Unknown virus removal/recommended non-lagging virus protection

[Candora]

Well, here's what I have:

1. For some reason, the "WINDOWS" folder shows up automatically in my Recycle Bin.

2. Scanning with my Avast! Antivirus: Home Edition, it seems there is a lot more trojans and nothing I can do with them

And I need an awesome antivirus program. Basically, Avast! sucks. It says viruses are in places I need to run some of my programs. And it always lags my computer (Well, more then usual).

Windows XP

Any other info?

[evilfantasy]

Any antivirus is only as good as the user behind it. They are safety nets and far from bullet proof.

Read through this thread and post the logs when complete.

[Candora]

Logs posted.

Yes, I am fully aware of Messenger Plus!. But I don't plan to remove it unless it indeed is causing harm and slowing my computer

Porn, huh? I know who to scold for that >_>

[recovering space - attachment deleted by admin]

[evilfantasy]

You need to uninstall one of the antivirus. Either the Yahoo/eTrust EZ Antivirus or Avast. Running two is never advised. It only leads to problems, slowdowns, crashes etc.

----------

The scans took care of alot but there is still more work to do.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {2390F91F-186A-47CF-B607-CEE6C8D4016D} - (no file)
- O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - (no file)
- O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - (no file)
- O2 - BHO: (no name) - {F88310BA-827B-4806-A016-BFD374B9E623} - (no file)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
  
• Link #2
  
• Link #3

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.[

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

.
If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly.

----------

Next run a new Hijackthis scan and post that log as well.

----------

Next post
Combofix log
New Hijackthis log

[Candora]

"log" is the Combofix Log as requested

Hope I did it right

[recovering space - attachment deleted by admin]

[evilfantasy]

Well that revealed some new infections.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O20 - Winlogon Notify: fccyayw - fccyayw.dll (file missing)
- O20 - Winlogon Notify: vtsqp - C:\WINDOWS\system32\vtsqp.dll (file missing)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download FindAWF by noadfear from one of the below links.   

• Link 2
  
• Link 2

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: From the Keyboard Press 1 then Enter to scan for bak folders
 
The scan may take a while, please be patient.
When done, a text file, Find AWF report is produced.
Please add the Find AWF report in your reply.

[mcxeb52!]

and you might want to do the scan in safe mode to help things out.

[evilfantasy]

and you might want to do the scan in safe mode to help things out.

Please follow my instructions. If safe mode is needed I will explicitly request it.

[Candora]

I had to remove two other files with HJT as well because I seem to be getting help from another post
http://www.computerhope.com/forum/index.php/topic,57111.msg359218.html#msg359218

- O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
- O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"

[recovering space - attachment deleted by admin]

[evilfantasy]

We were getting to those entries. I wanted more information from these scans first though. I didn't know there was another thread you were working in and as you can see there is more wrong than what is being revealed in the other thread. You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. This needs to be fixed or the other problems likely won't be completely healed.

This is a multiple step process, we are half way there

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: From the Keyboard Press 2 then Enter to restore files from bak folders

A text file will open called: files.txt
Copy the text in the Code box below.
Click below the line in files.txt and paste the following list of files to be restored:

"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
"C:\Program Files\SBC Self Support Tool\SmartBridge\bak\MotiveSB.exe"
"C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"

Next, close the text file and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:

* It attempts to terminate the process represented by each filename on the list, if running
* Deletes the rogue file from the parent folder, if present
* Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.

Please add the new FindAWF log in your reply.

[Candora]

Halfway there X_X lol okay okay

[recovering space - attachment deleted by admin]

[evilfantasy]

Halfway there X_X lol okay okay

Well for this program anyway

Double-click FindAWF.exe to start the tool.

• Select option #3 - Remove bak folders by typing e and press Enter
  
• A text file will open up.  Please copy/paste the text in the box below into the text file:

Code: [Select]

C:\HP\KBD\BAK
C:\PROGRA~1\MULTIM~1\BAK
C:\WINDOWS\SMINST\BAK
C:\WINDOWS\SYSTEM\BAK
C:\PROGRA~1\HP\{45B61~1\BAK
C:\PROGRA~1\SBCSEL~1\SMARTB~1\BAK
C:\PROGRA~1\YAHOO!\BROWSER\BAK
C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

• Close the .txt file and click Yes to save the changes.
  
• When the tool has completed, a report will open up in notepad. 
• Please post the results of the awf.txt in the next reply.

[Candora]

Uh...uh oh. I can't post the logfile this time. I exited out by mistake >_<

[evilfantasy]

Re run it from step one and post that log.

Use the following option: From the Keyboard Press 1 then Enter to scan for bak folders

[Candora]

uh, don't think I did it right...

[recovering space - attachment deleted by admin]