Author Topic: Trojan + virus chest failure PLEASE HELP  (Read 4658 times)

vaeleik

  • Guest
Trojan + virus chest failure PLEASE HELP
« on: November 10, 2007, 08:24:15 PM »
My mom's computer has a trojan - I'm not sure what kind, but I couldn't move it to the virus chest. Now I can't move anything to the chest at all. It's RPC communication failed. What can I do to get the chest to work? Or are there any other steps I could take to get rid of the viruses on the computer?

thank you :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Trojan + virus chest failure PLEASE HELP
« Reply #1 on: November 10, 2007, 08:37:03 PM »
Can you try to repair your installation?
Go to Control Panel > Add/Remove programs > avast! antivirus > Remove. Then choose Repair function in the popup window (Repair). You must be connected to the internet while repairing.

If this does not help, can you uninstall / boot / install / boot again?

Do you have any other antivirus installed in your computer?
Did you have in the past? Which one?
Do you use a firewall? Which one?

Also, take a look into Administrative Tools > Services
and see how the four avast services are set to start (automatically or manual).
The best things in life are free.

vaeleik

  • Guest
Re: Trojan + virus chest failure PLEASE HELP
« Reply #2 on: November 10, 2007, 09:26:26 PM »
You guys respond quick. Awesome! :)
OK, I repaired and it's scanning now so I can see if it worked.

We did have Norton, but it's been uninstalled for a while - ever since we got the avast trial. When the trial ran out, they didn't tell me so there was no protection on here for 3 days. Then I turned around and downloaded the full year version.

It is under a firewall - Windows I think.

I'll reply as it gets done scanning and let you know if it worked.

thank you


Offline Lisandro

Re: Trojan + virus chest failure PLEASE HELP
« Reply #3 on: November 10, 2007, 09:52:47 PM »
> you guys respond quick. awesome! :)
Be used to avast forum speed 8)

> We did have norton, but its been uninstalled for a while
1) Remove NAV and other Symantec products through Add/Remove programs from Control Panel. Boot.
2) Use Norton Removal Tool for Windows 2000/XP/Vista.
3) Boot.
4) Install avast! Boot.
5) See what you get.

> it is under a firewall - windows i think
No problems.

vaeleik

  • Guest
Re: Trojan + virus chest failure PLEASE HELP
« Reply #4 on: November 12, 2007, 04:27:58 PM »
Sorry it took me so long to get back, I had to go out of town.

OK, before the avast scanner said it was infected - now it says running.

I've used the Norton removal tool.
Spybot says it's clean - but keeps popping up saying there was a change made in the blacklist registry, and I keep denying it.

avast popped one thing about the trojan the other day and I couldn't move it to the chest. Now every time I scan it doesn't say anything about the trojan - how can I know if it's really gone or not?
Thanks

Offline Lisandro

Re: Trojan + virus chest failure PLEASE HELP
« Reply #5 on: November 12, 2007, 06:27:12 PM »
> how can know if its really gone or not?
I suggest you follow the general cleaning procedures:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

vaeleik

  • Guest
Re: Trojan + virus chest failure PLEASE HELP
« Reply #6 on: November 14, 2007, 01:33:24 AM »
OK - I did all those except 7 and 8, because I figured there wasn't much point until I know it's gone.

There are no rootkits, and not one of those found the trojan.

Any other ideas? :)

Oh, here's the logfile.
Thanks

001 Running processes
---------------------
* c:\program files\alwil software\avast4\ashserv.exe (ALWIL Software)
* c:\program files\alwil software\avast4\aswupdsv.exe (ALWIL Software)
* c:\program files\alwil software\avast4\ashmaisv.exe (ALWIL Software)
* c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
* c:\program files\alwil software\avast4\ashwebsv.exe (ALWIL Software)
* c:\program files\google\google updater\googleupdater.exe (Google)
* c:\program files\google\common\google updater\googleupdaterservice.exe (Google)
c:\progra~1\mcafee.com\agent\mctskshd.exe (McAfee, Inc)
c:\program files\mcafee.com\agent\mcdetect.exe (McAfee, Inc)
* c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
c:\program files\common files\new boundary\prismxl\prismxl.sys (New Boundary Technologies, Inc.)
* c:\documents and settings\owner\desktop\runscanner\runscanner.exe (Runscanner.net)
c:\program files\superantispyware\superantispyware.exe (SUPERAntiSpyware.com)
* c:\program files\spybot - search & destroy\teatimer.exe (Safer Networking Limited)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
c:\progra~1\mcafee.com\agent\mcupdate.exe (McAfee, Inc)
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\spybot - search & destroy\teatimer.exe (Safer Networking Limited)
c:\program files\superantispyware\superantispyware.exe (SUPERAntiSpyware.com)
* c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
* c:\progra~1\google\google~1\google~1.exe (Google)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
* c:\program files\alwil software\avast4\ashserv.exe (avast! Antivirus)
* c:\program files\alwil software\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* c:\program files\alwil software\avast4\ashmaisv.exe (avast! Mail Scanner)
* c:\program files\alwil software\avast4\ashwebsv.exe (avast! Web Scanner)
* c:\program files\google\common\google updater\googleupdaterservice.exe (Google Updater Service)
c:\progra~1\mcafee.com\agent\mcupdmgr.exe (McAfee SecurityCenter Update Manager)
c:\progra~1\mcafee.com\agent\mctskshd.exe (McAfee Task Scheduler)
c:\program files\mcafee.com\agent\mcdetect.exe (McAfee WSC Integration)
* C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Display Driver Service)
c:\program files\common files\new boundary\prismxl\prismxl.sys (PrismXL)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
c:\windows\system32\drivers\sunkfilt.sys (Alcor Micro Corp Reader)
* C:\WINDOWS\system32\drivers\amdagp.sys (AMD AGP Bus Filter Driver)
C:\WINDOWS\system32\drivers\avgarkt.sys (AVG Anti-Rootkit)
C:\WINDOWS\system32\drivers\avgarcln.sys (Avg Anti-Rootkit Clean Driver)
* C:\WINDOWS\system32\drivers\mdmxsdk.sys (Diagnostic Interface DRIVER)
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
* C:\WINDOWS\system32\drivers\hsf_cnxt.sys (HSF_CNXT driver)
* C:\WINDOWS\system32\drivers\hsf_dp.sys (HSF_DP driver)
* C:\WINDOWS\system32\drivers\hsfhwbs2.sys (HSF_HWB2 WDM driver)
* C:\WINDOWS\system32\drivers\mxnic.sys (Macronix MX987xx Family Fast Ethernet NT Driver)
* C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Network Bus Enumerator)
* C:\WINDOWS\system32\drivers\nvenetfd.sys (NVIDIA nForce Networking Controller Driver)
c:\program files\superantispyware\sasdifsv.sys (SASDIFSV)
c:\program files\superantispyware\sasenum.sys (SASENUM)
c:\program files\superantispyware\saskutil.sys (SASKUTIL)
* C:\WINDOWS\system32\drivers\ql1280.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql12160.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ultra.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sparrow.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\symc810.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\symc8xx.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sym_hi.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sym_u3.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\asc3550.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\mraid35x.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql1080.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\asc.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\dac2w2k.sys (SCSI Miniport)
* C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\alcxwdm.sys (Service for Realtek AC97 Audio (WDM))
* C:\WINDOWS\system32\drivers\sisagp.sys (SIS AGP Bus Filter)
* C:\WINDOWS\system32\drivers\cmdide.sys (System Bus Extender)
* C:\WINDOWS\system32\drivers\aliide.sys (System Bus Extender)
* C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)

vaeleik

  • Guest
Re: Trojan + virus chest failure PLEASE HELP
« Reply #7 on: November 14, 2007, 01:33:57 AM »

* C:\WINDOWS\system32\drivers\wanatw4.sys (WAN Miniport (ATW))

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
c:\progra~1\blstoo~1\blstoo~1.dll {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}
c:\program files\canon\easy-webprint\toolband.dll {327C2873-E90D-4c37-AA9D-10AC9BABA46C}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
c:\progra~1\blstoo~1\blstoo~1.dll {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}

047 Trusted zones
-----------------
Zone: objects.aol.com : *.objects.aol.com

050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
-----------------------------------------------------------------------------
c:\program files\superantispyware\sasseh.dll (SuperAdBlocker.com) {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
* c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
c:\progra~1\blstoo~1\blstoo~1.dll {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}
* c:\program files\java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
* c:\progra~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
* c:\program files\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
c:\windows\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {A70C977A-BF00-412C-90B7-034C51DA2439}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {FFB699E0-306A-11d3-8BD1-00104B6F7516}
c:\windows\system32\shellvrtf.dll (XSS) {7F67036B-66F1-411A-AD85-759FB9C5B0DB}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
c:\program files\superantispyware\saswinlo.dll (SUPERAntiSpyware.com)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
* C:\WINDOWS\system32\cnmlm75.dll (CANON INC.)

100 Internet Explorer settings
------------------------------
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Page_URL HKLM : http://www.aol.com
Default_Search_URL HKLM : http://www.google.com/ie
Search Page HKCU : http://www.google.com
Search Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchAssistant HKCU : http://www.google.com/ie
SearchAssistant HKLM : http://www.google.com/ie
SearchUrl HKCU : http://www.google.com/search?q=%s
ShellNext HKCU : iexplore
Start Page HKCU : http://securityresponse.symantec.com/avcenter/fix_homepage/
Start Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
* c:\windows\system32\macromed\director\swdir.dll (Adobe Systems, Inc.) {166B1BCA-3F9C-11CF-8075-444553540000}
* c:\windows\downlo~1\ewidoo~1.dll (Anti-Malware Development a.s.) {193C772A-87BE-4B19-A7BB-445B226FE9A1}
* c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
* c:\windows\system32\macromed\flash\flash9.ocx (Adobe Systems, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
&AOL Toolbar search : res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Easy-WebPrint Add To Print List : res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
Easy-WebPrint High Speed Print : res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
Easy-WebPrint Preview : res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
Easy-WebPrint Print : res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
------------------------------------------------------------------------
{09826001-48e5-11da-bf8e-806d6172696f} : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
{0992de21-e73c-11da-bfb3-0040ca8f2da5} : J:\setupSNK.exe
{1019e541-51ec-11da-9c61-806d6172696f} : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
{815a0671-62bc-11da-b957-806d6172696f} : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
J : J:\LaunchU3.exe -a

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* c:\program files\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
c:\program files\superantispyware\sasctxmn.dll (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu
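
A triage pass over the RunScanner log format posted above, as an added example that is not part of the original thread: it splits the log into its numbered sections and lists file entries that carry no publisher string, plus MountPoints2 autorun commands that run from a volume other than C:. The function names and the rule that C: is the system volume are assumptions; a listed entry is a prompt for a manual look, not a verdict.

```python
import re

# Excerpt of lines taken from the log posted above (three of its sections).
SAMPLE_LOG = r"""
002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
c:\progra~1\mcafee.com\agent\mcupdate.exe (McAfee, Inc)

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
c:\progra~1\blstoo~1\blstoo~1.dll {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}
* c:\program files\java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
------------------------------------------------------------------------
{0992de21-e73c-11da-bfb3-0040ca8f2da5} : J:\setupSNK.exe
J : J:\LaunchU3.exe -a
"""

SECTION_RE = re.compile(r"^(\d{3}) (\S.*)$")
# Optional leading marker, path ending in a binary extension,
# optional "(publisher)", optional CLSID.
FILE_RE = re.compile(
    r"^(?:[*-] )?(?P<path>.+?\.(?:exe|dll|sys|ocx))"
    r"(?: \((?P<vendor>.+)\))?(?: \{[0-9A-Fa-f-]{36}\})?$", re.I)

def parse(log):
    """Group raw entry lines under their three-digit section number."""
    sections, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:      # blank line or dashed underline
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {"title": m.group(2), "entries": []})
        elif current is not None:
            current["entries"].append(line)
    return sections

def triage(sections):
    """Return (section, reason, item) tuples worth checking by hand."""
    findings = []
    for num, sec in sections.items():
        for raw in sec["entries"]:
            if "MountPoints2" in sec["title"]:
                _, _, cmd = raw.partition(" : ")
                drive = re.match(r"([A-Za-z]):\\", cmd)
                # Assumption: C: is the system volume; other letters may be removable media.
                if drive and drive.group(1).upper() != "C":
                    findings.append((num, "autorun command on non-system volume", cmd))
                continue
            m = FILE_RE.match(raw)
            if m and not m.group("vendor"):
                findings.append((num, "no publisher string", m.group("path")))
    return findings

if __name__ == "__main__":
    for num, reason, item in triage(parse(SAMPLE_LOG)):
        print(num, reason, item)
```
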

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Trojan + virus chest failure PLEASE HELP
« Reply #8 on: November 14, 2007, 01:39:41 AM »
Well, now you are clean as far as we can tell; prevention is much better than cure:
7. may help in the future in blocking malicious sites,
8. will show programs that require update, this could close exploits leaving you less vulnerable.

So those steps could well save you some grief in the future.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security