no dial up sound and virus removal from chest?

[mc61]

You'll have to excuse me as I'm a bit of a novice in these matters !

Since I installed Avast 4 home edition and ran the virus scanner.I moved the infected files (as they would not repair ?) to the chest.

When I now connect to the internet ,there is no dial up sound ? Also what do I do with the infected filed in the chest ? Quite alot.

Help appreciated...please keep it simple !!  Cheers.

[Gene Johnson]

mc61; welcome to the avast forum. Glad to have you aboard. Once the files are in the chest they can no longer affect your computer. They are perfectly safe there. If your sound stopped after you did a scan, that would indicate that one of the files you placed in the chest was related to your sound card. Give us more details about your system (ie: OS) and look in the chest to see if one of the files appears to be related to your sound card. One of our more technical guys will probably be along shortly with a more technical answer.

[DavidR]

Hi mc61, welcome to the forums.

I could be that you have moved an infected system file to the chest in which case you could experience a problem, this is however, guesswork.

Please Help us to Help you In order to help fully we need more information....
   - What OS are you using? is it up to date?
   - What email program are you using - if applicable?
   - avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
   - What was the virus name, what was the filename, where was it found
     example (C:\windows\system32\infected-filename.xxx)?
   - What actions have you taken to try and resolve the problem?
Also see this thread for further information and advice User's FAQ.

It is also possible that (again guesswork) the warning could have been a false positive. To check confirm or deny check out the suspect file at: Jotti - Multi engine on-line virus scanner www.virusscan.jotti.dhs.org if any other scanners here detect them it is less likely to be a false positive.

Get back to us with more info, especially the infor required to help you and the result of the Jotti Scan.

HTH David

[mc61]

Hi thanks for your help.

I am using windows xp.

They're are over a hundred infected files in there.

one example....c:\system volume information\_restore....win32trojan_ge

As I said, I'm a real novice !

[whocares]

Hi,

- please disable system RESTORE & reboot
(how-to: see "VirusRemoval"-link below in my sig)
- click here:
http://www.tomcoyote.org/hjt/
and follow the instructions how to make/post a hijackthis-Log here (just the log, not the startup-list)

 

[DavidR]

Do as whocares suggests, this will help us to help you further.

Just in case - Win XP-ME - How to disable System Restore

After a short period if your system is running correctly you can remove (delete) files from the chest, however, they are doing no harm there and it is safer not to delete too quickly, just in case.

David

[mc61]

Sorry about this...how do I copy and paste the files from the chest ! ?

Have patience ! I also have spybot,do I need to do anything with that ?

[mc61]

Is it ok to click on  hijack this before I disable system restore ?

[whocares]

yes, that's ok ...
disabling RESTORE is necessary only afterwards, when we have decided on the steps necessary to fully clean your PC

I'd suggest you leave the files in the chest alone for the moment..



 

[mc61]

Hi..I've clicked on Hijack this....

Logfile of HijackThis v1.98.2
Scan saved at 17:31:07, on 24/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\run32smss32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pete\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcfc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\System32\nihiy.dll
O2 - BHO: (no name) - {4399242A-D9B8-4AED-9588-EBEEF53475A7} - C:\WINDOWS\System32\piruzuk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [smss32] C:\WINDOWS\System32\run32smss32.exe
O4 - HKLM\..\Run: [hostspool] C:\WINDOWS\System32\host32data.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [lwozehzc] C:\WINDOWS\System32\mqztjt.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [ktulid] C:\WINDOWS\ktulid.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskMon] C:\DOCUME~1\Pete\LOCALS~1\Temp\taskmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [sysspoolexpolrer] C:\WINDOWS\System32\host32data.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [runcrypt] C:\WINDOWS\System32\run32smss32.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm179
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://www.xzoomy.com/media/new/7k41.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.ntsearch.com/popengine/POP.CHM::/sp.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C02D395-7C67-4E4B-8C75-0538A712CF39}: NameServer = 194.168.4.100 194.168.8.100

[whocares]

Oh Jeez...

[mc61]

Is it bad ?  

[whocares]

your system has loads of nasties and is compromised:
Setting up from scratch would be best, more secure and faster than cleaning/repairing
->
If it's somehow possible for you, I'd advise
- data backup
- Format C:
- Windowsreinstall (WITHOUT!!  going online or behind firewall)
- Apply Windows XP-ServicePack2 OFFLINE
- securing your system better

 

To help you decide, here's an anlysis of the LOG:
http://hijackthis.de/logfiles/0d72307b76583fde40324a701e711c68.html

-> All red items are BAD, and most of the yellow ones too

didn't you have any protection/AV before installing avast.. ?

[whocares]

P.S.: if you dont want to/can't format, then please come back here before fixing anything !!!

[mc61]

Sorry, my norton subscription ran out. I have spybot...What should I do now, I haven't got a clue !