Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ^Hawk^ on January 03, 2004, 02:43:40 AM
-
I just installed avast4, it wanted to scan my system after reboot so I said fine. It found what appeared to be a couple of worm's in an .exe or 2, so I told it to delte them, and to delete any future ones it found. Well now I can't run a single thing excent Internet Explorer. Windows explorer is gone, control panel gone, e-mail program gone, get the picture. How in the hell could this happen and how in the world do I fix it now?
Thanks,
^Hawk^
-
im assuming avast wont run either. so run an online scan here:
http://housecall.trendmicro.com (http://housecall.trendmicro.com)
see if it finds any more of those worms
-
OK, Housecall is scanning. How do I get my exe files back. I can't run a single program on my PC. I'm screwed if I have to reinstall everything.
-
do you know the names of the .exe files?
What did Housecall find
-
explore.exe swishmax.exe rundll32.exe qw.exe the list goes on and on
Housecall is still scanning....so far it's found another virus...JS NOCLOSE.E
-
Hawk, MacLover called me to help you. I'll say it won't be easy to recover your .exe files one by one. Anyway, there are a quite good application that you can run at a floppy: Restoration 2.5.14 (http://www.mywebattack.com/gnomedl.php?get=http://www.fxSearch.com/ldw_eng/setup.exe) or you can download here (http://hccweb1.bai.ne.jp/~hcj58401/REST2514.EXE).
Others have to be installed into a Windows envyronment: PC File Recovery (http://download.pcinspector.de/pci_filerecovery.exe).
I recommend you try avast! Virus Cleaner Tool (http://www.avast.com/files/eng/aswclnr.exe). You can run into 'Windows Safe Mode' to be sure of a complete cleaning and then, after, try to recover your exe files with Restoration. Note, Restoration does not need to be installed into the HDD and before the 'disaster' happenned.
If you can get some help from raman, he is a experienced avast user about viruses and cleaning. We will be here trying to help you ;)
-
Latest update. It seems that at least some of the files that I thought were deleted were not. The problem is windows has forgotten how to run an .exe file. I downloaded those 2 programs to my desktop and tried to run both and I got the same error message. "Windows cannot find the program, use search to find it. I've used to search to find some of these files, and when I try to run the files that search finds, I also get the error message. So is this hopeless, or do I just need to do a few specific things?
Thanks for all the help so far. If I ever meet a virus writer, even if he or she is 8 years old, I'm ripping out their spine and hanging it on a stake in front of my house.
-
Did some more searching, and it seem the PrettyPark virus causes these symptoms, but I can't find any traces of that virus on my system, so I'm still looking.....
-
IM back. Here is what i found on the trojan housecall found
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_NOCLOSE.E (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_NOCLOSE.E)
if you have java installed when this is over be sure to install the latest version of that platform and update IE as well.
-
what version of windows are you running? and post a hijack this log IF you can http://mjc1.com/mirror/hjt/ (http://mjc1.com/mirror/hjt/)
ill notify raman
-
Please start your PC in safe mode and start regedit.
check the Value of this Regkey:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
The value should be : "%1" %*
-
I'm running Win XP Pro. I'm attaching the hijackthis log.
Raman,
That is the registry entry I have for that setting.
My .exe files are back to working, now I need guidance to make sure my system is clean, and have nothing hiding in wait to pop up later on.
Thanks,
^Hawk^
-
Hui is there a virus you are not infected with? :(
You are highly infected! Optix, supernova, SDbot or gaobot(?) Adware
What do you want, cleaning your PC, or format and reinstall all?
The last choice is the better on.
-
I would surely prefer to clean vs. reformat and reinstall. To give you an example. Avast has been scanning for hours, over 500,000 files so far. I takes me weeks to reformat and reinstall everything, and since I have to back up so much data, am I not risking backing up a virus and introducing it when I start to reinstall anyways?
Here's what avast just found:
Win32: Trojan-Gen (Other)
ADinf-1646
-
The adinf should be a false alarm, and you should let avast scan in safe mode. It is(this time) faster then running it with all the viruses active and in safe mode avast should be able to clean/delete them.
-
Please remember an infected Backup is beter than none and do not blame me if something will not work after this.
Okay, start your pc in safe mode and let hijackthis fix these things:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [System Profile] c:\windows\system32\regsrv.exe
O4 - HKLM\..\Run: [Supernova] C:\WINDOWS\CHEESE~1.exe
O4 - HKLM\..\Run: [msbb] C:\PROGRA~1\INTERN~2\sim\msbb.exe
O4 - HKLM\..\Run: [GMTDKQXEK] C:\WINDOWS\GMTDKQXEK.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [AHKRXBO] C:\WINDOWS\AHKRXBO.exe
and everything under 016 exept the [update class] line.
restart and post a new log
-
OK here's the latest Hijack This log. I've scanned with Avast!, Spybot Search and Destroy and Hijack This. I've removed and cleaned everything that was identifed by all three as bad.
Thanks,
^Hawk^
-
Looks much better now, please test this file: C:\WINDOWS\AHKRXBO.exe here: http://www.kaspersky.com/remoteviruschk.html
and fix the following entries:
O4 - HKLM\..\Run: [AHKRXBO] C:\WINDOWS\AHKRXBO.exe
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
I like People using Plextor drives! :)
-
I Love my Plextor, they are a little bit more expensive, but worth it. I've been using Plextor since the quadplex, where you had to insert the CD in the special cartridge.
