I need help with a virus problem

[tandkand3a]

I ran a virus scan with AVG 6.0 and this is a list of all that was found.  I have tried to remove them with AVG and it says they can't be removed.  I don't have a clue on how to get rid of them.  I have tried to search the help sites with no luck.  I have not found these virus names on any site.  If someone knows how I can remove them please let me know.  Thanks!!

Results of Complete Test, date and time 9/28/2004 1:01:40 :

Testing C:\ volume LOCAL DISK serial 3938-1B06
C:\_RESTORE\TEMP\A0043201.0 Downloader.Alchemic.A
C:\_RESTORE\TEMP\A0043208.0 Downloader.Agent.2.AA
C:\_RESTORE\TEMP\A0044523.0 Downloader.Istbar.4.AD
C:\_RESTORE\TEMP\A0044526.0 Downloader.Alchemic.A
C:\_RESTORE\TEMP\A0044527.0 Downloader.Agent.AS
C:\_RESTORE\TEMP\A0044528.0 Downloader.Istbar.4.H
C:\_RESTORE\TEMP\A0044868.0 Downloader.Dyfica.2.AB
C:\_RESTORE\TEMP\A0044871.0 Downloader.Dyfica.2.AB
C:\_RESTORE\TEMP\A0044874.CPY Downloader.Istbar.4.AM
C:\_RESTORE\TEMP\A0049167.0 Downloader.Dyfica.2.AA
C:\_RESTORE\TEMP\A0049168.0 Downloader.Agent.2.AA
C:\_RESTORE\TEMP\A0049169.0 Downloader.Dyfica.2.AC
C:\_RESTORE\TEMP\A0051764.0 Downloader.Dyfica.2.AK
C:\_RESTORE\TEMP\A0051765.0 Downloader.Dyfica.2.AE
C:\_RESTORE\TEMP\A0051766.0 Downloader.Dyfica.2.AE
C:\WINDOWS\TEMP\HPOTDD000.log Cannot open; not checked!

Test finished, duration 00:10:20.7 s
12197 objects tested, 15 found infected

[dl65]

tandkand3a....I do not believe the items you listed are viruses ....but rather spyware , malware , adware and possibly page hijackers. ( pests )

ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.

I would suggest D/L  Ad-Aware SE and Spybot and then
watch them run......lol
Have you not looked for them in the path which your AV gave you.......because thats where they are .
Have you noticed anything else odd about the way your pc is running ?
You failed to mention what operating system you have .

let us know
dl65  

[tandkand3a]

My OS is Windows ME.  I check and install updates on a regular basis.  I also run Ad-aware SE and Spybot.  Both of those scans show the computer as clean.  

[tandkand3a]

I have tried to search for the files and can't find them on the computer.  They are gone or I am not looking in the right place.  I have not experienced any problems with my computer, it seems to be operating normal.  Should I run Hijackthis?  

[dl65]

tandkand3a......

TROJ_ALCHEMIC.A     ......trojan
This memory resident Trojan is capable of downloading and installing additional applications without first notifying the user. The downloaded file may be updates to other adware programs.

It may act as a Browser Helper Object (BHO), which is able to monitor all Web sites visited. It may also display popup advertisements.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Dyfica.2.AB  ....... another trojan
Agent.2.AA  ....... another trojan
Istbar.4.AD ........ yet another trojan

Try this:
Remove Trojan horse Downloader.Istbar.4.H this way:
*Close all programs.
*Turn off System Restore
*Run AVG Complete Scan
*Turn on System Restore.
If you can't find Trojan horse Downloader.Istbar.4.G, AVG may have moved it to the Virus Vault. Check the Virus Vault.

Disabling System Restore on Windows ME
In Windows Millenium there is  System Restore. Windows ME creates backup copies of the essential system files so they can be restored if they get corrupted. Sometimes this makes the disinfection difficult since the backup files can get infected. In those cases Windows will copy the infected file in the place of the clean one.

This feature can be disabled with the following steps

1. Right-click on the My Computer icon and select Properties
2. In the System Properties windows select the Performance tab
3. Click on File System... button
4. In the Filesystem Properties window select the Troubleshooting tab
5. Check the Disable System Restore checkbox
6. Click Apply button
7. Close the windows using the Close button
8. Click Yes when prompted for reboot

The System Restore feature can be enabled again with the same steps. At step 5. you have to uncheck the Disable System Restore checkbox.

If this doesnt get rid of the trojans......then run hijackthis ....but I dont think you should have to.

let us know how you make out

dl65  

[tandkand3a]

I checked the Virus Vault and it is empty.  I ran AVG again and tried to remove the 15 files and they could not be removed.  The system restore function is turned off.  I did run Hijackthis but it will not let me post the log on here.  It says that the message is to large.  Both Ad-aware and spybot shows the system clean.  Any ideas on how to post the log or other solutions.

[Raptor]

Run AVG in Safe mode.

[dl65]

tandkand3a........If you post your log in 2 pieces rather than one you should be able to post it ok.
And it looks like your trojans are residing in your restore files........have you looked there ?

let us know
dl65  

[tandkand3a]

I have run AVG in Safe Mode and the results are the same.  Here is part of the Hijackthis log.
Logfile of HijackThis v1.97.7
Scan saved at 11:07:48 PM, on 9/29/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NETGEAR\WG511\UTILITY\WG511WLU.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\RAM\RAMBOOSTER.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\DESKTOP\PC HEALTH\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centralkansas.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://members.cox.net/mycrosmith/
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL

[tandkand3a]

Here is the second part of the log.

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37893.3547569444
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab

[merlin_2]

forget ad-aware spy-bot try this one its beat bother of them>http://www.webroot.com   spysweeper... and do you use kazza or aol..or if you really get fed up re-install winme....locate the c:\windows\options\cab folder next to the scanreg icon ....is the famous icon called setup click this will re-install winme..without losing any files and disable system restore its not needed...and dont use ie6 either...

[tandkand3a]

Thanks Merlin_2 your advice worked.  I did re-install Windows and everything is working great now.  Thanks to EVERYONE who helped me.  This is a great forum!!