Author Topic: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updating, Sad But True


St.Anger_561_

  • Guest
Hello, I am having some issues with my cpu.  I hope someone can help me, please!!   :'(

Recently my avast would not update, it kept saying "Package was broken" when I attempted to update, hence I updated by downloading the update file from the avast website.  My cpu subsequently has been having all kinds of problems.  My web browsers keep crashing (both Firefox and IE), although it does not happen every time I am on the internet.  It is extremely annoying!!!!!    >:(

Also sometimes my browser will do this:  when I do a Google search and click on a website, my browser seems like it is redirected to another site pertaining to my search terms and I have to click back on my browser to get to the site that I clicked on from my web search, if that makes sense.   >:(

Furthermore, once I updated avast manually, I ran a scan and it found nothing, but then I ran a boot scan and it found the following:

JS: FakeAV-F [trJ]
JS: FakeAV-G [trJ]
TRJ[GEN]

Avast deleted some files on the boot scan; however, I am STILL having the issues with the browser and avast not updating automatically. I have to manually download the update from the avast website directly.

Also during the boot scan it told me that my avast4/data/report/aswboot.txt  - Installer archive is corrupted, whatever that means....   >:(

And during the boot scan I have two zip files that came up with Error 42125 (ZIP archive is corrupted)  >:(   >:(

I tried to manually delete these files using this awesome Eraser program that I have, but when I right click for some reason it will not come up when I am in those particular folders, if that makes sense.     >:(   

I also was getting a Windows error for Win32:GenericHostServices, any ideas?

I sent that error report to Microsoft, whatever that message means.     >:(

Finally, I will be posting some logs below; let's start with this one....

avast! Virus Cleaner Tool - version 1.0.211 Unicode

Creating log file: C:\Documents and Settings\All Users\Documents\ShareNetVideo\aswclnr.log

4/17/2009, 1:32:08 AM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (7.2s).
----------
Files scanning started...
C:\Documents and Settings\Cecilia Canyas\Application Data\Mozilla\Firefox\Profiles\qzsfvoya.default\sessionstore.js... file could not be scanned!
C:\Documents and Settings\Cecilia Canyas\Local Settings\Temporary Internet Files\Content.IE5\OS5M5D38\bc_2.0.4[1].js... file could not be scanned!
C:\Documents and Settings\Levent Canyas\Application Data\Mozilla\Firefox\Profiles\0yyypzpn.default\places.sqlite-journal... file could not be scanned!
C:\Program Files\Alwil Software\Avast4\Setup\part-vps-7110800.vpu... file could not be scanned!
C:\System Volume Information\tracking.log... file could not be scanned!
C:\WINDOWS\Temp\TMP0000002A25C1339356D519AC... file could not be scanned!
No virus body found.
Files scanning finished  (101792 files, 0 infected, 2257.1s).
Drives scanned: C:
----------

Of the above files, I went to the website www.virustotal.com and for the 6 files that could not be scanned, it said 0 bytes received when I tried to upload (which is odd because the last file under WINDOWS\TEMP showed as a 512 KB file)  >:(  >:(  EXCEPT I was able to upload places.sqlite-journal, which virustotal rated 0/40, and also tracking.log, which I was able to upload and it had a 0/39 hit, so I guess that is good..?   ???

Below is an avast log from the bootscan, I believe:

04/09/2009 23:49
Scan of all local drives

File C:\Documents and Settings\All Users\Documents\ShareNetVideo\MusicManager.exe.part\$INSTDIR\Downloads\selectrebatessetup_tx1003.exe\[Embedded_R#1d700] is infected by Win32:Trojan-gen {Other}, Deleted
File C:\Documents and Settings\Cecilia Canyas\Local Settings\Temp\GLB99.tmp\Wise0003.bin Error 42146 {Installer archive is corrupted.}
File C:\Documents and Settings\Cecilia Canyas\Local Settings\Temp\GLBE.tmp\Wise0003.bin Error 42146 {Installer archive is corrupted.}
File C:\Documents and Settings\Cecilia Canyas\Local Settings\Temporary Internet Files\Content.IE5\87Q6JUEE\3[1].htm is infected by JS:FakeAV-K [trj], Deleted
File C:\Documents and Settings\Cecilia Canyas\Local Settings\Temporary Internet Files\Content.IE5\91FWE2BQ\flist000[1].js is infected by JS:FakeAV-G [trj], Deleted
File C:\Documents and Settings\Levent Canyas\My Documents\Bro\Road_Trip_March_2004.zip\Caught ya (Large).JPG Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Levent Canyas\My Documents\Bro\Road_Trip_March_20042.zip\Melissa and I (Large).JPG Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 11318
Number of tested files: 956097
Number of infected files: 3


« Last Edit: April 20, 2009, 04:42:09 AM by St.Anger_561_ »

St.Anger_561_

  • Guest
Finally, I am posting a current HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:33:30 PM, on 4/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Levent Canyas\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hometabl.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

St.Anger_561_

  • Guest
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124fd.bay124.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145927023781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED412C0-6CA1-43D5-A584-2A41E154CB5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F3EB81-4190-41B1-8527-EAC21B3079E9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE



I have used this forum before, a long time ago, when I had a similar problem with TROJANS, but I do not remember how I resolved it, other than that I think Avast is the best antivirus and it was the only one that could help me before, now I am very  :-\  and  >:( and  ???

My thought was to uninstall avast and try another antivirus program, but honestly I really would rather not do this because I still have faith.   :)

I appreciate your time, knowledge, guidance, and expertise and I look forward to hearing from anyone and am open to most any suggestion to resolve this matter (besides a system restore or a wipe of the hard drive).

Thank you,

St.Anger 561  >:(



St.Anger_561_

  • Guest
Almost immediately after my last post I got this error again:

Generic Host Process for Win32 Services has encountered an error and needs to close   >:( >:( >:(

I am a college graduate, but computers are not my area of expertise.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • Posts: 2219
    • The WAR Against Malware
Quote from: St.Anger_561_
Also sometimes my browser will do this:  when I do a google search and click on a website, my browser seems like it is redirected to another site pertaining to my search terms and I have to click back on my browser to get to the site that I clicked on from my websearch, if that makes sense.

That can be fixed by editing the hosts file. (Unless the virus re-changes the hosts file every few seconds...)

Instructions for Windows XP:
1. Go to "C:\WINDOWS\system32\drivers\etc" on your computer.
2. Open the hosts file in Notepad.
3. Delete everything in the file.
4. (Maybe don't close it, but save it and type something like "#A" so maybe the virus can't modify it.)
5. Try opening Internet Explorer and searching. (Maybe it automatically changes when you open IE or Firefox.)
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
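A defender's version of the hosts-file step above, added here as an example and not part of any post in this thread: instead of deleting the whole file, it parses the hosts file, reports every mapping that is not the stock localhost line (a name sent to a foreign address, or a name blackholed at loopback), and writes back a copy with only those mappings removed. HOSTS_PATH is the Windows XP path from the reply; the sample hosts file is constructed and uses reserved example names.

```python
import ipaddress
from typing import List, Tuple

# Path the reply above points at on Windows XP.
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# The only mappings a stock Windows hosts file contains.
LOOPBACK_IPS = {"127.0.0.1", "::1"}
DEFAULT_NAMES = {"localhost"}

Entry = Tuple[int, str, List[str]]  # (line number, ip, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Return every active mapping; comments, blank and malformed lines are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not "<ip> <name>..."; leave it for manual review
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def suspicious_entries(text: str) -> List[Entry]:
    """Mappings that change where a name resolves: anything other than
    localhost -> loopback. A name pointed at a foreign address is a redirect;
    a name pointed at loopback or 0.0.0.0 is blackholed (ad-block lists do
    this on purpose, so each hit is something to review, not proof of infection)."""
    return [
        entry for entry in parse_hosts(text)
        if not (entry[1] in LOOPBACK_IPS and all(n.lower() in DEFAULT_NAMES for n in entry[2]))
    ]


def cleaned_hosts(text: str) -> str:
    """Hosts file with the flagged mappings removed and everything else,
    including the localhost lines and the comments, kept intact."""
    drop = {lineno for lineno, _, _ in suspicious_entries(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), start=1) if lineno not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample, not the poster's real hosts file; names use reserved example TLDs.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.search-engine.example   # redirect: search site sent elsewhere
127.0.0.1       update.av-vendor.example    # blackhole: updates can never connect
0.0.0.0         ads.example
"""

if __name__ == "__main__":
    # Swap SAMPLE_HOSTS for open(HOSTS_PATH).read() to audit a real machine.
    for lineno, ip, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {', '.join(names)}")
    print(cleaned_hosts(SAMPLE_HOSTS))
```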

YoKenny

  • Guest
Download the latest level of HijackThis v2.0.2 and install to the default location NOT the Desktop as your Desktop will become cluttered with backup log files:
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Then run a scan after all browser windows are closed, select the following, then click "Fix checked" to remove these items:
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

Post a new HijackThis log.


St.Anger_561_

  • Guest
Here is the most recent log.  I only removed the O23 - Service: iPod Service and the O23 - Service: NMIndexingService entries, because those were the only two that came up with (file missing) when I ran the HijackThis program prior to the repairs that generated the following log:

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hometabl.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

St.Anger_561_

  • Guest
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124fd.bay124.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145927023781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED412C0-6CA1-43D5-A584-2A41E154CB5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F3EB81-4190-41B1-8527-EAC21B3079E9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

--
End of file - 11001 bytes


As an aside, I tried to update to IE 8.0, but the installer program would not finish; it kept saying "downloading updates". I am guessing because of this trojan?  Thanks again.
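The triage YoKenny describes (pull out the "(file missing)" entries) and the before/after comparison of the two HijackThis logs posted above, as an added example that is not from any post in this thread. It keys each entry by section code, first field and CLSID so the same entry is matched even when its path or marker changed; the two logs embedded below are constructed excerpts of the posted ones, not the complete logs.

```python
import re
from typing import Dict, List, Optional, Tuple

# One HijackThis entry: a section code such as R1, O4 or O23, then " - ", then the body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Markers HijackThis appends when the referenced file does not exist on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")

Key = Tuple[str, str, str]  # (section, first field, CLSID or "")


def entry_key(line: str) -> Optional[Key]:
    """Identity of an entry across logs: section code, the first " - " field
    (e.g. 'Service: iPod Service') and any CLSID, so the same entry matches even
    when its path or its "(file missing)" marker has changed. None for the
    header lines and the 'Running processes' list."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    guid = GUID_RE.search(body)
    return (section, body.split(" - ")[0].strip(), guid.group(0).lower() if guid else "")


def parse_hjt(text: str) -> Dict[Key, str]:
    """Map every entry key to its full line; everything else in the log is skipped."""
    entries: Dict[Key, str] = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries[key] = line.strip()
    return entries


def is_missing(line: str) -> bool:
    return any(marker in line for marker in MISSING_MARKERS)


def flag_missing(text: str) -> List[str]:
    """Entries whose target HijackThis could not find: orphaned registrations,
    the ones the reply above told the poster to fix."""
    return [line for line in parse_hjt(text).values() if is_missing(line)]


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str], List[str]]:
    """(removed, added, resolved): entries gone from the new log, new entries
    to look at, and entries still present whose file is no longer missing."""
    old, new = parse_hjt(before), parse_hjt(after)
    removed = [old[k] for k in old if k not in new]
    added = [new[k] for k in new if k not in old]
    resolved = [new[k] for k in old if k in new and is_missing(old[k]) and not is_missing(new[k])]
    return removed, added, resolved


# Constructed excerpts in HijackThis format (a few lines from each of the two
# logs posted in this thread), not the complete logs.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

AFTER_LOG = r"""O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for line in flag_missing(BEFORE_LOG):
        print("MISSING ", line)
    removed, added, resolved = diff_logs(BEFORE_LOG, AFTER_LOG)
    for label, lines in (("REMOVED ", removed), ("ADDED   ", added), ("RESOLVED", resolved)):
        for line in lines:
            print(label, line)
```

On the excerpts above, "added" surfaces the O4 UserFaultCheck entry that appears only in the second log, which is the kind of new line worth a second look after a cleanup.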

St.Anger_561_

  • Guest
Quote from: !Donovan
That can be fixed by editing the hosts file. (Unless the virus re-changes the hosts file every few seconds...)

Instructions for Windows XP:
1. Go to "C:\WINDOWS\system32\drivers\etc" on your computer.
2. Open the hosts file in Notepad.
3. Delete everything in the file.
4. (Maybe don't close it, but save it and type something like "#A" so maybe the virus can't modify it.)
5. Try opening Internet Explorer and searching. (Maybe it automatically changes when you open IE or Firefox.)

I did what you were asking here and opened the hosts file, deleted everything (wow, there was a lot of stuff in there!!), then I saved the file as host_#A and performed a web search, but I do not know what effect this had on the original hosts file.  The new one I saved remained blank, is that what you meant?

Thanks again for your time and for looking at this everyone. 

St.Anger_561_

  • Guest
Hey, good morning ppl out there reading this, I updated to IE 8.0 (finally!!)

However, after I updated I got the Generic Host Services error for Win32 (sent error report).

I saw on another post about trj[GEN] a website that checks your cpu for updates.

I did update my Java, but there were several items (notably Adobe) that it said were "vulnerable" because I did not have the most recent update.

I am going to update all of those this am.  My browser has not been redirected or crashed on me, yet, but when I try to update avast through the program I am still getting "package is broken".

When I clicked "View Log" this is what Avast shows me:   What does it all mean??  ???  ???
18.04.2009 07:59:16 general: Started: 18.04.2009, 07:59:16
18.04.2009 07:59:16 general: Running setup_av_pro-537 (1335)
18.04.2009 07:59:16 system: Operating system: WindowsXP ver 5.1, build 2600, sp 3.0 [Service Pack 3]
18.04.2009 07:59:16 system: Memory: 55% load. Phys:582260/1308672K free, Page:778236/1553724K free, Virt:2069344/2097024K free
18.04.2009 07:59:16 system: Computer WinName: D3Z3PF41
18.04.2009 07:59:16 system: Windows Net User: D3Z3PF41\Levent Canyas
18.04.2009 07:59:16 general: Cmdline: /downloadpkgs /noreboot /updatevps /silent /progress 
18.04.2009 07:59:16 general: DldSrc set to inet
18.04.2009 07:59:16 general: Operation set to INST_OP_UPDATE_GET_PACKAGES
18.04.2009 07:59:16 general: Old version: 537 (1335)
18.04.2009 07:59:16 registry: Deleted registry: Software\Alwil Software\Avast\4.0\UpdateReady
18.04.2009 07:59:16 system: Using temp: C:\DOCUME~1\LEVENT~1\LOCALS~1\Temp\_av_proI.tm~a02748 (32446M free)
18.04.2009 07:59:16 general: SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
18.04.2009 07:59:16 internet: SYNCER: Agent=Syncer/4.80 (av_pro-1335;p)
18.04.2009 07:59:16 system: Computer DnsName: D3Z3PF41
18.04.2009 07:59:16 system: Computer Ip Addr: 192.168.1.96
18.04.2009 07:59:16 system: Installed in: C:\Program Files\Alwil Software\Avast4 (32446M free)
18.04.2009 07:59:16 internet: SYNCER: Type: use IE settings
18.04.2009 07:59:16 internet: SYNCER: Auth: another authentication, use WinInet
18.04.2009 07:59:16 package: Part prg_av_pro-537 is installed
18.04.2009 07:59:16 package: Part vps-9041300 is installed
18.04.2009 07:59:16 package: Part news-4f is installed
18.04.2009 07:59:16 package: Part setup_av_pro-537 is installed
18.04.2009 07:59:16 package: Part jrog-e1 is installed
18.04.2009 07:59:16 general: Old version: 537 (1335)
18.04.2009 07:59:16 general: GUID: ecb7bf8d-ad96-4921-8ba9-ede68d7d1fa6
18.04.2009 07:59:17 general: Server definition(s) loaded for 'main': 266 (maintenance:0)
18.04.2009 07:59:17 general: SelectCurrent: selected server 'Download734 AVAST Server' from 'main'
18.04.2009 07:59:17 internet: SYNCER: Type: use IE settings
18.04.2009 07:59:17 internet: SYNCER: Auth: another authentication, use WinInet
18.04.2009 07:59:17 general: Entered SetupProcessPro::Do( INST_OP_UPDATE_GET_PACKAGES )
18.04.2009 07:59:17 general: Entered SetupProcessWin32Avast::Do( INST_OP_UPDATE_GET_PACKAGES )
18.04.2009 07:59:17 general: Entered SetupProcessWin32::Do( INST_OP_UPDATE_GET_PACKAGES )
18.04.2009 07:59:17 general: Entered SetupProcess::Do( INST_OP_UPDATE_GET_PACKAGES )
18.04.2009 07:59:17 general: progress thread start
18.04.2009 07:59:17 internet: SYNCER: Agent=Syncer/4.80 (av_pro-1335;f)
18.04.2009 07:59:38 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 07:59:53 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 07:59:53 file: GetFileWithRetry: servers.def.vpu downloaded .
18.04.2009 07:59:53 file: GetNewerStampedFile:DSA_FileVerify(C:\DOCUME~1\LEVENT~1\LOCALS~1\Temp\_av_proI.tm~a02748\onefile), error: 0x2000000B
18.04.2009 07:59:53 package: Download servers.def, servers.def.vpu failed with error 0x20000011.
18.04.2009 08:00:08 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 08:00:24 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 08:00:24 file: GetFileWithRetry: servers.def downloaded .
18.04.2009 08:00:24 file: GetNewerStampedFile:DSA_FileVerify(C:\DOCUME~1\LEVENT~1\LOCALS~1\Temp\_av_proI.tm~a02748\onefile), error: 0x2000000B
18.04.2009 08:00:24 package: Tried to download servers.def but failed with error 0x20000011.
18.04.2009 08:00:24 package: LoadAllDefs failed 0x20000011
18.04.2009 08:00:24 general: Err:The package is broken
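What the posted log itself says is that the installer fetched servers.def.vpu and then servers.def from download734.avast.com, ran its DSA signature check (DSA_FileVerify) on each downloaded file, got error 0x2000000B both times, and therefore reported the package download as failed (0x20000011) and finally "The package is broken". So the message is the consequence of the downloaded files not passing the signature check, not a fault in the installer itself; the log alone does not say whether the bytes were altered in transit or simply corrupted. The script below is an added example (not avast's tooling and not from the thread) that pulls exactly that chain out of the log text: it keeps the server used, pairs each DSA_FileVerify failure with the file GetFileWithRetry fetched just before it (the verifier is only ever called on the temp file named onefile, so the pairing is an inference from log order), collects the package error codes, and produces a one-line verdict. SAMPLE_LOG is a trimmed copy of the lines posted above; the regular expressions are my own.

```python
"""Summarise an avast 4 setup log and extract why it reports 'package is broken'.

Added example for the thread; regexes and the download/verify pairing are mine.
"""
import re

# Trimmed copy of the log posted in the thread (backslashes doubled for Python).
SAMPLE_LOG = """\
18.04.2009 07:59:17 general: SelectCurrent: selected server 'Download734 AVAST Server' from 'main'
18.04.2009 07:59:38 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 07:59:53 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 07:59:53 file: GetFileWithRetry: servers.def.vpu downloaded .
18.04.2009 07:59:53 file: GetNewerStampedFile:DSA_FileVerify(C:\\DOCUME~1\\LEVENT~1\\LOCALS~1\\Temp\\_av_proI.tm~a02748\\onefile), error: 0x2000000B
18.04.2009 07:59:53 package: Download servers.def, servers.def.vpu failed with error 0x20000011.
18.04.2009 08:00:24 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 08:00:24 file: GetFileWithRetry: servers.def downloaded .
18.04.2009 08:00:24 file: GetNewerStampedFile:DSA_FileVerify(C:\\DOCUME~1\\LEVENT~1\\LOCALS~1\\Temp\\_av_proI.tm~a02748\\onefile), error: 0x2000000B
18.04.2009 08:00:24 package: Tried to download servers.def but failed with error 0x20000011.
18.04.2009 08:00:24 package: LoadAllDefs failed 0x20000011
18.04.2009 08:00:24 general: Err:The package is broken
"""

# One log line: "dd.mm.yyyy hh:mm:ss category: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (?P<cat>\w+): (?P<msg>.*)$")
SERVER_RE = re.compile(r"Used server: (\S+)")
DOWNLOAD_RE = re.compile(r"GetFileWithRetry: (\S+) downloaded")
VERIFY_RE = re.compile(
    r"DSA_FileVerify\((?P<path>[^)]*)\), error: (?P<code>0x[0-9A-Fa-f]+)")
PKG_ERR_RE = re.compile(r"failed (?:with error )?(?P<code>0x[0-9A-Fa-f]+)")
FINAL_RE = re.compile(r"^Err:(?P<msg>.*)$")


def summarize(log_text):
    """Reduce the log to the facts that matter for the update failure."""
    summary = {"servers": set(), "verify_failures": [],
               "package_errors": [], "final_error": None}
    last_download = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        server = SERVER_RE.search(msg)
        download = DOWNLOAD_RE.search(msg)
        verify = VERIFY_RE.search(msg)
        pkg_err = PKG_ERR_RE.search(msg)
        final = FINAL_RE.match(msg)
        if server:
            summary["servers"].add(server.group(1))
        elif download:
            last_download = download.group(1)
        elif verify:
            # The verifier runs on a temp file ('onefile'); the file it actually
            # checked is the one GetFileWithRetry fetched immediately before.
            summary["verify_failures"].append(
                (last_download or verify.group("path"), verify.group("code")))
        elif pkg_err:
            summary["package_errors"].append(pkg_err.group("code"))
        elif final:
            summary["final_error"] = final.group("msg")
    return summary


def diagnose(summary):
    """One-line verdict a forum helper could act on."""
    if summary["verify_failures"]:
        files = ", ".join(f"{name} ({code})"
                          for name, code in summary["verify_failures"])
        return ("signature check failed on downloaded file(s): " + files
                + "; installer rejected the update, which is what '"
                + (summary["final_error"] or "package error") + "' reports")
    if summary["package_errors"]:
        return ("download/package error(s) without a signature failure: "
                + ", ".join(summary["package_errors"]))
    return "no errors found"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("servers:", ", ".join(sorted(s["servers"])))
    print("verify failures:", s["verify_failures"])
    print("package errors:", s["package_errors"])
    print("verdict:", diagnose(s))
```

Because the only thing being rejected is the freshly downloaded definition file, the practical check is the one the poster already did by accident: fetch the update package from the vendor site on a known-clean machine, move it over on removable media, and see whether the offline installer accepts it. If it does, the network path from this machine is what is delivering bad bytes.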

St.Anger_561_

  • Guest
Additionally, I went into Windows Update after updating to IE 8.0, and this is what it tells me I need to update:

Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86
Download size: 248.4 MB , less than 1 minute
Microsoft .NET Framework 3.5 Service Pack 1 is a full cumulative update that contains many new features building incrementally upon .NET Framework 2.0, 3.0, 3.5, and includes cumulative servicing updates to the .NET Framework 2.0 and .NET Framework 3.0 subcomponents. The .NET Framework 3.5 Family Update provides important application compatibility updates.  Details...
Don't show this update again

Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)

I am really CONFUSED because I am using SP3; why does it say I need this second update for Service Pack 1??   Any ideas...?  Thanks again

St.Anger_561_

  • Guest
Yeah, my browser is still messed up!!!!    >:(   >:(   >:(   

I tried to run Ad-Aware SE Personal, and that program started, but it also would not update.

I tried to do a search for Ad-Aware SE Personal, but when I clicked on the link I was redirected to a website for "City Search", which is not what I clicked on.    >:(    >:(    >:(   

I had to click back on my browser a few times; this is really annoying. Can anyone help me, please?!?

Thanks in advance for your expertise.

micky77

  • Guest
I see you have SAS; try to update and scan. Also download MBAM; if you need to, use another PC and download the updates too. Transfer to the bad PC, install MBAM, then exit. Double-click the update files to update both programs. I don't think you should be messing with the hosts file. There are programs like HostsXpert to clear bad entries. If you have renamed the file, I would rename it to its original name:    hosts

Please post back with progress on MBAM and SAS.

SAS UPDATES  for 4.2.6.100 http://www.superantispyware.com/definitions.html

MBAM http://filehippo.com/download_malwarebytes_anti_malware/

MBAM UPDATES http://www.gt500.org/malwarebytes/database.jsp
« Last Edit: April 18, 2009, 03:05:14 PM by micky77 »

St.Anger_561_

  • Guest
Okey dokey, status update: I have the new Ad-Aware Anniversary Edition installed (finally).  It wasn't installing properly at first (perhaps some conflict with my Ad-Aware SE?)

By the way, during the installation of the AE it told me that it had to remove Ad-Aware SE Personal, but now when I go under Start >> Programs >> Lavasoft it lists both Ad-Aware SE Personal and the new Ad-Aware. Should I try running the uninstall for Ad-Aware SE Personal?    ???

Also, here is what the new Ad-Aware found:  Pattern of Dropper DR/Sahat.AS.  It quarantined the two files; they were UVFDInstaller.exe, whatever that is.

I am pretty sure this hijacker is still active because when I tried to type in "avast forum" it redirected me to another site when I clicked on the search result links, and I had to hit back again.

I have to exit IE to run the install of the MB program; be back soon.  Thanks again.


micky77

  • Guest
Forget about Ad-Aware, it's lame. Concentrate on MBAM and SAS.