Challenge: Please and Thank You

Hello all,
First of all, I’m not really sure what I’m doing here. My dad asked me to check his computer since it was running slower than usual. I have avast! on my laptop and decided to download it since it works very well for me.
I ran the boot scan and found a lot, and I mean a lot, of trojans. I moved them all to the Chest. It’s been about 24 hours since I did that, and I’ve run several programs between now and then just to make sure things were still running as normally as they had before I moved them. Well, now that I’ve done all that, I am not sure what to do next. I noticed it’s pretty standard to run HijackThis and post a log, so that’s what I did as well.
Any help with trying to clean up this mess would be greatly appreciated.
I’m running Windows XP. I just recently installed Service Pack 3 on it and updated everything (it hadn’t been updated in months), did a disk cleanup, uninstalled AVG (I prefer avast!) and then did the boot scan.
I think that’s everything…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:16 PM, on 4/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=21940
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: (no name) - {61CA0A2E-0607-4646-942B-2310C9C3A439} - C:\WINDOWS\system32\qoMdASJA.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBuSKec.dll (file missing)
O2 - BHO: {e98f65ed-cf85-9a1b-6b14-9da4d7065d77} - {77d5607d-4ad9-41b6-b1a9-58fcde56f89e} - C:\WINDOWS\system32\ahenqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {807B0FEB-2E1E-44EA-A937-77FF112C47FA} - C:\WINDOWS\system32\vtUlIaYP.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230615570203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230615518328
O20 - AppInit_DLLs: ahenqo.dll
O20 - Winlogon Notify: geBuSKec - geBuSKec.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


End of file - 6492 bytes

Rescan of Chest logfile:

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: rxnecsmawo.tmp
FileID: 1
Virus Description: Win32:Trojan-gen {Other}

Virus has been detected!
File Name: A0082336.exe
FileID: 10
Virus Description: Win32:Fasec [trj]

Virus has been detected!
File Name: 13806.exe
FileID: 14
Virus Description: Win32:Trojan-gen {Other}

Virus has been detected!
File Name: 11106.exe
FileID: 15
Virus Description: Win32:Trojan-gen {Other}

Virus has been detected!
File Name: 11128.exe
FileID: 16
Virus Description: Win32:Trojan-gen {Other}

Virus has been detected!
File Name: 1176.exe
FileID: 17
Virus Description: Win32:Trojan-gen {Other}

Virus has been detected!
File Name: 11953.exe
FileID: 18
Virus Description: Win32:Trojan-gen {Other}

Virus has been detected!
File Name: 12025.exe
FileID: 19
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: placeholder-1243426-2551807740[1].htm
FileID: 2
Virus Description: JS:Packed-AT [trj]

Virus has been detected!
File Name: 18691.exe
FileID: 20
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: 3147.exe
FileID: 21
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: 9169.exe
FileID: 22
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: 9203.exe
FileID: 23
Virus Description: Win32:Trojan-gen {Other}

Virus has been detected!
File Name: scan[1].htm
FileID: 24
Virus Description: JS:FakeAV-Q [trj]

Virus has been detected!
File Name: ads[1].htm
FileID: 25
Virus Description: HTML:Iframe-inf

Virus has been detected!
File Name: Acr3C39.tmp
FileID: 26
Virus Description: JS:Pdfka-O [Expl]

Virus has been detected!
File Name: 4.js
FileID: 27
Virus Description: JS:FakeAV-C [trj]

Virus has been detected!
File Name: smain[1].htm
FileID: 3
Virus Description: JS:Packed-AT [trj]

Virus has been detected!
File Name: fileslis[1].js
FileID: 4
Virus Description: JS:FakeAV-C [trj]

Virus has been detected!
File Name: ehoshopping[1].htm
FileID: 5
Virus Description: HTML:Iframe-inf

I suggest:
You clean your temporary internet files.
Keep the viruses in the chest for a few more weeks.
Uninstall and reinstall programs that a virus would want to infect.
Give us the list of programs you have on your PC. (The ones in Program Files; you don’t have to share anything PERSONAL.)
Empty your recycling bin.
Send the viruses to support@avast.com just to be on the safe side.
Download and scan with Malwarebytes’ Anti-Malware Free Edition.
Download and scan with SUPERAntiSpyware Free Edition.
Download and scan with Spybot Search & Destroy Free Edition.
Download HijackThis 2.0.2 and do a system scan with save logfile.

Did you download an anti-virus? If so, which?
Did you use AVG Removal Tool?
Did you have an active firewall? If so, what did it block?
Did this information help you?

Put the Malwarebytes’ Anti-Malware, SUPERAntiSpyware, HijackThis, and Spybot Search & Destroy logs in your next post. Answer the questions in your next post.


Actually, if avast is reporting these viruses, there is no need to send them to avast. They already know about them or they would not be detected. Follow the other advice given by Donovansrb10 after correcting the entries below with HJT.

An analysis of your HJT log shows the following problems :

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend that you use a firewall.

O2 - BHO: (no name) - {61CA0A2E-0607-4646-942B-2310C9C3A439} - C:\WINDOWS\system32\qoMdASJA.dll (file missing)
No information found. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBuSKec.dll (file missing)
Must be fixed! http://www.spyandseek.com/Search.php?search_for=6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C&search=SAS-Search
Unnecessary (deactivated) entry that can be fixed. [random file name] - VirtuMonde/Vundo adware variant, http://www.bleepingcomputer.com/forums/How-to-remove-the-TrojanVundoB-Search42com-MSevents-tx18610-0.html#entry110599

O2 - BHO: {e98f65ed-cf85-9a1b-6b14-9da4d7065d77} - {77d5607d-4ad9-41b6-b1a9-58fcde56f89e} - C:\WINDOWS\system32\ahenqo.dll (file missing)
No information found. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=7E853D72-626A-48EC-A868-BA8D5E23E045&search=SAS-Search

O2 - BHO: (no name) - {807B0FEB-2E1E-44EA-A937-77FF112C47FA} - C:\WINDOWS\system32\vtUlIaYP.dll (file missing)
No information found. Unnecessary (deactivated) entry that can be fixed.

O20 - AppInit_DLLs: ahenqo.dll
No information found. Related to an O2 entry above. This entry should be fixed.

O20 - Winlogon Notify: geBuSKec - geBuSKec.dll (file missing)
Must be fixed. Related to the O2 entry above. Unnecessary (deactivated) entry.

Close all open windows/programs, run HJT again, check the boxes left of the above entries, and then click the “Fix checked” button.
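As an added example (not from this thread, from HijackThis or from the hijackthis.de analyzer), a small Python script that applies the same triage logic as the analysis above: it parses HJT-style entry lines, flags entries whose target file is reported missing, and cross-references DLL names so that an O20 load point (AppInit_DLLs, Winlogon Notify) is tied to the O2 BHO entry that references the same DLL. The sample log is constructed from the entries quoted above plus two benign lines; the function names are mine.

```python
import re
# Constructed sample: the HijackThis entries discussed in the thread above, plus
# two benign O4/O23 lines that the triage must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {61CA0A2E-0607-4646-942B-2310C9C3A439} - C:\WINDOWS\system32\qoMdASJA.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBuSKec.dll (file missing)
O2 - BHO: {e98f65ed-cf85-9a1b-6b14-9da4d7065d77} - {77d5607d-4ad9-41b6-b1a9-58fcde56f89e} - C:\WINDOWS\system32\ahenqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: ahenqo.dll
O20 - Winlogon Notify: geBuSKec - geBuSKec.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")   # "O20 - <body>"
DLL_RE = re.compile(r"([\w~$.-]+\.dll)", re.IGNORECASE)  # bare DLL name, directory stripped
ORPHAN_MARKERS = ("(file missing)", "(no file)")          # HJT's "target does not exist" notes

def parse_entries(log_text):
    """One dict per HJT entry: section code, body, referenced DLL (lower-cased), orphaned flag."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list, blank lines
        section, body = m.groups()
        dll = DLL_RE.search(body)
        entries.append({"section": section, "body": body,
                        "dll": dll.group(1).lower() if dll else None,
                        "orphaned": any(mark in body for mark in ORPHAN_MARKERS)})
    return entries

def triage(log_text):
    """(section, dll-or-body, reason) for each entry the analysis above would tell the user to fix."""
    entries = parse_entries(log_text)
    bho_dlls = {e["dll"] for e in entries if e["section"] == "O2" and e["dll"]}
    findings = []
    for e in entries:
        reasons = []
        if e["orphaned"]:
            reasons.append("orphaned: load point references a file that no longer exists")
        if e["section"] == "O20" and e["dll"] in bho_dlls:
            reasons.append("same DLL as an O2 BHO entry: related load point, fix together")
        if reasons:
            findings.append((e["section"], e["dll"] or e["body"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for section, target, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {target}\n     {reason}")
```

Note that the AppInit_DLLs line carries no "(file missing)" marker, so it is caught only by the cross-reference, which is why a missing-file check alone would leave that load point behind.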


Thank you for your replies.

CharleyO - I corrected the entries as you told me. I have windows firewall in place, and active. It was not active for months before I turned it on.

I’m working on Donovansrb10’s instructions now, but the scans are taking a very long time, as expected. I’ll post the scan logs when I finish all of them.

Program Files:

Adobe Flash player 10 ActiveX
Adobe Reader 8.1.2
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Bonjour
Canon iP2600 series
Canon iP2600 User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Ccleaner
Easy CD Creator 5 Basic
eGames Toolbar
Hijack This 2.0.2
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
Intel(R) Extreme Graphics Driver
iTunes
Malwarebytes’ Anti-Malware
Messenger Plus! Live
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MSXML 6.0 Parser (KB927977)
PIXMA Extended Survey Program
QuickTime
Safari
SoundMAX
Windows Driver Package - Microsoft WPD (8/28/2006 1.0.0.2)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Zune

A good place to find any other software vulnerabilities is http://secunia.com/vulnerability_scanning/online/

It sounds like this computer had all sorts of out of date software on it, so this site will help you find anything else that is still out of date.

I wish you the best in getting this fixed!