Hi Everybody, Merry Christmas and Happy Holidays to all.

I’m not to sure where I should be posting this topic so if this is the wrong place I would hope that a Moderator would move it to the right forum.

I have been having some real strange things happening with my PC over the past several months; e.g. >:( odd files appearing on my desktop, the password to the Master or Top level Computer Administrator account being removed and left blank, an Administrative Account being deleted, installation of unauthorized Administrator account… to mention but a few.

All of that worries me because I am the only one with Administrative Privileges on my PC, and to the best of my knowledge I have it locked down so that there is NO remote access allowed.

Now for maybe the past week I have started being logged off\out of my Yahoo messenger account ‘because I logged in at a different location or from a different device’, which needless to say I hadn’t done. I have changed the password to that account three times since that started happening yet the problem persists… It is making me wonder if a Trojan has managed to install a key logger on my machine.

I am running Windows XP Home Edition with SP2 and all updates installed. I use Avast! Home for my anti-virus and as far as I know it is up and running 24-7-365.

Every time that I do a virus scan with Avast! the results come back clean yet when I ran an online virus scan last night with KASPERSKY it showed that I had ten infected files, and said that I had four virus’s ???. Here are the files that it listed as infected.

                         ************************************

Sunday, December 23, 2007 8:22:30 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/12/2007
Kaspersky Anti-Virus database records: 492043

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3166 Infected: not-a-virus:NetTool.Win32.Portscan.c skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3322 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3327 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3366 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3369 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3370 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3567/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3567/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe/file3567 Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\ADMIN\Desktop\ICONS\UBCD4WinV304.exe Inno: infected - 9 skipped

                               ***************************

I’m not sure if this is a false positive on the part of KASPERSKY or if Avast! is actually missing some infected files. :-\

Then I ran the Avast! Virus Cleaner Tool and it didn’t pick up anything at all :D. Here is the log that it generated;

12/23/2007, 8:31:33 PM
Memory scanning started…
No virus body found in memory.
Memory scanning finished (33.2s).

Files scanning started…
C:\WINDOWS\system32\CatRoot2\edb.log… file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb… file could not be scanned!
C:\WINDOWS\system32\drivers\fidbox.dat… file could not be scanned!
C:\WINDOWS\system32\drivers\fidbox.idx… file could not be scanned!
C:\WINDOWS\temp\ZLT0648c.TMP… file could not be scanned!
C:\WINDOWS\temp\ZLT07648.TMP… file could not be scanned!
No virus body found.
Files scanning finished (69496 files, 0 infected, 2026.3s).
Drives scanned: C:

I just downloaded PC Tools Free Anti Virus program and when I started the installation wizard it was quick to tell me that it had detected that I already had Avast! and Trend Micro PC-cillin Internet Security 2007 programs installed on my PC.

Well, I do have Avast! anti virus but I also have AVG 7.5 which, for some reason, the PC tools setup wizard didn’t detect. However, I do not have Trend Micro PC-cillin Internet Security 2007, nor have
I ever had it installed on my machine… well, unless that’s another name for AVG 7.5.

PC Tools AntiVirus just completed its first scan of my system. It reported finding two infected files :o. I placed them in Quarantine. It was actually just one file ‘Microburner.exe’ that was located in two different places on my PC.

I don’t actually think that that program is infected as I’ve had it, and I’ve been using it for well over a year with no ill effects and it has never shown up as having been infected on any previous scans that I’ve done with any virus scanner.

Is there any way that I can get that file into the Avast! Virus chest so that I can send it to Avast! to see if it is infected?

Any help will be greatly appreciated.

Thanks,

Wendy

Hi Wendy,

Installing more than one AV will just ad to your woes: they will conflict and cause system instability.

Go to Start>Control Panel>Add/Remove Programs and remove all but one. (Trend Micro PC-cillin is not the same as AVG 7.5.)

You seem to have Ultimate Boot CD for Windows (UBCD4W) which contains a lot of tools that Kaspersky is suspicious of. These tools can be used for good or ill, but UBCD4W is a legitimate utility, so I suspect they are nothing to worry about.)

