Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Associates.exe removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Associates.exe removal

Unread postby Jonnysaxc » February 10th, 2006, 3:28 pm

Hi,
I have the associates.exe trojan. It's buried in the system32 folder and I can't remove it.
AVG identified it and after removal using avg it no longer finds it, but trojanhunter confirmed my suspician that it is still there.
Can I please ask for help, although I should warn that my ability is limited to downloading various anti-spyware programs and hoping they will remove for me.

Cheers!
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm
Advertisement
Register to Remove

Unread postby Linkmaster » February 10th, 2006, 7:56 pm

Hi Jonnysaxc, Welcome to MalWare Removal !!

You may wish to print out a copy of these instructions to follow while you complete this procedure

I need you to download a program to aide in our fix :

Please create a folder on your C:\ and give it a name (example:HJT)
Download HijackThis 1.99.1© by Merijn
Unzip it in the folder you just created

HijackThis examines certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and malicious hijackers

Click on HijackThis.exe
Put a check in "Don't show this frame again when I start HijackThis" at the bottom
Click "None of the above, just start the program"
Click on the Scan button
It will scan your system Do Not remove anything with HiJackThis until instructed!
When finished, Click on Save Log button, save the log to the file you put HijackThis in.
Double-click the log and Copy then Paste the entire contents here

After the log is posted I can then help you more efficiently !!

Thank you !
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby Jonnysaxc » February 11th, 2006, 7:50 am

Logfile of HijackThis v1.99.1
Scan saved at 11:48:19, on 11/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Program Files\Asus\ASUS Hotkey\Hotkey.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Roxanne\LOCALS~1\Temp\Rar$EX01.687\HijackThis.exe
C:\WINDOWS\System32\MsiExec.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: ±!’o2a?N - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?so ... n=yahoomsg (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://catrade.kgieworld.com.tw/ca_cab/FSCAPIATL.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9341153600
O16 - DPF: {9DA9F061-B243-11D4-8B44-0000E88F2063} (XMSStockPen Class) - https://catrade.kgieworld.com.tw/ca_cab/MSSTOCK.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\ICDSPTSV.EXE
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Unknown owner - c:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - c:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm

Unread postby Jonnysaxc » February 11th, 2006, 7:51 am

Thanks for your help with this, it's driving me mad!
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm

Unread postby Jonnysaxc » February 11th, 2006, 7:55 am

Just to add, I booted the system in safe mode and showed all files- the associates exe isn't there
I notice from the hijack list it isnt either, but I guess that would be too simple!
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm

Unread postby Linkmaster » February 11th, 2006, 10:56 am

I don't see it in the log, either !!

We can run a couple of things to see if we can draw it out !!

Show Hidden Files :
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Download ATF (Atribune Temp File) Cleaner© by Atribune

Download and Install Ad-aware SE© by Lavasoft
NOTE: If you have a previous version of Ad-Aware installed, during the installation of the new version (1.06) you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
Close ALL windows except Ad-Aware SE.

Click on the world icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Close Adaware SE

Download and Install Ewido Anti-Malware© by Ewido Networks
When installing, under "Additional Options" uncheck :

"Install background guard"
"Install scan via menu"


Launch Ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click Update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido Manual Updates
Close Ewido when updates finish

Please disable Microsoft Antispyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Right click on the Microsoft AntiSpyware icon (looks like a target) and click on :
Security Agents Status (Enabled)
Disable Real-time Protection

To re enable it, you follow the same steps but click on Enable Real-time Protection

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu

Run Ad-AwareSE
Click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window:

General Button :
Safety & Settings: Check (Green) all three.

Tweak Button :
Cleaning Engine : UNcheck "Always try to unload modules before deletion"

Click Proceed

Click "Scan Now" at left

Deselect : "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.

Select "Search for low-risk threats"

Select "Perform full system scan"

Click Next

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Click on Next and check all the boxes in the window

Click Next and OK to remove

Close AdawareSE

Run Ewido Anti-Malware
Click on scanner
Click on Complete System Scan and the scan will begin.
When it finds the first infected item put a check next to "Perform action on all infections", then choose [ b]"remove"[/b]
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report.txt file to your desktop.

Close Ewido Anti-Malware

Reboot to Normal Mode

Please run ONE of these Online Virus Scans :

Run TrendMicro Housecall
Note: you must use Internet Explorer, other browsers will not work.
Under "Scan your PC", please click Scan now. It's free!
Select your location and click the Go button.
Click the red magnifying glass button.
Select Complete Scan.
Please be patient while Housecall downloads.
Please allow the ActiveX Control and when prompted click install
Put a check next to My Computer
Leave the following checked:

Scan for Spyware
Check security vulnerabilities


Click the Next button.
It will download the latest scan engine and pattern files.
When the definitions have been downloaded, the scan will start.
After it's done scanning it will take you to the summary page.
Click the Next button.
Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK
Click the Next button to move onto the recovery (final) portion of the scan.
After everything has been removed, please click the Show button on everything.
Highlight all the of text and press CTRL + C to copy the text.
Open Notepad, hit Ctrl + V to Paste
Save it to the desktop

OR

Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Reboot, run HijackThis and post a fresh HijackThis Log, the Ewido Log, and the Virus Scan Log here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby Jonnysaxc » February 12th, 2006, 7:59 am

Thanks very much for your help, here's what has happened now.

