Avast stopped working, virus?

[BJS]

HJT results


Logfile of HijackThis v1.99.1
Scan saved at 1:39:13 AM, on 23/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[mauserme]

You did everything?  The registry fix and OtMoveIt deletions included?

[Lisandro]

Maybe this is left behind...

O11 - Options group: [INTERNATIONAL] International: Currently only the 'CommonName' hijacker uses this Extra group in IE 'Advanced Options' window.

[BJS]

You did everything?  The registry fix and OtMoveIt deletions included?

Yes, I did everything the registry fix (and backed the original registry up), deleted the 2 files using HJT and used OTMoveIt succesfully.

I did find the chksdk in the c:\windows\system32\dllcache

Does it look like I missed something 

[Lisandro]

I did find the chksdk in the c:\windows\system32\dllcache
Does it look like I missed something 

C:\WINDOWS\system32\chkdsk.exe (and not chksdk.exe as you've posted).

[mauserme]

Maybe this is left behind...

O11 - Options group: [INTERNATIONAL] International: Currently only the 'CommonName' hijacker uses this Extra group in IE 'Advanced Options' window.

That's OK I think - its International Domain Name Support for IE7.  BJS has IE6 now but used to have IE7.

[Does it look like I missed something 

Well, no, I don't think you missed anything but my registry fix didn't do what I had hoped.

Open Add/Remove Programs in the Control Panel and see if you find ISTBar.  If its present, uninstall it.

Then upload c:\windows\system32\dllcache\chkdsk.exe to Virus Total so we can make sure its clean.  If it is clean and the spellling is correct we'll copy that to c:\windows\system32

[BJS]

As to not being able update, I would say the product key is already registered on another computer that doesn't match the system you are trying to run it on now. Yeah, MS has tied the os to the system, you can make only gradual changes to the system over time before you have to call MS and have a new key issued. This applies to retail versions, oem's are a totally different story. This info is just basic, there is a bit more to it then that.

I don't have to worry about the Windows Installer now. I have switched from IE to Firefox. I have been meaning to do this for awhile and not being able to get security updates from Microsoft was the last straw.
I actually like Firefox quite a bit. It may just be in my mind, but I think it is faster and from what I gather from the internet and people I know, it is actually more secure.

[BJS]

[/quote]

Open Add/Remove Programs in the Control Panel and see if you find ISTBar.  If its present, uninstall it.

Then upload c:\windows\system32\dllcache\chkdsk.exe to Virus Total so we can make sure its clean.  If it is clean and the spellling is correct we'll copy that to c:\windows\system32
[/quote]

OK will do...

[BJS]

Virus Total results for chkdsk.exe


File chkdsk.exe received on 08.23.2007 19:57:14 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.8.22.0   2007.08.23   -
AntiVir   7.4.1.63   2007.08.23   -
Authentium   4.93.8   2007.08.23   -
Avast   4.7.1029.0   2007.08.23   -
AVG   7.5.0.484   2007.08.23   -
BitDefender   7.2   2007.08.23   -
CAT-QuickHeal   9.00   2007.08.23   -
ClamAV   0.91   2007.08.23   -
DrWeb   4.33   2007.08.23   -
eSafe   7.0.15.0   2007.08.23   -
eTrust-Vet   31.1.5082   2007.08.23   -
Ewido   4.0   2007.08.23   -
FileAdvisor   1   2007.08.23   -
Fortinet   2.91.0.0   2007.08.23   -
F-Prot   4.3.2.48   2007.08.23   -
F-Secure   6.70.13030.0   2007.08.23   -
Ikarus   T3.1.1.12   2007.08.23   -
Kaspersky   4.0.2.24   2007.08.23   -
McAfee   5104   2007.08.23   -
Microsoft   1.2803   2007.08.23   -
NOD32v2   2480   2007.08.23   -
Norman   5.80.02   2007.08.23   -
Panda   9.0.0.4   2007.08.23   -
Prevx1   V2   2007.08.23   -
Rising   19.37.32.00   2007.08.23   -
Sophos   4.20.0   2007.08.23   -
Sunbelt   2.2.907.0   2007.08.23   -
Symantec   10   2007.08.23   -
TheHacker   6.1.8.171   2007.08.23   -
VBA32   3.12.2.3   2007.08.23   -
VirusBuster   4.3.26:9   2007.08.23   -
Webwasher-Gateway   6.0.1   2007.08.23   -
Additional information
File size: 11776 bytes
MD5: 5f7eaaf5d10e2a715d5e305ac992b2a7
SHA1: 4c30315b9c16106b542f088921888d83d3f185f7

[mauserme]

Did you find ISTBar?

