Avast stopped working, virus?

system · 2007-08-24T00:12:26.000Z

I ran toolbarcop and these were the results. I did not see ISTBar but maybe it is there…

n/a
Browser Extension
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Enabled
All Users

Yahoo! Services
Browser Extension
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
C:\Program Files\Yahoo!\Common\yiesrvc.dll
Enabled
All Users

n/a
Browser Extension
{E2E2DD38-D088-4134-82B7-F2BA38496583}
%windir%\Network Diagnostic\xpnetdiag.exe
Enabled
All Users

Messenger
Browser Extension
{FB5F1910-F110-11D2-BB9E-00C04F795683}
C:\Program Files\Messenger\msmsgs.exe
Enabled
All Users

&Address
Toolbar
{01E04581-4EEE-11D0-BFE9-00AA005B4383}
%SystemRoot%\system32\browseui.dll
Enabled
Current User

&Links
Toolbar
{0E5CBF21-D15F-11D0-8301-00AA005B4383}
%SystemRoot%\system32\SHELL32.dll
Enabled
Current User

&Google
Toolbar
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
c:\program files\google\googletoolbar3.dll
Enabled
Current User

(Empty)
Toolbar
{B7D3E479-CC68-42B5-A338-938ECE35F419}
(empty)
Enabled
Current User

&Google
Toolbar
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
c:\program files\google\googletoolbar3.dll
Enabled
All Users

Adobe PDF Reader Link Helper
BHO
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
Enabled
All Users

Yahoo! IE Services Button
BHO
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
C:\Program Files\Yahoo!\Common\yiesrvc.dll
Enabled
All Users

SSVHelper Class
BHO
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Enabled
All Users

Google Toolbar Helper
BHO
{AA58ED58-01DD-4D91-8333-CF10577473F7}
c:\program files\google\googletoolbar3.dll
Enabled
All Users

Google Toolbar Notifier BHO
BHO
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
Enabled
All Users

&D&ownload &with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
Enabled
Current User

&D&ownload all video with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
Enabled
Current User

&D&ownload all with BitComet
Menu Extension

res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
Enabled
Current User

swg
Run - Startup

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Enabled
Current User

ctfmon.exe
Run - Startup

C:\WINDOWS\system32\ctfmon.exe
Enabled
Current User

SunJavaUpdateSched
Run - Startup

“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
Enabled
All Users

SiSUSBRG
Run - Startup

C:\WINDOWS\sisUSBrg.exe
Enabled
All Users

SiS KHooker
Run - Startup

C:\WINDOWS\System32\khooker.exe
Enabled
All Users

Cmaudio
Run - Startup

RunDll32 cmicnfg.cpl,CMICtrlWnd
Enabled
All Users

avast!
Run - Startup

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Enabled
All Users

DavidR · 2007-08-24T00:39:31.000Z

No sign of 1stbar, can’t see anything else there.

system · 2007-08-24T01:17:48.000Z

Mauserme, I am not sure if this means anything but the Bagle virus that I believe started it all is still in my startup (it is inactive though)
I traced it to this folder wintems.exe.vir C:\QooBox\Quarantine\C\Windows\System 32

Can I delete it from my computer all together??

Also, the vsnpstd2.exe is located in C:\Windows and also in

C:\Program Files\GE\98067 MiniCam Pro

I am pretty sure this file is some sort of spyware.

system · 2007-08-24T11:57:30.000Z

DavidR post:150:

No sign of 1stbar, can’t see anything else there.

Me neither.

At this point I’ll go out on a limb and say the tool bar was actually gone before we started, but there are some left over registry entries that are pretty stubborn.

BJS post:151:

Mauserme, I am not sure if this means anything but the Bagle virus that I believe started it all is still in my startup (it is inactive though)
I traced it to this folder wintems.exe.vir C:\QooBox\Quarantine\C\Windows\System 32

Can I delete it from my computer all together??

