Author Topic: Viruses: trojan (win32:kavos)  (Read 25725 times)


FreewheelinFrank (Avast Evangelist)
Re: Viruses: trojan (win32:kavos)
« Reply #15 on: June 16, 2009, 07:49:20 AM »
Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders'.

Search for and delete fsaht.cmd wherever you find it (check thumb drives too).

It'll probably be in the root directory (C:\, D:\ or whatever it's called).
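The search described in the post above, as an added example that is not code from the thread or from avast: it walks every root you hand it (thumb-drive letters included), matches the file name case-insensitively, and reports the hidden/system attributes that keep such a file out of Explorer until 'Hide protected operating system files' is turned off. It also parses the root's autorun.inf for the executable it launches, so the dropper is still identified when it has been renamed. `AUTORUN_SAMPLE`, `make_fixture()` and all helper names are this example's own constructions; the attribute check only has data on Windows.

```python
"""Find a dropped autorun companion on every mounted root.

Added example, not code from the thread or from avast. Two pieces:
  * parse_autorun(text) pulls the launch targets out of an autorun.inf
    (the open=, shellexecute= and shell\\<verb>\\command= keys);
  * find_droppers(roots, names) walks each root for those names and reports
    the hidden/system attributes (Windows only; False elsewhere).
AUTORUN_SAMPLE and make_fixture() are constructed for illustration.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

AUTORUN_SAMPLE = """\
[AutoRun]
; padding lines like this one are common in worm-written autorun.inf files
open=fsaht.cmd
shellexecute=fsaht.cmd
shell\\Open\\command=fsaht.cmd
shell=Open
"""

_TARGET_KEYS = ('open', 'shellexecute')


def _first_token(value: str) -> str:
    """The executable part of a key value: quoted path or first word."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ''


def parse_autorun(text: str) -> List[str]:
    """Return the distinct executables an autorun.inf would launch."""
    targets: List[str] = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('['):
            in_autorun = line.lower() == '[autorun]'
            continue
        if not in_autorun or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        key = key.lower()
        is_cmd_key = key.startswith('shell\\') and key.endswith('\\command')
        if key in _TARGET_KEYS or is_cmd_key:
            target = _first_token(value)
            if target and target not in targets:
                targets.append(target)
    return targets


def autorun_targets(root: str) -> List[str]:
    """Targets of <root>\\autorun.inf, or [] when the root has none."""
    inf = Path(root) / 'autorun.inf'
    if not inf.is_file():
        return []
    return parse_autorun(inf.read_text(errors='replace'))


def _attributes(path: Path) -> Dict[str, bool]:
    attrs = getattr(path.stat(), 'st_file_attributes', 0)   # Windows only
    return {
        'hidden': bool(attrs & getattr(stat, 'FILE_ATTRIBUTE_HIDDEN', 0)),
        'system': bool(attrs & getattr(stat, 'FILE_ATTRIBUTE_SYSTEM', 0)),
    }


def find_droppers(roots: Iterable[str], names: Iterable[str]) -> List[Dict[str, object]]:
    """Every file under the roots whose name matches, with its attributes."""
    wanted = {n.lower() for n in names}
    hits: List[Dict[str, object]] = []
    for root in roots:
        for dirpath, _subdirs, files in os.walk(root):
            for name in files:
                if name.lower() in wanted:
                    path = Path(dirpath) / name
                    hit: Dict[str, object] = {'path': str(path)}
                    hit.update(_attributes(path))
                    hits.append(hit)
    return hits


def make_fixture() -> str:
    """Constructed stand-in for an infected drive root (temporary directory)."""
    root = tempfile.mkdtemp(prefix='autorun-demo-')
    (Path(root) / 'autorun.inf').write_text(AUTORUN_SAMPLE)
    (Path(root) / 'Backup').mkdir()
    (Path(root) / 'Backup' / 'FSAHT.CMD').write_text('@echo off\r\n')
    return root


if __name__ == '__main__':
    root = make_fixture()
    names = ['fsaht.cmd'] + autorun_targets(root)
    for hit in find_droppers([root], names):
        print(hit)
```

On a real machine you would pass the drive letters (`['C:\\', 'D:\\', 'E:\\']`) instead of the fixture; a hit with `hidden` and `system` both set is the signature of a file meant to survive a casual look in Explorer, and the autorun.inf in the same root tells you which other names to hunt for.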

swaprules (Guest)
Re: Viruses: trojan (win32:kavos)
« Reply #16 on: June 16, 2009, 03:38:18 PM »
Ran the boot-time scan. I looked at it while it was running a couple of times, but as far as I could see most of the files shown were corrupt but not infected.
Here's my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:20 PM, on 6/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\security\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A14B453-F018-4131-9F3D-7C5735E1FB87}: NameServer = 203.187.215.35 203.187.192.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A14B453-F018-4131-9F3D-7C5735E1FB87}: NameServer = 203.187.215.35 203.187.192.15
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6740 bytes

Avast is still informing me of the infected file fsaht.cmd once in a while and telling me to do a boot-time scan. Should I allow it to delete it? It was in the windows32 folder, so I don't want to take chances. Thanks for all the help!
Edit: Didn't read the last post. Finding and deleting fsaht.cmd now.
Edit 2.0: Not able to find the file. Will delete it next time avast shows the warning.
« Last Edit: June 16, 2009, 03:47:05 PM by swaprules »
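A triage pass over a HijackThis log of the kind posted above, as an added example that is not code from the thread or from HijackThis: it parses the `Oxx - ...` lines and flags what a reviewer checks first, O4 autostarts given as a bare name (resolved through %PATH% at logon) or running from a user profile or an unexpected directory, O20/O23 components in the same places, every O16 ActiveX download, and every O17 NameServer override. A flag means "confirm this", not "malware". `HJT_SAMPLE` is constructed from lines of the log above; `Finding`, `parse_hjt`, `triage` and the helpers are this example's own names.

```python
"""Triage the 'O' lines of a HijackThis 2.0 log.

Added example; not part of the thread and not HijackThis code. HJT_SAMPLE is
constructed from the log above. Flags are review prompts, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HJT_SAMPLE = r"""O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A14B453-F018-4131-9F3D-7C5735E1FB87}: NameServer = 203.187.215.35 203.187.192.15
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    item: str      # executable, DLL, URL or value that was flagged
    reason: str    # what the reviewer should confirm


# First token of an O4 command: a quoted path, or everything up to the first
# executable-looking extension (unquoted paths may contain spaces).
_EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|cmd|bat|com|scr|vbs|pif)))(?:\s|$)',
    re.IGNORECASE)
_ABS_RE = re.compile(r'^[a-z]:\\', re.IGNORECASE)
_PROFILE_RE = re.compile(r'^[a-z]:\\documents and settings\\', re.IGNORECASE)
_EXPECTED_RE = re.compile(
    r'^[a-z]:\\(program files|progra~\d|windows)(\\|$)', re.IGNORECASE)
_O4_RE = re.compile(r'^HK\w+\\\.\.\\\w+: \[[^\]]*\] (?P<cmd>.*)$')
_LINE_RE = re.compile(r'^([ORFN]\d+) - (.*)$')


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every 'Oxx - body' line in the log."""
    pairs = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def executable_of(command: str) -> str:
    """Strip arguments and quotes from an autostart command line."""
    m = _EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group('q') or m.group('u')


def location_reason(path: str) -> Optional[str]:
    """Reason to confirm a path, or None when it looks routine.

    Limit of the heuristic: a dropper written to C:\\WINDOWS passes it, so a
    hash lookup still decides.
    """
    if not _ABS_RE.match(path):
        return 'bare name, resolved through %PATH% at logon'
    if _PROFILE_RE.match(path):
        return 'runs from a user profile directory'
    if not _EXPECTED_RE.match(path):
        return 'runs from an unusual directory'
    return None


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for section, body in parse_hjt(text):
        if section == 'O4':
            m = _O4_RE.match(body)
            if not m:          # other O4 forms (Startup folder items) skipped
                continue
            exe = executable_of(m.group('cmd'))
            reason = location_reason(exe)
            if reason:
                findings.append(Finding(section, exe, reason))
        elif section in ('O20', 'O23'):
            path = body.rsplit(' - ', 1)[-1].strip()
            reason = location_reason(path)
            if reason:
                findings.append(Finding(section, path, reason))
        elif section == 'O16':
            url = body.rsplit(' - ', 1)[-1].strip()
            findings.append(Finding(section, url, 'ActiveX control fetched from the web'))
        elif section == 'O17':
            m = re.search(r'NameServer = (?P<ns>.+)$', body)
            if m:
                findings.append(Finding(section, m.group('ns').strip(),
                                        'DNS servers set in the registry; confirm they belong to the ISP'))
    return findings


if __name__ == '__main__':
    for f in triage(HJT_SAMPLE):
        print(f'{f.section:<4} {f.item}\n     -> {f.reason}')
```

On the sample the bare `SkyTel.EXE`, the per-user `GoogleUpdate.exe`, the PCPitstop ActiveX download and the NameServer pair come back for confirmation, while the avast, Google Talk, SUPERAntiSpyware and Nero entries do not. The location test cannot clear a file dropped into the Windows directory, so the list orders the review; it does not replace checking the file itself at VirusTotal.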

Maxx_original (Moderator)
Re: Viruses: trojan (win32:kavos)
« Reply #17 on: June 16, 2009, 05:00:52 PM »
one more update of the detection will come out tomorrow...

swaprules: was the button "send to alwil for further analysis" (or something like that) checked in the heuristic warning dialog?

DavidR (Avast Überevangelist)
Re: Viruses: trojan (win32:kavos)
« Reply #18 on: June 16, 2009, 06:31:53 PM »
Quote
Now once in a while avast is detecting an infected file with what it says is a heuristic or something scan (??). The file is always the same fsaht.cmd. Any idea about this??

"A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis."

Don't click the 'don't tell me about this' option; let it be detected in the future and keep allowing it to be sent for analysis.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here: the URL in the address bar of the VT results page.

swaprules (Guest)
Re: Viruses: trojan (win32:kavos)
« Reply #19 on: June 16, 2009, 06:41:05 PM »
I have sent it for analysis many times and finally clicked delete this time. Will do other scans tomorrow now. Feeling sleepy. Thanks guys!

swaprules (Guest)
Re: Viruses: trojan (win32:kavos)
« Reply #20 on: June 17, 2009, 05:43:36 AM »
I sent the file for analysis to VirusTotal. It was said to be already analyzed and the link is
http://www.virustotal.com/analisis/b18d702860bb9545a395b2b691e0e270ee535d630762badab577ac4eec15e443-1245165025 .

Also, it seems avast is unable to delete the file, as it is still showing the warnings once in a while.


Edit: Had the file reanalysed too.
New link --> http://www.virustotal.com/analisis/b18d702860bb9545a395b2b691e0e270ee535d630762badab577ac4eec15e443-1245210201
« Last Edit: June 17, 2009, 05:46:39 AM by swaprules »

swaprules (Guest)
Re: Viruses: trojan (win32:kavos)
« Reply #21 on: June 17, 2009, 06:30:09 AM »
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/17/2009 at 09:29 AM

Application Version : 4.26.1004

Core Rules Database Version : 3938
Trace Rules Database Version: 1881

Scan type       : Complete Scan
Total Scan Time : 00:13:44

Memory items scanned      : 431
Memory threats detected   : 0
Registry items scanned    : 6017
Registry threats detected : 6
File items scanned        : 16456
File threats detected     : 6

Unclassified.Unknown Origin
   HKLM\Software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
   HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
   HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32
   HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\E8MAIN0.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BB4C402F-882A-4526-8C08-51278EA437C1}
   HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}

Adware.Tracking Cookie
   C:\Documents and Settings\User\Cookies\user@adinterax[1].txt
   C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
   C:\Documents and Settings\User\Cookies\user@atdmt[1].txt
   C:\Documents and Settings\User\Cookies\user@windowsmedia[2].txt
   C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt

FreewheelinFrank (Avast Evangelist)
Re: Viruses: trojan (win32:kavos)
« Reply #22 on: June 17, 2009, 08:05:30 AM »
Quote
a-squared    4.5.0.18    2009.06.17    Worm.Win32.Taterf!IK

You can run a-Squared Free.

a-Squared Free

Don't forget to update before scanning.

emantoyaks (Guest)
Re: Viruses: trojan (win32:kavos)
« Reply #23 on: June 17, 2009, 12:41:53 PM »
This is a new virus that infects my pc also...

swaprules (Guest)
Re: Viruses: trojan (win32:kavos)
« Reply #24 on: June 17, 2009, 03:23:29 PM »
Is a-squared worth the download? Just asking because it will take me a long time to download it.

FreewheelinFrank (Avast Evangelist)
Re: Viruses: trojan (win32:kavos)
« Reply #25 on: June 17, 2009, 03:46:35 PM »
You could just wait for the updated avast! detection and see if that helps.

mkis (Avast Evangelist)
Re: Viruses: trojan (win32:kavos)
« Reply #26 on: June 17, 2009, 09:01:09 PM »
Did you turn off System Restore when you ran a boot-time scan?

http://forum.avast.com/index.php?topic=46120.msg387243#msg387243

Don't bother with HJT this time.

Alternatively run your avast scan in Safe Mode.
Run MBAM ( http://www.malwarebytes.org/mbam.php ) latest version beforehand. In Safe Mode.

But make sure System Restore is turned off to wipe viruses whose backup may be stored there.
Right click on My Computer-> Properties-> System Restore tab-> click on Turn off System Restore.
You may need to restart the computer.

Maxx_original (Moderator)
Re: Viruses: trojan (win32:kavos)
« Reply #27 on: June 17, 2009, 11:07:33 PM »
I believe that today's VPS update will solve the problem (in boot-time scan)  ;)

swaprules (Guest)
Re: Viruses: trojan (win32:kavos)
« Reply #28 on: June 18, 2009, 02:07:00 PM »
Did everything mkis told me to.
Here's my MBAM log:
Malwarebytes' Anti-Malware 1.38
Database version: 2301
Windows 5.1.2600 Service Pack 2

6/18/2009 9:22:31 AM
mbam-log-2009-06-18 (09-22-16).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 166472
Time elapsed: 39 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorDoctor (Rogue.ErrorDoctor) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\xdglur.bat (Spyware.OnlineGames) -> No action taken.
d:\xdglur.bat (Spyware.OnlineGames) -> No action taken.
e:\xdglur.bat (Spyware.OnlineGames) -> No action taken.
C:\autorun.inf (Trojan.Agent) -> No action taken.
c:\fsaht.cmd (Trojan.Agent) -> No action taken.
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> No action taken.

Also, why does the avast thorough scan in Safe Mode take so long? It took me almost 4 hrs for 50% on an 80 GB HDD.
Also, right after the reboot after scanning, it showed again the infected file with type or something Win32:Kavos, though the file name was different, and also a rootkit of similar name. Sent them for analysis to avast using the option provided.
What else do I do?
P.S. avast anti-rootkit didn't find any rootkits.
Will my PC ever be clean?

FreewheelinFrank (Avast Evangelist)
Re: Viruses: trojan (win32:kavos)
« Reply #29 on: June 18, 2009, 02:11:17 PM »
You need to tell MBAM to remove those detected items: the log says 'No action taken'.
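The check behind that reply, as an added example that is not code from the thread or from Malwarebytes: it parses the `<item> (<classification>) -> <action>` lines of an MBAM 1.x log, lists everything still at 'No action taken', separates the Security Center notification tampering, and groups file names that sit in the root of several drives, which is the footprint of a removable-media spreader (xdglur.bat on C:, D: and E: in the log above). `MBAM_SAMPLE` is constructed from that log, with its last line altered to show how a remediated entry reads; the helper names are this example's own.

```python
"""Check a Malwarebytes' Anti-Malware 1.x log for unfinished cleanup.

Added example; not code from the thread or from Malwarebytes. MBAM_SAMPLE is
constructed from the log posted in the thread (last line altered to show a
remediated entry).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

MBAM_SAMPLE = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorDoctor (Rogue.ErrorDoctor) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
c:\xdglur.bat (Spyware.OnlineGames) -> No action taken.
d:\xdglur.bat (Spyware.OnlineGames) -> No action taken.
e:\xdglur.bat (Spyware.OnlineGames) -> No action taken.
C:\autorun.inf (Trojan.Agent) -> No action taken.
c:\fsaht.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
"""

_ITEM_RE = re.compile(r'^(?P<item>.+?) \((?P<cls>[^()]+)\) -> (?P<rest>.*?)\.?$')
_ROOT_FILE_RE = re.compile(r'^(?P<drive>[a-z]):\\(?P<name>[^\\]+)$', re.IGNORECASE)


@dataclass
class Detection:
    section: str          # e.g. "Files Infected"
    item: str             # path or registry key
    classification: str   # MBAM family name
    action: str           # what MBAM did about it


def parse_mbam(text: str) -> List[Detection]:
    section = ''
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(':'):           # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = _ITEM_RE.match(line)
        if not m:
            continue
        # Registry data lines carry 'Bad: (..) Good: (..) -> <action>'; keep the last part.
        action = m.group('rest').rsplit(' -> ', 1)[-1]
        found.append(Detection(section, m.group('item'), m.group('cls'), action))
    return found


def unremediated(found: List[Detection]) -> List[Detection]:
    return [d for d in found if d.action.lower().startswith('no action taken')]


def security_center_tampering(found: List[Detection]) -> List[Detection]:
    return [d for d in found if d.classification == 'Disabled.SecurityCenter']


def root_spreaders(found: List[Detection]) -> Dict[str, List[str]]:
    """File names present in the root of more than one drive."""
    drives: Dict[str, Set[str]] = defaultdict(set)
    for d in found:
        m = _ROOT_FILE_RE.match(d.item)
        if m:
            drives[m.group('name').lower()].add(m.group('drive').lower())
    return {name: sorted(ds) for name, ds in drives.items() if len(ds) > 1}


def cleanup_complete(text: str) -> bool:
    """True only when no detection is left at 'No action taken'."""
    return not unremediated(parse_mbam(text))


if __name__ == '__main__':
    found = parse_mbam(MBAM_SAMPLE)
    print('cleanup complete:', cleanup_complete(MBAM_SAMPLE))
    for d in unremediated(found):
        print('still present:', d.item, f'({d.classification})')
    print('spread across drive roots:', root_spreaders(found))
    print('security center notifications disabled:',
          [d.item.rsplit('\\', 1)[-1] for d in security_center_tampering(found)])
```

The spreader grouping is the reason to clean every drive in one pass and to leave the removable media plugged in during the scan: remove the copy on C: alone and the next insertion of the thumb drive restores it through its autorun.inf.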