I suspect the PCTools detection is a false positive as well.

To check for keyloggers, I’d suggest you scan with some free anti-spyware applications: these can be installed alongside your AV:

AVG Anti-Spyware Free (Requires Win2k/XP)

Ad-Aware Free

Spybot Search & Destroy

SUPERAntiSpyware Free

a-Squared Free

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware- a rare but not unknown event for any malware scanner.

A check for rootkits (hidden malware) would be good too:

Panda Antirootkit

Blacklight

AVG Anti-Rootkit

You can also try some online scans. (Disable avast! while scanning.) These scanners detect and remove malware, but won’t conflict with your installed AV. (Although if you have another AV running while scanning , you may see false detections.)

F-Secure

BitDefender

Panda

Trend Micro Housecall

Good luck!

Hi FreewheelinFrank, Thanks for the reply.

I do have more than one AV program but Avast! is the only one that I let run all the time. I use the others, in safe mode, from time to time because I’m paranoid. They shouldn’t interfere with each other if I use them like that… should they?

You’re right about having UBCD4W on my machine. I kind of figured that might have been the case but I wanted to ask anyway. I have already burned the UBCD4W thingy to a CD, do I still need to keep it on my hard drive too?

I kind of thought that the PCTools thing was a false positive as those suckers don’t give you even one free removal or fix of anything that they list as bad. They just tell you to go buy the working version.

As for scanning for that pesky keylogger goes, I’ve used all of the tools that you listed in your reply, in safe mode and with the plug pulled too, and they haven’t found a darned thing.

Yet my problem persists.

Where ever that sucker is hiding it’s doing a good job of avoiding detection. Here’s something else about that little bugger, it only seems to be getting activated when I open a Microsoft IE Browser.

It actually caught my attention because someone seemed to be logging in on my yahoo messenger account while I was using it. I changed the PW several times, using Firefox, and everything would be OK until I opened an IE and then they would start knocking me off line again.

AND I have been finding any where from one to six instances of iexporer.exe listed as running in Task Manager even though I haven’t been using IE, don’t have any open, and there are none showing in my task tray.

It’s as though someone has remote access to my PC and is opening IE browsers, and making those things run in the background.

You got any ideas as to what might be going on?

Happy New Year Boo!

Wendy

Hi Wendy , Download HJT if you havent already got it and generate a log file then post that log in your next reply.
http://www.trendsecure.com/portal/en-US/threat_analytics/quick_start_guide.php

Yes, they interfere: services, low level drivers… Generally, disable is not enough…

It won’t harm, but you can delete and wait for the new upgrade to download a new iso CD.

Did you try the tools that Frank posted (antitrojan and antirootkit)?

Hi Cloussau, Thanks for the reply.

I just ran HJT and will post the results below in this reply.

Hi Tech, Thanks for the reply.

I have already done just about everything that Frank suggested but I can’t run any of the online scans as all of those things want me to use IE and I want to avoid doing that as I have a sneaky feeling that that is where my problem lies.

Heres my HJT and Start up logs… hope they shed some light on the subject.

Thanks for any help.

Wendy

Logfile of HijackThis v1.99.1
Scan saved at 11:26:28 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRAM FILES\A-SQUARED ANTI-DIALER\a2adguard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=374
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost, 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [a-squared Anti-Dialer] “C:\PROGRAM FILES\A-SQUARED ANTI-DIALER\a2adguard.exe” /d=60
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [Vidalia] “C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe”
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Answers… - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.3.1_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.6.0) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Oops! It wouldn’t all fit in one reply so heres the rest of it.