Also, the vsnpstd2.exe is located in C:\Windows and also in

C:\Program Files\GE\98067 MiniCam Pro

I am pretty sure this file is some sort of spyware.

Qoobox is the ComboFix quarantine. Everything in there is safe - we’ll take care of it later when we clean things up.

Everything I find on vsnpstd2.exe relates it to a USB camera and many sites do seem to think its spyware. But it does give you some configuration options so I wasn’t rushing into removing it. If you don’t care about whatever options these might be we can take of it now. Let me know.

For the time being download AVG Antispyware. Install, update, scan and quarantine anything found. Then post the log.

http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0

How is the computer running?

system · 2007-08-24T14:39:32.000Z

OK, I will run the AVG antispyware when I get back.
As far as the vsnpstd2.exe file, we can get rid of it because we no longer have the camera.

The computer seems to be running fine (minus having no virus protection) now that I am using Firefox.
IE would not let me update security patches (because I could not install Windows Installer)
I am happy with Fierfox but a few things are of concern.

It takes about 2 minutes to get into my C drive folders and about the same amount of time to look at the add/remove programs. They do come up but not instantly like before.

Also, for some reason I cannot shut the PC of via the start button. I either have to put it on standby via the taskbar or shut it of manually.

I am not too concerned about those yet. I would just like to clean my system out and take care of those problems later.

system · 2007-08-26T00:05:57.000Z

Mauserme,
I guess I was meant to take my wifes PC to the shop :-\

Yesterday I was trying to post you a message stating that I could not download the AVG antivirus program (or Panda for that matter) when I was hit by the virus in the forum. It happened pretty quickly, something about spyware, then the screen went black and as I was rebooting, some new icon (it kinda looked like a knight or something) was on my desktop. After that, the computer just started to reboot over and over.
I tried safemode and it still would restart over and over. I did use that bootdisc that Oldman had me make and I could get into some dos commands but that was it.

Everything seemed to be going good and then this happens…kind of discouraging.

Luckily my PC has Avast and caught it (I also run Firefox)…

Lisandro · 2007-08-26T02:01:40.000Z

BJS post:154:

When I was hit by the virus in the forum.

The virus wasn’t on avast forum but at on a redirect iframe. Luckily it was on avast virus database and was stopped. I wish an explanation of which risk have we run into yesterday. I’m not bashing avast, far from this, just trying to learn how to improve security. I also run Firefox like you.

BJS post:154:

Everything seemed to be going good and then this happens…kind of discouraging.

For me it’s encouraging to learn how to get even more protected.

system · 2007-08-26T03:14:38.000Z

BJS post:154:

Mauserme,
I guess I was meant to take my wifes PC to the shop :-\

Sorry to be so long responding. Like many others I was unable to log in. Avant (an IE shell), Opera, Firefox - nothing worked. I could see that DavidR and Tech were logged in but I couldn’t . Maybe they will share their secrets with me.

Anyway, if you are able to boot the machine at all, we need to take a very deep look a things which we can do with a WinPfind log.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]Under Additional Scans click the checkboxes in front of the following items to select them:

Non-Microsoft Only
Reg - BotCheck

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

I would also loke you to run SDFix:

Download SDFIX and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose “Extract All”,
Open the extracted folder and double click “RunThis.bat” to start the script.
Type Y to begin the script.
It may remove Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

system · 2007-08-26T04:53:55.000Z

I can boot to DOS (using the bootdisc) but I cannot get to my desktop in Windows :-\

system · 2007-08-26T13:28:54.000Z

How would you like to proceed?

I mean, our patience with these things is virtually endless around here (even if our abilities have limits). And from my point of view I want to know what’s going on and solve this. But we have to face another re-install of the OS, this time with an XP Home disc. With or without the current problem we would have to do this to get you back to the correct OS.

I just want to make sure you’re OK with this.

oldman960 · 2007-08-26T14:59:16.000Z

I agree with mauserme. Somewhere along the line you have to get back to xp home. Whether here or at a shop. And I too am interested in what is happening. But it’s your call.

system · 2007-08-26T18:53:29.000Z

Ok, I will try to find a copy of XP (home edition) once I find it and upgrade I will post.

