MalwareRemoval.com
Malware Removal Instructions

Trojans

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trojans

Post by wasp » February 14th, 2006, 9:25 am

"A squared" has found trojans in the registry autoruns, causing the computer to crash regularly and generally misbehave :evil: what is the best way to deal with them?
Some of them are ANTIMCA-A, SDBOT-AVX, SPYBOT-WI, AGOBOT-OW, RBOT, COOLWEBSEARCH, D LOADER-Y, LEGMIR-BN. The "A squared" software only gives me a link to the Sophos website and requires purchase of their software to remove them. :?:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:40, on 14/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SensorsView\drv\svsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\a-squared\a2start.exe
C:\Program Files\a-squared\a2sys.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.barbie.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG2
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5373977107
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE562A63-BF0C-454D-A596-5D691DBF4A52}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sensor View Service (sviewsvc) - Unknown owner - C:\Program Files\SensorsView\drv\svsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
wasp
Active Member
 
Posts: 9
Joined: February 14th, 2006, 9:10 am

Post by askey127 » February 14th, 2006, 3:31 pm

wasp,
Print this out or save it as a notepad file on your desktop, since you will not have Internet access in Safe Mode.
-----------------------------------------------------------
Disable Microsoft Anti-Spyware
In the system tray in the lower right, locate the MS Anti-Spy red Bullseye.
Right click it.
Highlight Security Agents Status(Enabled) and click Disable Real Time Protection.
Right click the Bullseye again to be sure it now shows Security Agents Status (Disabled).
-----------------------------------------------------------
Disable A-Squared Guard
- Open a-squared
- Click on "Configure Background-Guard"
- Deselect "Enable background guard on system startup"
- Close window
- Close a-squared
- Reboot your machine for the changes to take effect.
-----------------------------------------------------------
Download F-Secure's trial Blacklight program:
http://www.f-secure.com/blacklight/try.shtml
Print out the help page for guidance.
Ok the license.
Check scan through Windows Explorer
Click Scan
When animated graphics disappears, click Next
Note any files and their locations that appear in the output summary.
-----------------------------------------------------------
Please download, install, and update the free trial version of the Ewido trojan scanner from here: http://www.ewido.net/en/download/
An Unofficial quick guide is here: http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf
* Install ewido security suite
* When installing, under "Additional Options", Uncheck "Install background guard" and Uncheck "Install scan via context menu".
* Launch ewido, there should now be an icon on your desktop. Double-click it.
* The program will go to its main screen
* On the left hand side of the main screen click Update.
* Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can also use the same download link http://www.ewido.net/en/download/ to manually update ewido.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list.
In some systems, this may be the F5 key, so try that if F8 doesn't work.
-----------------------------------------------------------
Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
It's extremely important not to open any windows while the scan is in progress.
Now Run Ewido
* Click on scanner
* Click on Settings
* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK
* Click on Complete system scan
* Let the program scan the machine
* If ewido finds anything, it will pop up a notification.
* Let it fix whatever it finds
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report
* Save the report to your desktop
* Exit ewido
When you compose your reply, paste the contents of the report into it, along with Blacklight results.

askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by wasp » February 14th, 2006, 5:29 pm

Have run the Blacklight, this didn't pick anything up.
Have also run the Ewido scanner in safe mode, the computer crashed a couple of times mid-scan but before it did, it picked up a few cookies but nothing else.
Will try again tomorrow and hopefully post something back.
wasp
Active Member
 
Posts: 9
Joined: February 14th, 2006, 9:10 am

Post by wasp » February 15th, 2006, 9:06 am

Unfortunately I have been unable to complete the Ewido scan as it keeps crashing. The last time this happened I had to reactivate Windows. HELP!
In case anything has changed I have included another hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 13:03:55, on 15/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SensorsView\drv\svsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.barbie.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG2
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-30.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5373977107
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE562A63-BF0C-454D-A596-5D691DBF4A52}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sensor View Service (sviewsvc) - Unknown owner - C:\Program Files\SensorsView\drv\svsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
wasp
Active Member
 
Posts: 9
Joined: February 14th, 2006, 9:10 am

Post by askey127 » February 15th, 2006, 10:15 am

wasp,
-----------------------------------------------------------
Download ATF Cleaner by Atribune © from here: http://www.atribune.org/ccount/click.php?id=1
It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main, choose Select All
Click Empty Selected

If you use Firefox browser,
Click Firefox at the top and choose Select All
Click on Empty Selected
NOTE: If you would like to keep any saved passwords, please click No at the prompt.
Click Exit to close.
-----------------------------------------------------------
Download Avert Stinger from here, and let it scan your system:
http://vil.nai.com/vil/stinger/
Note the names of any infections it discovers that it cannot remove.
-----------------------------------------------------------
Run Online Scans.
Let them remove whatever they wish
Please visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/products/activescan.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall.trendmicro.com/hou.../start_corp.asp
Make sure you tick Auto Clean.
When it completes, post back the full filename of any files that cannot be cleaned or deleted.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
-----------------------------------------------------------
Please post back with your notes on results and a new HJT log.

askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by wasp » February 15th, 2006, 1:16 pm

Tried all those scans - nothing revealed :(

The only thing that might help is the a squared findings, which I have pasted below.


Name: RealTray
Good: 3
Bad: 3

Status | Name | Command | Description
N | RealDownload | RealPlay.exe | Download manager. Available via Start -> Programs
N | realplay | realplay.exe | System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences
X | realplay lptt01 | realplay.exe | Variant of the RapidBlaster parasite (in a "RealPlay" folder in Program Files). It is not recommended you manually uninstall RapidBlaster but use RapidBlaster Killer - see here. Note - this is not RealPlayer which can have the same executable name
X | realplay ml097e | realplay.exe | Variant of the RapidBlaster parasite (in a "RealPlay" folder in Program Files). It is not recommended you manually uninstall RapidBlaster but use RapidBlaster Killer - see here. Note - this is not RealPlayer which can have the same executable name
X | Realplayer One | realplay.exe | Added by the RBOT-NK WORM!
N | RealTray | RealPlay.exe | System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences

Name: QuickTime Task
Good: 3
Bad: 2

Status | Name | Command | Description
N | qttask | Qttask.exe | System Tray access to Apple's "Quick Time" viewer from version 5 onwards
N | Quick Time Task | qttask.exe | System Tray access to Apple's "Quick Time" viewer from version 5 onwards
N | QuickTime Task | Qttask.exe | System Tray access to Apple's "Quick Time" viewer from version 5 onwards
X | QuickTime Task | qttasks.exe | CoolWebSearch parasite variant
X | Quicktime Task | [random filename] | NetVision dialer

Name: nwiz
Good: 1
Bad: 2

Status | Name | Command | Description
X | csrss | nwiz.exe | Added by the CHODE-J WORM!
X | Norton Wizzard | nwiz.exe | Added by the GAOBOT.ZX or GAOBOT.ADV WORMS! Note - this is not the valid nVidia application that shares the same name
N | nwiz | nwiz.exe | Associated with the newer versions of nVidia graphics cards drivers. Allows you to immensely improve desktop layouts by setting preferences and optimizations. However, this isn't necessary for the operation of your system

Name: KernelFaultCheck
Good: 3
Bad: 1

Status | Name | Command | Description
N | dumprep 0 -k | dumprep 0 -k | Used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out
N | kernelfaultcheck | dumprep 0 -k | Used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out
N | kernelfaultcheck | dumprep 0 -u | Used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out
X | KernelFaultCheck | ptool32.exe | Added by the LEGMIR-BN TROJAN!

Name: MCUpdateExe
Good: 1
Bad: 2

Status | Name | Command | Description
U | McUpdateExe | mcupdate.exe | From McAfee VirusScan On-line. Automatically updates your virus definitions. Leave enabled unless you regularly update these definitions
X | MCUpdateExe | mcagent.exe | Added by the ANTIMCA-A TROJAN! - do NOT confuse with the McAfee VirusScan executable as described here
X | Microsoft Update | mcupdate.exe | Added by a variant of the RBOT WORM! Note - this file is located in the Windows\System32 or Winnt\System32 folder, and should not be confused with the McAfee antivirus executable as described here

Name: MPFExe
Good: 3
Bad: 1

Status | Name | Command | Description
Y | MPFExe | mpf.exe | McAfee Personal Firewall
Y | MPFExe | MpfTray.exe | McAfee Personal Firewall
X | MPFExe | mcagent.exe | Added by the ANTIMCA-A TROJAN! - do NOT confuse with the McAfee VirusScan executable as described here
Y | MPFTray | MpfTray.exe | McAfee Personal Firewall
wasp
Active Member
 
Posts: 9
Joined: February 14th, 2006, 9:10 am

Post by askey127 » February 15th, 2006, 1:49 pm

wasp,

A-Squared is only giving the good and bad possibilities of files with certain names. Based on the other scans, there is no malware present.
I don't see anything wrong with your log, either.

If you can give me any other hints, I will follow up.
It is always possible you are being annoyed by results of some hardware problem.

askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
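Two things in this thread fit together: the HijackThis log wasp posted first, and askey127's point just above that a-squared only lists the good and bad possibilities for an autorun entry name. The script below is an added example (my own code, not HijackThis's, a-squared's or the forum's) that reads a handful of O2/O4/O17/O23 lines copied from that first log, splits each O4 Run entry into registry hive, entry name, program and arguments, and marks which programs are given as a bare filename (resolved through the search path at logon) rather than a full path. That is exactly the case a name-keyed table cannot decide: the a-squared output lists both nVidia's nwiz.exe and worm entries under the same filename, so only the file actually on disk settles it. The script also collects entries HijackThis has already marked "(no file)" or "(file missing)" and the O17 DNS server setting, which helpers compare against the ISP's expected resolvers. The labels "full-path", "bare-name" and "env-var", the regular expressions, and the choice of sample lines are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from MalwareRemoval.com, HijackThis or a-squared. The
sample lines are copied from the first log in this thread; the classification
labels and regular expressions are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O4/O17/O23 lines from wasp's first log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE562A63-BF0C-454D-A596-5D691DBF4A52}: NameServer = 205.188.146.145
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
""".strip()

# O4 Run entries: hive, [name], command.  Global Startup (.lnk) lines are skipped.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# First program-like token of an unquoted command (copes with paths containing spaces).
PROGRAM_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[\d.,]+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")   # HijackThis's own annotations


@dataclass
class RunEntry:
    hive: str
    name: str      # the [name] a-squared keys its good/bad table on
    command: str
    program: str   # the file that actually runs
    kind: str      # "full-path", "bare-name" or "env-var" (assumed labels)


def executable_of(command: str) -> str:
    """Return the program part of a Run command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = PROGRAM_RE.match(command)
    return match.group(1) if match else command.split(" ", 1)[0]


def classify(program: str) -> str:
    """Bare names are resolved through the search path at logon, so the entry
    name alone cannot say which file on disk runs; full paths can be checked."""
    if program.startswith("%"):
        return "env-var"
    if "\\" not in program:
        return "bare-name"
    return "full-path"


def parse_run_entries(log: str) -> list[RunEntry]:
    entries = []
    for line in log.splitlines():
        match = RUN_RE.match(line.strip())
        if match:
            program = executable_of(match["command"])
            entries.append(RunEntry(match["hive"], match["name"], match["command"],
                                    program, classify(program)))
    return entries


def bare_name_entries(log: str) -> list[str]:
    """Names of Run entries whose program is given without a directory."""
    return [e.name for e in parse_run_entries(log) if e.kind == "bare-name"]


def orphaned_entries(log: str) -> list[str]:
    """Lines HijackThis already marked as pointing at a file that is not there."""
    return [line for line in log.splitlines() if line.endswith(ORPHAN_MARKERS)]


def name_servers(log: str) -> list[str]:
    """DNS servers from O17 lines, to compare against the ISP's expected ones."""
    servers = []
    for line in log.splitlines():
        match = NAMESERVER_RE.match(line.strip())
        if match:
            servers.extend(s for s in match["servers"].split(",") if s)
    return servers


if __name__ == "__main__":
    for entry in parse_run_entries(SAMPLE_LOG):
        print(f"{entry.hive:4} [{entry.name}] {entry.kind:9} -> {entry.program}")
    print("orphaned:", [line.split(" - ", 1)[0] for line in orphaned_entries(SAMPLE_LOG)])
    print("name servers:", name_servers(SAMPLE_LOG))
```

Run it on a full log by replacing SAMPLE_LOG with the file contents. The bare-name and env-var entries are the ones to resolve by hand (which SOUNDMAN.EXE or nwiz.exe is first on the search path, and what %systemroot% expands to), and the orphaned lines are leftovers from uninstalled software rather than evidence of an infection.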

Post by wasp » February 15th, 2006, 3:04 pm

Many thanks, I really appreciate the trouble you have gone to.

I was assuming that the trojans that were listed on A squared were actually on my computer - not that they were just possibilities!

I suppose that's good news in that respect but my computer is still crashing and freezing, time for a re-install perhaps.
wasp
Active Member
 
Posts: 9
Joined: February 14th, 2006, 9:10 am

Post by askey127 » February 15th, 2006, 4:27 pm

wasp,
A couple of suggestions.

If your PC has a floppy drive, test RAM like this:
Make a Memtest floppy from here: http://www.memtest86.com/#install
scroll down the page to Download - Pre-Compiled Memtest86 v3.2 installable from Windows and DOS. Click to get the download.
Save the memt32.zip file to a folder on your PC.

Then go find the memt32.zip file and unzip it. It will produce 4 files.

With Windows Explorer, go to the folder that has the install.bat, rawrite.exe and memtest.bin files.
Insert a formatted floppy into the A: drive and double-click install.bat.

It will ask what is the drive letter for the floppy. Just type a with no colon. If your antivirus asks if it's OK to run a script, say Yes.
It should write to the floppy drive for 5-10 seconds. Check for the light to come on if there is one.
-------------------------------------------
Leave the floppy in the machine and reboot.
If your PC will boot from the floppy, you will see the MemTest screen.
( If your machine won't boot from the floppy, you will have to change the BIOS boot sequence so it will. I will generate some general instructions if you need them).

Let it run the Memory test completely through test sequence #4. It may take a while. Note whether it finds any errors.
--------------------------------------------
To test the Hard Drive system:
Go to Start, Programs, Accessories, Command Prompt
type in the box at the cursor:
chkdsk C:

wait till it finishes, and see whether it finds any errors.
If it does, run it again, only this time type chkdsk c: /F
It will scan, then reboot to make the corrections.
If you get disk errors, check again every day and see if you get any more.
If you do, it will be soon time for a new Hard drive, so back up your stuff before it crashes permanently.

askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by wasp » February 15th, 2006, 5:59 pm

Thank you.

Chkdsk c: - errors found, chkdsk cannot continue in read only mode.

chkdsk c:/f cannot run because the volume is in use by another process. Do I just restart the computer?

Should I back up my hd before running the chkdsk c:/f?
wasp
Active Member
 
Posts: 9
Joined: February 14th, 2006, 9:10 am

Post by askey127 » February 15th, 2006, 6:26 pm

wasp,
Yes, restart the computer.
No, it won't likely corrupt anything not already busted.

Be sure to run it again REAL SOON.
Maybe your HD is in a bit of trouble.
askey127

Back up important files as soon as you can after chkdsk finishes.
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by wasp » February 17th, 2006, 2:45 pm

When I run chkdsk c:/f it resets part way through, afterwards when I run chkdsk c: errors are still there :cry:
wasp
Active Member
 
Posts: 9
Joined: February 14th, 2006, 9:10 am

Post by askey127 » February 18th, 2006, 2:28 pm

wasp,

Your hard drive system appears to have a major problem.
I would check first by having the IDE cable (attached to the hard drive) replaced. Then, if the chkdsk errors persist, plan on replacement of the hard drive.
In any case backup all your important data right away, and locate all your installation CDs.
Once a drive behaves like this it isn't usually very long before the PC won't boot.

Good Luck,
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by wasp » February 22nd, 2006, 11:04 am

New hard drive and windows installed, still got problems...

Am still getting freezes and errors, not always but usually on startup. Often it says a device driver is at fault but the error can be pretty random.

I have only installed the basic drivers on the new install.

I have tested the ram but have had no errors found.

Anything else you could suggest to pinpoint the problem? :roll:
wasp
Active Member
 
Posts: 9
Joined: February 14th, 2006, 9:10 am

Post by askey127 » February 22nd, 2006, 8:06 pm

wasp,
I'm pretty close to the end of my tether as far as diagnosing the issue remotely. It may take someone with hands on.
I still think it's most likely involved with the IDE and hard drive system, especially where you are not getting consistent errors on one driver at bootup.
From what you relate, the processor/RAM seems to be OK. The IDE controller could go bad on the motherboard, but the IDE cable/sockets and HD are much more susceptible, since they are mechanical.

Are you sure the IDE cable got changed? Are the jumpers correct for the IDE cable used? Have you tried the second IDE socket? Maybe these things are too obvious.

Are you sure your system does not use a custom driver for the IDE controller? If it does, you need to find it online, download it to a floppy or CD and restart, looking for a prompt at the bottom of the text boot screen that asks whether you use a storage device that has a custom driver.
Looking up your PC model online would reveal that.

Some of the best online systems people on the net are at : http://www.pcpitstop.com
They might have an additional idea on the solution short of going to a local PC shop.

askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA