Author Topic: 3 Viruses Found  (Read 16642 times)

ekitchens

  • Guest
3 Viruses Found
« on: October 20, 2010, 08:11:51 PM »
I've had 3 viruses pop up this morning. Hoping you can give me some insight on if I'm clean now.

Avast sent me about 20 alerts of eapp32hst.dll being found and moved to the chest. It looks like the virus kept trying to restart itself because I was getting so many alerts until I finally just shut down.

I rebooted and deleted the files from the chest. No problems.

I then downloaded and ran MBAM and it found Trojan.Alureon and Trojan.FakeAlert. I had MBAM remove those trojans and on reboot, had it do another scan. They seem to be gone too.

The only thing that's happening now that is out of the ordinary is I'm getting a popup in my toolbar that says there are some blocked startup programs. When I open the icon (Vista), the programs don't look suspicious. I've got:

ObjectDock
VistaBatterySaver
Microsoft Media Center Tray Applet
Microsoft Userinit Logon Application
Microsoft Windows Explorer
Windows Defender
Dell Wireless WLAN Card Wireless Network Tray Applet
Alps Pointing Device Driver
Monitor Application (For LeapFrog)
Avast
Malwarebytes' Anti-Malware


Here's my Hijack this file now after the Trojans have been removed (if they are really removed):

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:58:07 PM, on 10/20/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Stardock\Object Desktop\ObjectDock\ObjectDock.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Apryl\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [VistaBatterySaver] C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\Object Desktop\ObjectDock\ObjectDock.exe
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4883 bytes
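
For reviewing a HijackThis log like the one above, here is an added example (not part of the original post and not a HijackThis feature) that parses the O4 autostart and O23 service lines and lists entries worth a manual look. The trusted-root list and the `[example]` line are assumptions made for illustration; a listed entry is a prompt for review, not a verdict.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Entry(NamedTuple):
    section: str            # HijackThis section code: "O4" (autostart) or "O23" (service)
    location: str           # registry Run key, Startup folder, or "Service"
    name: str
    vendor: Optional[str]   # only O23 lines carry a vendor field
    path: str               # executable path with arguments stripped

# Lines copied from the HijackThis log in the post above.
PAGE_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [VistaBatterySaver] C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\Object Desktop\ObjectDock\ObjectDock.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
"""
# Constructed line (not in the post) so the path check has something to report.
CONSTRUCTED_LINE = r"O4 - HKCU\..\Run: [example] C:\Users\Example\AppData\Local\Temp\example.exe"

RUN_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd|scr))(?=\s|$)", re.I)
# Assumption: installed software on this machine lives under these roots.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

def image_path(cmd: str) -> str:
    """Return the executable path from a command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)          # unquoted paths may contain spaces
    return m.group(1) if m else cmd

def parse_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O23 line; return None for any other line."""
    line = line.strip()
    m = RUN_RE.match(line) or LNK_RE.match(line)
    if m:
        return Entry("O4", m["loc"], m["name"], None, image_path(m["cmd"]))
    prefix = "O23 - Service: "
    if line.startswith(prefix):
        # Split from the right: display names may themselves contain " - ".
        parts = line[len(prefix):].rsplit(" - ", 2)
        if len(parts) == 3:
            return Entry("O23", "Service", parts[0], parts[1], image_path(parts[2]))
    return None

def review_reasons(entry: Entry) -> List[str]:
    """Reasons an entry deserves a manual look (heuristics, not detections)."""
    reasons = []
    path = entry.path.lower().replace("%programfiles%", "c:\\program files")
    if not path.startswith(TRUSTED_ROOTS):
        reasons.append("runs from outside Program Files/Windows")
    if entry.vendor == "Unknown owner":
        reasons.append("service vendor reported as 'Unknown owner'")
    return reasons

def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (entry name, reasons) for every parsed entry with at least one reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and review_reasons(entry):
            flagged.append((entry.name, review_reasons(entry)))
    return flagged

if __name__ == "__main__":
    for name, reasons in triage(PAGE_LINES + CONSTRUCTED_LINE):
        print(f"{name}: {'; '.join(reasons)}")
```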

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: 3 Viruses Found
« Reply #1 on: October 20, 2010, 09:36:54 PM »
Unblock MBAM as it needs to run to complete its work

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Raylene

  • Guest
Re: 3 Viruses Found
« Reply #2 on: October 20, 2010, 11:02:29 PM »
Wow and I thought I have problems: I am very new here and below is what my avast home edition 4.8 has in my virus chest. I would like to ask if I may delete them from my virus chest? All but two of them have been there a few weeks. No problems with my computer that I can tell. Thank you!

Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\WINDOWS\TEMP\_avast4_\unp129922682.tmp
FileID: 0000000004  Original file name: c:\WINDOWS\Temporary Internet Files\Content.IE5\856Z4LY3\107ae10e9febf2099803a7743ecdaa8c766a3009011[1].js  New folder: C:\WINDOWS\TEMP\_avast4_\unp129922682.tmp\4.js

Scan files in the temporary folder: C:\WINDOWS\TEMP\_avast4_\unp129922682.tmp
C:\WINDOWS\TEMP\_avast4_\unp129922682.tmp\4.js  JS:FakeAV-EJ [Trj]
------------------------------------------------------------------------------------------
Action was completed successfully!


Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\WINDOWS\TEMP\_avast4_\unp204220377.tmp
FileID: 0000000007  Original file name: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\85INGPQR\4MENU[1].HTM  New folder: C:\WINDOWS\TEMP\_avast4_\unp204220377.tmp\7.HTM

Scan files in the temporary folder: C:\WINDOWS\TEMP\_avast4_\unp204220377.tmp
C:\WINDOWS\TEMP\_avast4_\unp204220377.tmp\7.HTM  HTML:Iframe-inf
------------------------------------------------------------------------------------------
Action was completed successfully!

Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\WINDOWS\TEMP\_avast4_\unp38075730.tmp
FileID: 0000000009  Original file name: c:\WINDOWS\Temporary Internet Files\Content.IE5\4LWJSZWJ\example_form[1].htm  New folder: C:\WINDOWS\TEMP\_avast4_\unp38075730.tmp\9.htm

Scan files in the temporary folder: C:\WINDOWS\TEMP\_avast4_\unp38075730.tmp
C:\WINDOWS\TEMP\_avast4_\unp38075730.tmp\9.htm  JS:ScriptIP-inf [Trj]
------------------------------------------------------------------------------------------
Action was completed successfully!

Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\WINDOWS\TEMP\_avast4_\unp239879747.tmp
FileID: 0000000005  Original file name: c:\WINDOWS\Temporary Internet Files\Content.IE5\E3QLQX0X\listfile[1].js  New folder: C:\WINDOWS\TEMP\_avast4_\unp239879747.tmp\5.js

Scan files in the temporary folder: C:\WINDOWS\TEMP\_avast4_\unp239879747.tmp
C:\WINDOWS\TEMP\_avast4_\unp239879747.tmp\5.js  JS:FakeAV-FF [Trj]
------------------------------------------------------------------------------------------
Action was completed successfully!
Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\WINDOWS\TEMP\_avast4_\unp206814036.tmp
FileID: 0000000008  Original file name: c:\Program Files\AOL 9.0\download\scanner.exe  New folder: C:\WINDOWS\TEMP\_avast4_\unp206814036.tmp\8.exe

Scan files in the temporary folder: C:\WINDOWS\TEMP\_avast4_\unp206814036.tmp
C:\WINDOWS\TEMP\_avast4_\unp206814036.tmp\8.exe  Win32:Trojan-gen
------------------------------------------------------------------------------------------
Action was completed successfully!

Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\WINDOWS\TEMP\_avast4_\unp214935725.tmp
FileID: 0000000006  Original file name: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\JVF3RC55\SCANNER10[1].HTM  New folder: C:\WINDOWS\TEMP\_avast4_\unp214935725.tmp\6.HTM

Scan files in the temporary folder: C:\WINDOWS\TEMP\_avast4_\unp214935725.tmp
C:\WINDOWS\TEMP\_avast4_\unp214935725.tmp\6.HTM  JS:FakeAV-DO [Trj]
------------------------------------------------------------------------------------------
Action was completed successfully!


ekitchens

  • Guest
Re: 3 Viruses Found
« Reply #3 on: October 21, 2010, 02:52:18 AM »
Hi essexboy,

Thank you for the reply and the instructions. I ran TDSSKiller and it found no infections or suspicious files.

I've attached the report it gave as a .txt. The forum says the report exceeds the maximum character count so if there's another way I should post it, please let me know!

Thanks in advance for your help.


SafeSurf

  • Guest
Re: 3 Viruses Found
« Reply #4 on: October 21, 2010, 03:22:21 AM »
@ Raylene,

It appears that the files you had in the Virus Chest (VC) you re-scanned.  Did they come out clean this time? 

1. Since they are temp. Internet files, you can delete them but you need a cleaner like CCleaner, a freeware system optimization, privacy and cleaning tool.  There is a Slim version available as well at http://www.piriform.com/ccleaner/builds - 4th option down.  It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space.  It also cleans traces of your online activities such as your Internet history.  Additionally it contains a fully featured registry cleaner (I suggest making a registry back up in My Documents as a "just in case"). 

2. After cleaning with CCleaner, then run TFC, especially since your temp. Internet files were IE related.  Download TFC by OldTimer to your desktop.

http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
·   Please double-click TFC.exe to run it.  (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
·   It will close all programs when running, so make sure you have saved all your work before you begin.
·   Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
·   Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

3. I noticed that these temp. Internet files are from IE5, which is obsolete.  You really should update to IE8 (and soon IE9 if you have Vista or higher OS).

4. In addition, you are still using Avast 4.0 and 5.0.677 has been out for almost a year.  Version 4.0 support will be discontinued at end of this year, so you should consider upgrading to the new version (5.0.677).  Avast 5.1 will be released soon, so you should familiarize yourself with version 5.0 first.

5. Also check to see if your MS Updates are current as there have been many upgrades recently.

6. If you have other outdated software, an easy way to find out is with a free scan of Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/.  This site will give you the direct vendor's link for easy patch fixes.  Many of us here scan our systems weekly since software is changing so quickly.

By having outdated software, this allows for huge security holes and ways for malware to enter your machine.  You are very lucky that this is all that happened to you, but you never know what will happen next time.

Let me know if you have any questions so that I can help you secure your system better.  Thank you.  :)

Raylene

  • Guest
Re: 3 Viruses Found
« Reply #5 on: October 21, 2010, 04:00:12 AM »
Thank you and as far as coming out clean? I suppose they did. I scanned them again within the chest and two of them would not repair and none of them showed any access to any path. They remain in the VC as we speak. My computer seems to be running optimum and so I may try and delete the things in VC other than the two most recent ones and I will leave them there for a few weeks. I am very good at finding and fixing viruses within the human body but I really am bad with programs like Avast and other anti virus software. Thing is more than 99% of my time is spent with programs to repair human parts. I have a few newer computers but I reserve those for my work. This one is oldest and I tend to play on it out of boredom sometime.

I have just recently come outside the box and began to be a little social on computers. Of course I have been over at myspace for a few years but old Tom makes it really difficult for members these days. Seems the things I pick up I am either on google, myspace (what I like to call tomsloserspace....LOL)  or surfing other places on the web. It's all true I run 4.8 Avast and I recently downloaded the slim CCleaner you speak of. I ran it and it did indeed free up much space for me. I guess I am just scared of deleting something that may cause this old trusty box to go into a crash...lol The old man downstairs really gets irate when we do something silly to crash our machines. I am up to date with everything I can be as far as running an older computer. I allow Avast to update at every log on.

I will attempt the other things you suggest but I already know I cannot download the Malwarebytes program as I tried already. Much love and light my friend for all the info you responded with.....Raylene

SafeSurf

  • Guest
Re: 3 Viruses Found
« Reply #6 on: October 21, 2010, 04:18:01 AM »
To rescan what is in the VC, right click each item and it will give you the option to rescan it.  Make sure your virus definitions are up to date first.  If the rescan comes out clean, then you can safely delete all these items since they are temp. Internet files...junk.  Then run the CCleaner and TFC...both of them in this case.

BTW, since you are in the field you are in, don't be afraid to use CCleaner.  It used to be called Cr*p Cleaner...so it gets rid of waste on your machine if you know what I mean. ;D  Plus, it helps protect your privacy too.

I appreciate you getting out more on the Internet, but make sure your browser is well protected and you surf safely.  That is why you really need to update it.  IE6 is very dangerous right now.  Secunia will help you with your patches and make things easy for you.

Raylene

  • Guest
Re: 3 Viruses Found
« Reply #7 on: October 21, 2010, 07:15:22 AM »
You are most kind and I appreciate this. Yes I need to update lots of my older equipment. However on this machine I run Win Me and IE6 with SPC1 I believe it's called. I have all the latest updates from Micro and windows that this old timer can have. I need to retire it but I need it at least through the rest of this year. Speaking of old timer I downloaded that program you suggested but after download it informed me it was not compatible. Story of my life it seems. I am Italian and I am used to being denied access....LOL

My Avast definitions are all up to date and I will do as you suggest. I do however have an old version of McAfee on this computer and I was wondering if I go to their site and get their removal tool will it spoil anything in my Avast to where I will need to reinstall Avast? I apologise for being so unsavvy regarding these things. Thank you for holding my hand. Love and light my friend.....BTW My real name is Savannah and I will check out your Secunia....:-)




Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37643
  • F-Secure user
Re: 3 Viruses Found
« Reply #8 on: October 21, 2010, 07:56:06 AM »
Quote
I do however have an old version of McAfee on this computer
You should absolutely remove the old McAfee, and you can find a removal tool here: http://uninstallers.blogspot.com/

SafeSurf

  • Guest
Re: 3 Viruses Found
« Reply #9 on: October 21, 2010, 09:29:25 AM »
I agree with Pondus's post.  Here is additional information for uninstalling McAfee since you should not have 2 antivirus software on your machine as this may cause problems and conflicts:

This article provides the steps to remove McAfee from the Security Center from your computer:
http://ts.mcafeehelp.com/faq3.asp?docid=71525

Also for direct download: http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe

Reboot after you remove McAfee.

Thank you for your kind words.  :)  Please let me know if you have any additional questions.  Thank you.

ekitchens

  • Guest
Re: 3 Viruses Found
« Reply #10 on: October 21, 2010, 03:44:21 PM »
Hi,

I'm the OP. Can anyone tell me if the info I posted shows my system is clean now?

(I posted a TDSSKiller report plus my HJT log.)

Thanks so much!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37643
  • F-Secure user
Re: 3 Viruses Found
« Reply #11 on: October 21, 2010, 04:24:38 PM »
Quote
I'm the OP. Can anyone tell me if the info I posted shows my system is clean now?
Essexboy will look at your log when he enters the forum, late UK time

You have saved the TDSS log as UNICODE so it is not readable, looks like Chinese.......save it as ANSI

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: 3 Viruses Found
« Reply #12 on: October 21, 2010, 08:48:53 PM »
Hi there back again  @ekitchens  - I was able to decode the necessary parts of the TDSSKiller log ;D

Let's do a final sweep for anything that is hidden

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Evnt - EventViewer Logs (Last 10 Errors)
    • File - Lop Check
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Raylene

  • Guest
Re: 3 Viruses Found
« Reply #13 on: October 21, 2010, 09:15:40 PM »
My hat is off to all you helpful people. I have just come online a short while and I will go and uninstall the McAfee. It was on this machine when it was issued to me. I don't seem to be having any critical issues or yet I may say. I have however noticed that at every start up I see this black screen that says please wait while windows updates your configuration files. I don't appear to have any problems loading after that message. Seems I was not getting that message until I downloaded and installed the CCleaner? Or so I think.

Thank you again for all your support. I am amazed at all the help being offered to people and without a price tag attached. I also admire the way my questions have been approached here. I simply mean that so many people have not jumped at the chance to beat a horse to death as this tends to somewhat confuse people. Love and light my friends. Many smiles and thanks. I'm going now to attempt to remove the McAfee anti virus program..........:-)) Savannah (my real name)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37643
  • F-Secure user
Re: 3 Viruses Found
« Reply #14 on: October 21, 2010, 09:22:56 PM »
Here you can read about what can happen if running two AV

See the reply from quietman7
http://www.bleepingcomputer.com/forums/topic260844.html/page__view__findpost__p__1441638