Cannot get rid of virus

Avast reports two trojan horses small blf and helatin. I’ve Moved to chest, scanned all local drives and rebooted but the viruses are found again. I’ve made sure to close all apps and not to launch other apps while scan is in progress. The scan finds the two bad files and they are moved to chest but after reboot they are back. I’ve also tried running the scan in Safe Mode - it does not find any problem files but when I reboot in normal mode, the system infected icon (red circle white cross) shows in the system tray…

I am running Win 2000k Professional, Zonealarm firewall. My Avast stuff is all up to date.

I have new problems with IE 6 - don’t know if they are related. IE6 will not show images (Action cancelled message), will not load a page if I click on its link, and will not go into google.com or yahoo.com. Firefox works fine.

On booting up, when the Windows Logon prompt screen shows there is now a substantial delay before I can enter Password - this is new.

Any help or ideas appreciated.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

Were there recreated in the same location and file name ?

If so you may have other elements to this infection restoring the malware.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. Ewido, a.k.a. avg anti-spyware If using winXP. or a-Squared free if using win98/ME.

Besides using the programs recommended by David, I suggest:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again.

  2. Clean your temporary files. You can use [ur=http://www.stevengould.org/downloads/cleanup/]CleanUp[/url] or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

Thanks for your help. I think I’ve got rid of the problem now. It may be helpful to others what succeeded. First the log showing the problem. I have deleted the times, but these were spread over two days between several reboots/bootscans.

Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.

  1. Closed all apps and ran Ccleaner.exe
  2. Ran Avast full scan
  3. Downloaded and ran a-squared full scan
  4. Downloaded and Reinstalled IE6
  5. Downloaded and Reinstalled IE6 updates/patch
  6. Scheduled Avast boot scan - this again found problem files - selected Move to Chest

Was surprised to find winsock32.dll and kernel.dll in chest.

Have now being running for hours without problem. Fingers crossed

Thanks again

Hi you are infected with malware that will keep returning till it is cleaned totally. I suggest you start a new thread in the Virus section referencing this thread

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Try using Ewido too. Scan your computer with it

Thanks. Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 23:41:48, on 20/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Office97\Office\Osa.exe
C:\Program Files\Microsoft bCentral\PositionAgent\PA.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Visual Studio\Vb98\Vb6.exe
C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\COMMON\TOOLS\VS-ENT98\VMODELER\RVSINTEGRATIONMANAGER.EXE
C:\OFFICE97\OFFICE\MSACCESS.EXE
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Xenu\Xenu.exe
C:\Program Files\FileZilla\FileZilla.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LineOne
N3 - Netscape 7: user_pref(“browser.startup.homepage”, “http://home.netscape.com/bookmark/7_2/home.html”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\met2jg9d.slt\prefs.js)
N3 - Netscape 7: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\met2jg9d.slt\prefs.js)
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM..\Run: [CARPService] carpserv.exe
O4 - HKLM..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005930232519_mcappins.exe /v=3 /cleanup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 “EPSON Stylus D68 Series” /O5 “LPT1:” /M “Stylus D68”
O4 - HKLM..\Run: [EPSON Stylus D68 Series (Copy 2)] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P32 “EPSON Stylus D68 Series (Copy 2)” /O6 “USB001” /M “Stylus D68”
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [a-squared] “C:\Program Files\a-squared Anti-Malware\a2guard.exe”
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Office97\Office\OSA.EXE
O4 - Global Startup: PositionAgent.lnk = C:\Program Files\Microsoft bCentral\PositionAgent\PA.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: Save Web Page - {38102769-5e64-4193-a798-a9e9becc65f2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O17 - HKLM\System\CCS\Services\Tcpip..{8D3A79B9-4F7A-4CC6-A4FA-E7E035EDC95C}: NameServer = 80.58.61.250 80.58.61.254
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Gozilla is likely spyware and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of gozilla.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information.

  • Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html

Tells that Gozilla (C:\Program Files\Go!Zilla) should be removed.

Hi wkenny,

Run HijackThis! again, put a tick next to these items and click ‘Fix’:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005930232519_mcappins.exe /v=3 /cleanup

O4 - HKCU..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe

O16 - DPF: {33331111-1111-1111-1111-615111193427} -

Reboot into Safe Mode and delete the following file:

C:\WINDOWS\system32\regscan.exe

http://www.pchell.com/support/safemode.shtml

You may need to enable ‘View hidden files and folders’.

http://www.bleepingcomputer.com/tutorials/tutorial62.html

Download and run AVG Anti-Spyware free- Don’t neglect to update first:

http://free.grisoft.com/doc/avg-anti-spyware-free/lng/us/tpl/v5

Post a new log so we can check you’re clean.

