Help Please. I think I'm infected!

Dear folks,

First, Thank You for the site and the work you all do.

Here's the way my problem started....

I downloaded the newest AVG Free Antivirus (v.7.5) and installed it over my previous version (v.7.1) by using the "Repair Installation" option. When I restarted my laptop I got 2 errors when AVG tried to start. Those errors were "avgcc.exe: application error. Application failed to initiate (0xc0000005)" and "avgwb.dat: application error. Application failed to initiate (0xc0000005)". I uninstalled a couple of times and did a fresh download, all with the same result. After searching the error at AVG (no real help) and a Google search on the error I found this site. After reading in the forums here I figured I was infected. I followed the instructions in the sticky thread about what to do before posting. Some things were found, but when I got to the section on downloading an antivirus program I tried to re-install AVG Free. Got the same error(s) as above. I then tried Avast!. It installed fine and ran its first scan on re-booting successfully (finding 3 threats and moving them to "Chest"), but it gave the same errors as AVG after Windows XP started.

I'm using Windows XP Pro, SP2 on an IBM R31 with 1 GB of RAM and 80 GB HD. I'm not sure if it is proper protocol or not, but here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:52:58 AM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\ME\Application Data\Mozilla\Profiles\default\nqlebtx9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ME\Application Data\Mozilla\Profiles\default\nqlebtx9.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [\\FRANKM_DR\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P38 "\\FRANKM_DR\EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161834983977
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you very much for looking & any help,
Frank Mann
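As an added illustration of how a helper reads a log like the one above (this is not code from the thread, from HijackThis or from any of the tools named here), the Python below parses the HijackThis v1.99.1 format, separates the running-process list from the numbered entries, and flags the items a reviewer checks first: references to files that are missing, autostarts given without a directory, configured autostarts whose program does not appear in the process list, and services with no company name. The sample log is constructed from a handful of lines taken from the logs in this thread; the flags are review prompts, not verdicts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v1.99.1 format, modelled on the log
# quoted above (a few of its lines plus the AVG7_CC line from the later log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:52:58 AM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code such as R0, N3, O4 or O23.
ENTRY_RE = re.compile(r"^([RFN]\d|O\d+) - (.*)$")
# Program path at the start of an O4 target, quoted or not, up to the extension.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|dll|scr|bat|cmd))"?', re.IGNORECASE)

# Review reasons (used as constants so callers can count them).
FILE_MISSING = "referenced file is missing (leftover of a removed component)"
NO_PATH = "no directory given; Windows locates it by search path, confirm which file runs"
NOT_RUNNING = "autostart is configured but the program is not in the process list"
UNRESOLVED = "shortcut target could not be resolved"
UNKNOWN_OWNER = "service binary carries no company name; verify its publisher"


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O4" or "O23"
    detail: str   # text after the "O4 - " prefix


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append(Entry(m.group(1), m.group(2)))
    return log


def o4_target(detail):
    """Return the program an O4 autostart launches, without quotes or switches."""
    if "] " in detail:                  # Run-key form: [name] target [switches]
        rest = detail.split("] ", 1)[1]
    elif " = " in detail:               # Global Startup form: name.lnk = target
        rest = detail.split(" = ", 1)[1]
    else:
        rest = detail
    m = EXE_RE.match(rest)
    return m.group(1) if m else rest.split(" ", 1)[0]


def triage(log):
    """Return (section, reason, detail) notes a reviewer would look at first."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in log.processes}
    notes = []
    for e in log.entries:
        d = e.detail
        if "(file missing)" in d:
            notes.append((e.section, FILE_MISSING, d))
        if e.section == "O4":
            target = o4_target(d)
            if target == "?":
                notes.append((e.section, UNRESOLVED, d))
                continue
            # Drive letter, UNC path or %variable% count as an explicit location.
            if not re.match(r"^([A-Za-z]:\\|\\\\|%)", target):
                notes.append((e.section, NO_PATH, d))
            if target.rsplit("\\", 1)[-1].lower() not in running:
                notes.append((e.section, NOT_RUNNING, d))
        elif e.section == "O23" and " - Unknown owner - " in d:
            notes.append((e.section, UNKNOWN_OWNER, d))
    return notes


if __name__ == "__main__":
    for section, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {detail}")
```

On the sample the AVG7_CC entry is reported as configured but not running, which is exactly the symptom described in the post: the autostart is present but avgcc.exe fails before it shows up in the process list.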

Comments

  • TroganTrogan London, UK
    edited February 2007
    Hello Frank and sorry for the delay.

    The problem may not be malware related. I do not see any signs of infection in your HijackThis log. This may well be a hardware problem, perhaps a memory issue, but let's run a few scans to see what they reveal.


    1. Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

    Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

    You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

    DON'T choose Rename if something was found!

    Post the contents of the fsbl.xxxx.log to here (blacklight log from your desktop)


    2. Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under select a target to scan, select My Computer.
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
    • Save the file to your desktop.

        Please post the Kaspersky log, along with the Blacklight log and a new HijackThis log.
      • edited February 2007
        Trogan,


        Thank you for your reply. You are right, the on-line scanners DO take a while!


        No problem with the delayed response. I am not sure I am infected. However, when I ran the tests and scans recommended in the sticky thread “Read before you post.....” I found some references to two WIN32 downloaders. I was able to find some info on one of them, but not the other.


        Re: my initial problem of running AVG and avast! Anti-virus software, I think I found the problem, if there is no interfering malware. As I was looking through my registry I saw some references to Symantec and Norton. I know AVG and Norton do not mix well together. I'm not sure how the Norton stuff got on my system, but I plan to delete those references and see if AVG will then run.


        The things I saw in the previously mentioned tests were as follows:


        PandaVision ActiveScan


        Incident Status Location


        Virus:W32/Nurech.A.worm Disinfected C:\Documents and Settings\ME\Application Data\Mozilla\Profiles\default\nqlebtx9.slt\Mail\localhost\Inbox[postcard.exe]
        Virus:W32/Nurech.A.worm Disinfected C:\Documents and Settings\ME\Application Data\Mozilla\Profiles\default\nqlebtx9.slt\Mail\localhost\Inbox[Flash Postcard.exe]
        Adware:adware/exact.bargainbuddy Not disinfected C:\WINDOWS\launcher.exe




        avast! Boot scan results
        02/20/2007 04:06
        Scan of all local drives
        File C:\Program Files\Netscape\Netscape Browser\defaults\safetynet\updateLists.exe\[UPX] is infected by Win32:Agent-EBU [Trj], Repair: Error 42060 {The file was not repaired.}, Moved to chest
        File C:\System Volume Information\_restore{0AA3E1EB-C079-40B6-A26F-E4A37AC4AA78}\RP239\A0017393.exe\[UPX] is infected by Win32:Agent-EBU [Trj], Repair: Error 42060 {The file was not repaired.}, Moved to chest
        File C:\WINDOWS\system32\ActiveScan\pskavs.dll is infected by Win32:CTX, Repair: Error 42060 {The file was not repaired.}, Moved to chest


        Number of searched folders: 3996
        Number of tested files: 51575
        Number of infected files: 3


        The scans and tests you requested to see follow:


        fsbl-20070226071514.log
        02/26/07 02:15:14 [Info]: BlackLight Engine 1.0.55 initialized
        02/26/07 02:15:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
        02/26/07 02:15:14 [Note]: 7019 4
        02/26/07 02:15:14 [Note]: 7005 0
        02/26/07 02:15:29 [Note]: 7006 0
        02/26/07 02:15:29 [Note]: 7011 3300
        02/26/07 02:15:30 [Note]: 7026 0
        02/26/07 02:15:30 [Note]: 7026 0
        02/26/07 02:15:38 [Note]: FSRAW library version 1.7.1021
        02/26/07 02:31:44 [Note]: 7007 0




        KASPERSKY ONLINE SCANNER REPORT
        Tuesday, February 27, 2007 2:13:04 AM
        Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
        Kaspersky Online Scanner version: 5.0.83.0
        Kaspersky Anti-Virus database last update: 26/02/2007
        Kaspersky Anti-Virus database records: 273398


        Scan Settings:
        Scan using the following antivirus database: extended
        Scan Archives: true
        Scan Mail Bases: true


        Scan Target - My Computer:
        C:\
         D:\


        Scan Statistics:
        Total number of scanned objects: 51084
        Number of viruses found: 13
        Number of infected objects: 23 / 0
        Number of suspicious objects: 0
         Duration of the scan process: 21:51:15


        Infected Object Name / Virus Name / Last Action
        C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
        C:\Documents and Settings\ME\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\ME\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\ME\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\ME\Local Settings\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\ME\Local Settings\History\History.IE5\MSHist012007022620070227\index.dat Object is locked skipped
        C:\Documents and Settings\ME\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\ME\ntuser.dat Object is locked skipped
        C:\Documents and Settings\ME\ntuser.dat.LOG Object is locked skipped
        C:\Documents and Settings\ME\UserData\index.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Asterisks Password/AriskKey/ariskkey.exe/data0002 Infected: not-a-virus:PSWTool.Win32.Aster.55 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Asterisks Password/AriskKey/ariskkey.exe/data0003 Infected: not-a-virus:PSWTool.Win32.Aster.55 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Asterisks Password/AriskKey/ariskkey.exe Infected: not-a-virus:PSWTool.Win32.Aster.55 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Asterisks Password/Asterisks Password/asterwin.exe Infected: not-a-virus:PSWTool.Win32.AsterWin.a skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Dial-up Password/dialupass.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Email Password/mailpv.exe Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Instant Messenger Password/mspass.exe Infected: not-a-virus:PSWTool.Win32.Messen.104 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe/data0006 Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.105 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe/data0007 Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.104 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Key Logger/Home Key Logger/HomeKeyLogger.exe Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.104 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe/ci-temp1.cab/WinSystems.exe Infected: Trojan-Spy.Win32.Agent.bk skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe/ci-temp1.cab Infected: Trojan-Spy.Win32.Agent.bk skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe/ci-temp2.cab/pl.dll Infected: Trojan-Spy.Win32.Agent.bk skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe/ci-temp2.cab Infected: Trojan-Spy.Win32.Agent.bk skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Key Logger/Professional Key Logger/CaptainMnemo.exe Infected: Trojan-Spy.Win32.Agent.bk skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Netscape Password/Netscapass.exe Infected: not-a-virus:PSWTool.Win32.NetScaPass.a skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Network Password/netpass.exe Infected: not-a-virus:PSWTool.Win32.NetPass.b skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Password Management & Recovery/Password Recovery/Protected Storage Password/pspv.exe Infected: not-a-virus:PSWTool.Win32.PassView.162 skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Speedup & Optimization/Download Accelerator/FlashGet/FlashGet1.exe/WISE0016.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Speedup & Optimization/Download Accelerator/FlashGet/FlashGet1.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Speedup & Optimization/Download Accelerator/FlashGet/FlashGet1.exe Infected: not-a-virus:AdWare.Win32.Cydoor skipped
        C:\PCbeginner\pcbeginner-full.ISO/WinTool/Speedup & Optimization/System Speedup/Delete stubborn files & folders/copylock/CopyLock.exe Infected: not-a-virus:RiskTool.Win32.Replacer.a skipped
        C:\PCbeginner\pcbeginner-full.ISO ISO image: infected - 22 skipped
        C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\Setup\setup.ini Object is locked skipped
        C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
        C:\System Volume Information\_restore{0AA3E1EB-C079-40B6-A26F-E4A37AC4AA78}\RP242\change.log Object is locked skipped
        C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
        C:\WINDOWS\SchedLgU.Txt Object is locked skipped
        C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
        C:\WINDOWS\Sti_Trace.log Object is locked skipped
        C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
        C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
        C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
        C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\default Object is locked skipped
        C:\WINDOWS\system32\config\default.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SAM Object is locked skipped
        C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\SECURITY Object is locked skipped
        C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
        C:\WINDOWS\system32\config\software Object is locked skipped
        C:\WINDOWS\system32\config\software.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\system Object is locked skipped
        C:\WINDOWS\system32\config\system.LOG Object is locked skipped
        C:\WINDOWS\system32\h323log.txt Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
        C:\WINDOWS\Temp\Perflib_Perfdata_2ec.dat Object is locked skipped
        C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
        C:\WINDOWS\wiadebug.log Object is locked skipped
        C:\WINDOWS\wiaservc.log Object is locked skipped
        C:\WINDOWS\WindowsUpdate.log Object is locked skipped


        Scan process completed.




        Logfile of HijackThis v1.99.1
        Scan saved at 2:20:15 AM, on 2/27/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\System32\ibmpmsvc.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
        C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
        C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
        C:\WINDOWS\system32\E_S00RP1.EXE
        C:\Program Files\Lenovo\System Update\SUService.exe
        C:\WINDOWS\system32\TpKmpSVC.exe
        C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
        C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
        C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
        C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\tp4serv.exe
        C:\WINDOWS\system32\igfxtray.exe
        C:\WINDOWS\system32\hkcmd.exe
        C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
        C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
        C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
        C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
        C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
        C:\WINDOWS\LTSMMSG.exe
        C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
        C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
        C:\Program Files\Hijackthis\HijackThis.exe
        C:\Program Files\Netscape\Netscape\Netscp.exe


        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\ME\Application Data\Mozilla\Profiles\default\nqlebtx9.slt\prefs.js)
        N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ME\Application Data\Mozilla\Profiles\default\nqlebtx9.slt\prefs.js)
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
        O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
        O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
        O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
        O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
        O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
        O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
        O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
        O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
        O4 - HKLM\..\Run: [\\FRANKM_DR\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P38 "\\FRANKM_DR\EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
        O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
        O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
        O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
        O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
        O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG Free\avgw.exe /RUNONCE
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
        O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
        O4 - Global Startup: D-Link AirPlus.lnk = ?
        O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
        O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
        O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
        O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
        O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
        O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161834983977
        O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
        O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
        O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
        O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
        O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
        O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
        O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
        O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
        O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
        O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
        O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
        O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
        O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
        O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
        O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
        O23 - Service: System Update (SUService) - - C:\Program Files\Lenovo\System Update\SUService.exe
        O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
        O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
        O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

        Thank you for helping,
        Frank Mann
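The log above is reviewed by eye in the replies that follow. As an added example that is not part of this thread, here is a small Python triage pass over HijackThis 1.99 "O" entries that flags "(file missing)", a blank or "Unknown owner" service owner, and an unbalanced quote in a service command line (as in the two avast! scanner entries). The regexes, flag names and function names are my own; the sample lines are copied from the posted log.

```python
import re

# Added example (not from the thread). Flags are prompts for a human to look at
# an entry, not a verdict: legitimate services (avast! here) also show "Unknown owner".
ENTRY_RE = re.compile(r"^(?P<kind>O\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<cmd>.*)$")

FLAG_MISSING = "file missing"
FLAG_NO_OWNER = "no/unknown owner"
FLAG_BAD_QUOTE = "unbalanced quote in command"

def parse_line(line):
    """Return (kind, name, cmd, flags) for an O-entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    name, owner, cmd = rest, None, rest          # fallback for kinds not parsed below
    if kind == "O4" and (m4 := O4_RE.match(rest)):            # registry Run entries
        name, cmd = m4.group("name"), m4.group("cmd")
    elif kind == "O23" and (m23 := O23_RE.match(rest)):       # services
        name, owner, cmd = m23.group("name"), m23.group("owner"), m23.group("cmd")
    flags = []
    if "(file missing)" in cmd:
        flags.append(FLAG_MISSING)
    if owner is not None and owner.strip().lower() in ("", "unknown owner"):
        flags.append(FLAG_NO_OWNER)
    if cmd.count('"') % 2 == 1:                  # e.g. ...ashMaiSv.exe" /service
        flags.append(FLAG_BAD_QUOTE)
    return kind, name, cmd, flags

def triage(log_text):
    """Return only the parsed entries that carry at least one flag."""
    parsed = [parse_line(l) for l in log_text.splitlines()]
    return [p for p in parsed if p and p[3]]

# Constructed sample: five lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: System Update (SUService) - - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for kind, name, cmd, flags in triage(SAMPLE_LOG):
        print(f"{kind:4} {name:40} {', '.join(flags)}")
```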
      • Trogan, London, UK
        edited February 2007
        Hi Frank

        The first thing I must stress is that you should NOT be running two or more anti-virus programs. I understand you downloaded avast due to the problems with AVG; however, running both together will not help matters. You need to uninstall one through Add/Remove Programs.

        Secondly, if you suspect Norton entries in your registry, then please download and run the Norton Removal Tool instead of editing/messing with the registry.

        Panda has disinfected the two worms it found.

        The BlackLight log is fine.

        Kaspersky found the pcbeginner-full.ISO file to have plenty of infected files within it. Please delete the file, which I have highlighted in RED:

        C:\PCbeginner\pcbeginner-full.ISO <-- This file

        Also, delete this file:

        C:\WINDOWS\launcher.exe <-- This file

        If you have trouble finding any of the above files, then make sure you can view hidden files and folders:
        • Click Start.
        • Open My Computer.
        • Select the Tools menu and click Folder Options.
        • Select the View Tab.
        • Under the Hidden files and folders heading select Show hidden files and folders.
        • Uncheck the Hide protected operating system files (recommended) option.
        • Click Yes to confirm.
        • Click OK.

        Once that is done, reboot and post a new HijackThis log.
      • Trogan, London, UK
        edited March 2007
        Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

        Infections can change, and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, please start a new topic in the Spyware & Virus Removal Forum.

        If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

        Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
        If you are not the user who started this thread, you must start a new thread instead :)