
Thread: Infected by trojan and possibly others

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Posts
    7

    Infected by trojan and possibly others

    hello,
    I ran Spybot but didn't find any problems, but avast! antivirus detected several files that were infected, which I placed in the avast! virus chest. I don't know what to do with them in the chest. There was one in particular that came up many times even after placing in the chest:
    flsmontr.exe infected by Win32:Inject-DC.
    I didn't want to update windows with sp2 until the computer is clean. If you could help, I'd appreciate it. The HJT and Kaspersky reports follow. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:45:17 PM, on 11/16/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Documents and Settings\~Ammy~\My Documents\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/
    R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\~Ammy~\My Documents\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
    O4 - HKCU\..\Run: [Intel Audio Studio V2.0] C:\WINDOWS\fmideploy.exe
    O4 - HKCU\..\Run: [Audio Studio V2.8] C:\WINDOWS\flsmontr.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
    O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195099123474
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195099301890
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 5466 bytes

  2. #2
    Junior Member
    Join Date
    Nov 2007
    Posts
    7

    Kaspersky report

    Here is the Kaspersky report:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, November 16, 2007 8:43:39 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 17/11/2007
    Kaspersky Anti-Virus database records: 460707
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 26665
    Number of viruses found: 3
    Number of infected objects: 9
    Number of suspicious objects: 0
    Duration of the scan process: 00:43:12

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\History\History.IE5\MSHist012007111620071117\index.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\Temp\~DFB905.tmp Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Elmer\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Elmer\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe/WISE0044.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe/WISE0044.BIN/stream Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe/WISE0044.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe WiseSFX: infected - 3 skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe WiseSFX Dropper: infected - 3 skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\esitserv.dll Infected: Backdoor.Win32.Agent.cjf skipped
    C:\WINDOWS\ncscolib.dll Infected: Backdoor.Win32.Agent.cjf skipped
    C:\WINDOWS\rvxutil32.dll Infected: Backdoor.Win32.Agent.cjf skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{5127C689-EDCB-4A32-89E2-E3166C239FE2}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\etc\hosts.sam Infected: Trojan.Win32.Qhost.vt skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_434.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  3. #3
    In Memoriam - Always in our heart pskelley
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I'll give it a try, you have junk I have never seen before, probably from bearshare p2p sharing.

    If you want help, read and follow the directions. Kaspersky scan first:

    Infected music files, you need to figure out how to delete them.
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe/WISE0044.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe/WISE0044.BIN/stream Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe/WISE0044.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe WiseSFX: infected - 3 skipped
    C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe WiseSFX Dropper: infected - 3 skipped


    You have an infected hosts file:
    C:\WINDOWS\system32\drivers\etc\hosts.sam Infected: Trojan.Win32.Qhost.vt skipped

    follow these directions:
    Download HostsXpert v4.1 - Hosts File Manager.
    http://www.funkytoad.com/download/HostsXpert.zip
    Unzip HostsXpert - Hosts File Manager to a convenient folder such as C:\HostsXpert
    Click HostsXpert.exe to Run HostsXpert 4.1 - Hosts File Manager from its new home
    Click "Make Hosts Writable?" in the upper right corner (If available).
    Click Restore Microsoft's Hosts file and then click OK.
    Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Do this in the numbered order:


    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) TeaTimer will block changes we must make, use these instructions to turn it off until we are done.
    http://russelltexas.com/malware/teatimer.htm

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
    O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
    O4 - HKCU\..\Run: [Intel Audio Studio V2.0] C:\WINDOWS\fmideploy.exe
    O4 - HKCU\..\Run: [Audio Studio V2.8] C:\WINDOWS\flsmontr.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    5) RIGHT Click on Start then click on Explore. Locate and delete these files in red

    C:\WINDOWS\esitserv.dll
    C:\WINDOWS\ncscolib.dll
    C:\WINDOWS\rvxutil32.dll
    C:\WINDOWS\runtfs32.exe
    C:\WINDOWS\fmideploy.exe
    C:\WINDOWS\flsmontr.exe


    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Empty the Recycle Bin, restart the computer and post a new HJT log. Tell me how the computer is running.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
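
One way to arrive at a shortlist of autostart lines like the one in step 4, as an added example that is not part of the original thread: correlate the `O4` Run entries from the HijackThis log with the folders in which the Kaspersky report marked a file `Infected:`. The sample lines are copied from the two logs posted above; the "same folder as a detection" rule and the function names are assumptions of this example, a triage lead rather than the helper's stated method.

```python
import ntpath
import re

# Sample input: lines copied from the HijackThis and Kaspersky logs posted above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\~Ammy~\My Documents\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
O4 - HKCU\..\Run: [Intel Audio Studio V2.0] C:\WINDOWS\fmideploy.exe
O4 - HKCU\..\Run: [Audio Studio V2.8] C:\WINDOWS\flsmontr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

KASPERSKY_REPORT = r"""
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\Documents and Settings\~Ammy~\My Documents\My Music\ammy's music downloads\BearShareV6.exe/WISE0044.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
C:\WINDOWS\esitserv.dll Infected: Backdoor.Win32.Agent.cjf skipped
C:\WINDOWS\ncscolib.dll Infected: Backdoor.Win32.Agent.cjf skipped
C:\WINDOWS\rvxutil32.dll Infected: Backdoor.Win32.Agent.cjf skipped
C:\WINDOWS\system32\drivers\etc\hosts.sam Infected: Trojan.Win32.Qhost.vt skipped
"""

# "O4 - HKCU\..\Run: [value name] command line"
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.+)$")
# Target is either a quoted path, or an unquoted path ending at the first ".exe".
TARGET_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)


def infected_dirs(report):
    """Map each folder holding a detection to the detection names found there."""
    dirs = {}
    for line in report.splitlines():
        path, sep, rest = line.strip().partition(" Infected: ")
        if not sep:
            continue  # "Object is locked" lines are not detections
        container = path.split("/", 1)[0]  # archive member: keep the outer file
        detection = rest.rsplit(" ", 1)[0]  # drop the trailing action ("skipped")
        folder = ntpath.normcase(ntpath.dirname(container))
        dirs.setdefault(folder, set()).add(detection)
    return dirs


def run_entries(hjt_log):
    """Parse registry Run-key autostarts (O4 lines) into (hive, name, target)."""
    entries = []
    for line in hjt_log.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        t = TARGET_RE.match(m.group(3))
        if t:
            entries.append((m.group(1), m.group(2), t.group(1) or t.group(2)))
    return entries


def correlate(hjt_log, report):
    """Return Run entries whose target sits in a folder that also holds a detection."""
    hot = infected_dirs(report)
    findings = []
    for hive, name, target in run_entries(hjt_log):
        folder = ntpath.normcase(ntpath.dirname(target))
        if folder in hot:
            findings.append((hive, name, target, sorted(hot[folder])))
    return findings


if __name__ == "__main__":
    for hive, name, target, detections in correlate(HJT_LOG, KASPERSKY_REPORT):
        print(f"{hive} Run [{name}] -> {target} (same folder as: {', '.join(detections)})")
```

A match only means the autostart target shares a folder with a detected file, so each hit still needs checking before anything is removed.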

  4. #4
    Junior Member
    Join Date
    Nov 2007
    Posts
    7


    Thank you for responding. I did as you told me and the computer seems to be ok, I can't see any problems. Should I run Kaspersky scan again to see if all the infections are gone? What should I do with the files that I have in the avast! chest? The new HJT report is as follows:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:58:28 PM, on 11/21/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\~Ammy~\My Documents\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\~Ammy~\My Documents\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195099123474
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195099301890
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 4202 bytes

  5. #5
    In Memoriam - Always in our heart pskelley
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for the feedback, you asked questions, this one:
    What should I do with the files that I have in the avast! chest?
    sounds like their version of a quarantine folder. If that is where they put bad stuff they can't delete, clean out whatever is in there and remember to empty your Recycle Bin.

    This is a line that got missed in the HJT log, it is not malware just clutter. Use HJT to remove it if you wish.
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

    Please do run another Kaspersky scan and use these settings:

    Run this online scan using Internet Explorer:
    Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

    Next Click on Launch Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here.

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    Nov 2007
    Posts
    7


    hello phil, I ran Kaspersky scan as you asked and it seems like the host file is still infected by a trojan virus. Well here's the Kaspersky report:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, November 22, 2007 4:04:30 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 23/11/2007
    Kaspersky Anti-Virus database records: 435314
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 29020
    Number of viruses found: 1
    Number of infected objects: 1
    Number of suspicious objects: 0
    Duration of the scan process: 00:46:34

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\History\History.IE5\MSHist012007112220071123\index.dat Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\Temp\~DFD887.tmp Object is locked skipped
    C:\Documents and Settings\Elmer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Elmer\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Elmer\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\etc\hosts.sam Infected: Trojan.Win32.Qhost.vt skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_47c.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  7. #7
    In Memoriam - Always in our heart pskelley
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for returning the information and the feedback. You were able to follow the instructions in my post #3 to do this:
    Click Restore Microsoft's Hosts file and then click OK.
    were you not? If so, let me have a look at the hosts file and if it is extremely large you may post it as an attachment.

    To view the Hosts file:
    Start -> Run -> Copy the following to the box and hit enter:
    C:\WINDOWS\System32\drivers\etc\HOSTS

    A window opens, choose Notepad from the list and hit OK.

    A notepad document opens, copy the contents to here

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Nov 2007
    Posts
    7


    hello, I did as you asked and here is the info:
    # Copyright © 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    #
    127.0.0.1 localhost

    What I did notice is that if I went ahead and typed the file you asked, as I got to the end where I typed "hosts", several other files were listed for me to choose from like:
    C:\WINDOWS\System32\drivers\etc\hosts.2007112-213317.backup
    C:\WINDOWS\System32\drivers\etc\hosts.2007112-213318.backup
    C:\WINDOWS\System32\drivers\etc\hosts.2007112-222139.backup
    C:\WINDOWS\System32\drivers\etc\hosts.2007112-223352.backup
    C:\WINDOWS\System32\drivers\etc\hosts.2007113-195128.backup
    C:\WINDOWS\System32\drivers\etc\hosts.2007113-195129.backup
    and several like those above but the last one was:
    C:\WINDOWS\System32\drivers\etc\hosts.sam
    Hope that helps out.

  9. #9
    In Memoriam - Always in our heart pskelley
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    No it does not, I have not seen a Hosts file like this before, here is some information to look over.
    http://www.google.com/search?hl=en&q...am&btnG=Search

    I don't know why those backups or the hosts.samples are there, do you have any idea?

    I don't much like fooling around in the hosts file. I think we can just navigate to here:

    C:\WINDOWS\System32\drivers\etc\ <<< in that folder and tell me what files are in there.
    One file will look like this: hosts.sam Open that file with Notepad and copy/paste the contents here, if it is a huge file, then attach it, that seems to be the problem file.

    I am also interested in how the computer is performing, any issues?

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Nov 2007
    Posts
    7


    The following is what is in the etc folder:
    Name Size Type Date Modified

    hosts 1 KB File 11/24/2007 11:46 AM
    hosts.20071112-213317.backup 7 KB BACKUP File 11/12/2007 9:33 PM
    hosts.20071112-213318.backup 7 KB BACKUP File 11/12/2007 9:33 PM
    hosts.20071112-222139.backup 5 KB BACKUP File 11/12/2007 9:33 PM
    hosts.20071112-223352.backup 4 KB BACKUP File 11/12/2007 10:21 PM
    hosts.20071113-195128.backup 212 KB BACKUP File 11/12/2007 10:33 PM
    hosts.20071113-195129.backup 212 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071113-195130.backup 212 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071113-195131.backup 212 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071113-195132.backup 212 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071113-195133.backup 211 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071113-195134.backup 211 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071113-195135.backup 211 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071113-195136.backup 210 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071113-195137.backup 210 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071114-183226.backup 210 KB BACKUP File 11/13/2007 7:51 PM
    hosts.20071114-183227.backup 209 KB BACKUP File 11/14/2007 6:32 PM
    hosts.20071114-183228.backup 209 KB BACKUP File 11/14/2007 6:32 PM
    hosts.20071114-183298.backup 209 KB BACKUP File 11/14/2007 6:32 PM
    hosts.20071116-122355.backup 209 KB BACKUP File 11/14/2007 6:32 PM
    hosts.20071116-183803.backup 209 KB BACKUP File 11/16/2007 12:23 PM
    hosts.sam 7 KB SAM File 10/31/2007 4:29 PM
    lmhosts.sam 4 KB SAM File 8/23/2001 4:00 AM
    networks 1 KB File 8/23/2001 4:00 AM
    protocol 1 KB File 8/23/2001 4:00 AM
    services 7 KB File 8/23/2001 4:00 AM

    And here is what is in the hosts.sam file:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    0.0.0.0 ad.doubleclick.net
    0.0.0.0 ad.fastclick.net
    0.0.0.0 ads.fastclick.net
    0.0.0.0 ar.atwola.com
    0.0.0.0 atdmt.com
    0.0.0.0 avp.ch
    0.0.0.0 avp.com
    0.0.0.0 avp.ru
    0.0.0.0 awaps.net
    0.0.0.0 banner.fastclick.net
    0.0.0.0 banners.fastclick.net
    0.0.0.0 ca.com
    0.0.0.0 click.atdmt.com
    0.0.0.0 clicks.atdmt.com
    0.0.0.0 dispatch.mcafee.com
    0.0.0.0 download.mcafee.com
    0.0.0.0 download.microsoft.com
    0.0.0.0 downloads.microsoft.com
    0.0.0.0 engine.awaps.net
    0.0.0.0 fastclick.net
    0.0.0.0 f-secure.com
    0.0.0.0 ftp.f-secure.com
    0.0.0.0 ftp.sophos.com
    0.0.0.0 go.microsoft.com
    0.0.0.0 liveupdate.symantec.com
    0.0.0.0 mast.mcafee.com
    0.0.0.0 mcafee.com
    0.0.0.0 media.fastclick.net
    0.0.0.0 msdn.microsoft.com
    0.0.0.0 my-etrust.com
    0.0.0.0 nai.com
    0.0.0.0 networkassociates.com
    0.0.0.0 office.microsoft.com
    0.0.0.0 phx.corporate-ir.net
    0.0.0.0 secure.nai.com
    0.0.0.0 securityresponse.symantec.com
    0.0.0.0 service1.symantec.com
    0.0.0.0 sophos.com
    0.0.0.0 spd.atdmt.com
    0.0.0.0 support.microsoft.com
    0.0.0.0 symantec.com
    0.0.0.0 update.symantec.com
    0.0.0.0 updates.symantec.com
    0.0.0.0 us.mcafee.com
    0.0.0.0 vil.nai.com
    0.0.0.0 viruslist.ru
    0.0.0.0 windowsupdate.microsoft.com
    0.0.0.0 www.avp.ch
    0.0.0.0 www.avp.com
    0.0.0.0 www.avp.ru
    0.0.0.0 www.awaps.net
    0.0.0.0 www.ca.com
    0.0.0.0 www.fastclick.net
    0.0.0.0 www.f-secure.com
    0.0.0.0 www.kaspersky.ru
    0.0.0.0 www.mcafee.com
    0.0.0.0 www.my-etrust.com
    0.0.0.0 www.nai.com
    0.0.0.0 www.networkassociates.com
    0.0.0.0 www.sophos.com
    0.0.0.0 www.symantec.com
    0.0.0.0 www.trendmicro.com
    0.0.0.0 www.viruslist.ru
    0.0.0.0 ftp://ftp.kasperskylab.ru/updates/
    0.0.0.0 ftp://ftp.avp.ch/updates/
    0.0.0.0 http://www.kaspersky.ru/updates/
    0.0.0.0 http://updates1.kaspersky-labs.com/updates/
    0.0.0.0 http://updates3.kaspersky-labs.com/updates/
    0.0.0.0 http://updates4.kaspersky-labs.com/updates/
    0.0.0.0 http://updates2.kaspersky-labs.com/updates/
    0.0.0.0 http://updates5.kaspersky-labs.com/updates/
    0.0.0.0 http://downloads1.kaspersky-labs.com/updates/
    0.0.0.0 http://www.kaspersky-labs.com/updates/
    0.0.0.0 ftp://updates3.kaspersky-labs.com/updates/
    0.0.0.0 ftp://downloads1.kaspersky-labs.com/updates/
    0.0.0.0 www3.ca.com
    0.0.0.0 ids.kaspersky-labs.com
    0.0.0.0 downloads2.kaspersky-labs.com
    0.0.0.0 downloads1.kaspersky-labs.com
    0.0.0.0 downloads3.kaspersky-labs.com
    0.0.0.0 downloads4.kaspersky-labs.com
    0.0.0.0 d-ru-1f.kaspersky-labs.com
    0.0.0.0 d-ru-1h.kaspersky-labs.com
    0.0.0.0 d-ru-2f.kaspersky-labs.com
    0.0.0.0 d-ru-2h.kaspersky-labs.com
    0.0.0.0 d-eu-2f.kaspersky-labs.com
    0.0.0.0 d-eu-2h.kaspersky-labs.com
    0.0.0.0 d-eu-1f.kaspersky-labs.com
    0.0.0.0 d-eu-1h.kaspersky-labs.com
    0.0.0.0 d-us-1f.kaspersky-labs.com
    0.0.0.0 d-us-1h.kaspersky-labs.com
    0.0.0.0 liveupdate.symantecliveupdate.com
    0.0.0.0 liveupdate.symantec.com
    0.0.0.0 update.symantec.com
    0.0.0.0 download.mcafee.com
    0.0.0.0 www.symantec.com
    0.0.0.0 securityresponse.symantec.com
    0.0.0.0 symantec.com
    0.0.0.0 www.sophos.com
    0.0.0.0 sophos.com
    0.0.0.0 www.mcafee.com
    0.0.0.0 mcafee.com
    0.0.0.0 liveupdate.symantecliveupdate.com
    0.0.0.0 www.viruslist.com
    0.0.0.0 viruslist.com
    0.0.0.0 f-secure.com
    0.0.0.0 www.f-secure.com
    0.0.0.0 kaspersky.com
    0.0.0.0 kaspersky-labs.com
    0.0.0.0 www.avp.com
    0.0.0.0 www.kaspersky.com
    0.0.0.0 avp.com
    0.0.0.0 www.networkassociates.com
    0.0.0.0 networkassociates.com
    0.0.0.0 www.ca.com
    0.0.0.0 ca.com
    0.0.0.0 mast.mcafee.com
    0.0.0.0 my-etrust.com
    0.0.0.0 www.my-etrust.com
    0.0.0.0 download.mcafee.com
    0.0.0.0 dispatch.mcafee.com
    0.0.0.0 secure.nai.com
    0.0.0.0 nai.com
    0.0.0.0 www.nai.com
    0.0.0.0 update.symantec.com
    0.0.0.0 updates.symantec.com
    0.0.0.0 us.mcafee.com
    0.0.0.0 liveupdate.symantec.com
    0.0.0.0 customer.symantec.com
    0.0.0.0 rads.mcafee.com
    0.0.0.0 trendmicro.com
    0.0.0.0 www.trendmicro.com
    0.0.0.0 www.grisoft.com
    #
    0.0.0.0 nod32.com
    0.0.0.0 www.nod32.com
    0.0.0.0 eset.casablanca.cz
    0.0.0.0 updates1.kaspersky.com
    0.0.0.0 updates2.kaspersky.com
    0.0.0.0 updates3.kaspersky.com
    0.0.0.0 updates-us1.kaspersky.com
    0.0.0.0 downloads1.kaspersky.com
    0.0.0.0 downloads-us1.kaspersky.com
    0.0.0.0 norton.com
    0.0.0.0 www.norton.com
    0.0.0.0 u2.eset.com
    0.0.0.0 u3.eset.com
    0.0.0.0 u4.eset.com
    0.0.0.0 u7.eset.com
    0.0.0.0 v27.eset.com
    0.0.0.0 ts99.eset.com
    0.0.0.0 eset.com
    0.0.0.0 www.eset.com
    0.0.0.0 www.norman.com
    0.0.0.0 sandbox.norman.com
    0.0.0.0 norman.com
    0.0.0.0 virus.org
    0.0.0.0 www.virus.org
    0.0.0.0 scanner.virus.org
    0.0.0.0 virustotal.com
    0.0.0.0 www.virustotal.com
    0.0.0.0 virusalert.nl
    0.0.0.0 antivirus.pagina.nl
    0.0.0.0 perantivirus.com
    0.0.0.0 www.virusalert.nl
    0.0.0.0 www.antivirus.pagina.nl
    0.0.0.0 www.perantivirus.com
    0.0.0.0 bitdefender.com
    0.0.0.0 www.bitdefender.com
    0.0.0.0 upgrade.bitdefender.com
    0.0.0.0 dnl-us1.kaspersky-labs.com
    0.0.0.0 dnl-us2.kaspersky-labs.com
    0.0.0.0 dnl-us3.kaspersky-labs.com
    0.0.0.0 dnl-us4.kaspersky-labs.com
    0.0.0.0 dnl-us5.kaspersky-labs.com
    0.0.0.0 dnl-us6.kaspersky-labs.com
    0.0.0.0 dnl-us7.kaspersky-labs.com
    0.0.0.0 dnl-us8.kaspersky-labs.com
    0.0.0.0 dnl-us9.kaspersky-labs.com
    0.0.0.0 dnl-us10.kaspersky-labs.com

    This is what I did after the above: If I opened Spybot-S&D and selected to Immunize and then checked the hosts file, I found a lot of entries. If I then ran HostsXpert 4.2 (not 4.1 cause I guess that's the new one) and clicked Restore MS Hosts File, and then checked the hosts file I found the same thing like the one I posted previously which is just the local host. Should I just not run HostsXpert cause it seems to be deleting everything that Spybot put except local host? How can I post or attach the hosts file (after Spybot's Immunize but before HostsXpert) because it is beyond the attachment limit of 19.5 KB, it is about 209 KB?
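
An added example, not part of the thread and not code from any tool mentioned in it: a small Python auditor that separates ordinary blocklist entries in a hosts file from entries that sink antivirus or update sites, entries whose name field is a URL rather than a host name, duplicates, and names pointed at a non-loopback address. The suffix list, the verdict labels and the sample text are assumptions made for illustration; the sample is constructed in the shape of the hosts.sam posted above.

```python
import re

# Assumption: suffixes chosen for illustration from names in the posted hosts.sam.
SECURITY_SUFFIXES = ("microsoft.com", "symantec.com", "mcafee.com", "sophos.com",
                     "kaspersky.com", "kaspersky-labs.com", "f-secure.com", "trendmicro.com")
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}
HOSTNAME_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)*$")

# Constructed sample in the shape of the posted file (not the poster's data).
SAMPLE = """\
# sample HOSTS file
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.symantec.com
0.0.0.0 windowsupdate.microsoft.com
0.0.0.0 http://www.kaspersky.ru/updates/
0.0.0.0 www.symantec.com
192.0.2.10 www.example.com   # name pointed at a non-loopback address
"""

def is_security_host(name):
    return any(name == s or name.endswith("." + s) for s in SECURITY_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, address, name, verdict) for each mapping in hosts-format text."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                            # blank, comment-only or incomplete line
        addr = entry[0]
        for name in (n.lower() for n in entry[1:]):
            if name == "localhost" and addr in ("127.0.0.1", "::1"):
                continue                        # the one entry a default file carries
            if not HOSTNAME_RE.match(name):
                verdict = "invalid-name"        # e.g. a URL; entries match host names only
            elif (addr, name) in seen:
                verdict = "duplicate"
            elif addr in SINK_ADDRS and is_security_host(name):
                verdict = "blocks-security-site"
            elif addr in SINK_ADDRS:
                verdict = "blocklist"
            else:
                verdict = "redirect"            # name resolves to a chosen remote address
            seen.add((addr, name))
            findings.append((line_no, addr, name, verdict))
    return findings

if __name__ == "__main__":
    print(*audit_hosts(SAMPLE), sep="\n")
```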