Wendy

StartupList report, 12/30/2007, 11:32:34 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

• Using default options
  ==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRAM FILES\A-SQUARED ANTI-DIALER\a2adguard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ADMIN\Start Menu\Programs\Startup]
ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
CallWave.lnk = C:\Program Files\CallWave\IAM.exe
Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
WinPatrol = C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
a-squared Anti-Dialer = “C:\PROGRAM FILES\A-SQUARED ANTI-DIALER\a2adguard.exe” /d=60
ZoneAlarm Client = “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Vidalia = “C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe”
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=INI section not found
SCRNSAVE.EXE=INI section not found
drivers=INI section not found

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=Registry value not found

Policies Shell key:

HKCU..\Policies: Shell=Registry value not found
HKLM..\Policies: Shell=Registry value not found

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {089FD14D-132B-48FC-8861-0048AE113215}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

Enumerating Download Program Files:

[{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}]

[{3B0EA9E6-7003-4B38-B398-9B1B6DF439C5}]
CODEBASE = http://download1.answers.com/pub/AnswersSetup.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[CWDL_DownLoadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CWDL_DownLoad.dll
CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

[SABScanProcesses Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sabspx.dll
CODEBASE = http://www.superadblocker.com/activex/sabspx.cab

[Java Plug-in 1.3.1_02]
InProcServer32 = C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

End of report, 7,263 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

On first impression it looks ok but this line worries me
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
and by googling it I found this
http://www.securitystronghold.com/gates/mspy2002.html
which confirms to me that this is a rogue program which im sure would remove that threat and download a couple more for a fee.
You seem to have an abundance of anti spyware programs and I guess with that mindset you were bound to get a bum deal with one sooner or later.

By all means wait for a second opinion as im no expert but this is an obvious one that should have an uninstaller in Add-Remove programs.
There is also a BHO that is bad
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
This might go when MSPY2002 is uninstalled but if it doesnt just tick it and fix it in HJT

And yes more is not better with 2 anti virus

Good luck

Hi Cloussau, Thanks for the reply.

I’m not gonna swear to it right off the bat but I think that → O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ← is a part of a Windows Language pack that I turned on after I had installed my translator. I believe that it is used for for translating Japanese and Chinese. I’ll have to double check on that.

You gave me a good chuckle with this Boo → You seem to have an abundance of anti spyware programs and I guess with that mindset you were bound to get a bum deal with one sooner or later. ← I sure do have a bunch of that stuff don’t I ?

But I doubt seriously that anyone would be getting infected from downloading any of those as those are all programs that I have been instructed to download, over a period of time, by the security professionals on sites like Avast!, CastleCops, BleepingComputers, and GeeksToGo.

They’re all recommended, by the people who work on those sites HJT Log forums, for use in hunting down and killing evil things on my PC AND they were all free too.

You are most likely right about that O2 BHO entry but I’ll leave it till a malware specialist tells me that it’s OK to scrub it.

Thanks,

Wendy

I do have more than one AV program but Avast! is the only one that I let run all the time. I use the others, in safe mode, from time to time because I'm paranoid. They shouldn't interfere with each other if I use them like that... should they?

Both have services which run at startup and may conflict. I’d recommend only having one AV installed.

You're right about having UBCD4W on my machine. I kind of figured that might have been the case but I wanted to ask anyway. I have already burned the UBCD4W thingy to a CD, do I still need to keep it on my hard drive too?

No, you can delete the folder.

You seem to have an abundance of anti spyware programs and I guess with that mindset you were bound to get a bum deal with one sooner or later. <-- I sure do have a bunch of that stuff don't I ?

You don’t have to keep all the anti-spyware programs you installed. Pick and choose and keep one or two you get on with if you like, otherwise remove them if having so many is causing any sort of slow-down.

It's as though someone has remote access to my PC and is opening IE browsers, and making those things run in the background.

I notice you have a server set up on your computer. Is that secured properly in your firewall configuration? Not something I know much about, but if your firewall is not properly configured, it could be allowing outside access to more than you intended.

Here are a couple of “stand-alone” malware scanners you can run without installing anything:

http://www.prevx.com/freescan.asp

http://www.freedrweb.com/cureit/

You can also run Trend Micro Housecall in Firefox.

You could also try overwriting IE6 with IE7: this may fix any problem, and IE7 is more secure anyway.

http://support.microsoft.com/kb/318378

I’d also be tempted to run the online scans, even if it does involve using IE.

Hi FreewheelinFrank, Thanks for the reply.

