Everything seems to be running well on my computer. The AVG6 scan says there are no infections, but the Housecall (Trend Micro) scan reports possible, non-cleanable infections in the following files:
C:\Windows\System32\sp1fix.exe
C:\Windows\System32\wincheck.exe
C:\Windows\System32\Lebload.dat
C:\Documents & Settings\Hel.....

I tried to run AVG6 in MS-DOS following these instructions: http://www.grisoft.com/faq/us_faqtext.php?id=53&sid=25 up to Step 3, where I got the message
“AVG Resident is active in Memory. This may affect behavior of running tests. We recommend you to run AVG for Windows Program.” Below this message, the choices were Continue and Run AVG for Windows. There was a cursor with an arrow, but when I clicked on either of these choices, nothing happened. In addition, the instructions lost me at Step 4.

I also tried to use AVG Rescue Disk in MS-DOS according to these instructions:
http://www.computing.net/security/wwwboard/forum/13351.html
I inserted the disks as directed. After Disk 4, I was again asked to insert Disk 1, which I did.
Then I got this message:
“A:\AVG.EXE
An application has attempted to directly access the hard drive, which cannot be supported. This may cause the application to function incorrectly. Choose ‘close’ to terminate the application.”
The choices below the message were Close or Ignore. I closed because I didn’t want to risk gumming up my system by clicking on Ignore.

Can someone please advise me on what to do next about these possibly infected files? I've always believed that an ounce of prevention is worth a pound of cure, so am I overly worried about this situation?

Windows 2000
IE 6.0.2800.1106IS, SP 1
AVG 6.0.759, 09/09/04
Trend Micro with latest definitions
Ad-Aware SE Personal—Build 1.02. shows 0 infections
Spybot—S&D 1.3, 08/30/04 shows 0 infections
Zone Alarm—Version 5.0.590.043

Hi diderot,

Welcome to CastleCops!

Try this: Open Task Manager>Processes tab. End the task of the processes that you noted as infected file if you'll find them in the list. Close Task Manager when done.
Next, run online scan again and let it disinfect the system.

See if that helps

Greetings,

Diderot
Welcome!

For details on the files you mentioned and removal instructions, see the following:

SP1FIX.EXE - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.U
WINCHECK.EXE - http://vil.nai.com/vil/content/v_98807.htm

I can't find anything for the "Lebload.dat" file.

By the way, Ad Aware SE is at 1.04 now!

Kindest regards,

Dragan Glas

Donna, Only wincheck.exe was running under Processes. I disabled and did not restart in Normal Startup as instructed in the dialogue box because if I do that the Wincheck comes back at Startup. So I ran Housecall while in Selective Startup. Unfortunately, Housecall shows the same four possible, non-cleanable viruses.

Dragan_Glas, SP1FIX.EXE is not listed under the running processes, and I can’t find it in my registry either, so I couldn’t follow those instructions. For the Wincheck.exe, I don’t fully understand the Removal Instructions to which you directed me. First, is my virus memory or non-memory? I couldn’t download the Engine and DAT Files (and I wouldn’t know what to do with them if I could) since I don’t have McAfee. Is the cleanup tool available elsewhere and, if so, where do I install it?

Donna and Dragan_Glas,
I did find four registry entries for Wincheck.exe. Can I just delete them from the registry and, if so, how do I do that? Can I just right click on the wincheck.exe file and then click Delete?

Can all these viruses be connected to wincheck.exe? My system was clean just before installing a program from Microsoft. Somewhere in my searches, I found a reference to wincheck.exe as a Microsoft synchronization tool. Does this make any sense?

I also found this http://www.trendmicro.com/ftp/products/tsc/readme.txt
Should I try it? If so, can you please explain parameters and how I enter them?

I appreciate your responses, and I hope you will keep them coming.

Hi diderot!

It is pretty obvious to me that you need help via something more than an antivirus. Please post a HijackThis Log here in this thread (not in the usual forum) so we can help you further. Here are the instructions:

HijackThis is a tool we use to detect spywares, adwares, trojans and many other kinds of malicious programs on your computer. It takes an expert or a person with pc security experience (who is on Staff here) to interpret what it finds as it lists the good stuff along with the bad.

Please follow these directions:

From Computer Cops get the Direct-Download of HijackThis. It's zipped.

Save it to your download folder first.
Unzip the download (using a piece of software like Winzip). Create a folder in My Documents and unzip HijackThis into the new folder and run it from there. Do not run HijackThis from your desktop or a Temp folder as these do not allow HijackThis to save the changes it makes.

Doubleclick on HijackThis.exe from the unzipped archive and press the "Scan" button.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press this button, and save the log to the same folder as HijackThis.

IMPORTANT NOTE: Most of what HijackThis lists will be harmless or even required, so do NOT fix anything yet.

Copy and paste the contents of your entire HijackThis log into your post here.

Open the Log with Wordpad/Notepad (for example), Press Ctrl + A to highlight all, then Press Ctrl + C to copy it. To put it in your post, position the cursor on the page and press Ctrl + V.