OK, I've turned on all the settings to view all the files in my c:\windows folder and I don't find that file in there. I fixed the other two entries and run hijackthis again and that file you wanted me to upload still shows up. Wierd. I also now have all the computers in the house triple protected with Avast!, Spybot S&D and Hijackthis. No virus' found on other computer, just alot of spyware which was promptly removed.
-
Hawk, I think I was correct when I said...
I recommend you try avast! Virus Cleaner Tool (http://www.avast.com/files/eng/aswclnr.exe). You can run into 'Windows Safe Mode' to be sure of a complete cleaning and then, after, try to recover your exe files with Restoration. Note, Restoration does not need to be installed into the HDD and before the 'disaster' happenned.
And when I said you'll receive the best help from raman...
If you can get some help from raman, he is a experienced avast user about viruses and cleaning. We will be here trying to help you ;)
Are you clean now? ;)
-
Yes, I believe I'm clean now. Thanks to everyone who pitched in to help. I'll definately be spreading the news about avast! The theory of providing free virus protection to the home users is brilliant. I could never afford to pay for 5 copies plus the updates $$$ to protect all of my home computers. I have them all over the house for convienence to me. Thanks again to everyone.
^Hawk^
-
Please search the registry for AHKRXBO.exe and say where it was found. You may have to do that in safe mode
-
Registry says it's in C:\windows. What is this file? Should I be worried? :o
-
yes, a bit. In which regkeys was it found? You may try to let hijack fix the entry in safe mode
-
LocalMachine_Software_microsoft_windows_currentversion_run
-
If it is only there, let Hijack this fix it in safe mode and try to find the file
-
Ok Hijack fixed this, and now it no longer shows up in the hijack log. The file is nowhere to be found on my system.
-
Nice to here. Please post n actual HJT Log to see if everything is gone!
-
OK here's the latest
-
hello...if I post my hijack this log...do I need to delete anything first...personal information?
thanks,
cojo
-
i dont think hijackthis displays passwords or account info
-
ok...here goes...'course everyone is sleeping now ;D
Logfile of HijackThis v1.97.7
Scan saved at 8:38:31 PM, on 1/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashdisp.exe
C:\Program Files\Alwil Software\Avast4\ashmaisv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DONNA HOLT\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O1 - Hosts: 127.98.9.1 b9.127.0.0.1.b9
O1 - Hosts: 127.98.9.2 b9.127.0.0.1
O1 - Hosts: 127.98.9.3 www.bellsouth.net.b9
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL (file missing)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Ad-watch.lnk = ?
O4 - Startup: BCMSMMSG.lnk = ?
O4 - Startup: diagent.lnk = ?
O4 - Startup: IntelliType.lnk = ?
O4 - Startup: nwiz.lnk = ?
O4 - Startup: UpdReg.lnk = C:\WINDOWS\Updreg.EXE
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O9 - Extra button: Look for Spybot-S&&D updates (HKLM)
O9 - Extra 'Tools' menuitem: Look for Spybot-S&&D updates (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O15 - Trusted Zone: http://www.avast.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://*.lighthouse.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: http://*.securityplace.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://www.support.fastaccess.com/sdccommon/download/tgctlpw.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1064673232437
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2678f4b3a8619fb4c522/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {86CEEAFA-AE5C-11D4-A4C8-00A0C9E79206} (ActiveXDemo Control) - http://www.finjan.com/mcrc/demos/ActiveXDemo.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37676.7180671296
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4307/mcfscan.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://install.wildtangent.com/bgn/partners/bellsouth/slyder/install.cab
cojo
-
I see no important info in there. raman will be along soon to tell you whats bad in it
-
ok, I shall wait for him to wake up ;D
cojo
-
There is nothing really dangerouse, but you maybe want to fix this:
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL (file missing)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: UpdReg.lnk = C:\WINDOWS\Updreg.EXE
and if you do not know why, get this fixed too:
O1 - Hosts: 127.98.9.1 b9.127.0.0.1.b9
O1 - Hosts: 127.98.9.2 b9.127.0.0.1
O1 - Hosts: 127.98.9.3 www.bellsouth.net.b9
-
hello...if I post my hijack this log...do I need to delete anything first...personal information?
thanks,
cojo
Probably not... But you can send it first to a friend of you (or anybody you trust) by email to ask his/her opinion. ;D
After this, you'll be fine if you ask raman opinion about your hijack ;)
-
Raman,
thank you so much!!
I will fix these immediately...
My respect and affection for everyone of the experts here on the forum grows daily.
All of you have contributed to my learning in different ways...and your support has been incredible.
With all my heart, I thank you!
cojo
-
Raman, thank you so much!!
I will fix these immediately...
My respect and affection for everyone of the experts here on the forum grows daily.
All of you have contributed to my learning in different ways...and your support has been incredible.
With all my heart, I thank you!
cojo
Won't you thank me? :'(
-
yes, Technical, I do thank you very much!
so many have helped me...I am afraid to say individual names because I know that I will forget someone--and I don't want to forget anybody!
cojo
who thanks everyone on the forums for their wonderful help...and I really do mean everyone.