Sorry for not having replied sooner. First I got rid of AVG, now I have a question about downloading it in the future. Most of the self help web sites that offer free help want you to download AVG…so my question is “when I’m running its install wizard I get a question asking if I want it to run at startup, if I choose ‘No’ will that keep it from interfering with Avast at a later date if I leave it installed?”

Next; I shall do away with the UBCD4W thing.

Next; As for the anti-spyware programs that I have installed, I think I have them all set to be run manually but I shall be rechecking everything and doing away with some of those buggers too.

Next; As for that Apache stuff… I don’t know why it is showing up as I have previously uninstalled it. Now I have even deleted its folder.

Next; I got that prevx CSI thing onto my desktop but I can’t get cureit to do a darned thing other than keep asking me to buy it.

Next; My PC is weird when it comes to IE as I don’t have it listed in my Add\Remove Programs thingy so I don’t know if I want to play around with that or not.

Thanks again for your reply Boo.

Wendy

The self-help web sites just want you to install an anti-virus program: if they think AVG Free is the only free program, then they’re probably not very knowledgeable.

If you want a second opinion, you can scan with multiple online scanners, but I’d only recommend having one AV installed.

If you have burnt the UBCD4W disc, you can delete the folder on your computer: it’s only intended for you to burn a rescue disc, as far as I’m aware.

OK, Apache is gone: you can fix this entry in HijackThis! if you want- just as a clean up exercise.

O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)

Just ignore any invitations to buy DrWeb and just click the ‘scan’ button on CureIT!

I don’t think IE does show up in Add/Remove. Installing IE7 certainly is a good idea because it is much more secure than IE6. It may even clear up some of your problems as described in the link I posted earlier.

Hello,

can somebody tell me how to scan my files without getting the message: files can not be scanned. Password protected.

Please give enough info how to avoid the protection of the passwords and if possible in The dutch lanquage.

Kind regards

Ger

Sorry, not in Dutch

The password protected message you are recieving is valid. It probably comes from scanning another security program’s files or quarantined files. Avast can not open them, avast does not know the “password”.

Check your logs and you will see the path and which files are being referenced.

I will include a screenshot from mine and you will see it’s superantispyware’s files.

avast can’t scan files that are password protected, it doesn’t know the password.
Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn’t know the password or have any way of using it even if it did know it). Do you use any other security based programs?

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can’t be scanned.

Hello potlood, hoe vandaag doet u?

Ik ben verry droevig om te horen dat u een probleh, echter hebt, wanneer u een vraag hebt dat u in dit forum zou willen vragen u verondersteld bent om uw eigen onderwerp te beginnen. U zult betere answere op die manier krijgen, en dat helpt ook om heel wat confussion te vermijden.

Tevreden repost uw vraag in een onderwerp van uw.

[sorry if my Dutch is not so good]

Wendy

Hi FreewheelinFrank, Thanks for the reply.

→ The self-help web sites just want you to install an anti-virus program: if they think AVG Free is the only free program, then they’re probably not very knowledgeable.<-- Oh No! That wasn’t what any of them said, and they advertise Avast! too, that’s how I found Avast!

→ Just ignore any invitations to buy DrWeb and just click the ‘scan’ button on CureIT!<-- Ha, ha! Old Dr. Web has either gotten wise to people doing that or is in need of money because it wouldn’t let me get past the nag screen without clicking on the buy now button, so I just gave up on it.

→ I don’t think IE does show up in Add/Remove<-- Well, according to all of the people that I’ve talked to at self help site try to tell me that I’m looking in the wrong place because IE is supposed to be in the Add\Remove thing.

I don’t remember how I did it but I had tried IE7 about a year ago, couldn’t get along with it and uninstalled it in favor of IE6.

Thanks,

Wendy

I can’t find IE in add remove either. But if you go to system information and click tools, repair internet explorer , you can uninstall the last version you undated to.

Hi oldman, Thanks for the reply.

Do you mean “Start>All Programs>Accessories>System Tools>System Information”? or something else, because that doesn’t get me to anything that has anything about repairing IE, it just gets me to The Help and Support Center.

Thanks,

Wendy