Thanks again

system · 2007-08-26T19:46:26.000Z

BJS post:160:

Ok, I will try to find a copy of XP (home edition) once I find it and upgrade I will post.

When you install use the key from the computer case.

After installation see if you find c:\windows\system32\chkdsk.exe If it’s missing copy it from c:\windows\system32\dllcache to c:\windows\system32

Download a fresh copy of ComboFix and scan. Also scan with WinPFind and save the log. Then post those two logs plus a fresh HJT log.

Keep the computer off line as much as possible except to download the tools, post the logs, or get Windows updates.

system · 2007-08-28T21:04:11.000Z

Please don’t run ComboFix yet. I have been advised of a problem that I beleive is not common but we will avoid it all together.

The WinPFind3U log will be best for now.

system · 2007-09-20T10:18:47.000Z

Mauserme,
I did get a copy of XP Home and could get back into my desktop. But I did not want to risk getting a 3rd virus (having no virus protection at all)
so I just made backup disks of my documents and files and then formatted my hard drive. I then did a scan on the disks to make sure they were clean and added them back.

Now that I have reinstalled XP and reformatted my drive, everything is great. Pretty much like a new PC and Avast! is working again. I did learn quite a few things from you and Oldman (some tools such as Erunt, Combofix, F-secure blacklight and toolbar cop) along with a few handy websites (virus total) but hopefully I will not need them again.

I also learned the hard way about the bagle virus. No more downloading scrabble games for me!

Thanks again for all your help…

DavidR · 2007-09-20T12:52:58.000Z

That is what it is all about, learning and to do that mostly you have to make mistakes to truly learn ;D

All the tools for cleaning are great but what you should be trying for is prevention and a back-up and recovery strategy if the dark brown stuff hits the fan, much less painful all round. This topic is also quite long so I don’t recall if these points have been mentioned:

Run applications that connect to the internet under DropMyRights to limit the potential for infection. You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP. Check Bob’s, setup instructions and importantly the dropmyrights.msi file needed as MS have now cleared the original link. http://mysharedfiles.no-ip.org/dropmyrights

A long time ago I purchased some hard disk imaging software and every now and then I got the later versions to work with my updated OS, etc. This software takes an exact copy of your Partitions or Hard Disk and saves the ‘image’ to another location, which could be a second HDD or DVD or to an external storage device. I do this bak-up image weekly as part of my system maintenance.

If you have a serious problem and this would certainly come under that heading (or a crash resulting serious corruption, etc.), then you restore the last back-up image and your problem is resolved. This type of software has hauled my a** out of the fire many times (not virus issues) as to more than compensate from what I paid for the software and I can be up and running in a little over 15 minutes.

oldman960 · 2007-09-20T15:21:35.000Z

Hello BJS

Glad you got it going again. Still haven’t got that disk made, just no time.

system · 2007-09-20T17:59:55.000Z

BJS post:163:

… so I just made backup disks of my documents and files and then formatted my hard drive.

Sorry it had to get to that but its probably the most efficient solution.

As David said, learning is good and I certainly did while working on your thread.

system · 2007-09-20T20:34:22.000Z

David,
I took your advice and now start my browser under “DropMyRights”
I just start my browser (either Firefox or IE) from the icon on my desktop, it flashes for a sec and then it starts.

Thanks for the tip…

I might invest in the image device. A freind also has one and he swears by it.

Thanks again to Mauserme and Oldman and everyone else that chipped in.
The situation was bad, but I actually found I enjoyed some of the things we tried. I like to know how things tick and this was a crash course (sorry about the pun) ;D

DavidR · 2007-09-20T20:56:38.000Z

Your welcome.

You should also consider the same DMR for your email program (or P2P and Instant Messaging if you use them) as that is still a major route of entry.

Announcements