Avast WEBforum
Other => General Topics => Topic started by: bexar656 on January 19, 2010, 09:00:10 PM
-
I ran avast standard last night and it said "no virus found." Then this morning I get three warnings that I have a Trojan Horse. Shouldn't running avast have picked them up? Did they just come up last night? Also I now am getting repeated messages when on the internet, "this program has been shut down to protest your computer." Any advice as to what's going on? Do I have a virus that's messing things up?
-
hey and welcome to the forum.
suggestion 1: is avast running at all on your computer? if not, try to repair avast by clicking on the control panel > add and remove programs > scroll down to avast and hit uninstall and select the option to repair and hit ok. what were the files that were detected as trojans and what did you do with them?
suggestion 2: only if you get avast running, do a boot scan. http://www.schmahl.net/avastbootscan.php , otherwise move on with step 3
suggestion 3: sounds like you can have that; i suggest you run a scan with MBAM and/or SAS
http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/
good luck and write back if you need help or are getting problems
-
"this program has been shut down to protest your computer."
What program was the message referring to?
-
I followed your first suggestion and did remove, repair. It then ran and said, "The product was successfully updated." I then ran a boot scan. When it finished it said something about Trojan Horse but was off the screen before I could read it. It gave me ten keys to select from and I chose Repair all and it said, "File was not repaired." So I did, "Move all to chest," and it said, "Error, Status-Device-Data-Error." I tried both several times with the same results. My next step is to run the other two scans you suggested, MBAM and SAS. Here are the viruses I now have in my Chest.
SSHNAS21.DLL C:\Windows\System2 Win32:Trojan-gen
WCX.exe C:\NOCUME\User " " "
WCX.exe Locals~\Temp Win32:Fake V-A...
Kernel32.dll C:\Windows\System32
Winst ock.dll " " "
Winstock32dll " " "
The message "This program will close is all in the Internet, e-mail and other things I'm opening. Only Internet.
-
Do you have Word Converter (http://www.softinterface.com/WCE/WCE.htm) installed?
The posted information about what is in your chest:
Is that copied and pasted by the computer, or did you type it in? It doesn't look quite right. Could "Winst ock.dll" actually be "winsock.dll"?
Are you looking in the "infected files" area of the chest, or the "all files" section? You should only be looking in the infected files section.
The message "This program will close is all in the Internet, e-mail and other things I'm opening. Only Internet.
I still do not understand this.
In the top of the dialogue window indicating the program has been closed will be an actual process name. I would like that name, please. (It will be something like "IE8.exe", or "explorer.exe".)
Can we also see the MBAM and SAS logs, please?
Post them as a text attachment in your reply. (To attach, see "Additional Options" at the lower left of the forum reply window.)
-
No I don't have Word Converter installed. Yes I typed it in. Winst ock.dll is Winstock.dll, my error. Yes I'm only looking in the infected area. But now all but one that I listed before are gone and they have been replaced by seven different ones. I got warnings last night and kept moving them to the chest. I'll have to wait until I get another "Program will close" to let you know what name it says. It hasn't done it today at all. I'll have to get back to you on the logs later today. Thanks
-
I just tried to attach MBAM and SAS logs but it said that the attachments are too large. I don't know what to do about it. But here is the log from MBAM.
Trojan.Agent File C:\Windows\msa.exe
Trojan.FakeAlert Hkey_Current_User\SoftWare\xml
The SAS has a ton of items listed as Processing or Remove. I am still getting Warnings and now have 15 viruses in the avast chest.
-
With the MBAM log, if it is too large to attach (unusual), copy and paste the log into two or more forum posts. Same with the SAS log.
What you've posted above isn't a log, it's a couple of entries, which of themselves only offer limited information.
So just in case you don't know how to, open MBAM, select the "logs" tab near the top middle of the interface, select the appropriate (normally most recent) log, double click it. It will open. And look a bit like what I've attached, an edited version just for demonstration as to how it should look.
-
Here is from MBAM:
Malwarebytes' Anti-Malware 1.41
Database version: 2987
Windows 5.1.2600 Service Pack 3
1/8/2010 8:08:07 PM
mbam-log-2010-01-08 (20-08-07).txt
Scan type: Full Scan (C:\|)
Objects scanned: 336821
Time elapsed: 1 hour(s), 33 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
As for SAS all that opens is Run a scan, Schedule a scan, Update, etc. No log shows anywhere.
-
Try updating MBAM and run a quick scan again, please post the scan report.
-
By "post the scan report" do you mean the log? I don't see anything that says Report. I updated MBAM and am running a full scan again. Also, should I leave all the viruses that I now have in the avast chest? I haven't had the message saying "this program will close" for a couple of days and haven't had any Warnings since yesterday.
-
Yes, I do mean the log. (The scan report will open at the conclusion of a scan. Once closed, it becomes part of the log. So, same same but different.)
A quick scan would probably have been adequate, but that's ok.
We'll have a look at the Avast chest after this.
-
Here is the latest log.
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/21/2010 8:45:43 PM
mbam-log-2010-01-21 (20-45-33).txt
Scan type: Full Scan (C:\|)
Objects scanned: 347151
Time elapsed: 2 hour(s), 50 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
The three items detected are reg keys, which means basically they are the settings for how a now cleaned up malware would have run, were it still installed.
Run a quick scan again, but this time at the conclusion, when those three entries appear again, select the entries, and in the dialogue window select "remove selected" and allow MBAM to remove them. (They will go to the MBAM quarantine.)
They are best removed, but of themselves are no immediate threat. (Unless you encounter that particular malware again.)
Please do that, and post the report again.
How is the computer running?
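As an added illustration (not part of this thread or of MBAM itself), here is a small Python parser for MBAM logs like the one posted above. It pulls out the listed detections, reports which ones are still marked "No action taken" (the three registry keys in this case), and cross-checks the summary counts against the entries actually listed, which catches a log that was pasted incompletely. The sample input is the 1/21/2010 log reproduced from this thread with a few empty sections left out.

```python
import re
from dataclasses import dataclass, field

# Sample input, constructed for this example: the 1/21/2010 MBAM log posted in
# this thread, with a few of the empty sections left out for brevity.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
1/21/2010 8:45:43 PM
Scan type: Full Scan (C:\|)
Objects scanned: 347151
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")   # "Registry Keys Infected: 3"
SECTION_RE = re.compile(r"^(?P<cat>.+ Infected):$")              # "Registry Keys Infected:"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str   # which "... Infected:" section the entry was listed under
    item: str       # registry key/value or file path
    threat: str     # MBAM's name for it, e.g. Trojan.FakeAlert
    action: str     # "No action taken" or "Quarantined and deleted successfully"


@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    scan_type: str = ""
    counts: dict = field(default_factory=dict)        # summary block: category -> count
    detections: list = field(default_factory=list)    # one Detection per listed entry


def parse_mbam_log(text):
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.split()[-1]
        elif line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
        elif line.startswith("Scan type: "):
            report.scan_type = line.split(": ", 1)[1]
        elif SUMMARY_RE.match(line):
            m = SUMMARY_RE.match(line)
            report.counts[m["cat"]] = int(m["n"])
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line)["cat"]
        elif section and line != "(No malicious items detected)":
            m = ENTRY_RE.match(line)
            if m:
                report.detections.append(Detection(section, m["item"], m["threat"], m["action"]))
    return report


def unresolved(report):
    """Entries MBAM reported but did not quarantine (the 'No action taken' ones)."""
    return [d for d in report.detections if not d.action.lower().startswith("quarantined")]


def count_mismatches(report):
    """Categories whose summary count differs from the entries actually listed.

    A non-empty result usually means the log was pasted incompletely."""
    listed = {}
    for d in report.detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {cat: (n, listed.get(cat, 0))
            for cat, n in report.counts.items() if n != listed.get(cat, 0)}


if __name__ == "__main__":
    rep = parse_mbam_log(MBAM_LOG)
    for d in unresolved(rep):
        print(f"still present: {d.item} ({d.threat})")
    print("count mismatches:", count_mismatches(rep))
```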
-
OK I got the three in quarantine. I haven't been having a closing for a few days. Two days ago I got another warning but nothing since. The computer is running as good as it was before all this. Do you think this has taken care of everything? Now what about the stuff in the avast chest? Thanks
-
Each of the files in the "infected files" section of the chest should be re-scanned.
There is no hurry to delete these files.
Those that re-scan as still infected can be left there.
Please post the names of the files, and their original locations. You may have to enlarge the chest screen and move the column headers to see the data.
Can you take and post screenshots? That may be easier than copying the data.
-
Yes normally I can take screen shots but for some reason it will not do it in the chest. There are 15 files and I rescanned each one and they all come up infected. I'll have to type out each one for the info you want. It will take me a while so I'll have to get back later. Thanks
-
Here they are.
Original Location Virus
AOIO2659dll C:\System Volume Info\restore Win32: Trojan.gen
AO102746.exe " Win32: FakeAV-A
SHNAS21.DLL C:\Windows\System2 Win32: Trojan.gen
shnas.dll C:\Documents and Settings\user\Locals " "
WCO.exe " " "
WCI.exe " " "
WCI2 " Trojan-gen
WCI4 " Win32: FakeAV
WCI5 " Trojan-gen
WCI6 " Trojan-gen
wcv.exe "
wcw.exe " Win32:FakeAV-
wcx.exe C:\DOCUME~\User\Locals~\Temp Trojan-gen
wcy.exe C:\Documents and Settings\user\Locals "
wcz.exe C:\DOCUME~\User\Locals~\Temp Win32:FakeA .A
Whew I hope I copied all this right.
-
It looks like Avast and MBAM have done a good job stopping this malware. Sorry, I don't have a name for it; a Google search indicates several of the processes quarantined could belong to several trojans, although it could be just one trojan involved in creating those files.
What I'd do next is a good file clean.
There are two main file cleaner utilities I use, Ccleaner slim (http://majorgeeks.com/download4191.html) or ATF cleaner. (http://majorgeeks.com/ATF_Cleaner_d4949.html) (Atf will run from the download location.)
Select all temporary files and temporary internet files and have the cleaner remove them.
If your computer appears to be running well, turn off system restore, reboot, turn it back on again. Caution: this will remove all prior restore points. (It will also remove any malware files in a restore point.)
Update MBAM and run another quick scan. Only need to report the result if anything was found.
Give it a week or so, then rescan those files in the Avast chest, then (if still infected) delete them.
It looks to me like you are probably in pretty good condition. I'm not a trained malware remover, though. If you would like a second opinion involving running another tool and posting another log (to be sure) please advise. (I'd be inclined to do this, especially if the computer is used for CC transactions or banking.)
-
I ran Ccleaner and selected all temporary files and temporary internet files and they were removed. I couldn't find how to shut off System Restore but I rebooted. I updated MBAM and ran a quick scan and it found three Trojans as follows:
Trojan Fake Alert Reqistry Key HKEY_Current_USER\Software\Bmi No Action Taken
" " " Registry Value " " " " \Micro...Value:bmimzmh
" " " Registry Key " " " " \W29 " " "
I'll take your advice and request a second opinion. What are CC transactions? I do have my checking account in the computer and also I pay my bills online. Thanks
-
Run MBAM again, and this time have it remove anything it finds, then attach the log, please.
I spoke a bit soon, earlier. Looks like you are not out of the woods. I'm going to get you to run another diagnostic, and get someone else to look into this; I don't have the education to deal with it comprehensively, I'm afraid.
-
Here is the log after removing them.
Malwarebytes' Anti-Malware 1.44
Database version: 3638
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/25/2010 9:33:09 PM
mbam-log-2010-01-25 (21-33-09).txt
Scan type: Quick Scan
Objects scanned: 113637
Time elapsed: 4 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\BMIMZMHMFM (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WS9E3IQBKY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmimzmhmfm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Something is quite possibly hidden from MBAM (or not detected by it) that is causing this.
Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop, and see the instructions Here (http://forum.avast.com/index.php?topic=53253.msg451454#msg451454) on what to do with it.
I'll PM essexboy and see if he can look at your logs.
You may have to break the log up into several sections, as it might not all fit in one reply window.
-
Here is from a quick scan of Malwarebytes etc following the instructions. It finished and said "No malicious items detected." I downloaded OTL and will now run that.
Malwarebytes' Anti-Malware 1.44
Database version: 3641
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/26/2010 12:23:34 PM
mbam-log-2010-01-26 (12-23-34).txt
Scan type: Quick Scan
Objects scanned: 115655
Time elapsed: 1 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
I have subscribed to this topic - for when you post the log ;D
-
I don't know if this will work; there is a ton of info in the OTL logs but I'm trying to copy and paste bit by bit, as an attachment didn't work. I'll have to do several replies.
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 3055 3055 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 27.57 Gb Free Space | 37.00% Space Free | Partition Type: NTFS
Drive D: | 1.66 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SYSTEM
Current User Name: user
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
========== Processes (SafeList) ==========
PRC - [2010/01/26 10:32:06 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2010/01/21 10:05:12 | 04,808,704 | ---- | M] () -- C:\Program Files\USIM Editor\iconcs209437.exe
PRC - [2010/01/21 10:05:12 | 00,065,536 | ---- | M] () -- C:\WINDOWS\system32\afasrv32.exe
PRC - [2010/01/05 07:56:02 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/24 17:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/10 23:08:18 | 00,417,792 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2009/10/26 16:53:15 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/10/23 09:33:50 | 01,236,712 | ---- | M] (InternetSafety.com, Inc.) -- C:\Program Files\Internet Content Filter\SafeEyes.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/28 09:42:50 | 00,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/09/19 07:04:52 | 00,562,944 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
PRC - [2009/09/19 07:04:50 | 00,045,312 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
PRC - [2009/07/10 12:49:24 | 00,323,584 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/12/24 15:39:11 | 01,258,840 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/09 14:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/08/20 09:54:08 | 00,150,016 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\digital imaging\bin\HpqSRmon.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/25 00:51:40 | 00,245,760 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2007/05/25 00:51:37 | 00,131,072 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2007/05/25 00:51:36 | 00,155,648 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2007/05/25 00:51:27 | 16,132,608 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2007/01/17 11:20:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006/11/22 21:10:06 | 00,151,552 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
PRC - [2006/09/28 19:18:00 | 00,266,343 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
PRC - [2006/02/28 06:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe
PRC - [2006/02/19 02:41:10 | 00,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2006/02/10 07:56:12 | 00,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\digital imaging\bin\hpqimzone.exe
PRC - [2004/06/06 22:42:30 | 00,659,456 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon06.exe
PRC - [2004/05/28 22:31:38 | 00,241,664 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
PRC - [2004/05/14 09:42:32 | 00,573,440 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\KEM.exe
PRC - [2004/05/12 15:18:56 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2004/04/26 07:06:12 | 00,029,696 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
PRC - [2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004/03/01 01:40:52 | 00,077,824 | R--- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\hpbpro.exe
PRC - [2004/03/01 01:40:52 | 00,073,728 | R--- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\hpboid.exe
-
2nd reply of OTL.
========== Modules (SafeList) ==========
MOD - [2010/01/26 10:32:06 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
MOD - [2009/11/24 17:50:32 | 00,139,264 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll
MOD - [2009/09/18 06:21:10 | 00,073,728 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll
MOD - [2008/05/13 09:13:36 | 00,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2008/04/13 18:12:05 | 00,065,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shimeng.dll
MOD - [2008/04/13 18:11:58 | 00,071,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msacm32.dll
MOD - [2008/04/13 18:11:56 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\linkinfo.dll
MOD - [2008/04/13 18:11:48 | 01,852,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AppPatch\acgenral.dll
MOD - [2004/05/14 09:39:36 | 00,086,016 | ---- | M] () -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - File not found [On_Demand | Stopped] -- -- (KodakCCS)
SRV - File not found [On_Demand | Stopped] -- -- (getPlus(R) Installer) getPlus(R)
SRV - File not found [On_Demand | Stopped] -- -- (getPlus(R) Helper) getPlus(R)
SRV - [2010/01/21 10:05:12 | 00,065,536 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\afasrv32.exe -- (AfaService)
SRV - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/28 09:42:50 | 00,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/09/19 07:04:50 | 00,045,312 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe -- (NTI BackupNowEZSvr)
SRV - [2009/07/01 08:58:55 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9fa5c7d36282a) Google Update Service (gupdate1c9fa5c7d36282a)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/06/03 12:17:39 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/09 14:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/12/19 22:42:59 | 00,138,168 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2007/01/17 11:20:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2006/09/28 19:18:00 | 00,266,343 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo) Cyberlink RichVideo Service(CRVS)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) [On_Demand | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2004/03/01 01:40:52 | 00,077,824 | R--- | M] (Hewlett-Packard Company) [On_Demand | Running] -- C:\WINDOWS\system32\hpbpro.exe -- (HP Port Resolver)
SRV - [2004/03/01 01:40:52 | 00,073,728 | R--- | M] (Hewlett-Packard Company) [On_Demand | Running] -- C:\WINDOWS\system32\hpboid.exe -- (HP Status Server)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
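As an added example (my own code, not OTL's and not something posted in this thread), here is a Python triage pass over the PRC/MOD/SRV lines of an OTL log like the one above. It parses each entry, lists services whose binary is "File not found" (stale registrations), and flags entries for a human to look at: files with an empty company field that were modified within the log's 14-day file-age window. Those heuristics are my assumptions, not a verdict; whether a flagged file is malicious still has to be checked by someone who knows the machine. The sample is a handful of lines copied from the log above.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Sample input, constructed for this example: a handful of PRC/MOD/SRV lines
# copied from the OTL log posted in this thread. Not the complete log.
OTL_SAMPLE = r"""
PRC - [2010/01/26 10:32:06 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2010/01/21 10:05:12 | 04,808,704 | ---- | M] () -- C:\Program Files\USIM Editor\iconcs209437.exe
PRC - [2010/01/21 10:05:12 | 00,065,536 | ---- | M] () -- C:\WINDOWS\system32\afasrv32.exe
PRC - [2006/09/28 19:18:00 | 00,266,343 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
MOD - [2008/04/13 18:12:05 | 00,065,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shimeng.dll
SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - [2010/01/21 10:05:12 | 00,065,536 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\afasrv32.exe -- (AfaService)
SRV - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/07/01 08:58:55 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9fa5c7d36282a) Google Update Service (gupdate1c9fa5c7d36282a)
"""

# Day the log was taken, read off the OTL.exe timestamp in the first line.
SCAN_DATE = date(2010, 1, 26)

ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV) - \[(?P<date>\d{4}/\d{2}/\d{2}) [\d:]+ \| (?P<size>[\d,]+) \| [^|]+ \| \w\] "
    r"\((?P<company>[^)]*)\)"                                # company field; empty when OTL found none
    r"(?: \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\])?"     # SRV only: [Auto | Running]
    r" -- (?P<path>.+?)(?: -- \((?P<service>[^)]+)\).*)?$"   # SRV only: -- (ServiceName)
)
MISSING_RE = re.compile(
    r"^SRV - File not found \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- -- \((?P<service>[^)]+)\)"
)


@dataclass
class OtlEntry:
    kind: str                  # PRC (process), MOD (module) or SRV (service)
    modified: Optional[date]   # file modification date; None when the file is missing
    company: str               # company name OTL read from the file, "" if none
    path: str
    service: str               # service name, "" for PRC/MOD
    state: str                 # Running/Stopped, "" for PRC/MOD


def parse_otl(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MISSING_RE.match(line)
        if m:
            entries.append(OtlEntry("SRV", None, "", "", m["service"], m["state"]))
            continue
        m = ENTRY_RE.match(line)
        if m:
            modified = datetime.strptime(m["date"], "%Y/%m/%d").date()
            entries.append(OtlEntry(m["kind"], modified, m["company"].strip(), m["path"],
                                    m["service"] or "", m["state"] or ""))
    return entries


def orphaned_services(entries):
    """Services still registered whose binary OTL could not find on disk."""
    return [e for e in entries if e.kind == "SRV" and e.modified is None]


def flag_for_review(entries, scan_date, max_age_days=14):
    """Heuristic (an assumption of this example, not an OTL rule): files with no
    company name that changed within max_age_days of the scan deserve a look."""
    flagged = []
    for e in entries:
        if e.modified is None or e.company:
            continue
        if 0 <= (scan_date - e.modified).days <= max_age_days:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    found = parse_otl(OTL_SAMPLE)
    for e in orphaned_services(found):
        print(f"stale service registration: {e.service} ({e.state})")
    for e in flag_for_review(found, SCAN_DATE):
        print(f"review: {e.kind} {e.path} modified {e.modified}, no company name")
```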
-
Sorry but I can't get this done. It keeps saying that there are too many characters and then I go back and can't locate where I left off. I did also locate the Extras and that is a ton of items. I don't know how I can forward them all.
-
upload to Mediafire (http://www.mediafire.com/) and post the sharing link.
-
http://www.mediafire.com/?f2tzjbtw4yj (http://www.mediafire.com/?f2tzjbtw4yj)
I don't think I did this right. I'm not too computer swift and I'm confused on mediafire as to getting the file here. Also in mediafire I don't see Extras.txt.
-
You need to upload the text file - not the otl.exe file. I will shoot you my e-mail via PM and you can mail both text files to me
-
Let me know if there are any continuing problems after this run
Run OTL.exe
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O4 - HKLM..\Run: [FBSearch] C:\Program Files\Search Guard Plus\SearchGuardPlus.exe ()
:Files
C:\Program Files\Search Guard Plus
:Commands
[purity]
[emptytemp]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
I hope this what you want.
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\FBSearch deleted successfully.
C:\Program Files\Search Guard Plus\SearchGuardPlus.exe moved successfully.
========== FILES ==========
C:\Program Files\Search Guard Plus folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 193945214 bytes
User: user
->Temp folder emptied: 2103140 bytes
->Temporary Internet Files folder emptied: 71158792 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 3298831 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2176856 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2343561 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 26137158 bytes
RecycleBin emptied: 49284066 bytes
Total Files Cleaned = 334.00 mb
OTL by OldTimer - Version 3.1.27.0 log created on 01272010_164231
Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_5a0.dat not found!
Registry entries deleted on Reboot...
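An added example of my own, not OTL's code and not part of this thread: a checker for an OTL fix script like the one essexboy posted above and the run log that came back. It parses the :OTL, :Files and :Commands sections into a plan, warns if an O4 autorun target is not covered by a :Files folder (the autorun would be removed but the binary left behind), and then confirms each planned action against the log. The posted log echoes [EMPTYTEMP] but has no line for [purity], so that command is reported as unconfirmed; the script and log text are reproduced from this thread.

```python
import re

# Constructed sample: the fix script and its run log as posted in this thread.
FIX_SCRIPT = r"""
:OTL
O4 - HKLM..\Run: [FBSearch] C:\Program Files\Search Guard Plus\SearchGuardPlus.exe ()
:Files
C:\Program Files\Search Guard Plus
:Commands
[purity]
[emptytemp]
"""

FIX_LOG = r"""
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\FBSearch deleted successfully.
C:\Program Files\Search Guard Plus\SearchGuardPlus.exe moved successfully.
========== FILES ==========
C:\Program Files\Search Guard Plus folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
"""

# O4 line: "O4 - HKLM..\Run: [ValueName] C:\path\to\binary.exe (Company)"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+?)(?: \([^)]*\))?$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_fix_script(script):
    """Turn the :OTL / :Files / :Commands sections into a plan of actions."""
    plan = {"registry_values": [], "files": [], "commands": []}
    section = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
        elif section == "otl":
            m = O4_RE.match(line)
            if m:
                plan["registry_values"].append(
                    {"key": HIVES[m["hive"]] + RUN_KEY, "name": m["name"], "target": m["target"]})
        elif section == "files":
            plan["files"].append(line)
        elif section == "commands":
            plan["commands"].append(line.strip("[]").lower())
    return plan


def uncovered_targets(plan):
    """Autorun targets whose binary is not under any folder listed in :Files."""
    folders = [f.lower().rstrip("\\") + "\\" for f in plan["files"]]
    return [rv["target"] for rv in plan["registry_values"]
            if not any(rv["target"].lower().startswith(f) for f in folders)]


def verify_fix_log(plan, log):
    """Planned actions that the run log does not confirm (empty list = all confirmed)."""
    lines = [l.strip().lower() for l in log.splitlines()]
    missing = []
    for rv in plan["registry_values"]:
        # OTL prints a doubled backslash between the key and the value name.
        want = "registry value " + (rv["key"] + "\\\\" + rv["name"]).lower()
        if not any(l.startswith(want) and l.endswith("deleted successfully.") for l in lines):
            missing.append("registry:" + rv["name"])
    for folder in plan["files"]:
        if not any(l == folder.lower() + " folder moved successfully." for l in lines):
            missing.append("folder:" + folder)
    for cmd in plan["commands"]:
        if not any(l == "[" + cmd + "]" for l in lines):
            missing.append("command:" + cmd)
    return missing


if __name__ == "__main__":
    plan = parse_fix_script(FIX_SCRIPT)
    print("autorun targets not covered by :Files:", uncovered_targets(plan))
    print("unconfirmed actions:", verify_fix_log(plan, FIX_LOG))
```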
-
Total Files Cleaned = 334.00 mb
Cleared a bit of space
What problems are you experiencing now ?
-
I'm no longer getting the warning alerts that I was getting in avast or the message saying that the program I was on was shutting down to protect the computer. All seems to be working ok except that when I turn the computer on I get the following message on a black screen. The first word is cut off so I'm not sure what it is. Quote: "lon-system disk or disk error. Click any key to continue." Then it starts up after clicking a key. But I've been getting that message for some time and don't know if it has had anything to do with the virus problem. Also what should I now do with the fifteen viruses I have in the avast chest? And there are six viruses in Quarantine in Malwarebytes Anti-Malware. Thanks for your help.
-
The quarantine files can be safely deleted - let's check your disc file structure
Manual steps to run Chkdsk from My Computer or Windows Explorer
1. Double-click My Computer, and then right-click the hard disk that you want to check.
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Use one of the following procedures:
• To run Chkdsk in read-only mode, click Start.
• To repair errors without scanning the volume for bad sectors, select the Automatically fix file system errors check box, and then click Start.
• To repair errors, locate bad sectors, and recover readable information, select the Scan for and attempt recovery of bad sectors check box, and then click Start.
Note If one or more of the files on the hard disk are open, you will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, and then restart your computer to start the disk check.
Let me know what it reports
-
I ran the Chkdsk as you outlined. It ran all three checks but when it finished, after about 30 secs a bunch of writing appeared but was gone in a split second and the computer started up again. So I have no report.
-
No report is generated, it just displays it on the screen - do you still get the error at boot ?
-
No I haven't had it for a while. Am I supposed to do something with the fifteen viruses I have in avast Infected files or just leave them there?
-
A question. At the start of this I was advised to download and run Super Antispyware and I did. I also had Spybot search and destroy. I notice that when I right click on Spybot it opens a box that has Scan with Super Antispyware in it. Are both of these the same although they both have a different setup?
-
Hi, me again,
See essexboy's reply 5 posts up regarding files in quarantine. (Safe to delete them.)
In your post above, what you are seeing is the context menu, or right-click menu. The item "Scan with Superantispyware" will appear in that box whenever SAS is running - and it defaults to starting with Windows - in much the same way as any other item will appear in that menu. If you right click on any item, the same menu should appear.
Superantispyware is similar in function to Spybot S&D. Spybot has been around a bit longer.
-
Hello Tarq57 or essexboy. I just ran Super Antispyware and this is what it came up with: "Potentially harmful items have been detected on your computer. It is advised that you quarantine and remove these items to prevent further infection. Files detected 14. Total threats detected 14." Then it said "Adware tracking cookies". It said to check the item for removal or quarantine. I checked "Adware tracking cookies". I thought I was finished with getting rid of any infections. Any advice on what to do now? Thanks
-
Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie
I don't even bother having SAS check for them as I keep cookies under a tight rein.
-
Also on the subject of cookies - there are now flash cookies and some are used by redirect malware. When was the last time you cleared the flash cache?
However, a neat tool has been made by Bobbi Fleckman that resolves this "Flush Flash"
Download details and instructions on this page http://www.xs4all.nl/~fstaal01/flushflash-us.html
Enjoy
-
I hope I did the right thing. I clicked on Clean Everything.
-
Same method I use ;D
-
How often should I run this Flush Flash? I hate to repeat myself but I'm still not clear as to what to do with the fifteen items that I have in Infected Files and the Chest in avast?
-
You can delete the quarantined files now
I run it every two weeks or so
-
Thanks, and thanks for all the help you gave me. Nice dealing with you but I hope I don't have to go to anyone again about a virus.
-
Nice.
You're welcome back anytime, of course.
-
Sorry, but I've got another question. Since I don't know what all the lengthy information is about after running a scan of OTL, should I run it sometime like I do with avast and the others? Thanks
-
No, only when directed to by a helper that knows how to interpret it. On a forum, such as this one, for example.
-
Thanks again.
-
Whoops, another question. Looking in the chest again I see in System Files the following:
Kernel32.dll - last changed 3/21/09, time of transfer 2/3/2010
Winsock.dll - last changed 2/28/06, time of transfer 2/3/2010
Winsock.dll - last changed 4/13/08, time of transfer 2/3/2010
Do these mean anything? Should I leave them there? Thanks
-
I really do wish Alwil would get rid of this All Chest Files collation of the three sections (in a way they have as it isn't in avast 5):
- The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
- The User Files section is where the user can add files they suspect of being malware but not detected by avast.
- The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
- The All Chest Files is a collation of the three sections.
-
Those 3 system files are normal in 4.8 (and earlier). Note that you might occasionally see two versions of one or two of those, especially after a major Win update -- according to others here, it's quite OK to delete the older version of anything like that.
Slightly off-topic, but closely related ... I too noticed that they're not shown in the chest in v5. Does avast no longer "backup" these files this way, or are they still in the chest but no longer displayed, since many of us were confused to see them there?
(Edit) A second, related question -- is the single screen we now see for the chest the equivalent of the previous "all chest files" screen?
-
Sorry, but I've got another question. Since I don't know what all the lengthy information is about after running a scan of OTL, should I run it sometime like I do with avast and the others? Thanks
OTL is an analysis programme that will fix nothing until you tell it to - and it is regularly updated - so just delete it by using the cleanup button ;D