Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

PC crashes when I use Ewido scan

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby CTN » October 10th, 2005, 5:39 am

Good morning Askey127

Ihave run the backlight beta rootkit finder and it scanned everthing but found no hidden files or processes. I think it might be easier for me to back up, and then reformat c drive.

CTN
CTN
Regular Member
 
Posts: 89
Joined: October 4th, 2005, 1:57 pm
Location: North East England
Advertisement
Register to Remove

Unread postby askey127 » October 10th, 2005, 7:15 am

CTN,
Can you boot your PC from a floppy drive?

This problem may originate from a defect in the Hard Drive or RAM
(After the tests we have done, this is still not certain, but even more likely).
If you re-format without checking both, you may just get the problem back after a lot of work.

Hard Drive:
---------------------------------------------------------------------------------------
Go to : Start, All Programs, Accessories, CommandPrompt
Type in chkdsk c:
Let it finish and read the summary for any errors or bad sectors.

To Test the PC's RAM:
IF YOU HAVE A FLOPPY DRIVE THAT WILL BOOT THE MACHINE:
------------------------------------------------------------------------------------------
Go to http://www.memtest86.com
scroll down the page to the download Download - Pre-Compiled Memtest86 v3.2 installable from Windows and DOS <memt32.zip>
Copy the download into a separate folder and unzip it.
Make sure all four unzipped files are in the same folder.
Double-click install.bat
It will prompt you to name the floppy drive letter a: and will install memtest86 on that floppy.
Label it Memtest86 because you will not be able to "see" any files on it.
The floppy will have only a tiny program in its boot system.
If you reboot the PC with that floppy in the drive, it should boot from the floppy and start Memtest.
Let it run until it completes all its tests thru #4.
If there are any errors listed, you have a defective RAM card.
Terminate the program with the Esc key, and eject the floppy to reboot normally.

If you have only a CD drive, you will have to download the Windows ISO file on the Memtest web page and use CD burner software to make a bootable Memtest CD

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby CTN » October 10th, 2005, 6:57 pm

Hi there Askey127

I have run the chkdsk in the command which found no bad sectors but it needed to fix a bad file sector by adding /f onto the chkdsk, but when I put in chkdsk c:/f it said that it cannot be performed because this volume is being used by another process. Reschedule on start up? y/n? I just hit n as I'm not sure.

The Memtest86 ran past #4 test onto #6, and I stopped after 45 mins with no errors being recorded. I hope this is OK, if not I will run it again.

Here is the latest hjt.

Logfile of HijackThis v1.99.1
Scan saved at 23:37:16, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Craig\Desktop\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\pcsync2.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instantservice.com/jars/cu ... gned42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


CTN
CTN
Regular Member
 
Posts: 89
Joined: October 4th, 2005, 1:57 pm
Location: North East England

Unread postby askey127 » October 10th, 2005, 8:00 pm

CTN,

Good job. The Memtest results mean that the RAM is almost certainly OK.
It would be quite rare for bad RAM to pass that test.

The hard drive result with a bad sector sitting under a file in use is not good.
I would be seriously looking at backing up everything I could with an eye to replacing the drive. Marked sectors during manufacturing are not uncommon, but bad sectors that develop later are an ominous sign to me. In any case I would be wary of that drive from now on. I'm very suspicious of it as the source of corruption, in the absence of other evidence.
You could consider doing a defragmentation, then running chkdsk again with the /f parameter, but even being lucky enough to "fix it" may only be a stop-gap prior to replacement.

Also have you looked at Control Panel, System, Hardware Tab, Device Manager? Any yellow Exclamation Marks announcing hardware problems?

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby CTN » October 11th, 2005, 3:39 am

Good Morning Askey127

I've just checked the hardware devices, and there are no problems highlighted. I will go ahead and do a defrag and try a fix.

I will look for a new hard drive to replace this one. Would it be possible to temporarily make the current hard drive the slave drive and then copy files across to the new one, and if so, how do I go about doing it? The current one is partitioned C/D so I could back up all onto D initially.
Anyhow, thanks once again for all your time and advice. It's much appreciated.

CTN
CTN
Regular Member
 
Posts: 89
Joined: October 4th, 2005, 1:57 pm
Location: North East England

Unread postby askey127 » October 11th, 2005, 8:03 am

CTN,
Hello again.

New hard drives come with software to partition the new drive into two partitions if you wish, and also with complete instructions to transfer all the old drive software onto the new drive. Just be sure NOT to buy an "OEM" drive online. OEM drives come with no software CD.
Drives listed online as "Retail package" and those bought at computer, electronics, and office supply stores will have the software included.
(Just went through some of this myself with a new Maxtor drive. The software was superb).

I haven't been able to help as much as I wanted, but I hope you have success here.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby CTN » October 11th, 2005, 4:38 pm

Hello Askey127

You've helped me more than you realise, and I'm very grateful for it. At least I know what the problem is now, even if it means that I have to replace the hard drive. Without your perseverance I wouldn't have been any the wiser, and might well have lost all data in the future if the hardrive failed altogether.
I have learnt a lot about my PC, malware, where to get help, and also that the good people out there (like yourself) more than make up for the lowlife who like to highjack peoples systems. That's why I have joined the university to learn how to help others who are unfortunate enough to have their systems compromised.

Thankyou

CTN
CTN
Regular Member
 
Posts: 89
Joined: October 4th, 2005, 1:57 pm
Location: North East England

Unread postby NonSuch » October 19th, 2005, 2:39 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 18 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware