0

The problem from the beginning.

The system was being slow in general so I knew something was wrong.

I had AVG anti-virus. I found AVG to be a pain because I had to update it manually all the time. I download and install Avast antivirus.

I scan with Avast finds some viruses and I delete.
I keep getting messages from Avast (whilst on-line) that there is a virus/worm/Trojan in my system. Delete every time.
This happens every ten minutes or so, with the same files being detected.
The next day (17/09/08), I turn on the computer, booted, and then selected my user name to log in to my account. It hanged. Turned off/on again several times and it would hang on the same point.
I managed to get in using the “last known configuration that worked” option.
I completely delete AVG antivirus.
I run a Malwarebytes’ Anti-Malware scan. 79 files infected. I deleted all.
Reboot the computer.
Avast cannot update. I get the error message:
"...avast.setup has encountered a problem and needs to shut down..."
Problem signature as follows:
AppName: avast.setup AppVer: 4.8.0.0 ModName: ntdll.dll
ModVer: 5.1.2600.2180 Offset: 0001302c
Try to update to SP3. Cannot update.
Verified Window’s Files – No problem.
Repaired/reinstalled windows XP. – The antivirus has updated correctly, automatically straight after reboot but tried to do it manually and it won’t update again. Microsoft SP3 won’t update either.

This, I think, is important! Whilst I was doing the reinstall, I was getting the message for several files (I have written most of the names down) that they cannot be found in the CD. I have my original Windows XP with SP2. I tried looking for the file myself. The file is there!!! I had no choice but to abort the copying of the file to carry on with the repair. But we are talking for about 50 files!
I copied I386 (where all the aborted files where) manually to my PC – No luck

Below the report from HijackThis ( Run scan and produce a log ) and further down from Eset Online scanner (this one found threats but following forum advice, I haven't set to delete anything)

Any thoughts are much appreciated. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:36 μμ, on 23/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ECDL Hellas SA\ECDL Internet Update 4.4\InternetUpdate.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [ECDL Internet Update 4.4] C:\Program Files\ECDL Hellas SA\ECDL Internet Update 4.4\InternetUpdate.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [UtilActSh] C:\WINDOWS\system32\xonqtwvc.exe
O4 - HKLM\..\Policies\Explorer\Run: [sWro5FNa44] C:\Documents and Settings\All Users\Application Data\vkrebife\dmvavutg.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221952188775
O20 - AppInit_DLLs: C:\WINDOWS\system32\smsqrdab.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7963 bytes

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3466 (20080923)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=78e942a5b885ed4ca07fe460cbd2dd95
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-09-23 08:27:41
# local_time=2008-09-23 11:27:41 )
# country="Greece"
# osver=5.1.2600 NT Service Pack 2
# scanned=373519
# found=12
# scan_time=2116
C:\WINDOWS\system32\drivers\OLD3.tmp probably a variant of Win32/Spy.Goldun.AXT trojan CF96CBE013475AFBCCE07AAD8EBA2CE6
C:\WINDOWS\system32\drivers\OLD7.tmp probably a variant of Win32/Spy.Goldun.AXT trojan CF96CBE013475AFBCCE07AAD8EBA2CE6
C:\WINDOWS\system32\drivers\tgfdtq.sys probably a variant of Win32/Spy.Goldun.AXT trojan CF96CBE013475AFBCCE07AAD8EBA2CE6
C:\WINDOWS\LastGood\system32\drivers\fetnd5.sys probably a variant of Win32/Spy.Goldun.AXT trojan CF96CBE013475AFBCCE07AAD8EBA2CE6
C:\WINDOWS\LastGood\system32\drivers\rasirda.sys probably a variant of Win32/Spy.Goldun.AXT trojan CF96CBE013475AFBCCE07AAD8EBA2CE6
C:\Documents and Settings\user\Τα έγγραφά μου\Windows Password Cracker.exe Win32/Zalup trojan 151944A656EA412EE1494DBF27230021
C:\Documents and Settings\user\Τα έγγραφά μου\NetBIOS Cracker.exe Win32/Zalup trojan 151944A656EA412EE1494DBF27230021
C:\Documents and Settings\user\Τα έγγραφά μου\L0pht 4.0 Windows Password Cracker.exe Win32/Zalup trojan 151944A656EA412EE1494DBF27230021
C:\System Volume Information\_restore{70C64950-8CA4-4E7C-A44C-7855A4BC8A0D}\RP1\A0000140.sys probably a variant of Win32/Spy.Goldun.AXT trojan CF96CBE013475AFBCCE07AAD8EBA2CE6
C:\atestest\Brutus FTP Cracker.exe Win32/Zalup trojan 151944A656EA412EE1494DBF27230021
C:\atestest\L0pht 4.0 Windows Password Cracker.exe Win32/Zalup trojan 151944A656EA412EE1494DBF27230021
C:\atestest\sdbot with NetBIOS Spread.exe Win32/Zalup trojan 151944A656EA412EE1494DBF27230021

2
Contributors
5
Replies
6
Views
9 Years
Discussion Span
Last Post by jholland1964
0

Re-run ESET scanner and let it fix everything found.

