast4 folder?

[CharleyO]

***

Those 2 entries I mentioned above should be fixed with HijackThis so that these will no longer be a problem.

You might also try a repair of avast through Add/Remove programs. You need to be on-line to do this.

MyComputer > Control Panel > Add/Remove programs > scroll down to avast! antivirus & click to select > Change/Remove button > Scroll down to Repair & click Repair > click Next button and follow instructions


***

[Maxx_original]

a good way is to run ProcessExplorer and look for the two processes running under drwatson... i don't like this "debugger", but the informations about the two crashing processes are useful to decide what to do

[BJS]

Hello,
I ran ProcessExplorer and this is the results.. I also tried to repair Avast and I followed CharleyO directions but I could only get to "change and remove" it did not give me the "repair option"




Process   PID   CPU   Description   Company Name
System Idle Process   0   98.46      
 Interrupts   n/a      Hardware Interrupts   
 DPCs   n/a      Deferred Procedure Calls   
 System   4         
  smss.exe   292      Windows NT Session Manager   Microsoft Corporation
   csrss.exe   340      Client Server Runtime Process   Microsoft Corporation
   winlogon.exe   364      Windows NT Logon Application   Microsoft Corporation
    services.exe   408      Services and Controller app   Microsoft Corporation
     svchost.exe   572      Generic Host Process for Win32 Services   Microsoft Corporation
      iexplore.exe   180      Internet Explorer   Microsoft Corporation
       ctfmon.exe   3544      CTF Loader   Microsoft Corporation
     svchost.exe   620      Generic Host Process for Win32 Services   Microsoft Corporation
     svchost.exe   656      Generic Host Process for Win32 Services   Microsoft Corporation
     svchost.exe   704      Generic Host Process for Win32 Services   Microsoft Corporation
     svchost.exe   724      Generic Host Process for Win32 Services   Microsoft Corporation
     spoolsv.exe   792      Spooler SubSystem App   Microsoft Corporation
     svchost.exe   1052      Generic Host Process for Win32 Services   Microsoft Corporation
     iPodService.exe   152      iPodService Module   Apple Computer, Inc.
     svchost.exe   1500      Generic Host Process for Win32 Services   Microsoft Corporation
     HPZipm12.exe   920      PML Driver   HP
    lsass.exe   420      LSA Shell (Export Version)   Microsoft Corporation
explorer.exe   3868      Windows Explorer   Microsoft Corporation
 jusched.exe   1236      Java(TM) Platform SE binary   Sun Microsystems, Inc.
 vsnpstd2.exe   3032      CameraMonitor MFC Application   
 khooker.exe   2320      SiS Compatible Super VGA Keyboard Daemon   Silicon Integrated Systems Corporation
 hpwuSchd2.exe   2656      Hewlett-Packard Product Assistant   Hewlett-Packard Development Company, L.P.
 rundll32.exe   2700      Run a DLL as an App   Microsoft Corporation
 iTunesHelper.exe   320      iTunesHelper Module   Apple Computer, Inc.
 GoogleToolbarNotifier.exe   3220      GoogleToolbarNotifier   Google Inc.
 msmsgs.exe   2844      Windows Messenger   Microsoft Corporation
 hpqtra08.exe   1444      HP Digital Imaging Monitor   Hewlett-Packard Development Company, L.P.
  hpqste08.exe   200      HP CUE Status   Hewlett-Packard Development Company, L.P.
 LastFMHelper.exe   1012         
 iexplore.exe   1296      Internet Explorer   Microsoft Corporation
procexp.exe   2092   1.54   Sysinternals Process Explorer   Sysinternals

[CharleyO]

***

BJS,

What OS is on this computer?


***

[Maxx_original]

i can't see the drwatson instances in your ProcessExplorer log... are you still getting some errors?

[mauserme]

Those McAfee  016's are ActiveX controls - more like an online scan that anything that would interfere with a resident scanner.

Under the circumstances described in the initial post I would run F-Secure Blacklight to check the possibility of a rootkit

http://www.f-secure.com/blacklight/try_blacklight.html

and also scan this file at Virus Total

C:\WINDOWS\ratmn.exe


EDIT:  BTW, you are running HJT from a temporary file.  This should be moved to its own folder as backups will be made of anything you fix with this program.  Running from a temp folder risks losing the backups.

[BJS]

CharleyO,
I am running in Windows XP.  I am going run the programs that mauserme suggested.

Thanks...

[BJS]

Mauserme,
I ran f-secure backlight. It showed about 250 hidden files.
I could not find the file you wanted me to check at virus total. It was not under c:windows. Could it be under a subfolder?

[oldman]

According to the hjt log it is in the c:\windows folder. It's the 6th 04 entery. Do you have show all files turned on in folder options?