How to Remove Viruses/Trojans on First Scan/Detect

Hello All:

First Time Avast 4 user here.

During my first scan with the software, several viruses and trojans were detected. I am running Windows 2000.

When I hit repair, I get a message saying that the program cannot repair them because there is no Virus Recovery Database. How do I get the database established so that Avast can remove the viruses/trojans and then repair the files? The infected files are WINNT files, so I do not think it wise to just delete them.

Many thanks for any and all help on this.

Welcome to this board.

Run a boottime scan.

start Avast > Menu > plan boot scan

Let us know if the problem is solved after doing so.

Hey Eddy:

Thanks for the recommendation. Just tried your suggestion.

However, when Avast found a trojan or a virus, I pushed the number next to repair and got the following:

Repair: Error 42060

same thing happened whether I pushed Repair or Repair All.

Would appreciate your suggestions on the next step to do or try.

Many thanks again…

42060 AVAST_REPAIR_NOTREPAIRED [File was not repaired]

Not every infected file can be repaired. Some are the infection itself. Choose the “move to chest”, “move” or “delete” option.

Let us know how it is going. Also post a HijackThis log here and let us have a look at it.

Before you choose “Delete”,
please tell us exactly WHAT viruses were found WHERE… (full path/folder/filenames) → see avast’s report/logs

Hey Eddy:
Will do as you advise, but would appreciate some additional info on three follow-up questions:

  1. What does “move to chest” actually do? I could not find anything in AVAST help to explain that.

  2. Will moving WINNT-located files to the chest - or deleting them - crash my system since they are in the WINNT-related files?

  3. In your message, you said
    Also post a HijackThis log here and let us have a look at it.

What is a HijackThis log?

Many thanks again Eddy - your help is mucho appreciated.

Rick

“move to chest” moves the files to a special folder within the Avast folder. Avast protects that folder so the system doesn’t access the files there. This will make sure the infected files won’t do harm. While in the chest, you can analyze them further to see if they are really infected (need to be deleted) or not. If it is safe to delete them, you can do it from there. If it for whatever reason turns out that a file is falsely detected as infected, you can place it back to its original location from there.

For HijackThis, look HERE

Files being in the WINNT folder doesn’t mean they are system files. Many viruses place one or more files there, as do legitimate applications.
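To make the “move to chest” idea concrete, here is an added example of a minimal quarantine folder written for this thread. It is not Avast’s code and says nothing about how the real chest is implemented; it just shows the three properties Eddy describes: the file leaves its original location, it is stored so nothing can run or load it by name, and enough metadata is kept to analyze it later, delete it, or restore it if it was a false positive. The file name, chest path and JSON sidecar layout are all assumptions of this example; the sample file it walks through is constructed inside a temporary directory.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
import time
import uuid
from pathlib import Path


def _sha256(path):
    """Hash a file in chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def move_to_chest(path, chest_dir):
    """Move a suspect file into the chest (hypothetical layout, not Avast's).

    The file is renamed to a random id with a .quar extension so nothing will
    execute or load it by its old name, its permissions are cut to owner
    read-only (no execute bit), and a JSON sidecar records where it came from
    and its hash. Returns the sidecar record.
    """
    src = Path(path).resolve()
    chest = Path(chest_dir)
    chest.mkdir(parents=True, exist_ok=True)
    entry_id = uuid.uuid4().hex
    record = {
        "id": entry_id,
        "original_path": str(src),
        "size": src.stat().st_size,
        "sha256": _sha256(src),
        "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    dest = chest / f"{entry_id}.quar"
    shutil.move(str(src), str(dest))
    os.chmod(dest, stat.S_IRUSR)
    (chest / f"{entry_id}.json").write_text(json.dumps(record, indent=2))
    return record


def list_chest(chest_dir):
    """Return the sidecar records of everything currently in the chest."""
    return [json.loads(p.read_text()) for p in sorted(Path(chest_dir).glob("*.json"))]


def restore_from_chest(entry_id, chest_dir):
    """Put a false positive back at its original path.

    The stored hash is checked first so an entry that was altered while
    quarantined is not silently returned to the system.
    """
    chest = Path(chest_dir)
    record = json.loads((chest / f"{entry_id}.json").read_text())
    quar = chest / f"{entry_id}.quar"
    if _sha256(quar) != record["sha256"]:
        raise ValueError("chest entry hash mismatch, refusing to restore")
    dest = Path(record["original_path"])
    os.chmod(quar, stat.S_IRUSR | stat.S_IWUSR)
    shutil.move(str(quar), str(dest))
    (chest / f"{entry_id}.json").unlink()
    return dest


def delete_from_chest(entry_id, chest_dir):
    """Permanently remove a confirmed-malicious entry and its record."""
    chest = Path(chest_dir)
    quar = chest / f"{entry_id}.quar"
    os.chmod(quar, stat.S_IRUSR | stat.S_IWUSR)
    quar.unlink()
    (chest / f"{entry_id}.json").unlink()


def demo():
    """Walk one constructed file through chest, listing and restore, and
    return the observations so they can be checked."""
    work = Path(tempfile.mkdtemp())
    chest = work / "chest"
    sample = work / "suspect.exe"  # constructed sample, not a real binary
    payload = b"MZ constructed sample, not executable code"
    sample.write_bytes(payload)
    rec = move_to_chest(sample, chest)
    result = {
        "gone_from_original": not sample.exists(),
        "in_chest": (chest / f"{rec['id']}.quar").exists(),
        "recorded_hash": rec["sha256"] == hashlib.sha256(payload).hexdigest(),
        "chest_count": len(list_chest(chest)),
    }
    restored = restore_from_chest(rec["id"], chest)
    result["restored_intact"] = restored.read_bytes() == payload
    result["chest_empty_after_restore"] = list_chest(chest) == []
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash check on restore is the part worth copying: a quarantine folder is only trustworthy if what comes back out is exactly what went in.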

Hey Eddy:

Downloaded and ran HijackThis as you suggested. The log is as follows. While you’re looking at the log, I will try and rerun Avast during boot up and move the files to the chest. I’ll come back here to the post after that is finished and report the results.

Continued thanks guy.

Rick

Avant is not letting me post my entire HijackThis log as it is too long, so I am cutting it into two posts.

First half:
Logfile of HijackThis v1.97.7
Scan saved at 11:34:33 AM, on 9/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\WINNT\System32\ofps.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\myCIO\Agent\swAgent.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\TSIRCSRV.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\TSI32\tsircusr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\myCIO\Agent\myagttry.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\timtemp\Spyware-Cop.exe
C:\timtemp\timtemp2_files\Spyware Doctor\spydoctor.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Application Data\q??o.exe
C:\WINNT\system32?hkdsk.exe
C:\Program Files\Photo Manager\Monitor.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Visioneer\PaperPort\Config\Ereg\REMIND32.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINNT\myCIO\Agent\UpdDlg.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\timtemp\timtemp2_files\HijackThis1.exe

Second half of the HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\xxlpt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xxlpt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ajc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.ajc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xxlpt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\xxlpt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\xxlpt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\xxlpt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\xxlpt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ajc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ajc.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\TSI32\tsircusr.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FC679321-6CC1-3E32-448F-8BD6EC235E2C} - C:\WINNT\d3yx32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myagttry.exe
O4 - HKLM..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [WebRebates0] “C:\Program Files\Web_Rebates\WebRebates0.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU..\Run: [MoneyAgent] “C:\Program Files\Microsoft Money\System\Money Express.exe”
O4 - HKCU..\Run: [PPWebCap] C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU..\Run: [Spyware-Cop] “C:\timtemp\Spyware-Cop.exe” /s
O4 - HKCU..\Run: [Spyware Doctor] “C:\timtemp\timtemp2_files\Spyware Doctor\spydoctor.exe” /Q
O4 - HKCU..\Run: [Brct] C:\Documents and Settings\Administrator\Application Data\q??o.exe
O4 - HKCU..\Run: [Pjxrddis] C:\WINNT\system32?hkdsk.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Visioneer\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Manager Monitor.lnk = C:\Program Files\Photo Manager\Monitor.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra ‘Tools’ menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: Merriam-Webster (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .avi: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npavi32.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=1bc2dfe0cd56b08e83cbcd56822b9d185e66a8f156560ebb18ffa2c9543cc6154a3682076ebe09604513aa4789bd8e86d2adc8ed06413126da65b131d9d0c31979:1c94cf8dd60a92140234c44bda683591
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-a.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/SonicWall/bin/myCioAgt.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38116.5830902778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.9.0.0.2.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
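As an added example for readers working through a log like the one above (this is not HijackThis code and not part of the thread), here is a small parser that splits HijackThis lines into their section code and body and applies a few structural review rules: Internet Explorer start or search settings pointing at a res:// page inside a local DLL, a BHO whose file is missing, an autostart entry whose target lives in a user profile data folder, O6 policy restrictions, and a downloaded ActiveX control with no registered friendly name. The rules only say “look at this”; they are heuristics I chose for the example, not HijackThis’s own logic, and the sample input is a handful of lines copied from the posted log, with a few benign ones included so the rules have something to leave alone.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\xxlpt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FC679321-6CC1-3E32-448F-8BD6EC235E2C} - C:\WINNT\d3yx32.dll (file missing)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU..\Run: [Brct] C:\Documents and Settings\Administrator\Application Data\q??o.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# Every HijackThis entry starts with a section code such as R1, O2, O4, O16.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Review heuristics (chosen for this example, not HijackThis's own rules).
RES_IN_DLL = re.compile(r"=\s*res://.*\.dll/", re.IGNORECASE)
PROFILE_DATA_DIR = re.compile(r"\\Documents and Settings\\[^\\]+\\Application Data\\", re.IGNORECASE)
O16_WITH_NAME = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \(")


def parse_hjt(text):
    """Split a HijackThis log into {'section', 'body', 'raw'} entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append({"section": m["section"], "body": m["body"], "raw": line})
    return entries


def review_entry(entry):
    """Return a reason to look closer at this entry, or None."""
    section, body = entry["section"], entry["body"]
    if section in ("R0", "R1") and RES_IN_DLL.search(body):
        return "IE start/search setting points at a res:// page inside a local DLL"
    if section == "O2" and body.endswith("(file missing)"):
        return "BHO is registered but its DLL is gone (orphan registry entry)"
    if section == "O4" and PROFILE_DATA_DIR.search(body):
        return "autostart target lives in a user profile data folder, not a program directory"
    if section == "O6":
        return "IE policy restrictions are present; confirm they were set on purpose"
    if section == "O16" and not O16_WITH_NAME.match(body):
        return "downloaded ActiveX control has no registered friendly name; verify its source"
    return None


def review_log(text):
    """Run the rules over a whole log; returns (section, reason, raw line) tuples."""
    findings = []
    for entry in parse_hjt(text):
        reason = review_entry(entry)
        if reason:
            findings.append((entry["section"], reason, entry["raw"]))
    return findings


if __name__ == "__main__":
    for section, reason, raw in review_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {raw}")
```

None of these rules proves an entry is malicious; a missing BHO file, for instance, is often just leftovers from an uninstall. They are there to shorten the list a human has to read, which is exactly what Eddy is doing by hand in this thread.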

Hey Eddy:

Ran Avast in the initial boot. Log created is as follows:
9/26/2004 7:36:22 PM NT AUTHORITY\SYSTEM 580 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
9/26/2004 7:36:24 PM NT AUTHORITY\SYSTEM 580 An error has occured while attempting to update. Please check the logs.
9/27/2004 8:25:40 AM ARCH\Administrator 1740 Sign of “Win32:Winshow [Trj]” has been found in “C:\WINNT\SYSTEM32\wmsgm.dll” file.
9/27/2004 8:28:56 AM ARCH\Administrator 1740 Sign of “Win32:SdBot-1093 [Trj]” has been found in “C:\WINNT\SYSTEM32\scvhosting.exe” file.
9/27/2004 8:30:30 AM ARCH\Administrator 1740 Sign of “Win32:Trojano-173 [Trj]” has been found in “C:\WINNT\CFJMP.exe” file.
9/27/2004 8:32:12 AM ARCH\Administrator 1740 Sign of “Win32:Trojano-173 [Trj]” has been found in “C:\WINNT\DGJ.exe” file.
9/27/2004 9:53:41 AM ARCH\Administrator 316 Sign of “Win32:Winshow [Trj]” has been found in “C:\WINNT\SYSTEM32\wmsgm.dll” file.
9/27/2004 9:54:31 AM ARCH\Administrator 316 Sign of “Win32:SdBot-1093 [Trj]” has been found in “C:\WINNT\SYSTEM32\scvhosting.exe” file.

Two questions:

  1. Can you tell me how to disable System Restore so I can follow your instructions in your recent post to run HijackThis again. I went to Help in Windows and could not find System Restore in the help files.

  2. When I rerun HijackThis, and if I find any of the lines you highlighted, what should I do - delete them or just copy the log and report back here first?

Continued thanks…whenever you’re in Atlanta…lunch is on me!!

Rick
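The Avast log lines Rick pasted above have a regular shape: date, time, account, a numeric field, then the message. As an added example (not Avast’s code, not part of the thread), here is a parser that turns those lines into structured events, separates signature detections from the two update-error lines, and collapses repeated hits on the same file into one entry per path with a hit count and first/last seen times, which is what you want before deciding per file what to do with it. The sample input is the posted log as-is, including the curly quotes the forum put around the names, so the regex accepts both quote styles. The numeric field after the account is treated as an opaque id (I assume it is a process id, but nothing here depends on that).

```python
import re
from datetime import datetime

# Constructed sample: the log lines posted above, as they appear on the page.
SAMPLE_AVAST_LOG = r"""
9/26/2004 7:36:22 PM NT AUTHORITY\SYSTEM 580 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
9/26/2004 7:36:24 PM NT AUTHORITY\SYSTEM 580 An error has occured while attempting to update. Please check the logs.
9/27/2004 8:25:40 AM ARCH\Administrator 1740 Sign of “Win32:Winshow [Trj]” has been found in “C:\WINNT\SYSTEM32\wmsgm.dll” file.
9/27/2004 8:28:56 AM ARCH\Administrator 1740 Sign of “Win32:SdBot-1093 [Trj]” has been found in “C:\WINNT\SYSTEM32\scvhosting.exe” file.
9/27/2004 8:30:30 AM ARCH\Administrator 1740 Sign of “Win32:Trojano-173 [Trj]” has been found in “C:\WINNT\CFJMP.exe” file.
9/27/2004 8:32:12 AM ARCH\Administrator 1740 Sign of “Win32:Trojano-173 [Trj]” has been found in “C:\WINNT\DGJ.exe” file.
9/27/2004 9:53:41 AM ARCH\Administrator 316 Sign of “Win32:Winshow [Trj]” has been found in “C:\WINNT\SYSTEM32\wmsgm.dll” file.
9/27/2004 9:54:31 AM ARCH\Administrator 316 Sign of “Win32:SdBot-1093 [Trj]” has been found in “C:\WINNT\SYSTEM32\scvhosting.exe” file.
"""

# date, time, account (may contain a space, hence the lazy match), numeric id, message
HEADER_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<account>.+?) (?P<procid>\d+) (?P<message>.*)$"
)
# Accept straight or curly quotes around the signature name and the path.
DETECT_RE = re.compile(
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.'
)


def parse_avast_log(text):
    """Turn log lines into event dicts with a 'kind' of detection, update_error, other or unparsed."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if not m:
            events.append({"kind": "unparsed", "raw": line})
            continue
        ev = {
            "timestamp": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p"),
            "account": m["account"],
            "procid": int(m["procid"]),
            "message": m["message"],
            "raw": line,
        }
        d = DETECT_RE.search(m["message"])
        if d:
            ev["kind"] = "detection"
            ev["signature"] = d["sig"]
            ev["path"] = d["path"]
        elif "update" in m["message"].lower():
            ev["kind"] = "update_error"
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def summarize_detections(events):
    """One entry per detected file: signature, hit count, first and last time seen."""
    summary = {}
    for ev in events:
        if ev["kind"] != "detection":
            continue
        entry = summary.setdefault(ev["path"], {
            "signature": ev["signature"],
            "hits": 0,
            "first_seen": ev["timestamp"],
            "last_seen": ev["timestamp"],
        })
        entry["hits"] += 1
        entry["first_seen"] = min(entry["first_seen"], ev["timestamp"])
        entry["last_seen"] = max(entry["last_seen"], ev["timestamp"])
    return summary


if __name__ == "__main__":
    events = parse_avast_log(SAMPLE_AVAST_LOG)
    for ev in events:
        if ev["kind"] == "update_error":
            print("update problem:", ev["message"])
    for path, info in summarize_detections(events).items():
        print(f"{path}: {info['signature']} x{info['hits']} "
              f"({info['first_seen']:%H:%M:%S} .. {info['last_seen']:%H:%M:%S})")
```

Six detection lines collapse to four files here, and the two update-failure lines from the evening before are kept separately; a failed definition update is worth knowing about on its own before trusting any scan result.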

1] Enable/disable system restore

2] Put a checkmark in front of the items I mentioned in HijackThis and click on FIX

3] The things Avast found sure look harmful. Check them on JOTTI to make sure. If they are indeed harmful, remove them.

Good luck.

Hey Eddy:

Followed your instructions: ran HijackThis and “fixed” all the offending files you identified. Ran Avast again and moved all found infected files to an Avast folder. I then went to Jotti and evaluated each, and each showed up as infected:

dgj.exe
emzums.exe
epjwid.exe
fkrabi.org
installo22.exe
randomize.dll
scvhosting.exe
wehbuo.dat
winadx.dll
xgbykn.dat
xxvsgc.txt

Next steps:

  1. Do you recommend I just use the delete key to delete them (and then clean the waste basket)?
  2. Do I need to do any specific backups or emergency disk procedures before deleting them?

Continued thanks…

Rick

  • Yup, delete those files. They definitely do not belong on your system.
  • Remove them from the recycle bin.
  • Reboot and run a full system scan.
  • Run HijackThis again and post a new log here.

We are almost there :wink: