Some nasty virus resident memory! Need help!!?

Hi everyone,

I got a virus in the resident memory and all my efforts to clean it have fallen flat.

First, it killed my firewall (sygate firewall) and my antivirus (AVG Pro). Now, every time I try to put a firewall or an antivirus, I get a pop-up saying that it can't find the *.exe files to put the software on the computer. I was able to put escan (for virus) and trojanhunter on the computer, but they are not really good help.

The virus had corrupted the file wshcon.dll. That I managed to fix (downloaded a new one and put it back instead of the other).

I can't see anything when I open the add-remove programs in the control panel. So I can't go there to find a way to put a firewall and an antivirus that could eliminate the threat.

When I start the computer in safe mode, it CRASHES and says to check for virus.

When I started the computer (regular) 3 times, the escan program told me that a file named program could hurt the computer and asked to rename it so it is safe.

Also, when I used trojanhunter, it said: c:\pagefile.sys not scanned (in use by another application)...I can't find this file.

I found that folders had been put on the computer; those are: $WIN_NT$.~BT, FOUND.003 and FOUND.004.

Could someone who has a clue how to correct this give me a hand?

I thank you in advance

Prulon

Being unable to scan pagefile.sys is normal, it's your paging file and as such always in use. You won't be able to see it unless you enable it to show hidden files and folders.
The folders there are normal - the first is a temporary folder left over from Windows installation, and the others are folders with recovered files in, usually from scandisk.
You say you can't boot into safe mode - what exactly happens when you try to?
What antivirus programs do you have on the C, and which ones work?

Can a mod please move this to viruses?
Thanks.

Blackberry: done
Cheers - Calum

Hi, everyone and thanks for answering me, Blackberry.

I found that I have the mitglieder.q.

I found it with stopzilla. Problem is I can't remove it for the program is a TRIAL and it does not remove viruses with the trial.

Do you know a free program that would do the job?

The only av that would install was escan. I tried many top avs but none of them worked.

It's late so I'll go to sleep. Tomorrow, I'll try again in safe mode and write down what the message is, then I'll post it.

Thanks again

Prulon

thanos...... Just so we know, will your pc boot up in normal mode ?
You say the trojan Killed the anti-virus ....... I suspect it just disabled it and hopefully you can restart it.

Will it start up in safe mode ?

dl65

Hi,

Thanks for posting, dl65...

The stopzilla free trial 4.4 just found and blocked the virus, it did not remove it. Need the registered version for that.

I still can't start the computer in safe mode, but it starts in the 'normal mode'.

The safe mode starts well until I see: 'Loading SPTD.SYS'...It stays on the bottom of the screen for a couple of seconds, then a blue screen appears.

Here is a transcript of what is written on the blue screen in safe mode:

'' ***stop:0x0000007B (0xEB41B84C, 0xC0000043, 0,00000000, 0,00000000) INACCESSIBLE_BOOT_DEVICE

Check for viruse on your computer, check you hard drive to see if it is proprely configured and terminated.

Run CHKDSK /F to check for hard drive corruption, and then restart your computer.''

I did the latter a couple of times. The hard drive has corrupt strings and was repaired, but it comes back.

I know that my hard drive is fine, and I know that I have the MITGLIEDER.Q. (At least, it is what stopzilla said)

Now, I need to find a way to remove it.

Also if someone knows a firewall and an AV that won't be 'killed' by a virus or other thing, I'll appreciate your input on the best of both.

Thanks again

Prulon

thanos ........ ok....... you didn't really say if AVG pro will open ......
But in any event ....how about d/L hijackthis....... get it from ....
http://www.majorgeeks.com/download3155.html once you have it D/L ...... to your desktop , close up everything else , install and run a scan , save the log and post it here so we can see what's going on.
Use as many posts as necessary to get it all posted .


dl65

Hello

Here is the hijackthis.log...And by the way, thanks for your fast help...

Logfile of HijackThis v1.99.1
Scan saved at 4:41:56 PM, on 2/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hldrrr.exe
C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globetrotter.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Toon Boom Animation\Toon Boom Studio 3.5\Resources\English.lproj\help\fullPC\wwhelp\wwhimpl\common\html\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=938d72bb6586a89e5f02f3daae11ebb5020085e5c909ae61b1b31c788889826e&fti=yes"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\0eufqvrq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\0eufqvrq.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: GOOGLE Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [UpdService] C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [STOPzillaInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STOPzilla\SZSetup.exe product_install=STOPzillaFULL.msi sz_install=finish
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\STOPzilla.exe" /autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabletWorks.lnk = C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

Part 2 follows...

Here is part two of the hijackthis log file:

O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BvrpKrnl - Unknown owner - C:\Program Files\WinFax eXPert\BVRPKrnl.exe
O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\RpcSandraSrv.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

Hope this helps to solve the problem...You will see that I tried a lot of software to try to fix it.

Thanks again

Prulon

thanos.....
ok....lets see what we can do.
C:\WINNT\system32\hldrrr.exe - this is not good and must be removed.
Use the task manager to shut it down........ then download Prevx1 to remove it completely http://info.prevx.com/downloadremove.asp .

Once this has been done let us know what was found and that it was removed.

dl65

Hello,

I tried Prevx1. It found malware, but didn't want to put it in the jail, so I couldn't delete it.

I tried avg anti-spyware, and it found 332 files that it quarantined and deleted.

But that seems not to do the thing because my pc still had problems after.

I figure that it would be because Prevx1 didn't put the malware in the jail to be deleted, but held it so it does no harm. So I just uninstalled Prevx1 and redid a scan with avg anti-spyware...Will see...

The avg software found those at the first scan (in the 332 files):

dropper.delf.vt
hijacker.vb.ku
worm.bagle.ht
worm.bagle.hx
worm.bagle.hw
dropper.agent.bct

Have a clue of what those are?

There are two other things:

When windows starts, it opens a window from program files\common. And in it is a file named vsovprev.ax...What's that?

Also, a pop-up appears that says: winnt\csc\00000002 is corrupt and unreadable. do chkdsk /f.

I did it a couple of times (the chkdsk /f) and every time the computer reboots itself like forever, then when it starts windows WITHOUT rebooting, the same thing appears again. (both things above)

By the way, I tried to open in safe mode, but still boging...

Anyway...With the help I have from you and the thing I read on the net, I'm sure I'll manage to fix it...

Thanks again

Prulon

thanos .... what dl65 says is right. That process is from the W32/Bagle-KF worm infection.

However .... you have many other problems. Your java is well out of date, you have a CWS infection and, probably most importantly, a Trojan that allows a remote intruder to gain access and control over your computer through IRC channels.

Please print this out to help you follow the advice.

This is in the log ....

O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe

We must stop & disable this added service.

1. To stop the service and set to 'disabled' .....

Go to Start > Run and type in "Services.msc" (without the quotes) then click OK

Click the Extended tab

Scroll down until you find the service

O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe

Click once on the service to highlight it

Click Stop

Right-Click on the service

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.

***********

Download Ewido/AVG Anti Spyware from here ….

http://www.ewido.net/en/

It has a fully working 30 day trial period.

Install it and update it to the latest definitions.

Do NOT use it yet.

***********

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

***********

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

***********

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (IF it still exists) ...........

C:\WINNT\system32\hldrrr.exe

***********

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (IF they still exist; make sure you do not miss any) .........

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Toon Boom Animation\Toon Boom Studio 3.5\Resources\English.lproj\help\fullPC\wwhelp\wwhimpl\common\html\blank.htm

O4 - HKLM\..\Run: [UpdService] C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe

O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe


Remember to close ALL open windows & browsers, including this one, then click "Fix Checked" at the foot of the HJT window.

***********

Delete the following Files indicated in BOLD IF they are still present ....

C:\WINNT\system32\hldrrr.exe

C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

C:\Program Files\Toon Boom Animation\Toon Boom Studio 3.5\Resources\English.lproj\help\fullPC\wwhelp\wwhimpl\common\html\blank.htm

C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe

C:\winnt\system32\directx.exe

***********

Still in safe mode run a full system scan with AVGAS and let it fix what it wants to.

REMEMBER TO SAVE THE SCAN REPORT and also remember where you saved it.

[FOOTNOTE > this is a good program to use as an “on demand” scanner even after the trial period is over. Keep it updated and use it to scan your computer from time to time].

***********

Reboot your system in Normal Mode.

***********

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications"…..
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.
***********

Please post the results of the AVGAS scan and a fresh HJT log.

Please also say how your computer is operating now.


OJ

I was working on the above fix whilst you were posting your most recent comments. As you can see you have multiple problems but please proceed with the fix I posted. That should clean you up quite a bit.

We can move on from there.


OJ

Nice Work, oddjob !

Hi,

And thanks OJ for your advice.

I just got a 'little' problem with what you wrote...I can't reboot in safe mode.

On the net I found this (below) for I thought I may have the Win32.Agent.zf.

It is supposed to help me reboot clean...Remember that I have win2k pro pack4.

I would appreciate if you can tell me if it is a good thing to do or not.

Here goes:

'' Manual removal:

1. Create a c:\rescue.bat file which contains the following strings:
@echo off
:try
del C:\WINDOWS\SERVICES.EXE
if exist C:\WINDOWS\SERVICES.EXE goto try
2. Modify the following system registry entry: from
[HKLM\System\CurrentControlSet\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"
to
"ImagePath"="C:\rescue.bat"

Doing this ensures that rescue.bat will be launched instead of the Event Log system service.
3. Reboot the computer. The Trojan will be deleted once the system has been rebooted.
4. Restore the original ImagePath value:
[HKLM\System\CurrentControlSet\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"
5. Delete the following keys from the system registry:

[HKLM\Software\Microsoft\Serenta]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"SERVICES.EXE"="%Windir%\SERVICES.EXE"
6. Modify the following parameters:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\SERVICES.EXE"
to:
"Shell"="Explorer.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,,%Windir%\SERVICES.EXE"
to:
"Userinit"="C:\WINDOWS\system32\userinit.exe"
7. Update your antivirus databases and perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus). ''

I won't do anything till I hear from you.

Prulon

Hi again,

I just posted not so long ago.

A pop-up always comes up that says that winmgmt.exe has generated an error and will be closed by windows, and that you will need to restart the program.

No program seems to work at the time. Here is the log file:


Next I'll post the last hijackthis log.

Prulon
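
The reading the helpers give of the HijackThis log in this thread (a running process in system32 that belongs to no known component, and a service listed with "Unknown owner" whose image sits in system32) can be written as a small triage script. This is an added example, not part of any post and not HijackThis code; the sample is an excerpt of the log posted above, and the `BASELINE` set and the function names are assumptions made for the illustration.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted in this thread (lines copied from it).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hldrrr.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\WINNT\system32\MSTask.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

# Assumption for this example: OS process names the reviewer already trusts.
BASELINE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
            "svchost.exe", "spoolsv.exe", "mstask.exe"}

ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O23 - Service: ..."


def parse(log):
    """Split a log into running-process paths and (code, text) items."""
    processes, items, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:      # blank line ends the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            m = ITEM_RE.match(line)
            if m:
                items.append((m.group(1), m.group(2)))
    return processes, items


def in_system_dir(path):
    """True if the file sits directly in a system32 directory."""
    return ntpath.dirname(path).lower().endswith("\\system32")


def triage(log, baseline=BASELINE):
    """Return (kind, path, reason) tuples worth a manual look."""
    processes, items = parse(log)
    services = []
    for code, text in items:
        if code == "O23" and text.startswith("Service: "):
            parts = text[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:          # name, owner, image path
                services.append(tuple(parts))
    service_images = {ntpath.basename(img).lower() for _, _, img in services}

    findings = []
    for proc in processes:
        exe = ntpath.basename(proc).lower()
        if in_system_dir(proc) and exe not in baseline and exe not in service_images:
            findings.append(("process", proc,
                             "runs from system32, not in baseline, no service entry"))
    for name, owner, image in services:
        if owner == "Unknown owner" and in_system_dir(image):
            findings.append(("service", image,
                             f"service '{name}' has no owner and lives in system32"))
    return findings


if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:8} {path}  ({reason})")
```

The ATI Smart service is listed alongside directx.exe even though the helpers only named the latter, so the output is a list of entries to check by hand, not a verdict.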