Best regards

_________________

Microsoft MVP Consumer Security 2006, 2007 & 2008

Thanks for your help, Prince_Serendip. Here's my log:

Logfile of HijackThis v1.98.2
Scan saved at 10:44:32 AM, on 09/11/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/mld/philly/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [messenger.exe] Hell.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] wincheck.exe
O4 - HKLM\..\RunServices: [messenger.exe] Hell.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .asf: C:\Program Files\Windows Media Player\npdsplay.dll
O12 - Plugin for .ASX: C:\Program Files\Windows Media Player\npdsplay.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .MID: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .PDF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.aaii.com
O15 - Trusted Zone: http://www.adviseronline.com
O15 - Trusted Zone: http://*.medved.net
O15 - Trusted Zone: http://moneycentral.msn.com
O15 - Trusted Zone: http://www.netscapecard.com
O15 - Trusted Zone: http://www.pcpitstop.com
O15 - Trusted Zone: http://www.tvguide.com
O15 - Trusted Zone: iltgserv.ucd.ie
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {CF1A5BDE-732F-49B7-AD1F-51010E37F9EB} (MSN Money Portfolio Manager) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://fi.intuit.com/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lipper.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab

Hi diderot!

I am glad you put up this log. Your wincheck.exe is okay. It really is part of the Microsoft Synchronization Manager. The problem with a lot of scanners is they do not notice the font case differences between files. File names are case-sensitive. So WinCheck.exe is bad but wincheck.exe is good. So Housecall found a false positive this time.

I see you do have two problems.

First, never ever run two antivirus applications at the same time! You run them seperately, one at a time. Two AV apps running together "trip over each other." Norton is also highly intolerant of other AV apps. Remove one of them from your Startup folder/list. If you want to use one as a backup AV, that's fine, as long as it does not run at the same time as your primary. More is less with antiviruses.

The second is TrojanDownloader.Win32.Firehell. To fix this do the following:

Show Hidden Files and Folders on Windows 2000

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Kill these running processes with Task Manager:

editor.exe
hell.exe

Boot into Safemode. Full instructions are here: http://www.pchell.com/support/safemode.shtml

Remove these files (if present) with Windows Explorer:

editor.exe
fire_hell.ocx
hell.exe


REBOOT to normal mode. Run HijackThis and post a fresh log here.

_________________

Microsoft MVP Consumer Security 2006, 2007 & 2008

Some history is needed to explain the situation with Norton AntiVirus. Several months ago I took the computer to an “expert” to update the video driver and to install Norton AntiVirus 2002. I was running Windows 98 FE at that time. The video wasn’t working after this work was done, so I did a system restore to a time before NAV was installed. NAV was no longer in Add/Remove, so I put the stray files I found in a folder in case I needed them. When things seemed to be going well, I sent them to the Recycle Bin. I did look at the Registry, but was too intimidated to try deleting anything there and everything seemed to working fine. Then about the beginning of August, I needed to upgrade Windows in order to install a new version of MS Portfolio Manager, now called MS Investment Toolbox, one of my most used programs. So again, I sent the computer to an “expert” (a different one this time) to upgrade from W98 FE to Windows 2000 and from Office 97 to Office 2000 and to install an antivirus and a firewall. The day after these changes, I installed my program. The next day I ran AVG and Housecall, and that was the beginning of the troubles. I did try to uninstall the Investment Toolbox through Add/Remove, but all that happened was the name disappeared from the Add/Remove list; the program is still there, even accessible through my old link. I assumed this was an issue for a separate post, but I ask you to be the judge of that.

In response to your very clear and most appreciated instructions:
NAV is not in the startup list under Processes in Task Manager, nor is it listed under Startup in the System Configuration Utility. (I found instructions somewhere to download and install the Windows XP SCU in Windows 2000, and it seems to be working well. Or am I kidding myself?) I did find some stray NAV files in Drive C. Can I just delete them? However, doing a Find and Find Next in regedit, I found 43 entries for Symantec which I have laboriously copied out in longhand. There must be an easier way to record these! Do you need to see them or can I just right click on the highlighted entry and then click Delete?

Should wincheck.exe (the good one) be running at startup? I end it in Task Manager and SCU startup and if I use Selective Startup on reboot it is not listed in Processes nor checked in SCU. When I follow the on-screen directions and revert to Normal Startup and reboot, it is back in Processes and a checked item in SCU.

The files and folders in Windows 2000 are unhidden. Editor.exe is listed in Startup in neither Processes nor System Configuration Utility. Hell.exe was not listed under Processes but was checked in the SCU. I unchecked it but, on reboot in Normal Startup, it is again checked.

In Safe Mode, Find Files and Folders did not find editor.exe, fire_hell.ocx, nor hell.exe.

It seems I wasn’t too successful in following your directions. This is what I’ve been up against all week. Nothing seems to be where it’s supposed to be. I don’t know if a new HijackThis log will be of any help, but here it is anyway.

Logfile of HijackThis v1.98.2
Scan saved at 7:18:58 PM, on 09/11/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wincheck.exe
C:\WINDOWS\system32\wincheck.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/mld/philly/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] wincheck.exe
O4 - HKLM\..\Run: [messenger.exe] Hell.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] wincheck.exe
O4 - HKLM\..\RunServices: [messenger.exe] Hell.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] wincheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .asf: C:\Program Files\Windows Media Player\npdsplay.dll
O12 - Plugin for .ASX: C:\Program Files\Windows Media Player\npdsplay.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .MID: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .PDF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.aaii.com
O15 - Trusted Zone: http://www.adviseronline.com
O15 - Trusted Zone: http://*.medved.net
O15 - Trusted Zone: http://moneycentral.msn.com
O15 - Trusted Zone: http://www.netscapecard.com
O15 - Trusted Zone: http://www.pcpitstop.com
O15 - Trusted Zone: http://www.tvguide.com
O15 - Trusted Zone: iltgserv.ucd.ie
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {CF1A5BDE-732F-49B7-AD1F-51010E37F9EB} (MSN Money Portfolio Manager) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://fi.intuit.com/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lipper.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab