Author Topic: Cannot get rid of virus  (Read 12833 times)


wkenny

  • Guest
Cannot get rid of virus
« on: April 20, 2007, 05:41:27 AM »
Avast reports two trojan horses small blf and helatin. I've Moved to chest, scanned all local drives and rebooted but the viruses are found again. I've made sure to close all apps and not to launch other apps while scan is in progress. The scan finds the two bad files and they are moved to chest but after reboot they are back. I've also tried running the scan in Safe Mode - it does not find any problem files but when I reboot in normal mode, the system infected icon (red circle white cross) shows in the system tray.

I am running Win 2000 Professional, Zonealarm firewall. My Avast stuff is all up to date.

I have new problems with IE 6 - don't know if they are related. IE6 will not show images (Action cancelled message), will not load a page if I click on its link, and will not go into google.com or yahoo.com. Firefox works fine.

On booting up, when the Windows Logon prompt screen shows there is now a substantial delay before I can enter Password - this is new.

Any help or ideas appreciated. 


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Cannot get rid of virus
« Reply #1 on: April 20, 2007, 03:16:05 PM »
What is the infected file name, where was it found, e.g. C:\windows\system32\infected-file-name.xxx? Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

Were they recreated in the same location and file name?

If so you may have other elements to this infection restoring the malware.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Cannot get rid of virus
« Reply #2 on: April 20, 2007, 08:09:01 PM »
Besides using the programs recommended by David, I suggest:

1) Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again.

2) Clean your temporary files. You can use [url=http://www.stevengould.org/downloads/cleanup/]CleanUp[/url] or the Windows Advanced Care features for that.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
The best things in life are free.

wkenny

  • Guest
Re: Cannot get rid of virus
« Reply #3 on: April 20, 2007, 08:20:39 PM »
Thanks for your help. I think I've got rid of the problem now. It may be helpful to others to know what succeeded. First the log showing the problem. I have deleted the times, but these were spread over two days between several reboots/bootscans.
 
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file. 
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file. 
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file. 
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file. 
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb" file. 
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb" file. 
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file. 
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file. 
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb" file. 
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb" file. 
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file. 
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file. 
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file. 
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file. 
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file. 
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file. 

1) Closed all apps and ran Ccleaner.exe
2) Ran Avast full scan
3) Downloaded and ran a-squared full scan
4) Downloaded and Reinstalled IE6
5) Downloaded and Reinstalled IE6 updates/patch
6) Scheduled Avast boot scan - this again found problem files - selected Move to Chest

Was surprised to find winsock32.dll and kernel.dll in chest.

Have now been running for hours without problem. Fingers crossed

Thanks again
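The avast Log Viewer lines quoted in this reply are the kind of evidence DavidR asked for: the same two paths come back after every move-to-chest, which is what you would expect when something else on the machine is restoring the files. The following Python script is an added example, not code from the thread or from avast; it parses lines in the exact format shown above (the sample text is a constructed copy of the posted lines) and summarises which files recur and in how many locations each signature was seen.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the avast Log Viewer "Warning" lines quoted in the post above,
# in the order they were posted (the poster had already removed the timestamps).
SAMPLE_AVAST_LOG = r"""
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file.
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file.
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file.
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file.
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb" file.
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb" file.
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file.
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file.
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb" file.
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb" file.
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file.
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file.
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file.
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file.
Sign of "Win32:Zhelatin-ML [Wrm]" has been found in "C:\WINDOWS\system32\dlh9jkd1q5.exe" file.
Sign of "Win32:Small-BLF [Trj]" has been found in "C:\WINDOWS\system32\dlh9jkd1q1.exe" file.
"""

# One avast 4 Log Viewer warning line: the signature name and the file it hit.
DETECTION_RE = re.compile(
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)


def parse_detections(log_text: str) -> List[Tuple[str, str]]:
    """Return (signature, path) pairs in log order; lines in any other format are skipped."""
    return [(m.group("sig"), m.group("path")) for m in DETECTION_RE.finditer(log_text)]


def detections_per_path(log_text: str) -> Dict[str, int]:
    """How many times each file was detected. A file that was moved to the chest
    and then detected again at the same path has been recreated by something."""
    return Counter(path for _, path in parse_detections(log_text))


def recurring_paths(log_text: str, min_hits: int = 2) -> List[str]:
    """Paths detected at least min_hits times, most frequent first."""
    counts = detections_per_path(log_text)
    return sorted((p for p, n in counts.items() if n >= min_hits),
                  key=lambda p: (-counts[p], p))


def paths_by_signature(log_text: str) -> Dict[str, List[str]]:
    """Every location each signature was seen in. A signature present in more than
    one location suggests one copy is restoring the other after removal."""
    seen = defaultdict(set)
    for sig, path in parse_detections(log_text):
        seen[sig].add(path)
    return {sig: sorted(paths) for sig, paths in seen.items()}


if __name__ == "__main__":
    counts = detections_per_path(SAMPLE_AVAST_LOG)
    for path in recurring_paths(SAMPLE_AVAST_LOG):
        print(f"{counts[path]:2d}x  {path}")
    for sig, paths in paths_by_signature(SAMPLE_AVAST_LOG).items():
        print(sig, "->", ", ".join(paths))
```

On the posted log this reports each system32 executable six times and each Temp `.dllb` file twice, and shows both signatures present in two locations at once, which is the pattern a boot-time scan (run before the restoring component starts) is meant to break.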

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Cannot get rid of virus
« Reply #4 on: April 20, 2007, 08:34:14 PM »
Hi, you are infected with malware that will keep returning till it is cleaned totally.  I suggest you start a new thread in the Virus section referencing this thread

 
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Cannot get rid of virus
« Reply #5 on: April 20, 2007, 09:27:59 PM »
Try using Ewido too. Scan your computer with it.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

wkenny

  • Guest
Re: Cannot get rid of virus
« Reply #6 on: April 20, 2007, 10:46:06 PM »
Thanks. Here is the log


Logfile of HijackThis v1.99.1
Scan saved at 23:41:48, on 20/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Office97\Office\Osa.exe
C:\Program Files\Microsoft bCentral\PositionAgent\PA.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Visual Studio\Vb98\Vb6.exe
C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\COMMON\TOOLS\VS-ENT98\VMODELER\RVSINTEGRATIONMANAGER.EXE
C:\OFFICE97\OFFICE\MSACCESS.EXE
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Xenu\Xenu.exe
C:\Program Files\FileZilla\FileZilla.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LineOne
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\met2jg9d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\met2jg9d.slt\prefs.js)
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005930232519_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O5 "LPT1:" /M "Stylus D68"
O4 - HKLM\..\Run: [EPSON Stylus D68 Series (Copy 2)] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P32 "EPSON Stylus D68 Series (Copy 2)" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Office97\Office\OSA.EXE
O4 - Global Startup: PositionAgent.lnk = C:\Program Files\Microsoft bCentral\PositionAgent\PA.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: Save Web Page - {38102769-5e64-4193-a798-a9e9becc65f2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3A79B9-4F7A-4CC6-A4FA-E7E035EDC95C}: NameServer = 80.58.61.250 80.58.61.254
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


AssistantX

  • Guest
Re: Cannot get rid of virus
« Reply #7 on: April 21, 2007, 12:01:04 AM »
Gozilla is likely spyware and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of gozilla.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information.

- Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html

Tells that Gozilla (C:\Program Files\Go!Zilla\) should be removed.
« Last Edit: April 21, 2007, 12:03:22 AM by AssistantX »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Cannot get rid of virus
« Reply #8 on: April 21, 2007, 10:14:56 AM »
Hi wkenny,

Run HijackThis! again, put a tick next to these items and click 'Fix':

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005930232519_mcappins.exe /v=3 /cleanup

O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe

O16 - DPF: {33331111-1111-1111-1111-615111193427} -

Reboot into Safe Mode and delete the following file:

C:\WINDOWS\system32\regscan.exe

http://www.pchell.com/support/safemode.shtml

You may need to enable 'View hidden files and folders'.

http://www.bleepingcomputer.com/tutorials/tutorial62.html

Download and run AVG Anti-Spyware free- Don't neglect to update first:

http://free.grisoft.com/doc/avg-anti-spyware-free/lng/us/tpl/v5

Post a new log so we can check you're clean.

Good luck!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
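The entries picked out in the reply above are the ones a helper would spot by reading the log: a hosts-file line sending beta.search.msn.com to a remote address, an autostart running out of the Temp folder, an orphaned toolbar entry and an O16 Downloaded Program File with no URL. The script below is an added example (not part of the thread, not HijackThis code) showing how those same checks can be written down as rules that run over a HijackThis v1.99.1 log; the sample text is a constructed subset of the log posted earlier. Note what it does not catch: the HKCU Run entry for regscan.exe looks like any other autostart to a rule, and only a person comparing it against known software identifies it, so a rule-based pass is a first filter, not a replacement for review.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines taken from the HijackThis v1.99.1 log
# posted earlier in this thread, including the entries the reply above picks out.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005930232519_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry starts with a section tag such as "O4 - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
EMPTY_DPF_RE = re.compile(r"DPF: \{[0-9A-Fa-f-]+\} -\s*$")

# Addresses a legitimate hosts entry may point a name at (blocking it, not redirecting it).
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding, log line) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            # A hosts entry that sends a real hostname to a remote IP hijacks that site.
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOCAL_ADDRESSES:
                findings.append(("hosts-redirect", line))
        elif sec == "O4":
            # Autostart whose target lives in a temp directory: nothing legitimate
            # needs to start from %TEMP% on every boot.
            target = body.split("]", 1)[1] if "]" in body else body
            if re.search(r"\\temp\\", target, re.IGNORECASE):
                findings.append(("run-from-temp", line))
        elif sec in ("O2", "O3", "O9") and body.endswith("(no file)"):
            # Registry entry whose file is gone: a harmless leftover, safe to clear.
            findings.append(("orphaned-entry", line))
        elif sec == "O16" and EMPTY_DPF_RE.match(body):
            # Downloaded Program File (ActiveX control) with no source URL recorded.
            findings.append(("dpf-no-url", line))
    return findings


if __name__ == "__main__":
    for finding, line in triage(SAMPLE_HJT_LOG):
        print(f"[{finding}] {line}")
```

The "orphaned-entry" rule also flags the O9 button with no file, which the reply left alone; entries of that kind are clutter rather than a threat, so the finding is informational and fixing it is optional.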

wkenny

  • Guest
Re: Cannot get rid of virus
« Reply #9 on: April 21, 2007, 02:48:37 PM »
I've deleted entries and files referenced above (regscan.exe and gozilla files were not on the system).
I've also installed and run AVG which picked up more problems.

The new log is

Logfile of HijackThis v1.99.1
Scan saved at 14:25:41, on 21/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Office97\Office\Osa.exe
C:\Program Files\Microsoft bCentral\PositionAgent\PA.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LineOne
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\met2jg9d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\met2jg9d.slt\prefs.js)
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O5 "LPT1:" /M "Stylus D68"
O4 - HKLM\..\Run: [EPSON Stylus D68 Series (Copy 2)] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P32 "EPSON Stylus D68 Series (Copy 2)" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Office97\Office\OSA.EXE
O4 - Global Startup: PositionAgent.lnk = C:\Program Files\Microsoft bCentral\PositionAgent\PA.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Save Web Page - {38102769-5e64-4193-a798-a9e9becc65f2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Cannot get rid of virus
« Reply #10 on: April 21, 2007, 05:20:27 PM »

Was surprised to find winsock32.dll and kernel.dll in chest.


If these files are in the user files section of the chest, they belong there. Avast made a backup copy of these files and placed them there for safe keeping.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Cannot get rid of virus
« Reply #11 on: April 21, 2007, 05:28:05 PM »
That should read if they are in the System Files they are back-up copies of important system files.

The chest has several sections to it and the only one that should directly concern you is the Infected Files section.

The User Files section is where you, the user puts suspect files undetected by avast for protection as they can do no harm there.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Cannot get rid of virus
« Reply #12 on: April 21, 2007, 05:56:44 PM »
That should read if they are in the System Files they are back-up copies of important system files.


Yes DavidR is correct. Sorry about that   :-[

wkenny

  • Guest
Re: Cannot get rid of virus
« Reply #13 on: April 25, 2007, 02:09:54 AM »
First of all I'd like to thank everybody who has replied to this post. I really appreciate all your input.

I've tried all the suggestions and it would appear now as if my system is clean (i.e. if I run Avast or AVG no problems are found). But.... my computer is now running so slow it's unbelievable ... what have I introduced to cause this. I now have two antivirus progs running (Avast and AVG) and also A-Squared and Zone Alarm as my firewall ... what should I do?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Cannot get rid of virus
« Reply #14 on: April 25, 2007, 02:41:23 AM »
my computer is now running so slow it's unbelievable ... what have I introduced to cause this. I now have two antivirus progs running (Avast and AVG)

You have answered your own question. The two AVs will conflict with one another. Uninstall one of them.