Help - no virus detected

Avast (VPS 0437-0) and McAfee free scan do not detect a virus, but my Win XP spawns a calculator and then shuts down at random (a couple of times just after logging in, but mostly it likes to work for a period of time before shutting down).

What other information do I need to supply?


Logfile of HijackThis v1.98.2
Scan saved at 11:06:28, on 09/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HJTanalyzer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4390/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip..{769CB126-60BB-4206-9368-7D05016648F0}: NameServer = 195.92.195.94 195.92.195.95
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
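As an added example (it is not part of the original post and is not HijackThis's own code), here is a small Python parser for log lines in the format shown above. It pulls out the entries a responder usually verifies by hand: O4 autoruns, O2 browser helper objects, O16 ActiveX downloads, O17 DNS servers and the R0/R1 IE start/search URLs, and lists what is worth confirming. The section letters and line shapes come from the posted log; the function names and the sample lines embedded below are constructed for this example. Flagging is not a verdict: every flagged line can be legitimate, as all of them are in this log.

```python
"""Parse HijackThis-style log lines and list the entries worth verifying.

Added example for this thread, not part of HijackThis.  The section
letters and line shapes follow the log posted above; the function names
and the sample lines are constructed here.
"""
import re
from collections import Counter
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)[.\\]*(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample in the same format as the log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.altavista.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4390/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip..{769CB126-60BB-4206-9368-7D05016648F0}: NameServer = 195.92.195.94 195.92.195.95
"""


def parse(text):
    """Return one dict per recognised HijackThis line: {'section', 'body'}."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def autoruns(entries):
    """O4 lines as (hive, name, command); the command runs at logon."""
    out = []
    for e in entries:
        if e["section"] == "O4":
            m = O4_RE.match(e["body"])
            if m:
                out.append((m["hive"], m["name"], m["cmd"]))
    return out


def first_token(cmd):
    """Executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def external_hosts(entries):
    """Hostnames referenced by R0/R1 start/search pages and O16 downloads."""
    hosts = Counter()
    for e in entries:
        if e["section"] in ("R0", "R1", "O16"):
            for url in URL_RE.findall(e["body"]):
                hosts[urlparse(url).hostname] += 1
    return hosts


def nameservers(entries):
    """O17 lines: DNS servers configured on an adapter."""
    out = []
    for e in entries:
        if e["section"] == "O17" and "NameServer = " in e["body"]:
            out.extend(e["body"].split("NameServer = ", 1)[1].split())
    return out


def triage(entries):
    """Items to confirm by hand.  A listed item is not a verdict."""
    findings = []
    for _hive, name, cmd in autoruns(entries):
        exe = first_token(cmd)
        if "\\" not in exe:
            # No full path: Windows resolves the name via PATH / App Paths.
            findings.append(f"O4 [{name}] runs '{exe}' without a full path; confirm which file it resolves to")
    for e in entries:
        if e["section"] == "O2":
            m = O2_RE.match(e["body"])
            if m and m["name"] == "(no name)":
                findings.append(f"O2 BHO {m['clsid']} has no name; identify {m['path']}")
    for host, n in external_hosts(entries).items():
        findings.append(f"external host {host} referenced {n}x; confirm it is expected")
    for ip in nameservers(entries):
        findings.append(f"DNS server {ip}; confirm it belongs to your ISP or network")
    return findings


if __name__ == "__main__":
    for line in triage(parse(SAMPLE_LOG)):
        print(line)
```

Run it on a saved log with `parse(open("hijackthis.log").read())`; the output is a checklist, and each line still needs the file or host looked up before anything is removed.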

The HJT log is clean. What tells you it is a virus and not something else? It could be a corrupted installation of Windows.

What windows version?
If XP, have you checked the event and system log?
What have you tried so far to solve the problem?

Thanks for the swift response!

It may well not be a virus but if it isn’t I don’t have a clue what it is! I presumed it was virus related due to the calculator popping up (I know some viruses do this).
I changed:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\18]
"ShellExecute"="calc.exe"
to point to charmap.exe, and now it spawns the charmap before shutting down - progress, but probably not in the right direction!

Windows version: XP Professional + SP2 (everything seemed fine until I installed the service pack)

I have checked the logs but nothing stood out - what type of thing should I be looking for?

What have you tried so far to solve the problem? SpyBot, Avast boot scan, Avast scan in safe mode, McAfee free scan, another free scan I can't remember, running around in a circle and tearing my hair out - all for no noticeable gain. Any advice will be gratefully received!

There's a few of these in the event log - but I presumed this was just a side effect of Windows shutting down?

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 08/09/2004
Time: 07:48:04
User: NT AUTHORITY\SYSTEM
Computer: THECLAP
Description:
Windows saved user THECLAP\MrHappy registry while an application or service was still using the registry during log off. The memory used by the user’s registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Set that key back to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\18]
"ShellExecute"="calc.exe". That is a normal key and should be there. The problem is finding out what is calling that registry entry. Let's start with the 2 log files I mentioned. Do you see any error or warning in there? If so, let us know. Tell the things I pointed out as shown in the picture. There is of course the option to reinstall everything or the in-place repair, but they are a bit drastic to do at this point. Let's see if we can solve it in another way.

Personally I was lucky when installing SP2. The only trouble I had was that when I started Excel, Windows was showing Excel and everything worked, but at the same time it started the installation of Publisher, which I already had installed and was perfectly working. Strange things happen to many people who install SP2 :wink:

Found some interesting info on this error HERE perhaps it helps. Check what things are running under services in taskmanager. It may tell us something more.

I used to get loads of these (and long shutdowns), after the LSASS windows update, in my tracking down the problem I heard of a windows service that you can download from MS.

User profile hive cleanup service - UPHClean, sorry I haven't a link, but you should be able to find it. After installing this service, end of problem; see the image, it shows the cleaner in action. Although this is not exactly the same event error, the "This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account" certainly is.

HTH David

Hi, no virus detected by Avast, but my computer is infected!
WORM_AGOBOT.UE
Discovered: Jul. 27, 2004 trendmicro
Please, I need help.
Thanks

Sorry for not replying sooner, but the problem deteriorated and my computer wasn't on long enough to write and post a reply before shutting down.

Then twice the computer did not respond to the keyboard - problem went away on reboot.

This got me to thinking, as Eddy said "The problem is finding out what is calling that registry entry"; plus, with the keyboard playing up, could it be hardware related and not a virus?

What if an intermittent fault with the keyboard was responsible, in effect generating false keypresses that led to the spawned calculator and the shutdowns and also muted the sound? I replaced the keyboard and the problem went away!

Thanks for the advice - I’m off to investigate the Userenv issue!

Hi Atos,

if UPDATED Avast doesn't detect the file, even in Safe Mode or a boot-time scan, then please send the file to
virus (at) avast.com in a password-protected Zip file; include the problem description and ZIP password in the mail text...

  1. Please immediately apply all security packs/important Windows updates!!
    and change all your passwords
  2. read the link "VirusRemoval" below and come back with more info,
    e.g.:
  • HijackThis log
  • full path/folder/filename of the infected file
  • your WIN version

P.S.:
here you'll find info & removal instructions for your Agobot variant:
VGREP

→ the red links there to Trend Micro, McAfee & Symantec are usually the most helpful... :wink:

Good to hear it is solved Ian.

Atos,

your comments here have nothing to do with this thread. Please start a new one in the section "viruses and worms". Tell exactly what is going on and provide relevant details, like what version of Avast, what VPS version, exactly what file(s) is (are) detected as being infected and what the location(s) is (are).