[BJS]

I looked for the ISTBar in add/remove programs but could not find any. Could it be hidden? 

[DavidR]

I wouldn't have though it would be an add remove item as it is a browser toolbar add on.

ToolbarCop http://www.snapfiles.com/get/toolbarcop.html is usually at finding bad browser toolbars .

[BJS]

Thanks, I will try it..

[BJS]

I ran toolbarcop and these were the results. I did not see ISTBar but maybe it is there...


----------------------------------------
n/a
Browser Extension
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Enabled
All Users
----------------------------------------
Yahoo! Services
Browser Extension
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
C:\Program Files\Yahoo!\Common\yiesrvc.dll
Enabled
All Users
----------------------------------------
n/a
Browser Extension
{E2E2DD38-D088-4134-82B7-F2BA38496583}
%windir%\Network Diagnostic\xpnetdiag.exe
Enabled
All Users
----------------------------------------
Messenger
Browser Extension
{FB5F1910-F110-11D2-BB9E-00C04F795683}
C:\Program Files\Messenger\msmsgs.exe
Enabled
All Users
----------------------------------------
&Address
Toolbar
{01E04581-4EEE-11D0-BFE9-00AA005B4383}
%SystemRoot%\system32\browseui.dll
Enabled
Current User
----------------------------------------
&Links
Toolbar
{0E5CBF21-D15F-11D0-8301-00AA005B4383}
%SystemRoot%\system32\SHELL32.dll
Enabled
Current User
----------------------------------------
&Google
Toolbar
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
c:\program files\google\googletoolbar3.dll
Enabled
Current User
----------------------------------------
(Empty)
Toolbar
{B7D3E479-CC68-42B5-A338-938ECE35F419}
(empty)
Enabled
Current User
----------------------------------------
&Google
Toolbar
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
c:\program files\google\googletoolbar3.dll
Enabled
All Users
----------------------------------------
Adobe PDF Reader Link Helper
BHO
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
Enabled
All Users
----------------------------------------
Yahoo! IE Services Button
BHO
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
C:\Program Files\Yahoo!\Common\yiesrvc.dll
Enabled
All Users
----------------------------------------
SSVHelper Class
BHO
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Enabled
All Users
----------------------------------------
Google Toolbar Helper
BHO
{AA58ED58-01DD-4D91-8333-CF10577473F7}
c:\program files\google\googletoolbar3.dll
Enabled
All Users
----------------------------------------
Google Toolbar Notifier BHO
BHO
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
Enabled
All Users
----------------------------------------
&D&ownload &with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
Enabled
Current User
----------------------------------------
&D&ownload all video with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
Enabled
Current User
----------------------------------------
&D&ownload all with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
Enabled
Current User
----------------------------------------
swg
Run - Startup

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Enabled
Current User
----------------------------------------
ctfmon.exe
Run - Startup

C:\WINDOWS\system32\ctfmon.exe
Enabled
Current User
----------------------------------------
SunJavaUpdateSched
Run - Startup

"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
Enabled
All Users
----------------------------------------
SiSUSBRG
Run - Startup

C:\WINDOWS\sisUSBrg.exe
Enabled
All Users
----------------------------------------
SiS KHooker
Run - Startup

C:\WINDOWS\System32\khooker.exe
Enabled
All Users
----------------------------------------
Cmaudio
Run - Startup

RunDll32 cmicnfg.cpl,CMICtrlWnd
Enabled
All Users
----------------------------------------
avast!
Run - Startup

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Enabled
All Users

[DavidR]

No sign of 1stbar, can't see anything else there.