The file is def not possible to see from windows explorer etc, no matter about safe mode or hidden files etc.

I loaded ewido and run it- not in safe mode, just to see if it found anything ( I got overexcited!)

Ewido found the trojan and deleted it. But, i think i screwed this bit up, because there is no report or anything. I remember it said it was the lineage trojan. V sorry on thsi bit.

In safe mode, ad aware found nothing.
In safe mode, after cleaning, ewido found nothing.
However, I wasn't able to find atf file cleaner in safe mode so did not run that. I did run it in normal mode though after I downloaded it.

I did disable m/soft antispyware

I have now run ewido again in safe mode and again in normal mode. It no longer finds the trojan.

However, a 2 squared trojan software shows these 2 entries:
C:\System Volume Information\_restore{D8F8F263-6508-4459-851E-1A214CE14794}RP227\A0228428.exe

(the 2 entries are identical)
Diagnosis is Trojan.Win32.Agent.jp



And Trojan Hunter lists it as:
C:\WINDOWS\system32\Associates.exe (Suspicious : UPX packed file in Windows system folder)


It seems to have also disabled AVG antivirus
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm

Unread postby Linkmaster » February 12th, 2006, 9:28 am

Boot into Safe Mode again

Open Windows Explorer, locate and Delete the following folders or files in BOLD : (if present)

C:\WINDOWS\system32\Associates.exe

Empty your Recycle Bin

Boot into Normal Mode

**Turn off System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check "Turn off System Restore"
Click Apply, then click OK and Reboot

**Turn ON System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check "Turn off System Restore"
Click Apply, then click OK and Reboot

See if the file is showing itself again !!

Let me know !!
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby Jonnysaxc » February 12th, 2006, 1:34 pm

will do.
When I have turned off restore, do i thn run the trojan removal program(s) or not?
Does the act of just turning it off and on again do this?

Cheers!
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm

Unread postby Jonnysaxc » February 12th, 2006, 3:34 pm

Hi,
Ok- all done
Sadly, trohanhunter still finds it in there
I'm running kaspersky now to see what happens

Do I need to enable safe mode, then run these programs?
Also, can I please ask if I need to use system restore to "go back" to a certain point in time?

Cheers and kind regards
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm

Unread postby Linkmaster » February 12th, 2006, 9:45 pm

Where does Trojan Hunter say the file is located ??

When I have turned off restore, do i thn run the trojan removal program(s) or not?
Does the act of just turning it off and on again do this?

This clears the Restore Points so the scan wont pick them up!!
Yes, run the scan after clearing the points!!

Do I need to enable safe mode, then run these programs

Not on a regular basis, but for our fix Safe Mode is the best way !!

Also, can I please ask if I need to use system restore to "go back" to a certain point in time?

You can set a restore point to go back to !!
You can read here : How to Use System restore
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby Jonnysaxc » February 13th, 2006, 5:02 am

C:WINDOWS\system32\Associates.exe
UPX packed file in windows system folder

So far, am now in position where a2 squared, kaspersky etc find nothing
But, Trojan Hunter still finds the file

I will now follow the link you kindly posted and update

Cheers and Kind Regards
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm

Unread postby Linkmaster » February 13th, 2006, 8:48 am

Does Trojan Hunter find it and Delete it or just say its there ??

Press Control-Alt-Delete and end the following processes by clicking once on them and then clicking the End Process button: (if present)

associates.exe

Exit the Task Manager

Please disable Microsoft Antispyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Right click on the Microsoft AntiSpyware icon (looks like a target) and click on :
Security Agents Status (Enabled)
Disable Real-time Protection

To re enable it, you follow the same steps but click on Enable Real-time Protection

You are currently using HijackThis from a temporary directory, this can cause problems.
HijackThis creates backups, these are needed in case of any recovery issues.
Please create a folder on your C:\ and give it a name (example:HJT), move HijackThis.exe to that folder. Run the program from that directory from now on

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Run Trojan Hunter
If it has a log, please save it.

Post a fresh HijackThis log along with the Trojan Hunter log
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby Jonnysaxc » February 14th, 2006, 5:08 am

Hiya!
Trojan Hunter does find it, but just says it is suspicious
I can't submit it to them , because I'm not registered (don't have £50!)
I can't zip it and send it anywhere, because it can't be found as a exe file no matter how hard i try to find it.
So, i have decided to re-install windows xp to make sure it goes.
I will let you know if and when this solves it!
Cheers
Jonnysaxc
Active Member
 
Posts: 11
Joined: February 10th, 2006, 3:05 pm

Unread postby Linkmaster » February 14th, 2006, 8:01 am

We can try a couple more things !

Have you removed the files in TrojanHunters Quarantine folder ??

Is your AVG running now ??
If so run a Full scan (make sure it has been updated first)

Can you post me another HijackThis log
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 284 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware