New User with multiple viruses that somehow got past Avast...

Hello all,
Strangely enough, I posted a need for my daughter’s computer last week, which she has turned over to her school tech dept. (she gave up), but now MY PC has a ton of viruses on it thanks to my daughters, who love to download pics and music. I thought I was safe since I’ve been a fan/user of Avast for a number of years now, but apparently it’s not bulletproof. I freely admit that I am not an expert. I did follow the previous advice given, and here are the results:
But first, the scenario:
On restart yesterday, all of a sudden the computer came up with all kinds of virus alerts. Apparently some weeks ago my daughter loaded on some music from a friend that is/was infected (not the friend, but the files ;D). My daughter started using the “delete” option instead of “virus chest”, so I don’t know what might have been harmed before I got to her. At the moment the computer is operating fine, except that when I try to look at my files using “My Computer”, “Explore”, or view the contents of my 500GB external drives, I get the dialog box asking me which program I want to use to “open this file”… “My documents” and the other folder-style elements work fine.

  1. I ran Avast and put everything I found in the virus chest. Results attached.

NEXT, I downloaded Dr. Web and ran it. It found two things and here they are.
ProxyPac.dll;C:\Program Files\dialcom\Client-Svc;BackDoor.Gtps.origin;Incurable.Moved.;
A0054391.dll;C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP424;BackDoor.Gtps.origin;Incurable.Moved.;


NEXT, I downloaded and ran “HijackThis” per request, and the results are attached:

What on the planet earth should I do now? Thanks so much for your kindness.

First
Let’s not worry about those items in System Restore.
Second
Can you make a folder called “suspect” in your root drive:
C:\suspect
Then go into Avast and exclude that folder C:\suspect from the Avast scanner.
Copy or extract the files (not the ones in Restore) to C:\suspect.
Then go online to VirusTotal (Google it), navigate to C:\suspect and upload.
I am interested especially in the -gen files and would like to get a positive ID.
Third
Clean temp files; you can use ATF-Cleaner or CCleaner or Internet Options.
Fourth
Go to malwarebytes.org, then update and run the free RogueRemover and Malwarebytes Anti-Malware.
With MBAM, update, scan and check any malware found, then click “remove selected”.
Post the logs.
Fifth
Download, update and scan with SUPERAntiSpyware.
Post the log.
Then a new HJT.

Do each of the kids and you have user accounts, or is everyone running as administrator?

What firewall?

I’ll try and get a peek at your HJT a little later.

What are these?

C:\Program Files\Internet Content Filter\SafeEyes.exe

C:\Program Files\Spontania Video Collaboration\SpontaniaVideoCollaboration.exe

Can you uninstall this one or make it not start? (Ask Toolbar)
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

This may go away or we may fix it:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
It may have been Windows Live Messenger; if it was, it is just as well gone. Did you REMOVE MSN Messenger?

What is this?
O4 - HKLM..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKLM..\Run: [MSN Messenger Mutex] msnstartup.exe

O4 - HKCU..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

HKUS\S-1-5-18..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User ‘SYSTEM’)

LSP errors
Check your system with LSPFix from Cexx.org. These entries should not be fixed with HJT!
Your best bet to repair it is to try LSPFix from Cexx.org.

What’s this?
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

Have the girls Google anything they are not familiar with (just look at reliable sites).
Let me know what you find.
I’ll double-check anything left after the antimalware scans mentioned.


What is SafeEyes …

from http://www.spyany.com/files/SafeEyes_exe.html :

SafeEyes.exe is the main executable for Internet Content Filter software, which enables you to block unwanted contents from being displayed.

A little more info here :

http://www.processlibrary.com/directory/files/safeeyes

http://www.whatsrunning.net/whatsrunning/QueryProcessID.aspx?Process=10485

What is SpontaniaVideoCollaboration …

http://www.prevx.com/filenames/1171926210008894659-0/SPONTANIAVIDEOCOLLABORATION.EXE.html

http://www.runscanner.net/filelibrary/spontaniavideocollaboration.exe.html

This one …

O4 - HKLM..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

… belongs to Microsoft and is used to monitor hardware components for performance bottlenecks.

This one is bad …

O4 - HKCU..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

Info on ckvo.exe …

http://www.prevx.com/filenames/1945005718982325452-X1/CKVO.EXE.html

http://www.bleepingcomputer.com/startups/ckvo.exe-23750.html

http://www.threatexpert.com/files/ckvo.exe.html

What is Keyscrambler …

This encrypts keystrokes to defeat keyloggers.

http://www.qfxsoftware.com/

This one seems to be related to a FaceBook trojan …

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

http://g.s.scandoo.com/search?hl=en&q=ProtectService.exe&btnG=Search

I hope this helps.


Safe Eyes=parental control
http://www.internetsafety.com/safe-eyes-parental-control-software.php

The O10 lines are valid and belong to this program also.

I’m not sure if I’d be running Facebook from the Trusted Zone. This zone has lower security settings.

Thanks oldman.
Let’s see what the general-purpose scanners remove before trying point-by-point removals.
This system needs some work,
and some of it can’t be done by HJT without leaving tons of garbage.

I just spent some time on my brother’s Vista laptop;
all the dual core and memory wasted.
98SE even with SSM, Avast and Counterspy (or Spyware Doctor) is more responsive.

Here we have the system scan information from the HJT log file text presented above.
What can be observed is that there seems to be no active software firewall running; why is this?

Overview of running tasks (process, type, description):
smss.exe (System task): Session Manager Subsystem
winlogon.exe (System task): Microsoft Windows Logon Process
services.exe (System task): Windows Service Controller
lsass.exe (System task): Local Security Authority Service
Ati2evxx.exe (Driver): ATI Display Adapter Assistant
svchost.exe (System task): Microsoft Service Host Process
svchost.exe (System task): Microsoft Service Host Process
svchost.exe (System task): Microsoft Service Host Process
aswUpdSv.exe (Virusscan): Avast Anti-Virus Component
ashServ.exe (Virusscan): Avast
brsvc01a.exe (Backgroundtask): Brother Print Processor
spoolsv.exe (System task): Microsoft Printer Spooler Service
brss01a.exe (Application): Brother Print Processor
AppleMobileDeviceService.exe (Backgroundtask): Apple Mobile Device Service
AsfIpMon.exe (Driver): Broadcom ASF IP Monitor
mDNSResponder.exe (Backgroundtask): Bonjour for Windows Component
GoogleUpdaterService.exe (Backgroundtask): Service Component
RioMSC.exe (Unknown task)
svchost.exe (System task): Microsoft Service Host Process
Explorer.EXE (System task): Microsoft Windows Explorer
ctfmon.exe (System task): Alternative User Input Services
ashMaiSv.exe (Virusscan): Avast Anti-Virus Component
ashWebSv.exe (Virusscan): avast! Web Scanner
jusched.exe (Backgroundtask): Sun Java Update Scheduler
stsystra.exe (Driver): SigmaTel C-Major Audio Tray App
cli.exe (Application): ATI Catalyst
DVDLauncher.exe (Backgroundtask): A process belonging to the Cyberlink PowerCinema video viewing software which allows you to play DVDs upon insertion.
DLACTRLW.EXE (Backgroundtask): Sonic Solutions Drive Letter Access (DLA)
svchost.exe (System task): Microsoft Service Host Process
ashDisp.exe (Virusscan): Avast AntiVirus
Monitor.exe (Backgroundtask): Scheduler for the Pagis scanning suite from Scansoft.
isuspm.exe (Backgroundtask): InstallShield Automatic Updater
SafeEyes.exe (Unknown task)
E_S4I4D1.EXE (Unknown task)
iTunesHelper.exe (Application): Apple iTunes
DSAgnt.exe (System task): Dell Support Agent offers additional support and update features for your Dell computer or laptop
Skype.exe (Backgroundtask): Skype Internet Telephony
NMBgMonitor.exe (Backgroundtask): Nero Home
NMBgMonitor.exe (Backgroundtask): Nero Scout
SpontaniaVideoCollaboration.exe (Unknown task)
Wcescomm.exe (Backgroundtask): Microsoft ActiveSync Connection Manager
MsnMsgr.Exe (Application): MSN Messenger
NMIndexingService.exe (Backgroundtask): Nero Home
NMIndexStoreSvr.exe (Backgroundtask): Nero Home
GoogleUpdater.exe (Backgroundtask): Google Updater
GoogleUpdater.exe (Backgroundtask): Google Updater
WinCinemaMgr.exe (Backgroundtask): WinCinema Manager is needed when using the WinDVD Remote Control for WinDVD from Intervideo.
soffice.exe (Backgroundtask): OpenOffice StarOffice suite
soffice.BIN (Backgroundtask): OpenOffice Module
rapimgr.exe (Backgroundtask): Microsoft ActiveSync Module
iPodService.exe (Backgroundtask): Apple iTunes
SkypePM.exe (Backgroundtask): Skype Extras Manager
cli.exe (Application): ATI Catalyst
ashSimpl.exe (Virusscan): Virus scanner
jucheck.exe (Backgroundtask): Sun Java UpdateChecker Module
firefox.exe (Application): Mozilla Firefox
launch.exe (Backgroundtask): Vantarakis Launch Application
_start.exe (Unknown task)
setup.exe (System task): Standard setup
HijackThis.exe (Application): Merijn HijackThis
NOTEPAD.EXE (Application): Windows Notepad
ashChest.exe (Unknown task)
thunderbird.exe (Backgroundtask): E-mail manager
NOTEPAD.EXE (Application): Windows Notepad

polonus

To those who need parental control, consider www.k9webprotection.com; it is free and can be used side by side with other programs.

Thanks to you all… I see a bunch of comments, including:
“I’m not sure if I’d be running Facebook from the Trusted Zone. This zone has lower security settings.”
Should I follow the advice I got in the first response? Any modifications to that advice, or proceed?

wyrmrider and others,
I have followed the instructions as best as I could decipher them. I have a couple of questions, answers, and observations.
First, the site “virustotal” is not working as far as I can tell. It comes up blank in my browser while all others work. What now? I exported the virus-affected files that were NOT on the “restore” list (with “restore” in the directory name listed in the virus chest report) into the directory suggested.

Second question: what is HJT?

Third, “download update and scan with super anti spyware - post the log” is the instruction; I assume don’t clean/remove or the equivalent? I am on hold with that till I get an answer. The report is attached below.

Fourth: Malwarebytes Anti-Malware report attached. Done in the order suggested in your post.

Fifth: there are individual accounts, to answer your question on my original post.

Sixth: the firewall is the standard Windows Firewall, to answer your question on my original post.

I’ll try to answer your questions. With SAS, you should quarantine whatever it finds. The same with Malwarebytes, except its quarantine is “remove selected”. I see you didn’t do that.

HJT is HijackThis.

www.virustotal.com is the correct link for VirusTotal. What happens when you click on it? We may be able to find a way to get you there.

If there are multiple accounts, HJT may see the other accounts if the users are not logged off.

Do I want to have the other accounts logged on, or off?

Thanks oldman.

No idea on the other accounts question; I’d try it with everything turned on.
On MBAM,
from my first post:
“with mbam update scan and check any malware found then click “remove selected””
A quick scan will be OK, then remove selected.
At least we know it will remove some things.

I think oldman answered about SAS CLEAN or whatever and Quarantine, Chest, Vault, whatever; just do not delete/remove so that it is completely gone.

It does take a while to get started if you have never done this before.

Is the upload to VirusTotal drill OK now?

Get your girls to help with this.

Here is the latest HijackThis log… btw, while I was letting SUPERAntiSpyware quarantine its files, Avast sounded off with an alert…
Logfile of Trend Micro HijackThis v2.0.2

I still get a blank page when I try to access the VirusTotal page… are you able to access it now?

The Avast alert is normal; it’s reading the file as SAS is moving it. Safe mode scans avoid this because Avast is not running then.

I can get to VirusTotal with no problem. Try this instead:

http://virusscan.jotti.org/

The malware scans should be all right even with other users logged on. It’s just HJT.

http://www.virustotal.com/ worked for me

Is this last HJT after the MBAM and SAS scans?
Could you post the SAS and MBAM logs please?

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

Look in Add/Remove Programs for Ask Toolbar and/or Search Assistant and uninstall,
or:
many applications have their own uninstall file that is placed in the same directory or program group.
See Start > Programs
or “Program Files” and look for Ask Toolbar and/or Search Assistant.

Typically, applications can be removed using ‘Add/Remove Programs’. Should this option not be available, double-click the uninstall file applicable to the specific application.

If you can’t find it or it will not remove, post back.
Here is an authoritative view on the Ask Toolbar. Of course you can keep it if you want to, but then do you need the Yahoo toolbar?
http://www.benedelman.org/spyware/ask-toolbars/

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
I already asked you about this one. Not malicious; we can FIX it if necessary, but not urgent.

O4 - HKLM..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
oldman commented on this one.
You can turn this off with a startup manager if you are not using it.

O4 - HKLM..\Run: [MSN Messenger Mutex] msnstartup.exe ???
Are you using Microsoft Windows Messenger (not MSN instant messenger)?

O4 - HKCU..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
This one really concerns me; MBAM and/or SAS and/or Avast should have nuked this one.
Let’s see those logs.

Polonus, oldman says to ignore these O10s; example:
O10 - Unknown file in Winsock LSP: icf.dll

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
Let’s see if MBAM and/or SAS gets this one.

Rerun those scans and let them work.
Post the logs showing the fixes.
Then post a new HJT.

Let’s hope those two baddies are gone and all their hidden friends with them.

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
oldman commented on this one; you can turn this off with startup manager if you are not using it
Actually it was CharleyO. ;)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

Haven’t seen anything on this one before. The file should be tested.

I meant to mention it before. You shouldn’t use your email for a user ID. It will get harvested and you will be buried in spam.

Virus scan result one:

File: c9hehpa.bat
Status:
INFECTED/MALWARE
MD5: ffb21ccb9aaabca76467c0f3731fbc97
Packers detected:

Scanner results
Scan taken on 22 Sep 2008 04:06:51 (GMT)
A-Squared
Found Worm.Win32.Viking.ex!ik
AntiVir
Found TR/Vundo.Gen
ArcaVir
Found Worm.Autorun.Epk
Avast
Found Win32:Monga
AVG Antivirus
Found nothing
BitDefender
Found Trojan.PWS.OnlineGames.ZQF
ClamAV
Found nothing
CPsecure
Found W32.W.AutoRun.epk
Dr.Web
Found Trojan.Nsanti.Packed
F-Prot Antivirus
Found W32/Onlinegames.gen (probable variant)
F-Secure Anti-Virus
Found Worm.Win32.AutoRun.epk
Ikarus
Found Worm.Win32.Viking.ex
Kaspersky Anti-Virus
Found Worm.Win32.AutoRun.epk
NOD32
Found Win32/PSW.OnLineGames.NMY
Norman Virus Control
Found W32/Viking.gen5
Panda Antivirus
Found W32/Lineage.JMI.worm
Sophos Antivirus
Found Mal/EncPk-EK
VirusBuster
Found nothing
VBA32
Found Trojan-GameThief.Win32.Magania.aayp

O4 - HKCU..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
This one really concerns me; MBAM and/or SAS and/or Avast should have nuked this one.
Let’s see those logs.

Logs attached to post #9

I am running Malwarebytes’ Anti-Malware again now.
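As an added example (not code from this thread or from any of the scanners named in it), a small Python helper that reads a Jotti-style multi-engine listing like the one posted above and reports the detection ratio and the malware families the engines converge on, which is the quick read a helper wants before advising on a quarantined file. The abridged sample is copied from the result posted above; the list of generic name parts is an assumption.

```python
import re
from collections import Counter

# Abridged copy of the multi-engine result posted in the thread (same layout:
# engine name on one line, "Found ..." verdict on the next).
JOTTI_RESULT = """\
File: c9hehpa.bat
MD5: ffb21ccb9aaabca76467c0f3731fbc97
Scan taken on 22 Sep 2008 04:06:51 (GMT)
A-Squared
Found Worm.Win32.Viking.ex!ik
AVG Antivirus
Found nothing
BitDefender
Found Trojan.PWS.OnlineGames.ZQF
Kaspersky Anti-Virus
Found Worm.Win32.AutoRun.epk
NOD32
Found Win32/PSW.OnLineGames.NMY
VBA32
Found Trojan-GameThief.Win32.Magania.aayp
"""

# Assumed list of name parts that denote a class or platform, not a malware family.
GENERIC = {"worm", "trojan", "mal", "pws", "psw", "gen", "gamethief", "packed", "heur"}

def parse_results(text):
    """Return (md5, [(engine, verdict or None), ...]) from a Jotti-style listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    md5 = next((ln[4:].strip() for ln in lines if ln.startswith("MD5:")), None)
    results, prev = [], None
    for ln in lines:
        if ln.startswith("Found "):          # verdict line; the engine is the line before
            verdict = ln[6:].strip()
            results.append((prev, None if verdict == "nothing" else verdict))
        prev = ln
    return md5, results

def family_of(verdict):
    """Pick the family-like token (e.g. 'autorun') out of a vendor detection name."""
    for tok in re.split(r"[./!:\-\s()]+", verdict):
        if len(tok) >= 3 and tok.isalpha() and tok.lower() not in GENERIC:
            return tok.lower()
    return verdict.lower()

def summarize(text):
    """Detection ratio plus a tally of families across engines."""
    md5, results = parse_results(text)
    detected = [v for _, v in results if v]
    return {"md5": md5, "engines": len(results), "detected": len(detected),
            "families": Counter(family_of(v) for v in detected)}
```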