For starters, am I finally posting correctly?

I am very much a newbie, and am wondering if I’m posting appropriately to ask questions of the community. Someone please let me know, and then I will ask my questions.

Thank you,

Kathy

OK, so I guess I’m finally posting correctly. I have been having the same problems as many others with viruses and spyware. I would like to get my system cleaned up so I can install all the Windows Updates and anything else I need to prevent these attacks. I have been doing virus checks with avast and on-line Panda. I haven’t been getting notifications of any viruses today. I did spyware removal with Microsoft Antispyware and Spybot Search and Destroy. I also am thinking of installing Spyware Blaster and Ad-Aware, suggestions I picked up reading on this forum. But for now, I am concerned about the following:

  1. What is in my avast “chest” and “infected” section in the log. I’m afraid there is something I haven’t completed in the process because I really don’t understand all I am doing.

  2. I have a “Hijack this” file which I will post, but I don’t really understand this, and when people advise what to do, I’m afraid I won’t understand it. But here it is, and I really appreciate this forum and all the individuals who help.

Logfile of HijackThis v1.99.1
Scan saved at 9:27:17 PM, on 3/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kathy Schiff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [msci] C:\DOCUME~1\KATHYS~1\LOCALS~1\Temp\2004717193951_mcinfo.exe /insfin
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Yes, this is fine. Start a new thread for a new question.
I notice from your first post that you have problems with viruses; it would help others to help you if you could also say what operating system you’re using (win98 or ME or XP etc), as well as which version of Avast you have (right-click on the blue “a” ball and look at ‘about avast…’ and let the forum know which build and what vps file version you have)
Providing as much information as you can will help find the answers you need as quickly as possible.
Welcome to the forum, you’ll find it’s a very useful feature of Avast - there are some very knowledgeable folks around here.

Thank you. I run Windows XP Home edition. My avast is: version 4.6 Home Edition. File version is 0510-1. I have had various viruses such as Trojan-gen, and others. But as I said, I’m on-line now, and have been for several hours, and no sirens.

Also, I right-clicked on each file in my “chest” and am providing the information that came up after I chose to scan each file. I hope this helps you direct me.

Scanning of selected files

Program will try to scan 1 selected file(s) in the Chest
Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: NCASEP~1.EXE
FileID: 7
Virus Description: Win32:Trojano-803 [Trj]

Move files to temporary folder: C:\DOCUME~1\KATHYS~1\LOCALS~1\Temp\aswB1.tmp
FileID: 0000000010 Original file name: C:\temp\NCASEP~1.EXE\NCASEP~1.EXE New folder: C:\DOCUME~1\KATHYS~1\LOCALS~1\Temp\aswB1.tmp\10.EXE

Scan files in the temporary folder: C:\DOCUME~1\KATHYS~1\LOCALS~1\Temp\aswB1.tmp
C:\DOCUME~1\KATHYS~1\LOCALS~1\Temp\aswB1.tmp\10.EXE[UPX] – no virus –
C:\DOCUME~1\KATHYS~1\LOCALS~1\Temp\aswB1.tmp\10.EXE Win32:Trojano-803 [Trj]

Action was completed successfully!

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: NCASEP~1.EXE
FileID: 7
Virus Description: Win32:Trojano-803 [Trj]

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: NCasePackage.exe
FileID: 9
Virus Description: Win32:Trojano-803 [Trj]

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: msexreg.exe
FileID: 12
Virus Description: Win32:Trojan-gen. {VC}

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: exul.exe
FileID: 11
Virus Description: Win32:Trojan-gen. {VC}

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: exul.exe
FileID: 11
Virus Description: Win32:Trojan-gen. {VC}

Thank you,

Kathy (kathoderayblue)


ANALYZER INFORMATION

Log created on : 12-03-2005 10:45:27
Analyzer version : 11
bad.dat version : 34
good.dat version : 36
rec.dat version : 27
dasb.dat version : 7
sus.dat version : 15
fire.dat version : 3


CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :

Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
Software firewall detected.


GENERAL INFORMATION :

All items in the original HijackThis log file which
are not shown here need further investigation.

Tutorial on the hijackthislog : http://members.home.nl/edeijl/

For email support on this application : hjtbeta@yahoo.com

Use www.google.com to find out more on items
not listed here or if you have doubts.

In addition to this application, you can also analyze the
original HijackThis log online at: http://hijackthis.de


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

\program files\common files\dell\eusw\support.exe
o2 - bho: (no name) - {549b5ca7-4a86-11d7-a4df-000874180bb3} - (no file)
o2 - bho: (no name) - {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - (no file)
o3 - toolbar: (no name) - {ba52b914-b692-46c4-b683-905236f6f655} - (no file)
o9 - extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - c:\windows\system32\msjava.dll (file missing)
o9 - extra ‘tools’ menuitem: sun java console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - c:\windows\system32\msjava.dll (file missing)
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra ‘tools’ menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o16 - dpf: {9a9307a0-7da4-4daf-b042-5009f29e09e1} (activescan installer class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
o23 - service: avast! mail scanner - unknown owner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing) ***
o23 - service: avast! web scanner - unknown owner - c:\program files\alwil software\avast4\ashwebsv.exe" /service (file missing) ***
***Don’t mess with those two!

HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

Nothing found.


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hklm..\run: [gcasserv] “c:\program files\microsoft antispyware\gcasserv.exe”


WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :

Nothing found.


THE FOLLOWING ITEMS ARE SAFE TO KEEP :

\windows\system32\smss.exe
\windows\system32\winlogon.exe
\windows\system32\services.exe
\windows\system32\lsass.exe
\windows\system32\svchost.exe
\windows\system32\svchost.exe
\windows\system32\lexbces.exe
\windows\system32\spoolsv.exe
\windows\system32\lexpps.exe
\progra~1\common~1\aol\acs\acsd.exe
\program files\alwil software\avast4\aswupdsv.exe
\program files\alwil software\avast4\ashserv.exe
\windows\system32\cisvc.exe
\windows\system32\nvsvc32.exe
\windows\system32\svchost.exe
\windows\wanmpsvc.exe
\windows\system32\svchost.exe
\program files\alwil software\avast4\ashmaisv.exe
\windows\system32\wuauclt.exe
\windows\explorer.exe
\progra~1\alwils~1\avast4\ashdisp.exe
\program files\microsoft antispyware\gcasserv.exe
\program files\microsoft antispyware\gcasdtserv.exe
\windows\system32\wbem\wmiapsrv.exe
\windows\system32\cidaemon.exe
\windows\system32\cidaemon.exe
\program files\alwil software\avast4\ashsimpl.exe
\program files\alwil software\avast4\ashsimpl.exe
\program files\internet explorer\iexplore.exe
r0 - hkcu\software\microsoft\internet explorer\main
r0 - hklm\software\microsoft\internet explorer\main
o2 - bho: acroiehlprobj class - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\acroiehelper.dll
o2 - bho: flplauncher class - {4401fdc3-7996-4774-8d2b-c1ae9cd6cc25} - c:\program files\e-book systems\flipviewer\fplaunch.dll
o2 - bho: (no name) - {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\sdhelper.dll
o2 - bho: google toolbar helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
o3 - toolbar: &radio - {8e718888-423f-11d2-876e-00a0c9082467} - c:\windows\system32\msdxm.ocx
o3 - toolbar: &google - {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
o4 - hklm..\run: [dwlclient] c:\program files\common files\dell\eusw\support.exe
o4 - hklm..\run: [avast!] c:\progra~1\alwils~1\avast4\ashdisp.exe
o8 - extra context menu item: &google search - res://c:\program files\google\googletoolbar1.dll/cmsearch.html
o8 - extra context menu item: backward links - res://c:\program files\google\googletoolbar1.dll/cmbacklinks.html
o8 - extra context menu item: cached snapshot of page - res://c:\program files\google\googletoolbar1.dll/cmcache.html
o8 - extra context menu item: similar pages - res://c:\program files\google\googletoolbar1.dll/cmsimilar.html
o8 - extra context menu item: translate into english - res://c:\program files\google\googletoolbar1.dll/cmtrans.html
o9 - extra button: real.com - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - c:\windows\system32\shdocvw.dll
inc. - c:\progra~1\common~1\aol\acs\acsd.exe
o23 - service: avast! iavs4 control service (aswupdsv) - unknown owner - c:\program files\alwil software\avast4\aswupdsv.exe
o23 - service: avast! antivirus - unknown owner - c:\program files\alwil software\avast4\ashserv.exe
inc. - c:\windows\system32\lexbces.exe
o23 - service: nvidia driver helper service (nvsvc) - nvidia corporation - c:\windows\system32\nvsvc32.exe
inc. - c:\windows\wanmpsvc.exe

o23 - service: avast! mail scanner - unknown owner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing)
o23 - service: avast! web scanner - unknown owner - c:\program files\alwil software\avast4\ashwebsv.exe" /service (file missing)

are wrongly analyzed due to a bug in HijackThis version 1.99.0 and 1.99.1.
As Spyros said, do NOT do anything with them.

Spyros:
fyi, the beta of the new analyzer is giving their correct status. So there is hope ;D
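
The triage discussed in the replies above, as an added example (not code from HijackThis, the analyzer, or any poster): it parses HijackThis entry lines, picks out entries whose target is reported as `(no file)` or `(file missing)`, and sets aside O23 service entries whose path carries a stray quote followed by arguments, which is the shape of the two avast! lines the thread says are wrongly analyzed. The function name, the status labels and the quote-plus-arguments heuristic are assumptions; the sample lines are copied from the log posted in this thread.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
C:\WINDOWS\system32\lsass.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
'''

# "O23 - ..." / "R0 - ..." style entries; the analyzer output lowercases them.
ENTRY_RE = re.compile(r'^(?P<code>[ORNF]\d+) - (?P<body>.*)$', re.I)
# Trailing marker HijackThis appends when it cannot find the target file.
MARKER_RE = re.compile(r'\s*\((no file|file missing)\)\s*$', re.I)
# Assumed heuristic: an image path ending in a quote and followed by arguments.
QUOTED_ARGS_RE = re.compile(r'\.exe"\s+\S', re.I)


def triage(log_text):
    """Return (code, status, detail) for every entry line in a HijackThis log.

    status is 'present', 'orphaned' (target reported missing) or
    'unreliable-missing' (O23 line whose missing marker cannot be trusted).
    """
    results = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:                      # header or running-process line
            continue
        code, body = m.group('code').upper(), m.group('body')
        marker = MARKER_RE.search(body)
        if marker is None:
            results.append((code, 'present', body))
            continue
        detail = body[:marker.start()]
        if code == 'O23' and QUOTED_ARGS_RE.search(detail):
            # Same shape as the avast! Mail/Web Scanner lines: leave alone.
            results.append((code, 'unreliable-missing', detail))
        else:
            results.append((code, 'orphaned', detail))
    return results


if __name__ == '__main__':
    for code, status, detail in triage(SAMPLE_LOG):
        print(f'{status:20} {code:4} {detail}')
```
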

Thank you so much for all your help. My computer seems to be clean now. I’ve installed all the Windows Updates, but I’m holding off on Service Pack 2 until I’m backed up and can reinstall everything. I’ve been told that it may conflict with several programs if you install it after. I’m now going to work on my son’s computer, which also is full of spyware & viruses, but now with a little more confidence.

Thanks again,

Kathy