Good luck!

I’ve deleted entries and files referenced above (regscan.exe and gozilla files were not on the system).
I’ve also installed and run AVG which picked up more problems.

The new log is

Logfile of HijackThis v1.99.1
Scan saved at 14:25:41, on 21/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Office97\Office\Osa.exe
C:\Program Files\Microsoft bCentral\PositionAgent\PA.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LineOne
N3 - Netscape 7: user_pref(“browser.startup.homepage”, “http://home.netscape.com/bookmark/7_2/home.html”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\met2jg9d.slt\prefs.js)
N3 - Netscape 7: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\met2jg9d.slt\prefs.js)
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O1 - Hosts: 62.81.237.170 beta.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM..\Run: [CARPService] carpserv.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 “EPSON Stylus D68 Series” /O5 “LPT1:” /M “Stylus D68”
O4 - HKLM..\Run: [EPSON Stylus D68 Series (Copy 2)] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P32 “EPSON Stylus D68 Series (Copy 2)” /O6 “USB001” /M “Stylus D68”
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [a-squared] “C:\Program Files\a-squared Anti-Malware\a2guard.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Office97\Office\OSA.EXE
O4 - Global Startup: PositionAgent.lnk = C:\Program Files\Microsoft bCentral\PositionAgent\PA.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Save Web Page - {38102769-5e64-4193-a798-a9e9becc65f2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

If these files are in the user files section of the chest, they belong there. Avast made a backup copy of these files and placed them there for safe keeping.

That should read if they are in the System Files they are back-up copies of important system files.

The chest has several sections to it and the only one that should directly concern you is the Infected Files section.

The User Files section is were you, the user puts suspect files undetected by avast for protection as they can do no harm there.

Yes DavidR is correct. Sorry about that :-[

First of all I’d like to thank everybody who has replied to this post. I really appreciate all your input.

I’ve tried all the suggestions and it would appear now as if my system is clean (i.e. if I run Avast or AVG no problems are found). But… my computer is now running so slow its ubelievable … what have I introduced to cause this. I now have two antivirus progs running (Avast an AVG) and also A-Squared and Zone Alarm as my firewall … what should I do?

You have answered your own question. The two avs with conflict with one another. Uninstall one of them.

But.... my computer is now running so slow its ubelievable ... what have I introduced to cause this.

Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.

This could cause conflict as they both fight for control over what AV locks a file prior to scanning it, this could cause the slowing you mention.

Unless you are talking about AVG Anti-Spyware, which isn’t an anti-virus but an anti-spyware program. avast should have detected AVG and may disable elements to try and avoid conflict.

What should you do, uninstall the second AV, AVG anti-virus.

Seems that is AVG antispyware and not the antivirus… Two programs with the same name give this confusion all the time…

Just repartition/reformat dude. If you do this you will be 100% sure that no viruses are in your system. For example, if the trojan installed a rootkit, avast will tell you that you are clean, when in fact you are not clean.

Sorry for the nuclear option to be used for a limited war is an over kill scenario reinstalling windows and all its security patches is no light matter, not to mention you could well be very vulnerable to exploits whilst on-line getting these security updates. Then there are all your programs and the settings you have tweaked and made it work how you want it; email account set-up, etc. etc. not a matter to be taken lightly.

If you were to continually reformat and install windows because your AV doesn’t detect anything you would have a lot of down-time. If you suspect a rootkit then you use rootkit tools, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.

Before pressing the nuclear ‘final’ option you should try the tools which may do the job without the collateral damage.

wkenny,

You would seem to have the trial version of a-Squared with resident protection running, as well as AVG Anti-Spyware with resident protection running.

I suggest you uninstall a-Squared and download a-Squared Free, which doesn’t have resident protection.

http://www.emsisoft.com/en/software/free/

AVG Anti-Spyware will revert to the free version with no resident protection after the 40 day trial. In the meantime you can disable the resident shield from the Status section of AVG Anti-Spyware.

(Of course if you decide to purchase either product, having an anti-Spyware program with resident protection running alongside your AV will be fine as long as your system does not take a performance hit- but as yours is an older OS, I’d suggest just keeping the free versions with on-demand scanning which won’t take up system resources.)

If your system is still slow, you could try swapping ZA for Kerio (now Sunbelt) firewall.

http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/Requirements/

I agree with David that reinstalling the OS is unnecessary. However if you want to check for rootkits, BlackLight will run on Win2K:

http://www.f-secure.com/blacklight/blacklight_help.html#system_requirements