Error prevents actions

My first problem in years: I have one Win32 Agent Trojan and five Win32 Adware files that I can’t do anything with because of an error message. First, the error kept them from being put in the chest, then of course, they can’t be repaired, same reason, so please tell me what I should do now? I got rid of the temp files, but the problem is still here.

Start with this, perhaps something will show up. Please post the paths and names of the files detected. This info can be found in the avast warning log. Right click the "a" icon, log viewer, warning button.

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

What is the error message ?
File in use is common and you could get round that by scheduling an avast boot-time scan.

If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

Trojans for the most part can’t be repaired as the complete content of the file is malicious.

These are the results of following Old Man’s directions; (easier than I expected — and thanks!!!) David, has anyone really got a message saying the chest file is busy being used by someone?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:39 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nadine\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://redirect.paviliondownload.com/2.0/connect/EN_US/index.html?VER=0&URL=http://www.yahoo.com/p/hp/us/?http://hp.my.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [lxctmon.exe] “C:\Program Files\Lexmark 5400 Series\lxctmon.exe”
O4 - HKLM..\Run: [Lexmark 5400 Series Fax Server] “C:\Program Files\Lexmark 5400 Series\fm3032.exe” /s
O4 - HKLM..\Run: [EzPrint] “C:\Program Files\Lexmark 5400 Series\ezprint.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - ?p=ZUzed004YYUS_ZZzer000
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186372216812
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 6838 bytes

Not the chest file, but the file you are trying to send to the chest is in use, so you can’t move it to the chest.

Just a couple of things to fix in HJT and some old java that we can take care of.

Go to add/remove programs and uninstall this, if present.

coupons or similar.

Open HJT, run a system scan only, check mark these lines if present

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab

Close all other browsers/windows, click fix, close HJT.

Can you please post the contents of this file? You can attach it, use the additional options button on the reply page.

C:\program files\alwil software\avast4\data\log\warning.log

It will help determine the file detected and perhaps the cause of the error.

Thanks

For your java

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  • Clear the java cache

http://www.java.com/en/download/help/5000020300.xml

For David: The last scan changed from “Error occurred attempting to put in chest” (that’s the best I can remember the words) to Warnings, so that is where I found this. ( to be more accurate, this is after I copied it to notepad, and this is more than I could see in the log file).
And I’m now working on my assignment, Old Man —

3/13/2008 3:50:55 PM 3616 Sign of “Win32:Agent-RVE [trj]” has been found in “C:\System Volume Information\_restore{458D3FDA-1450-4204-9AEE-1231AACE621E}\RP518\A0084409.exe\resource.0000.pkg\RPCInstall_US.dll” file.
3/13/2008 3:52:43 PM 3616 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{458D3FDA-1450-4204-9AEE-1231AACE621E}\RP518\A0084409.exe\resource.0000.pkg\blinksetup.exe[Embedded#06140]$0\blink.exe” file.
3/13/2008 3:52:54 PM 3616 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{458D3FDA-1450-4204-9AEE-1231AACE621E}\RP518\A0084409.exe\resource.0000.pkg\osfreez118.exe[Embedded#01340]$0\onestep.dll” file.
3/13/2008 3:53:04 PM 3616 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{458D3FDA-1450-4204-9AEE-1231AACE621E}\RP518\A0084409.exe\resource.0000.pkg\osfreez118.exe[Embedded#01340]$0\onestep.exe” file.
3/13/2008 3:53:13 PM 3616 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{458D3FDA-1450-4204-9AEE-1231AACE621E}\RP518\A0084409.exe\resource.0000.pkg\osfreez118.exe[Embedded#01340]$0\osopt.exe” file.
3/13/2008 3:53:19 PM 3616 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{458D3FDA-1450-4204-9AEE-1231AACE621E}\RP518\A0084409.exe\resource.0000.pkg\osfreez118.exe[Embedded#01340]$0\uninstall.exe” file.

Pardon, but I have a question; the coupon printer saves me money each week on specific items; is it imperative that I uninstall it? Are there any options that you can suggest to keep it, but safely?

You can keep coupons if you knowingly installed it. It does track some of your internet activity. Most people do not want it. Sorry habit. :wink:

The entries from the warning log are system restore points. This may be because of a new detection added to avast.

These can be cleared and a new restore point created.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Then do a boot-time scan and see if your scan comes out clean.

Sorry, I should have phrased my comments about coupons a bit differently. It is usually classified as adware. When I said tracks your activity, I should have said records your buying habits. I can’t find the link for the exact description, but if you knowingly have it, keep it.

re: detected files.

I found this about blink
http://www.siteadvisor.com/sites/blink.com/downloads/8129274/

Not a whole lot about the other 2
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Agent.hym&threatid=200623

Let me tell you what I did already, and see if your advice still applies. I have a restore point for every day for two weeks on this computer, so I restored to March 1 and ran a scan, but got the same results as I did yesterday, so I had it undo the restore, bringing it back to what it was. Now, does it sound like I need to follow those instructions? I’m thinking that what I did shows that this procedure won’t help ---- if you think I should do it, I will, but I have to call it a night for March 14th — good night, and don’t give up the ship, OK? I appreciate all this!

What that showed is something on your system from the past is being detected. This was something we already knew.

What I suggested would have shown two things

1. If by removing all the old restore points and only having one new one there were no detections in the SR, then the source would no longer be present.
2. If there were still detections in the SR, we could have looked on your system for the file(s).

The files could then have been tested at a multiscanner site such as virustotal. This may have allowed us to determine if the detections are a false positive.

A boot-time scan would have shown if it was being loaded and what the actual file name and location was.

Since you used an old restore point, some of the "infected" files may now be on your system. This sounds more alarming than it is meant to be, so please don’t panic. The detections are adware and we don’t really know what avast is detecting; as mentioned, it could be a false positive.

One thing to keep in mind, SR is not a disk image. Only a portion of the registry and files are backed up. Sometimes, windows will protect the strangest things.

We can still see where the detections are coming from. A full scan or a boot-time scan should find them on your system. Don’t be too concerned about the ones in system restore (System Volume Information), just the others.

I still suggest a scan. A boot-time scan is a bit deeper than just a regular full scan. If nothing else you should be able to determine if it is a false positive.
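As an added illustration of the triage Old Man describes (this is not code from the thread or from avast): a small Python parser that reads warning.log records in the format quoted earlier in the thread, separates hits inside System Volume Information (restore points) from hits on live files, and reports the on-disk container for each live hit so that file can be checked at a multiscanner. The sample log lines, the GUID and the live-file path are constructed for the example.

```python
"""Triage avast warning.log lines: restore-point hits vs. files live on disk."""
import re
from collections import Counter

# One record per line: <date> <time> <pid> Sign of "<sig>" has been found in "<path>" file.
# Straight and curly quotes are both accepted; forum copies often convert them.
_LINE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<pid>\d+)\s+'
    r'Sign of ["\u201c](?P<sig>[^"\u201d]+)["\u201d] has been found in '
    r'["\u201c](?P<path>[^"\u201d]+)["\u201d] file\.$'
)
# A path component that is an archive/container avast unpacked; "[Embedded#...]$N"
# marks a member carved out of an executable's resource section.
_CONTAINER = re.compile(r'\.(exe|dll|cab|zip|pkg|rar)(\[Embedded#[^\]]*\]\$\d+)?$', re.I)

def parse_line(line):
    """Return a dict for one warning.log record, or None if the line is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    on_disk = []
    for part in rec['path'].split('\\'):
        on_disk.append(part.split('[Embedded#')[0])
        if _CONTAINER.search(part):
            break  # everything after this component exists only inside the container
    rec['on_disk'] = '\\'.join(on_disk)
    rec['in_restore_point'] = 'system volume information' in rec['path'].lower()
    return rec

def triage(log_text):
    """Split records into (live, restore): restore-point hits are stale copies, act on live ones."""
    live, restore = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            (restore if rec['in_restore_point'] else live).append(rec)
    return live, restore

# Constructed sample modelled on the thread's log format; the GUID and the live path are made up.
SAMPLE = """\
3/13/2008 3:50:55 PM 3616 Sign of "Win32:Agent-RVE [trj]" has been found in "C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP518\\A0084409.exe\\resource.0000.pkg\\RPCInstall_US.dll" file.
3/13/2008 3:52:43 PM 3616 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP518\\A0084409.exe\\resource.0000.pkg\\blinksetup.exe[Embedded#06140]$0\\blink.exe" file.
3/14/2008 9:01:10 AM 3616 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\\Program Files\\ExampleApp\\setup.exe[Embedded#00010]$0\\helper.dll" file.
not a detection record
"""

if __name__ == '__main__':
    live, restore = triage(SAMPLE)
    print(f"{len(restore)} hit(s) in restore points, {len(live)} on live files")
    for rec in live:
        print("check this file:", rec['on_disk'], "->", rec['sig'])
    print(Counter(r['sig'] for r in live + restore))
```

Point it at the real C:\Program Files\Alwil Software\Avast4\DATA\log\warning.log contents instead of SAMPLE to get the same split for an actual machine.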

OK, bear with me here; I have to admit I have never created a restore point and I need a little help — it says it can’t be changed so be sure I type in the name correctly; what kind of name are we talking about? Will the restore time be the time that I click it? (I really have to wait until tomorrow–I can’t even type any more!)

You can use System Restore Point Creator 1.1 (http://www.softpedia.com/get/Tweak/System-Tweak/System-Restore-Point-Creator.shtml).

Name the restore point anything you want and yes the time of the restore point will be the time you created it.

This morning I’m not quite so dense!
Is there a log somewhere that shows the results of a boot time scan? I did it and nothing happened - does that mean all this was for nothing, or did we fix something? :-\
I kept the coupon entry, and Java is currently loaded to the max and so I have to do that later.

Check the C:\Program Files\Alwil Software\Avast4\DATA\Report\aswboot.txt that gives the boot-time scan stats, open using notepad.

I’m not sure what nothing happened means, you should have seen a blue screen showing a scan was in progress, see image 1 and if you did happen to find anything you would see another screen giving examples, see image 2 for examples.

So what did you do and what exactly happened, as something would have happened even if that was boot into windows or a black screen, what happened ?

Thanks, there is a long log list; should I post it? What actually happened was the blue screen, as you showed, and I left the computer; when I returned, the scan had finished and left no sign that it had ever occurred — with your coaching, I do know it ran and didn’t simply disappear! But of course, Avast is always reliable! :smiley:

You can attach it by using the additional options button on the reply page. You may have to scroll down a little to see the browse button.

If there had been anything detected you would have come back to the second image waiting for your input. So it is likely that nothing was found, so I’m a little surprised that there is a ‘long list’ probably files that it couldn’t scan, so I too wait for the attachment.