unable to install, computer is a sitting duck

[Jimklinker]

This is the first time that I ask for help regarding my computer. So please don't shoot me if I say something totally noob.

My computer has a weird problem. I think it has a virus of some kind. First I will tell you the symtoms

-Avast can't be started. When I try to start it, it says that ashavast.exe couldn't be located. I tried to reinstall it several times, but the same error keeps occuring.
-My firewall is gone for some reason. I first used sygate personal firewall but it doesn't start anymore when my computer starts. I tried to reinstall it but something doesn't allow it. When I try to install some other firewall (zonealarm) it will not complete the installation.
-When I try to install an other antivirus program AVG, it encounters this problem
Local machine: installation failed
Installation:
Error: Action failed for file avgamsvr.exe: creating file....
No such file or directory
So the installation also failed.
-Without any antivirus and firewall, my computer is unprotected and this results in popups, even when my browser isn't open (celldorado.com etc). I thought my IE 7 was corrupted, so I uninstalled it. But when I tried to reinstall it, the installation failed. the error says that the system couln't locate the desired file. And now my media player won't start anymore.

I hope there is someone who can help me. This is the worst case I have ever encountered. I think there is one basic problem with my computer, which leads to all kinds of problems. I'll post my hijack this file now:

Logfile of HijackThis v1.99.1
Scan saved at 15:55:50, on 30-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WindowZones\WindowZones.sys
C:\Program Files\WindowZones\WindowZones.sys
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.savewealth.com/support/ie6/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.nl/0SENLNL/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [WindowZones] C:\Program Files\WindowZones\WindowZones.exe -startminimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/.../GAME_UNO1.cab
O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomgames.com/activex...amesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EBD1837-6CFD-4E19-94EB-A53F86BF93CC}: NameServer = 213.51.129.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F04CF9C-D6D1-4225-BF90-D5DF86186DBF}: NameServer = 213.51.129.37
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WindowZones Service (WZSvc) - ByteCrusher - C:\Program Files\WindowZones\WindowZones.sys

So hopefully I have profided enough information for you guys to help me. If not, please ask which information you need. I will post them asap.

My computer has no protection anymore, so it's open for attack, please help me. I'm using adaware, cc-cleaner, pc tools firewall plus and Active security monitor, as a last resource. But these aren't enough.

I hope it's not too late, complete formattation would be complete hell.

JIM

[Jimklinker]

Please, is there someone out there who is willing and able to help me. My hero, and last bit of light in a world of darkness, please help.

[Sempurna]

Hi Jim,

Welcome to Tech Support Forum,

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, let’s do this first.

We need to disable your Windows Defender real-time protection as it may interfere with the fixes that we need to make.

To disable Windows Defender:

• Open Windows Defender.
• Click on Tools -> General Settings.
• Scroll down and uncheck "Turn on real-time protection (recommended)".
• After you uncheck this, click on the "Save" button and close Windows Defender.

NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

• Save it to your desktop.
• Double-click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please download Dr.Web CureIt and save it to your desktop:

• Double-click the cureit.exe file, select "Start", and allow it to run the "Express Scan".
• This will scan the files currently running in memory and when something is found, click the "Yes" button when it asks you if you want to cure it. This is only a short scan.
• It could be possible it displays a pop up to buy Dr.Web, or to buy at a 50% discount. Just close that pop up.
• Once the short scan has finished, back at the main window, mark the drives that you want to scan.
• Select all drives; a red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• If the file "process.exe" was found - uncheck it. This is because this file is related with some of our cleaning tools and the tools need it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
• Then, click "Yes to all" if Dr.Web CureIt asks if you want to cure/move any infected files, and it will after this automatically fix what is found.
• Please do NOT cure/move/delete any files that were detected as suspicious or probably infected. These are just indications of possible infections and are not definitive infections.
• After the scan, go to the "View" menu -> "Report list".
• Then go to the "File" menu -> "Save report list".
• Save the report to your desktop. The report will be called DrWeb.csv.
• Close Dr.Web CureIt.
• If you receive the prompt "No operations performed with some objects in list. Exit program?", click "Yes".
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

After reboot, please post the contents of the DrWeb.csv log in your next reply.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

1. The log from the ComboFix scan.
2. The log from the Dr.Web CureIt scan.
3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

~~~

[Jimklinker]

Yes almost all problems are solved. I'm able to install a firewall and antivirussoftware. My Active Security Monitor is now displaying a score of 100 percent. And no popups occur anymore.

I don't know what the problem was, but it is solved now. Thanks a lot.

At one moment, I did something stupid. And now, everytime my computer reboots, a problem pops up. My windows is Dutch, so I will translate the error message.

Warning

The ATI configuration screen could not initialise because the ATI driversoftware is not installed or is not working correctly. The ATI configuration screen will now close.

This is the only problem I have now. Perhaps you can help me with this one too. What is ATI, is that my graphics card? I don't know the source of this problem so I'm not sure which information I must give. Im using a NVIDIA GeForce 6800 GS.

Ok, again I thank you for your support. Perhaps you also know how to solve my ATI problem.

Jim

[Sempurna]

Hi Jim,

It appears that your ATI graphic software or drivers are corrupt, or some files are missing. You would have to reinstall them again. I'm not that familiar with this, but you could start a new thread at the video card support forum here at TSF and someone will come along to help you out eventually.

~~~

[Jimklinker]

Ok I will do that, thanks again. This topic can be closed if the mods prefere it.

[Sempurna]

You're most welcome.

This topic will now be marked as resolved.

~~~