The antivirus has updated correctly, automatically straight after reboot but tried to do it manually and it won’t update again.

Maybe there are no new updates available.
You said you ran MBA-M, may we see that log please. Open the program, click the Logs tab. You will find it there. Please post it here.

If a system is troubled, slow or has problems one must make sure all is in order BEFORE installing a new service pack.
PLEASE do NOT update the computer to XP SP3. You should NEVER update to a new service pack unless you can absolutely guarantee the computer is clean and free of infection.
The steps given HERE must be followed exactly before installing XP3.

0

Thanx, the problem that I was getting error messages when trying to update ie, I couldn't update, not that there were no updates.

Solved the problem my self.

0

the problem that I was getting error messages when trying to update ie, I couldn't update, not that there were no updates.Solved the problem my self.

That is NOT what you told us, what you told us was

Avast cannot update. I get the error message:

and the error message that you posted had nothing to do with an error updating ie
the error message was for Avast;

"...avast.setup has encountered a problem and needs to shut down..."
Problem signature as follows:
AppName: avast.setup

I think everyone would like to know HOW you solved this problem and why now you say the error was in updating ie. It would help others for sure.

I have read this over multiple times and here are some key sentences that you have written

I had AVG anti-virus. I found AVG to be a pain because I had to update it manually all the time. I download and install Avast antivirus.

BUT you do NOT say that you Uninstalled AVG at that time. THe way to do this, if you are downloading a new anti-virus program is yes, download the program but do not install it. Once it is downloaded then is when you UNINSTALL the previous anti-virus program When it is gone, install and update the new one.

I scan with Avast finds some viruses and I delete.

You should always Quarantine rather than delete, at least at first. Virus programs DO sometimes flag legitimate files as a virus or trojan. These are called "false positives". So when your anti-virus program finds an infection you are better off to Quarantine them at first. Wait a week or so, if no problems develop from this removal then go ahead and delete the quarantined items. These items flagged "could" have been portions on that AVG program still on the computer...the files may have looked similar to known trojans/viruses and since the program was still on the computer it was natural they would be flagged. Anti-virus programs have abilities to remove files, to alter files so they won't work, but so do trojans and viruses. Anti-virus programs are also somewhat intertwined with key system files at times so if it was this type of file the Avast was flagging then deleting them would also be deleting that portion of a key file and therefore corrupting or actually removing it.

I keep getting messages from Avast (whilst on-line) that there is a virus/worm/Trojan in my system. Delete every time.
This happens every ten minutes or so, with the same files being detected.
The next day (17/09/08), I turn on the computer, booted, and then selected my user name to log in to my account. It hanged. Turned off/on again several times and it would hang on the same point.
I managed to get in using the “last known configuration that worked” option.
I completely delete AVG antivirus.

So, for a portion of the time you were running two anti-virus programs on your computer, which could have been the cause of either the infection warning and the problem booting the computer, because of key files being removed.
But you finally can reboot using "last known congfiguration that worked" which would have been BEFORE the install of the Avast program but AFTER key files were either deleted or corrupted. There are times when last known configuration just cannot really "get you there" especially if key files have been damaged.
I would recommend that you download a NEW copy of Avast to your desktop. DO NOT install it, just download it to the desktop. Once you have done that THEN UNINSTALL that improperly working Avast program, via Add/Remove. THEN go to C:\Program Files\ and look for the Alwil Software folder and delete that if you find it. It may very well not be there since you will have all ready Uninstalled via Add/Remove. If you do find it, do delete it.
Once you have done that then go to that NEW Avast Install program and install it and update it. Try all that and see if it works ok.
But I would also like a list of the files which are missing AND I would like to see that MBA-M log.
Judy

0

The abbreviation i.e. stands for the Latin id est, which means "that is." It is followed by an explanation.
Sorry, it is my fault for not putting the fullstops in. I can understand how it is very confusing in an IT forum.

As for the rest, Thank You for your contribution.

0

Oh come on! I was an English major and worked for a newspaper, I KNOW what i.e. means! That is NOT what you wrote.

I can understand how it is very confusing in an IT forum.

That is one of the most patronizing answers I have ever received.
patronizing- i.e. assuming the manner of airs of a superior toward another. To treat in a condescending manner.
Next time you have problems with your computer consult the library.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.