
Virus found with Avast - unable to remove

Discussion in 'Malware and Virus Removal Archive' started by mosher, 2006/06/13.

  1. 2006/06/13
    mosher

    mosher Inactive Thread Starter

    Joined:
    2006/02/17
    Messages:
    16
    Likes Received:
    0
    Two days ago a Virus was found on my computer with Avast. However, I have been unable to remove the virus despite all of my attempts. I ran a thorough scan with Avast and deleted the problem files in both regular and safe mode. The virus name listed by Avast was "Win32: Adware [adw] ". I ran Ewido in safe mode and it logged the removal of 297 problems. However, I am still having the same problems. I think this is due to the System Restore which I cannot turn off. When I try to turn off System Restore in regular or safe mode I get the error (I am also unable to disable System Restore for individual partitions):

    The listed event log error is:

    Source = DCOM
    Type = Error
    Category = None
    Event ID = 10005

    I have searched the MS KB and the solutions did not solve the problem.

    After running the AV and Ewido in the Process Analysis of Ewido I am still getting the following two processes that indicate a virus (trojan):

    \??\C:\WINDOWS\System32\csrss.exe
    \??\C:\WINDOWS\System32\winlogon.exe

    the normal path should exclude the \??\

    I have run HJT and I can't find anything in the log that looks suspicious but I could be missing something. Also, looking at the process from HJT does not show the above two suspicious processes.

    However, ever since I ran the initial AV scan and restarted my computer all of my network connections were deleted and I am unable to recreate them to access the internet.

    One fix I found suggested a reinstall of Avast because I lost the icons for the background providers. However after the re-install I am still unable to see these icons. Also, I was unable to place the infected files in the Chest because I received an error that it was not communicating and thus my only option was to delete the files and run a boot time scan (which I did without success).

    The most recent HJT log is the following:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:12:16 PM, on 6/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\GetRight\getright.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\GetRight\getright.exe
    D:\OpenOffice.org1.1.4\program\soffice.exe
    C:\WINDOWS\system32\rundll32.exe
    D:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kofc.org/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\GetRight\xx2gr.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Startup: Folding@Home 5.03.lnk = ?
    O4 - Startup: OpenOffice.org 1.1.4.lnk = D:\OpenOffice.org1.1.4\program\quickstart.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = D:\GetRight\getright.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download with GetRight - D:\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - D:\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    I believe that this virus has been on my computer for quite a while because I noticed some other problems with my computer for a while including my last problem that I posted here concerning the inability to install my new DVD-CDRW and some minor functionality issues. However, these serious problems did not happen until I tried to remove this virus when detected by Avast.
     
    Last edited: 2006/06/13
  2. 2006/06/13
    mosher

    mosher Inactive Thread Starter

    Joined:
    2006/02/17
    Messages:
    16
    Likes Received:
    0
    Another thing

    Also I have just witnessed a Warning that states:

    followed by an Application Error (ewidoguard.exe)

    In the event log it is listed as:

    Source = Application Popup
    Category = None
    Type = Information
    Event ID = 26
     


  4. 2006/06/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hi mosher, and welcome.

    As there is nothing obvious in your logfile, let's get a back up scan from Trend Micro, and see what they find.

    TrendMicro™ HouseCall Java Scan
    • Please go HERE to run the Trend Micro™ HouseCall Scan.
    • Click Scan now. It's free!
    • Read and put a Check next to Yes I accept the terms of use.
    • Click the Launching HouseCall>> button.
    • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
    • You may receive a Security Warning about the TrendMicro Java applet, click YES.
    • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
    • Please be patient while it installs, updates, and scans your system.
    • Once the scan is complete, it will take you to the summary page.
    • Under Cleanup options, choose clean all detected infections automatically.
    • Click the Clean now>> button.
    • If anything was found you may be prompted to run the scan again, you can just close the browser window.

    And also, can you please provide for me the specific Ewido log that was generated.
     
  5. 2006/06/13
    mosher

    mosher Inactive Thread Starter

    Joined:
    2006/02/17
    Messages:
    16
    Likes Received:
    0
    I am unable to connect to the internet with the infected computer because of the Network Connections problems so unless I can download the scanner and transfer it with a jumpdrive then I am out of luck with House Call. However, the ewido report is the following

    ---------------------------------------------------------
    ewido anti-malware - Process report
    ---------------------------------------------------------

    + Created on: 4:52:59 PM, 6/13/2006
    + Report-Checksum: A2BD191D

    0: System Process
    4: System Process
    168: C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    180: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    204: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    212: C:\Program Files\QuickTime\qttask.exe
    224: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    252: C:\WINDOWS\system32\ctfmon.exe
    332: D:\GetRight\getright.exe
    340: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    388: C:\WINDOWS\system32\rundll32.exe
    396: D:\GetRight\getright.exe
    484: D:\OpenOffice.org1.1.4\program\soffice.exe
    656: \SystemRoot\System32\smss.exe
    708: \??\C:\WINDOWS\system32\csrss.exe
    732: \??\C:\WINDOWS\system32\winlogon.exe
    776: C:\WINDOWS\system32\services.exe
    788: C:\WINDOWS\system32\lsass.exe
    944: C:\WINDOWS\system32\Ati2evxx.exe
    956: C:\WINDOWS\system32\svchost.exe
    1028: C:\WINDOWS\system32\svchost.exe
    1112: C:\WINDOWS\System32\svchost.exe
    1168: C:\WINDOWS\System32\svchost.exe
    1204: C:\WINDOWS\System32\svchost.exe
    1420: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    1452: C:\Program Files\ewido anti-malware\ewidoctrl.exe
    1464: C:\Program Files\ewido anti-malware\SecuritySuite.exe
    1508: C:\Program Files\Ahead\InCD\InCDsrv.exe
    1804: C:\WINDOWS\System32\rsvp.exe
    1836: C:\WINDOWS\system32\Ati2evxx.exe
    1888: C:\WINDOWS\Explorer.EXE
    1924: C:\WINDOWS\system32\mmc.exe
    1960: C:\Program Files\ewido anti-malware\ewidoguard.exe
    2008: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    2016: C:\Program Files\Ahead\InCD\InCD.exe

    If you notice the only avast system that is running is the Update Service even though I did a full re-install.
     
  6. 2006/06/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, it looks to me that for some reason, Ewido gives those two processes that file path probably due to some type of reading error, because they are the same in each and every single Ewido process report I could find, and none were deemed malicious.

    Also, I need to see what Ewido removed from your system or said was suspicious, that was just a process list.

    To be honest this appears more of a technical problem than a virus or Trojan.

    Does Avast have any type of restore capabilities? Perhaps what you deleted were system required files.

    Provide the specific Avast logs\findings so we can get a better picture of what you have already done.
     
  7. 2006/06/13
    mosher

    mosher Inactive Thread Starter

    Joined:
    2006/02/17
    Messages:
    16
    Likes Received:
    0
    I am unable to bring up a log that has all the list of files that Avast deleted because of the re-install. I had a friend do it for me over the phone (I was out of the office) and didn't think of asking him to back up the log file.

    Also, my version of Ewido does not offer an option to list all of the problem files it detected. However, looking through the quarantine list it seems as if it is only a group of cookies that seem benign. The exception to this are the files:

    NDNuninstall6_38.exe which is listed as a Medium risk and Infected with Adware.NewDotNet

    and

    uninstall6_38.exe which is listed as a Medium risk and Infected with Adware.NewDotNet

    I will run sfc/scannow to see if some of my problems are fixed.

    Also, concerning the csrss.exe and winlogon.exe file with the extension having a value of \??\ according to the Ewido Process List the following site lists the problem as being directly related to one of four trojans. That is why I am concerned. The link to that site is the following:

    http://www.answersthatwork.com/Tasklist_pages/tasklist_c.htm

    scroll down to csrss and it lists one as a normal windows file and the other as malicious.
     
  8. 2006/06/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    The things in quarantine are what you detected and removed, I'd assume you would allow it to remove all you were confident of removing.

    And that link at ATW, it is the only link I can find saying the files could be a virus, no other links to any av sites, so there is my rationale for thinking the process listing in Ewido is just incorrect. And as I stated, all the other logs I saw, listed those two running processes the same manner and no one had any viruses.

    Let me know how the scannow runs. If you get that machine online, you can scan those files, or the entire system.
     
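The `\??\` prefix that worried the thread starter, checked mechanically: this is an added example, not Ewido's or avast's code. It parses process-report lines in the format quoted above, strips the NT object-manager prefix (`\??\`) and the `\SystemRoot` link that early-boot processes such as smss, csrss and winlogon are legitimately started with, and flags only a core binary whose resolved path lies outside the system directory. The core-process set and the sample lines (including one invented out-of-place entry) are assumptions constructed for the example.

```python
import re

# Windows core processes that, on XP, should only run from the system
# directory. This set is an assumption for the example, not an Ewido list.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "lsass.exe"}

# Constructed sample in the format of the Ewido "Process report" quoted in
# the thread; the last line is an invented out-of-place copy to show a hit.
SAMPLE_REPORT = r"""
656: \SystemRoot\System32\smss.exe
708: \??\C:\WINDOWS\system32\csrss.exe
732: \??\C:\WINDOWS\system32\winlogon.exe
776: C:\WINDOWS\system32\services.exe
788: C:\WINDOWS\system32\lsass.exe
1924: C:\WINDOWS\system32\mmc.exe
4242: C:\WINDOWS\Temp\csrss.exe
"""

# "PID: path" lines; anything else in the report is ignored.
LINE_RE = re.compile(r"^\s*(\d+):\s+(.+?)\s*$")


def normalize_nt_path(path, system_root=r"C:\WINDOWS"):
    """Turn an NT object-manager style path into a plain, lowercase Win32 path."""
    # \??\ is the object-manager prefix for DOS device names (and \\?\ is the
    # Win32 long-path form); \SystemRoot is the symbolic link to the Windows
    # directory. Early-boot processes are started with these native paths,
    # so the prefix by itself is not evidence of tampering.
    p = path.strip()
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    if p.lower().startswith("\\systemroot"):
        p = system_root + p[len("\\systemroot"):]
    return p.lower()          # NTFS paths compare case-insensitively


def parse_report(text):
    """Yield (pid, raw_path) pairs from Ewido-style 'PID: path' lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def check_core_processes(text, system_root=r"C:\WINDOWS"):
    """Return (pid, normalized_path, verdict) for every core process listed.

    The verdict is 'expected' when the binary resolves to the system32
    directory and 'unexpected location' otherwise.
    """
    expected_dir = (system_root + "\\system32\\").lower()
    results = []
    for pid, raw in parse_report(text):
        path = normalize_nt_path(raw, system_root)
        name = path.rsplit("\\", 1)[-1]
        if name not in CORE_PROCESSES:
            continue
        verdict = "expected" if path == expected_dir + name else "unexpected location"
        results.append((pid, path, verdict))
    return results


if __name__ == "__main__":
    for pid, path, verdict in check_core_processes(SAMPLE_REPORT):
        print(f"{pid:>5}  {verdict:<20}  {path}")
```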
  9. 2006/06/13
    mosher

    mosher Inactive Thread Starter

    Joined:
    2006/02/17
    Messages:
    16
    Likes Received:
    0

    Yes, I was comfortable with all the changes that ewido made. However, I am concerned about the Avast deletions (obviously). The reason why I opted to delete as opposed to move to the chest was because I could not choose the move to chest option.

    Now, maybe we are looking at this the wrong way. One of the initial problems was that the System Restore could not be turned off. What would cause System Restore to not turn off keeping in mind the AV was detecting a virus with the general name Win32: Adware [adw]?

    BTW: sfc didn't help. The problems I have noticed so far are the following:

    1. Serious hanging at Start-up and Log-off of Windows
    2. System Properties takes at least 5 minutes to activate
    3. Network Connections not visible
    4. Unable to create new Network Connections (even through the wizard)
    5. Unable to cut and paste programs from the HD to Removable Drive
    6. Minimized windows and programs do not appear in Task Bar
    7. Background AV and Anti-Malware systems crash or do not load
    8. Search does not load
    9. System Restore will not disable
    10. System Restore will not run if an attempt is made to revert to last restore point.
    11. All problems are in Safe Mode and Regular Mode
    12. sfc/scannow does not solve the problem
    13. Inside AV transfer of infected files to chest not allowed
     
  10. 2006/06/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Have you tried using 'Last Known Good Configuration' yet? It is one of the options when accessing 'Safe Mode'.

    You can also try and run chkdsk /f /r . Quite honestly, I am out of my area of knowledge at this point, as I'm fairly certain this is not malware related, but more related to what you removed with Avast. Let me point this thread to a couple of others here on the forum and see what they have to say.

    Link for chkdsk:
    http://www.updatexp.com/windows-xp-chkdsk.html

    Let me know how that all goes.

    Tom
     
  11. 2006/06/14
    mosher

    mosher Inactive Thread Starter

    Joined:
    2006/02/17
    Messages:
    16
    Likes Received:
    0
    Thank you very much for your help however I have resolved to just format and reinstall XP considering that there are so many problems that seem to get worse each time I reboot. Perhaps if I do this it will solve some of the other functionality problems that I was having even before this whole mess. I will post with any other problems that I run into.

    Also, please, if someone can solve this problem with the information provided please do. This will help anyone else that finds themselves in this situation in the future.
     
  12. 2006/06/14
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    mosher

    Having read through your thread I feel that your best option is a reinstall of XP. I would not recommend a repair installation, although you would lose nothing by giving it a try first.

    Before you do so, back up your data to an external source. If you cannot do so on this computer hitch the drive up as slave in another computer and copy the data off.

    I would also suggest that you download the disk diagnostics software from the drive manufacturer and check out the drive. You will need to use another computer for the download.
     
  13. 2006/06/14
    mosher

    mosher Inactive Thread Starter

    Joined:
    2006/02/17
    Messages:
    16
    Likes Received:
    0

    Thank you,

    That was exactly what I concluded myself. So, I reformatted and reinstalled fresh - and I must say it is like being able to breathe again.
     
