virus WIN32.ATAK.B, NEW POLYWIN 32 viruses, can't update anti-virus software

Old 06-19-2006, 01:49 PM   #1
Guest
 
Join Date: Jun 2006
Posts: 48
OS:



Hi. I am new here. I have had constant problems with my computer crashing for over two weeks. Also I have noticed that I haven't been able to update my anti-virus software: both Ad-Aware SE Personal and AVG 7 Free have not been able to update for some 16 days now.
I have run your recommended online scanners, Panda Software, Housecall, and McAfee. I believe McAfee discovered the WIN32.ATAK.B and NEW POLYWIN 32 viruses, but said it could not remove them.
Something seems to be eating up my RAM; simple rendering tasks cause my computer to crash now.

I have updated to Windows SP1a. I am running Windows XP Pro. I would appreciate any help.

Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 18:47:14, on 19/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\adaware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=???
??? ???
?
? ?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - https://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - https://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - https://software-dl.real.com/0999f55f...p/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - https://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1150456352313
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - https://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - https://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - https://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - https://download.mcafee.com/molbin/is...84/mcfscan.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - https://66.117.37.13/dba1402.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
cliche guevara is offline  
Old 06-19-2006, 04:38 PM   #2
TSF Team, Emeritus
 
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
F3 - REG:win.ini: load=???
??? ???
?
? ?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - https://66.117.37.13/dba1402.exe

Please remember to close all other windows, including browsers, then click Fix checked.


Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it may ask you to purchase the program; this is not necessary, we will take care of the entries manually.
  • At the end of the scan click on see report. Then click Save report
Please post that log in your next reply.

In your next post please include:
  • Panda Activescan Log
  • A new Hijackthis! Log
Vikesrock8411 is offline  
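The entries the helper picked out of the log above follow two readable rules: a win.ini load= value that is set at all (it is normally empty), and an O16 DPF entry that fetches an executable from a bare IP address. The script below, an added example that is not part of the thread and not HijackThis code, encodes those rules plus a low-severity flag for "(file missing)" leftovers, and runs them over lines copied from the first HijackThis log in the thread. The XP default value assumed for UserInit (with its trailing comma) is my assumption, not something the thread states.

```python
"""Triage heuristics for HijackThis 1.99.1 log entries (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\}(?: \([^)]*\))? - (\S+)$")
BARE_IP_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.IGNORECASE)
INI_RE = re.compile(r"^REG:(win|system)\.ini: (load|run|UserInit)=(.*)$", re.IGNORECASE)
# Assumed XP default for UserInit; note the trailing comma.
XP_DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low"
    entry: str
    reason: str


def parse_entries(text: str) -> List[str]:
    """Return the Rx/Fx/Ox entries, joining wrapped F-section values.

    The F3 entry in the thread spans several lines because its value is
    unprintable; untagged lines are appended to a preceding F entry and
    ignored elsewhere (header, process list).
    """
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            entries.append(line)
        elif entries and entries[-1].startswith("F"):
            entries[-1] += " " + line
    return entries


def triage_entry(entry: str) -> Optional[Finding]:
    m = SECTION_RE.match(entry)
    if not m:
        return None
    section, body = m.groups()
    if section == "O16":
        d = DPF_RE.match(body)
        if d and BARE_IP_RE.match(d.group(1)) and d.group(1).lower().endswith(".exe"):
            return Finding("high", entry, "ActiveX download (DPF) fetches an executable from a bare IP address")
        return None
    if section in ("F2", "F3"):
        i = INI_RE.match(body)
        if not i:
            return None
        key, value = i.group(2).lower(), i.group(3).strip()
        if key in ("load", "run"):
            return Finding("high", entry, f"win.ini {key}= is normally empty but is set") if value else None
        programs = [p.strip() for p in value.split(",") if p.strip()]
        if len(programs) != 1 or not programs[0].lower().endswith("\\userinit.exe"):
            return Finding("high", entry, "UserInit runs something other than the single userinit.exe")
        if value.lower() != XP_DEFAULT_USERINIT:
            return Finding("low", entry, "UserInit differs from the assumed XP default string; verify the file")
        return None
    if body.endswith("(file missing)"):
        return Finding("low", entry, "entry points at a file that no longer exists (orphaned leftover)")
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in map(triage_entry, parse_entries(text)) if f is not None]


# Sample: lines copied from the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
F3 - REG:win.ini: load=???
??? ???
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - https://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - https://66.117.37.13/dba1402.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

Run against the sample, the two high-severity findings are exactly the F3 and O16 entries the helper asked to have fixed; the Symantec DPF entry and the AVG Run entry pass, and the "(file missing)" entries come out as low-severity leftovers rather than infections.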
Old 06-20-2006, 07:41 AM   #3
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


OK. I did it. Here are the results.

Panda ActiveScan log:

Incident Status Location

Adware:adware/cydoor Not disinfected c:\windows\cdmxtras
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\cliche guevara\Cookies\cliche [email protected][2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\cliche guevara\Cookies\cliche [email protected][1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\cliche guevara\Cookies\cliche [email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\cliche guevara\Cookies\cliche [email protected][1].txt
And a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:35:35, on 20/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\adaware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - https://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - https://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - https://software-dl.real.com/0999f55f...p/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - https://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1150456352313
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - https://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - https://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - https://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - https://download.mcafee.com/molbin/is...84/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

thanks.
cliche guevara is offline  
Old 06-20-2006, 11:23 AM   #4
TSF Team, Emeritus
 
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


Okay, that didn't really show what we needed to see.

Delete this folder:
c:\windows\cdmxtras

Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot
  • In the popup box that appears, type in C:\Windows\System32\svrhost.exe
  • Click the Open button.
  • Click YES when prompted to restart your computer.

Run an online scan at McAfee, when it is complete, highlight everything inside the box and copy/paste it into Notepad. Then post those results here.
Vikesrock8411 is offline  
Old 06-20-2006, 12:16 PM   #5
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


OK, I'll try this. Back soon.
cliche guevara is offline  
Old 06-20-2006, 04:02 PM   #6
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


I am not having much luck with running the McAfee online scanner.
My computer has crashed while scanning 5 times now.

I will keep trying until you suggest some other angle.
cliche guevara is offline  
Old 06-20-2006, 04:34 PM   #7
TSF Team, Emeritus
 
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


Dr. Web is known for its ability to detect polymorphic viruses. Let's see if it digs anything up.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Vikesrock8411 is offline  
Old 06-21-2006, 07:01 AM   #8
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


OK, I've done this. Dr. Web discovered a trojan downloader and crashed soon after. It crashed twice more before I got it to complete the scan, but it seems to have deleted this problem. It has found other potential trojans. Here is the report.

Windows Registry Repair Pro2006611.reg;C:\Program Files\3B Software\Windows Registry Repair Pro\backup;Probably SCRIPT.Virus;Incurable.Moved.;
MAILSCAN.EXE;C:\Program Files\eScan;Probably BACKDOOR.Trojan;Incurable.Moved.;


I have just noticed that it has left a problem off this report. It also spotted this: Object: A0010502.EXE
Path: C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AEOE146F7F89}\RP24

Status: Probably Backdoor.Trojan
I am not sure why this got left off the report, because it also claimed it was incurable.
cliche guevara is offline  
Old 06-21-2006, 12:18 PM   #9
TSF Team, Emeritus
 
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


Looks like Dr. Web got a little carried away.

Please navigate to this folder:
%userprofile%\DoctorWeb\quarantaine-folder

Move mailscan.exe from inside it back to this folder:
C:\Program Files\eScan

Download GMER to your desktop.
  • Right Click the Zip and Select Extract All.
  • Open GMER and Click the Tab labeled RootKit.
  • Now Click Scan, it will take a while for the scan to complete.
  • Once done, Copy the results to Notepad and post them in the next reply.


Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Vikesrock8411 is offline  
Old 06-21-2006, 02:11 PM   #10
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


OK. I tried the GMER test and it crashed; I then tried Kaspersky and managed to save something, but I still haven't got it to complete the test. It crashed as well. I will try the GMER scan again and get back to you. In the meantime, here is the result from a partial Kaspersky scan.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, June 21, 2006 8:38:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/06/2006
Kaspersky Anti-Virus database records: 201853
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 65
Number of viruses found: 1
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 00:02:35

Infected Object Name / Virus Name / Last Action
C:\adaware\RegCureSetup_43.exe/stream/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\RegCureSetup_43.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\RegCureSetup_43.exe NSIS: infected - 2 skipped
C:\adaware\XoftSpy415_103.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\XoftSpy415_103.exe NSIS: infected - 1 skipped

Scan was interrupted by user!

hope it is of some use.
cliche guevara is offline  
Old 06-21-2006, 02:45 PM   #11
TSF Team, Emeritus
 
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


Unfortunately, that Kaspersky report discovered the installers for two legit applications.

Try unchecking the Registry box on the GMER scan, it should complete much quicker and hopefully not cause a crash.
Vikesrock8411 is offline  
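Two of the reports in this thread were read by the helper as false alarms: Dr.Web's "Probably BACKDOOR.Trojan" verdict on eScan's mailscan.exe (post #9 has it restored from quarantine), and Kaspersky's "not-a-virus:RiskTool" hits inside the RegCure and XoftSpy installers (the reply above). The script below is an added example, not part of the thread and not code from either vendor: it parses the two report formats as posted (Dr.Web CureIt's semicolon-separated DrWeb.csv lines and Kaspersky Online Scanner's "Infected:" lines), classifies each verdict by the kind of evidence behind it, and reproduces the helper's reading. The vendor-folder allow-list is an assumption covering only the product the thread names; the one "signature" line is constructed and labelled as such.

```python
"""Separate heuristic and riskware verdicts from signature detections (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

KASPERSKY_RE = re.compile(r"^(.+?) Infected: (\S+) (\S+)$")
# Assumed: install folders of security products the thread shows on the machine.
KNOWN_VENDOR_FOLDERS = (r"c:\program files\escan",)


@dataclass(frozen=True)
class Verdict:
    scanner: str
    path: str
    name: str    # detection name exactly as the scanner printed it
    action: str


def confidence(name: str) -> str:
    """Kind of evidence behind a verdict name."""
    low = name.lower()
    if low.startswith("probably "):
        return "heuristic"        # Dr.Web heuristic analyser, no signature match
    if low.startswith("not-a-virus:"):
        return "riskware"         # Kaspersky: legitimate tool that can be misused
    return "signature"


def parse_drweb(text: str) -> List[Verdict]:
    """DrWeb.csv lines: file;folder;verdict;action;"""
    out = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        file_name, folder, name, action = fields[:4]
        out.append(Verdict("drweb", folder + "\\" + file_name, name, action))
    return out


def parse_kaspersky(text: str) -> List[Verdict]:
    """Lines of the form '<object> Infected: <name> <action>'."""
    out = []
    for line in text.splitlines():
        m = KASPERSKY_RE.match(line.strip())
        if m:  # "NSIS: infected - 2" container summaries do not match and are skipped
            out.append(Verdict("kaspersky", m.group(1), m.group(2), m.group(3)))
    return out


def in_container(path: str) -> bool:
    # Kaspersky prints objects inside archives/installers as "outer.exe/inner"
    return "/" in path


def triage(verdicts: List[Verdict]) -> List[Tuple[Verdict, str]]:
    advice = []
    for v in verdicts:
        kind = confidence(v.name)
        folder = v.path.rsplit("\\", 1)[0].lower()
        if kind == "heuristic" and folder.startswith(KNOWN_VENDOR_FOLDERS):
            advice.append((v, "likely false positive: restore from quarantine and verify the file"))
        elif kind == "riskware" and in_container(v.path):
            advice.append((v, "tool bundled inside an installer: confirm the installer's origin, not an infection"))
        elif kind == "signature":
            advice.append((v, "signature match: treat as a detection"))
        else:
            advice.append((v, f"{kind} verdict: review manually"))
    return advice


# Report lines copied from the thread (Dr.Web post #8, Kaspersky post #10).
SAMPLE_DRWEB = r"""
Windows Registry Repair Pro2006611.reg;C:\Program Files\3B Software\Windows Registry Repair Pro\backup;Probably SCRIPT.Virus;Incurable.Moved.;
MAILSCAN.EXE;C:\Program Files\eScan;Probably BACKDOOR.Trojan;Incurable.Moved.;
"""
# The last line is constructed (not from the thread) to show a signature hit.
SAMPLE_KASPERSKY = r"""
C:\adaware\RegCureSetup_43.exe/stream/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\RegCureSetup_43.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\RegCureSetup_43.exe NSIS: infected - 2 skipped
C:\adaware\XoftSpy415_103.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\XoftSpy415_103.exe NSIS: infected - 1 skipped
C:\constructed\sample.exe Infected: Trojan-Downloader.Win32.Constructed.a skipped
"""

if __name__ == "__main__":
    for v, note in triage(parse_drweb(SAMPLE_DRWEB) + parse_kaspersky(SAMPLE_KASPERSKY)):
        print(f"{v.scanner:9} {v.path}\n    {v.name}: {note}")
```

The ordering of the checks matters: a heuristic verdict outside a recognised vendor folder (the 3B Software backup .reg file) is not waved through but left for manual review, which is also what the thread did with it.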
Old 06-21-2006, 02:52 PM   #12
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


OK. Here is a copy of a partial scan, if it is any use. I will try again.

GMER 1.0.10.10122 - https://www.gmer.net
Rootkit 2006-06-21 21:47:57
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE EECF33DF

---- EOF - GMER 1.0.10 ----
cliche guevara is offline  
Old 06-21-2006, 02:57 PM   #13
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


Yes, that was very fast. Here it is. I will try Kaspersky again.

GMER 1.0.10.10122 - https://www.gmer.net
Rootkit 2006-06-21 21:54:28
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F8BC685A] avgtdi.sys

---- Files - GMER 1.0.10 ----

File C:\d4d46aeaece68f7581ee89dc688a1137\download\1394bus.sys._p
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\asr_pfu.exe
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\battery.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\hiddigi.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\hscmui.cab
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\irbus.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\login.cmd
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\medctroc.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\medctroc.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\netfxocm.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\netfxocm.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spiisupd.exe
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0401.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0402.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0404.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0405.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0406.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0407.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0408.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra040b.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra040c.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra040d.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra040e.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0410.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0411.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0412.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0413.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0414.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0415.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0416.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0418.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0419.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra041a.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra041b.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra041d.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra041e.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra041f.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0424.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0425.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0426.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0427.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0804.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0816.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\spra0c0a.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\tabletoc.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\tabletpc.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\ip\termcap
File C:\d4d46aeaece68f7581ee89dc688a1137\new\apph_sp.sdb
File C:\d4d46aeaece68f7581ee89dc688a1137\new\apps_sp.chm
File C:\d4d46aeaece68f7581ee89dc688a1137\new\ati2dvaa.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\ati2mtaa.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atiixpaa.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atiixpag.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinbtxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinmdxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinpdxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinraxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinrvxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinsnxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinttxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atintuxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinxbxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atinxsxx.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\ativdaxx.ax
File C:\d4d46aeaece68f7581ee89dc688a1137\new\ativmvxx.ax
File C:\d4d46aeaece68f7581ee89dc688a1137\new\atixpwdm.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\c_28603.nls
File C:\d4d46aeaece68f7581ee89dc688a1137\new\dsprpres.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\encdec.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\faxpatch.exe
File C:\d4d46aeaece68f7581ee89dc688a1137\new\hccoin.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\hidir.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\hscupd.exe
File C:\d4d46aeaece68f7581ee89dc688a1137\new\hscxpsp1.cab
File C:\d4d46aeaece68f7581ee89dc688a1137\new\irbus.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\logo.gif
File C:\d4d46aeaece68f7581ee89dc688a1137\new\logowin.gif
File C:\d4d46aeaece68f7581ee89dc688a1137\new\medctrro.exe
File C:\d4d46aeaece68f7581ee89dc688a1137\new\msctfime.ime
File C:\d4d46aeaece68f7581ee89dc688a1137\new\msftedit.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\mssap.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\mutohpen.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\netbeac.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\nettun.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\nv4_disp.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\nvct.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\nvdm.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\nvts.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\oeaccess.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\ramdisk.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\rtcimsp.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\sbe.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\sbeio.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\snchk.exe
File C:\d4d46aeaece68f7581ee89dc688a1137\new\spgrmr.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\usbehci.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\wacompen.sys
File C:\d4d46aeaece68f7581ee89dc688a1137\new\winbrand.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\winhttp.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\wmaccess.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\wmpocm.inf
File C:\d4d46aeaece68f7581ee89dc688a1137\new\wmvcore2.dll
File C:\d4d46aeaece68f7581ee89dc688a1137\new\wuau.adm
File C:\d4d46aeaece68f7581ee89dc688a1137\new\wuauhelp.chm
File C:\d4d46aeaece68f7581ee89dc688a1137\new\xpsp1res.dll
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{AD676D0C-5676-4BC6-B3BC-296716AE4681}(2)
File C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}

---- EOF - GMER 1.0.10 ----
cliche guevara is offline  
Old 06-21-2006, 04:22 PM   #14
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


And here is the Kaspersky scan.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, June 21, 2006 11:19:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/06/2006
Kaspersky Anti-Virus database records: 201853
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41910
Number of viruses found: 2
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 01:14:42

Infected Object Name / Virus Name / Last Action
C:\adaware\RegCureSetup_43.exe/stream/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\RegCureSetup_43.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\RegCureSetup_43.exe NSIS: infected - 2 skipped
C:\adaware\XoftSpy415_103.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\adaware\XoftSpy415_103.exe NSIS: infected - 1 skipped
C:\soulseek\BitTorrent-4.0.4.exe/stream/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\soulseek\BitTorrent-4.0.4.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\soulseek\BitTorrent-4.0.4.exe NSIS: infected - 2 skipped
C:\soulseek\BitTorrent-Stable.exe/stream/data0009 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\soulseek\BitTorrent-Stable.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\soulseek\BitTorrent-Stable.exe NSIS: infected - 2 skipped
C:\soulseek\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\soulseek\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\soulseek\ccsetup128.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP19\A0009907.msi/Cabs.w1.cab/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP19\A0009907.msi/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP19\A0009907.msi Embedded: infected - 2 skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP19\A0009908.MSI/Cabs.w1.cab/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP19\A0009908.MSI/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP19\A0009908.MSI Embedded: infected - 2 skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP20\A0009987.MSI/Cabs.w1.cab/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP20\A0009987.MSI/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP20\A0009987.MSI Embedded: infected - 2 skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP21\A0009989.msi/Cabs.w1.cab/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP21\A0009989.msi/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP21\A0009989.msi Embedded: infected - 2 skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP22\A0010013.MSI/Cabs.w1.cab/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP22\A0010013.MSI/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP22\A0010013.MSI Embedded: infected - 2 skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP23\A0010017.msi/Cabs.w1.cab/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP23\A0010017.msi/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP23\A0010017.msi Embedded: infected - 2 skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP24\A0010041.MSI/Cabs.w1.cab/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP24\A0010041.MSI/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{B46F70D3-EFF9-488A-A2D8-AE0E146F7F89}\RP24\A0010041.MSI Embedded: infected - 2 skipped

Scan process completed.
cliche guevara is offline  
Old 06-21-2006, 08:02 PM   #15
TSF Team, Emeritus
 
Vikesrock8411's Avatar
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


Click Start>Run and type in eventvwr.msc

What we're looking for are the Errors from the System and Application viewers. You'll see something like this: Application Error...

Locate the ones with a big red X that say error. Double click to open it. Hit the Tablet (Says Copy to Clipboard if you hover mouse over it) and then CTRL+V to paste the info into the post.
__________________
Vikesrock8411 is offline  
Old 06-22-2006, 08:06 AM   #16
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


OK. There are dozens, if not hundreds, of errors in each file.

This is from the system file. The first error occurred about 500 times yesterday.


Event Type: Error
Event Source: ACPIEC
Event Category: None
Event ID: 1
Date: 22/06/2006
Time: 04:50:38
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
\Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 68 00 01 00 be 00 ..h....
0008: 00 00 00 00 01 00 05 c0 .......
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 99 9e 36 00 12 09 ff ff ™ž6...
0030: 72 00 40 00 12 08 09 00 [email protected]
0038: 82 00 7c 00 a2 03 9d 00 ‚.|...
0040: 12 0a 77 00 a2 05 d4 00 ..w...
0048: 12 2a 11 00 32 84 04 00 .*..2„..
0050: 10 28 08 00 22 26 07 00 .(.."&..
0058: 12 29 10 00 62 00 03 00 .)..b...
0060: 52 00 56 34 72 00 03 00 R.V4r...
0068: 12 2a 09 00 82 00 11 01 .*..‚...
0070: a2 09 91 03 12 2a 11 00 .‘..*..
0078: 32 84 06 00 10 28 12 00 2„...(..
0080: 60 00 02 00 50 00 ff ff `...P.
0088: 70 00 04 00 10 08 09 00 p.......



Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 22/06/2006
Time: 00:33:51
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
The following boot-start or system-start driver(s) failed to load:
Aspi32
Avg7Core
Avg7RsW
Avg7RsXP
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 22/06/2006
Time: 00:33:51
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 22/06/2006
Time: 00:33:14
User: FRANK-T77Y80ZWF\cliche guevara
Computer: FRANK-T77Y80ZWF
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 22/06/2006
Time: 00:32:53
User: NT AUTHORITY\SYSTEM
Computer: FRANK-T77Y80ZWF
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 21/06/2006
Time: 21:36:57
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
The Remote Procedure Call (RPC) Locator service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

And here are the application errors:

Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 8193
Date: 22/06/2006
Time: 00:32:26
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 52 54 57 52 54 49 43 WRTWRTIC
0008: 32 31 31 33 00 00 00 00 2113....
0010: 57 52 54 57 52 54 49 43 WRTWRTIC
0018: 32 30 37 38 00 00 00 00 2078....
Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 22/06/2006
Time: 00:32:26
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: ESENT
Event Category: General
Event ID: 490
Date: 21/06/2006
Time: 21:35:32
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
svchost (1016) An attempt to open the file "C:\WINDOWS\System32\CatRoot2\edb.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: ESENT
Event Category: General
Event ID: 490
Date: 21/06/2006
Time: 17:31:29
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
svchost (1072) An attempt to open the file "C:\WINDOWS\System32\CatRoot2\edb.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 21/06/2006
Time: 16:14:13
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 21/06/2006
Time: 13:47:55
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
Hanging application , version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 20 30 2e 30 2e 30 0.0.0
0018: 2e 30 20 69 6e 20 68 75 .0 in hu
0020: 6e 67 61 70 70 20 30 2e ngapp 0.
0028: 30 2e 30 2e 30 20 61 74 0.0.0 at
0030: 20 6f 66 66 73 65 74 20 offset
0038: 30 30 30 30 30 30 30 30 00000000
Event Type: Information
Event Source: ESENT
Event Category: General
Event ID: 103
Date: 16/06/2006
Time: 00:46:41
User: N/A
Computer: FRANK-T77Y80ZWF
Description:
wuaueng.dll (2836) SUS20ClientDataStore: The database engine stopped the instance (0).

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.


There are many more files than this that say error, but they seem to be clustered around the last few days and they seem to repeat these problems. I assume you don't need me to send every single one?
cliche guevara is offline  
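Reading dumps like the ones above by hand gets slow once there are hundreds of records. The following is an added example, not from this thread or from any of its posters: a small Python script that takes Event Viewer "Copy to Clipboard" text in exactly the layout pasted above, counts Error records by source and event ID, and pulls the driver names out of Service Control Manager event 7026. The sample input is constructed for the example (computer and user names are made up) and mirrors the paste, including two records glued onto one line where the footer ran straight into the next "Event Type:", which a naive line-based parser would miss.

```python
import re
from collections import Counter

# Constructed sample in the Event Viewer "Copy to Clipboard" layout pasted in
# this thread; names are made up for the example. The records are deliberately
# glued onto one line at the footer, as happened in the forum paste above.
SAMPLE = r"""Event Type: Error
Event Source: Service Control Manager
Event ID: 7026
Date: 22/06/2006
Time: 00:33:51
Computer: EXAMPLE-PC
Description:
The following boot-start or system-start driver(s) failed to load:
Avg7Core
IPSec
Tcpip

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.Event Type: Error
Event Source: DCOM
Event ID: 10005
Date: 22/06/2006
Time: 00:33:14
User: EXAMPLE-PC\someone
Computer: EXAMPLE-PC
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.Event Type: Information
Event Source: ESENT
Event ID: 103
Date: 16/06/2006
Time: 00:46:41
Computer: EXAMPLE-PC
Description:
wuaueng.dll (2836) SUS20ClientDataStore: The database engine stopped the instance (0).

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 52 54 57 52 54 49 43 WRTWRTIC
"""

HEADER_FIELDS = ("Event Type", "Event Source", "Event Category", "Event ID",
                 "Date", "Time", "User", "Computer")
FOOTER = "For more information, see Help and Support Center"


def split_records(text):
    """One chunk per record. A record starts at 'Event Type:', which may sit
    mid-line when the paste glued the previous footer onto it."""
    return [p for p in re.split(r"(?=Event Type:)", text) if p.strip()]


def parse_record(chunk):
    """Header fields become dict keys; Description runs until the footer or
    the 'Data:' hex dump, both of which are discarded."""
    rec, lines, i = {}, chunk.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.startswith("Description:"):
            break
        key, sep, val = line.partition(":")
        if sep and key in HEADER_FIELDS:
            rec[key] = val.strip()
    desc = []
    for line in lines[i:]:
        if line.startswith(FOOTER) or line.startswith("Data:"):
            break
        desc.append(line.rstrip())
    rec["Description"] = "\n".join(desc).strip()
    return rec


def failed_drivers(rec):
    """Driver names from a Service Control Manager 7026 record: the first
    description line is the sentence, the rest list one driver per line."""
    if rec.get("Event Source") != "Service Control Manager" or rec.get("Event ID") != "7026":
        return []
    return [l.strip() for l in rec["Description"].splitlines()[1:] if l.strip()]


def summarize(text):
    records = [parse_record(c) for c in split_records(text)]
    errors = [r for r in records if r.get("Event Type") == "Error"]
    return {
        "total": len(records),
        "errors": len(errors),
        "by_source_id": Counter((r["Event Source"], r["Event ID"]) for r in errors),
        "failed_drivers": sorted({d for r in errors for d in failed_drivers(r)}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['errors']} error records out of {s['total']}")
    for (src, eid), n in s["by_source_id"].most_common():
        print(f"  {n:4d}  {src} / {eid}")
    if s["failed_drivers"]:
        print("boot-start drivers that failed to load:", ", ".join(s["failed_drivers"]))
```

Run it as a script for the sample, or call summarize() on text saved from Event Viewer. One caveat when reading the 7026 driver list: when it sits in the same minute as DCOM 10005 "cannot be started in Safe Mode" messages, as it does in the dump above, the entries are consistent with a Safe Mode boot, where network and anti-virus boot-start drivers are not loaded, so that list is expected there; the same list logged on a normal boot is what would be worth chasing.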
Old 06-22-2006, 09:47 AM   #17
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


I also found, when running the BitDefender online scan again, that two McAfee pop-ups occurred, claiming once again that I had the New Poly Win32 virus.

This time, instead of trying to delete them, which caused it to crash before, I asked for more information. It claimed they were both in a local settings temp file... but I could only find one. I have removed this one into my rubbish, but I await your word on what to do with it.
cliche guevara is offline  
Old 06-23-2006, 12:23 AM   #18
TSF Team, Emeritus
 
Vikesrock8411's Avatar
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


I want to see it.

Pull it out of your trash and onto your desktop. Then right-click on it and select
"Send to"->"Compressed (zipped) Folder". Upload that zip file here using the "Manage Attachments" button when submitting a reply.

I am still looking into a couple of your posted errors; they take a while to research, and I am trying to still help others at the same time. I will be back with some things for you to try as soon as I can.
__________________
Vikesrock8411 is offline  
Old 06-23-2006, 08:51 AM   #19
Guest
 
Join Date: Jun 2006
Posts: 48
OS:


I am unable to attach it. It failed twice, saying... upload failed.
cliche guevara is offline  
Old 06-23-2006, 01:38 PM   #20
TSF Team, Emeritus
 
Vikesrock8411's Avatar
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


Strange. Can you try emailing the file to me at vikesrockATgmail.com (replace the AT with @)?
__________________
Vikesrock8411 is offline  