Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: sevenblu on August 03, 2004, 06:04:44 AM

Title: can't fix... please help
Post by: sevenblu on August 03, 2004, 06:04:44 AM
No matter how many times I run Avast, I keep getting the same files infected...  I tried to "fix" the problem, but Avast does not fix...  I tried to delete the files, but avast won't do that either...  Here is my log file from avast.  Please help me fix my problems.   :-X

6/18/2004 10:54:51 PM   SHAKESPEARE\Russo   2188   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\MDOS.EXE\gamma.exe" file.  
6/18/2004 11:19:30 PM   SHAKESPEARE\Russo   2188   Sign of "Win32:Hidewnd [Trj]" has been found in "C:\MDOS.EXE\calc32.exe\[UPX]" file.  
6/18/2004 11:21:04 PM   SHAKESPEARE\Russo   2188   Sign of "Win32:Ataka" has been found in "C:\MDOS.EXE" file.  
6/18/2004 11:39:24 PM   SHAKESPEARE\Russo   2188   Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\alchem.exe" file.  
6/18/2004 11:54:30 PM   SHAKESPEARE\Russo   2188   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINDOWS\system32\a.exe" file.  
6/19/2004 12:03:35 AM   SHAKESPEARE\Russo   2188   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\twaintec.dll" file.  
6/19/2004 1:03:00 AM   NT AUTHORITY\SYSTEM   1052   Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\alchem.exe" file.  
6/19/2004 1:20:20 AM   NT AUTHORITY\SYSTEM   1052   Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\alchem.exe" file.  
6/19/2004 1:29:04 AM   NT AUTHORITY\SYSTEM   1052   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\twaintec.dll" file.  
6/19/2004 1:53:06 AM   SHAKESPEARE\Russo   3672   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\MDOS.EXE\gamma.exe" file.  
6/19/2004 1:59:22 AM   SHAKESPEARE\Russo   3616   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\MDOS.EXE\gamma.exe" file.  
6/19/2004 1:59:55 AM   SHAKESPEARE\Russo   3864   Sign of "Win32:Hidewnd [Trj]" has been found in "C:\MDOS.EXE\calc32.exe\[UPX]" file.  
6/19/2004 2:05:58 AM   SHAKESPEARE\Russo   2252   Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\alchem.exe" file.  
7/13/2004 1:34:25 PM   NT AUTHORITY\SYSTEM   2032   Sign of "JS:ClassLoader-1" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\a.class" file.  
7/13/2004 2:33:28 PM   NT AUTHORITY\SYSTEM   2032   Sign of "JS:VerifierBug" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\VerifierBug.class" file.  
7/13/2004 3:28:24 PM   SHAKESPEARE\Russo   3892   Sign of "JS:ClassLoader-1" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-12bbd6a1-25ef1266.zip\a.class" file.  
8/1/2004 5:09:24 PM   NT AUTHORITY\SYSTEM   2044   Sign of "Win32:Startpage-006 [Trj]" has been found in "C:\WINDOWS\System32\cdgp.dll" file.  
8/1/2004 5:09:37 PM   NT AUTHORITY\SYSTEM   2044   Sign of "Win32:Startpage-006 [Trj]" has been found in "C:\WINDOWS\System32\cdgp.dll" file.  
8/2/2004 10:55:27 AM   NT AUTHORITY\SYSTEM   2044   Sign of "Win32:Startpage-006 [Trj]" has been found in "C:\WINDOWS\System32\cdgp.dll" file.  
8/2/2004 11:03:35 AM   NT AUTHORITY\SYSTEM   2044   Sign of "JS:VerifierBug" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\VerifierBug.class" file.  
8/2/2004 11:13:33 AM   NT AUTHORITY\SYSTEM   2044   Sign of "JS:Gummy [Trj]" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\Gummy.class" file.  
8/2/2004 11:13:44 AM   NT AUTHORITY\SYSTEM   2044   Sign of "JS:Exploit-Bytverify-8" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\Counter.class" file.  
8/2/2004 11:14:00 AM   NT AUTHORITY\SYSTEM   2044   Sign of "JS:Exploit-Bytverify-7" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\VerifierBug.class" file.  
8/2/2004 11:14:13 AM   NT AUTHORITY\SYSTEM   2044   Sign of "JS:ClassLoader-7" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\GetAccess.class" file.  
8/2/2004 11:14:23 AM   NT AUTHORITY\SYSTEM   2044   Sign of "JS:Exploit-Bytverify-11" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\InsecureClassLoader.class" file.  
8/2/2004 1:40:16 PM   SHAKESPEARE\Russo   2272   Sign of "JS:VerifierBug" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-12bbd6a1-25ef1266.zip\VerifierBug.class" file.  
8/2/2004 1:40:29 PM   SHAKESPEARE\Russo   2272   Sign of "JS:Gummy [Trj]" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5000a103-599e132b.zip\Gummy.class" file.  
8/2/2004 1:40:34 PM   SHAKESPEARE\Russo   2272   Sign of "JS:ClassLoader-7" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-76ba5970-5632dc7d.zip\GetAccess.class" file.  
8/2/2004 2:20:35 PM   SHAKESPEARE\Russo   2272   Sign of "Win32:Startpage-006 [Trj]" has been found in "C:\WINDOWS\Temp\trzA7.tmp" file.  
8/2/2004 4:16:48 PM   NT AUTHORITY\SYSTEM   1760   Sign of "JS:Exploit-Bytverify-8" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\Counter.class" file.  
8/2/2004 4:17:37 PM   NT AUTHORITY\SYSTEM   1760   Sign of "JS:Exploit-Bytverify-7" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\VerifierBug.class" file.  
8/2/2004 4:17:43 PM   NT AUTHORITY\SYSTEM   1760   Sign of "JS:Exploit-Bytverify-11" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\InsecureClassLoader.class" file.  
8/2/2004 4:32:22 PM   NT AUTHORITY\SYSTEM   1760   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINDOWS\system32\netsvcs.exe" file.  
8/2/2004 4:54:39 PM   SHAKESPEARE\Russo   3664   Sign of "JS:ClassLoader-1" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-12bbd6a1-25ef1266.zip" file.  
8/2/2004 4:55:03 PM   SHAKESPEARE\Russo   3664   Sign of "JS:Exploit-Bytverify-8" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5000a103-599e132b.zip\Counter.class" file.  
8/2/2004 4:55:16 PM   SHAKESPEARE\Russo   3664   Sign of "JS:Exploit-Bytverify-11" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-76ba5970-5632dc7d.zip\InsecureClassLoader.class" file.  
8/2/2004 4:55:43 PM   SHAKESPEARE\Russo   3664   Sign of "VBS:Malware [Script]" has been found in "C:\Documents and Settings\Russo\Local Settings\Temp\sp.html" file.  
8/2/2004 5:47:34 PM   SHAKESPEARE\Russo   3664   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINDOWS\system32\netsvcs.exe" file.  
8/2/2004 6:00:02 PM   NT AUTHORITY\SYSTEM   2032   Sign of "JS:Exploit-Bytverify-7" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\VerifierBug.class" file.  
8/2/2004 7:17:59 PM   NT AUTHORITY\SYSTEM   148   Sign of "JS:Exploit-Bytverify-7" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\VerifierBug.class" file.  
8/2/2004 9:09:18 PM   NT AUTHORITY\SYSTEM   148   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINDOWS\system32\netsvcs.exe" file.  
8/2/2004 10:51:43 PM   SHAKESPEARE\Russo   520   Sign of "JS:Exploit-Bytverify-7" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5000a103-599e132b.zip\VerifierBug.class" file.  
8/2/2004 10:58:31 PM   SHAKESPEARE\Russo   520   Sign of "JS:ClassLoader-7" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-76ba5970-5632dc7d.zip" file.  
8/2/2004 11:34:46 PM   SHAKESPEARE\Russo   520   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINDOWS\system32\netsvcs.exe" file.  
8/2/2004 11:53:50 PM   SHAKESPEARE\Russo   3640   Sign of "JS:Gummy [Trj]" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5000a103-599e132b.zip" file.  
Title: Re:can't fix... please help
Post by: MikeBCda on August 03, 2004, 07:31:24 AM
Hi,

Sorry you'll have to wait (maybe till morning) for full help, but in the meantime we can trim that list almost in half.

Don't worry about things in the Ad-Aware/Cache folder, that's stuff that Ad-Aware already caught and "quarantined".  You might want to think about adding that folder to avast's exclusion list.

And things in the Java Cache folder might or might not be false positives, because of the oddball way Java archives things that don't meet anyone else's "packing" conventions.  But you can easily get rid of them -- just open the Java Control Panel, select the Cache tab, and empty the cache.  You can leave "Enable caching" ticked or not, it's your choice -- if you want to keep caching active, it'll just have to reload fresh copies of the applets from scratch next time it comes to them.

Best,
Mike
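The triage in the reply above (separate out hits inside the Ad-Aware cache and the Java deployment cache, then look at what is left) can be done mechanically over the avast log format shown in the first post. The script below is an added example written by the editor, not code from any poster in this thread or from Avast; the sample lines are a subset copied from the log above, and the bucket names, regular expression and function names are the editor's own assumptions about how to carve up that format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the avast log lines posted in the thread above.
SAMPLE_LOG = r"""
6/18/2004 10:54:51 PM   SHAKESPEARE\Russo   2188   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\MDOS.EXE\gamma.exe" file.
6/18/2004 11:39:24 PM   SHAKESPEARE\Russo   2188   Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\alchem.exe" file.
6/19/2004 1:03:00 AM   NT AUTHORITY\SYSTEM   1052   Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\alchem.exe" file.
6/19/2004 1:53:06 AM   SHAKESPEARE\Russo   3672   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\MDOS.EXE\gamma.exe" file.
7/13/2004 2:33:28 PM   NT AUTHORITY\SYSTEM   2032   Sign of "JS:VerifierBug" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\VerifierBug.class" file.
8/2/2004 1:40:16 PM   SHAKESPEARE\Russo   2272   Sign of "JS:VerifierBug" has been found in "C:\Documents and Settings\Russo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-12bbd6a1-25ef1266.zip\VerifierBug.class" file.
8/2/2004 4:17:37 PM   NT AUTHORITY\SYSTEM   1760   Sign of "JS:Exploit-Bytverify-7" has been found in "C:\Program Files\Lavasoft\Ad-aware 6\Cache\VerifierBug.class" file.
8/2/2004 4:32:22 PM   NT AUTHORITY\SYSTEM   1760   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINDOWS\system32\netsvcs.exe" file.
8/2/2004 9:09:18 PM   NT AUTHORITY\SYSTEM   148   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINDOWS\system32\netsvcs.exe" file.
8/2/2004 11:34:46 PM   SHAKESPEARE\Russo   520   Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINDOWS\system32\netsvcs.exe" file.
"""

# One avast log line: timestamp, account, process id, signature name, path.
# The account field may contain a single space ("NT AUTHORITY\SYSTEM"), so the
# fields are separated by runs of at least two spaces.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<account>.+?)\s{2,}(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>.+?)" has been found in "(?P<path>.+?)" file\.\s*$'
)


def classify(path: str) -> str:
    """Bucket a detected path the way the reply above suggests (assumed rules)."""
    p = path.lower()
    if "\\ad-aware 6\\cache\\" in p:
        return "adaware-quarantine"  # already caught by Ad-Aware; candidate for an avast exclusion
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"          # cleared from the Java Control Panel's Cache tab
    return "live"                    # actually present on the system; needs real cleanup


def parse_log(text: str) -> list:
    """Parse every detection line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "account": m["account"],
            "pid": int(m["pid"]),
            "signature": m["sig"],
            "path": m["path"],
            "bucket": classify(m["path"]),
        })
    return events


def summarize(events: list) -> list:
    """Collapse detections per path: hit count, signatures, first/last seen."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    rows = []
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["time"])
        rows.append({
            "path": path,
            "bucket": evs[0]["bucket"],
            "hits": len(evs),
            "signatures": sorted({e["signature"] for e in evs}),
            "first_seen": evs[0]["time"],
            "last_seen": evs[-1]["time"],
            # Found by both the on-access scanner (SYSTEM) and a user-run scan
            "seen_by_system_and_user": len({e["account"] for e in evs}) > 1,
        })
    # Live files first, most-often-detected first, then by path for stable output
    rows.sort(key=lambda r: (r["bucket"] != "live", -r["hits"], r["path"]))
    return rows


def persistent(rows: list, min_hits: int = 2) -> list:
    """Live files reported on more than one scan: the ones avast keeps finding but not fixing."""
    return [r["path"] for r in rows if r["bucket"] == "live" and r["hits"] >= min_hits]


if __name__ == "__main__":
    rows = summarize(parse_log(SAMPLE_LOG))
    for r in rows:
        print(f"[{r['bucket']:18}] {r['hits']}x {r['path']}")
        print(f"{'':21} {', '.join(r['signatures'])}  "
              f"({r['first_seen']:%Y-%m-%d} .. {r['last_seen']:%Y-%m-%d})")
    print("\nLive files still present after repeated scans:")
    for p in persistent(rows):
        print("  ", p)
```

The bucket rules are path-prefix heuristics: a hit inside a quarantine or applet cache folder is only safe to set aside if that folder really is what the path suggests, so the `live` list is the part to act on and the other two buckets are the part to verify before excluding anything from scanning.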
Title: Re:can't fix... please help
Post by: neal62 on August 03, 2004, 08:01:12 AM
What version of Windows are you running? If using Windows Me or Windows XP, do you have the System Restore function disabled? ::) If the restore function is not turned off you could have this type of problem.
Title: Re:can't fix... please help
Post by: bob3160 on August 03, 2004, 08:37:51 PM
neal62
Quote
If the restore function is not turned off you could have this type of problem.
What problem? Sorry but I don't understand.
Title: Re:can't fix... please help
Post by: Eddy on August 03, 2004, 08:52:03 PM
What version of Avast are you using?
What cps version?
What os?
Title: Re:can't fix... please help
Post by: bilemke on August 03, 2004, 09:30:28 PM
WOW  :o you got adware/spyware.. My favorite thing about Avast is it picks up some of this junk where other antivirus programs don't.. Almost everything on that list of files is spyware..  "C:\WINDOWS\twaintec.dll" is one I very commonly run into in fact. I work for a company that does a lot of service work on home computers (and businesses). We remove a lot of spyware from home machines when they think they have a virus; they don't. Just a whole mess of spyware.

If you can download, then I would advise grabbing the latest Ad-Aware and definitions, SpyBot Search and Destroy 1.3, and you might need About:Buster from the looks of it: http://www.majorgeeks.com/download4289.html

By the way, it will be easier because you are using Avast too, it will pick up a lot of the junk on its own. Delete every one of them.
You will have the best luck if you run these from Windows safe mode with the latest versions of each. It should take care of most, but you have a few nasty ones that are really good at "self healing" in there. If you need more help you may want to visit the forum on http://www.computercops.biz/

You might need the help anyway; as I said, some of the ones listed can be a bear to remove if you have never dealt with them before.
Title: Re:can't fix... please help
Post by: Eddy on August 03, 2004, 09:40:56 PM
The list is long and I don't have the time right now to look at it, but I suggest running HijackThis, saving the log file and using my analyzer (click on the link in my signature) to see what comes up. In addition to this you also may want to follow the instructions on my page to clean your system. Good luck, and keep us informed.