My wife's cousin has asked me to help him with the family PC. He reported that it was going very slowly and was sure something was not right.
I thought this might have been an easy fix ... a virus or viruses of some sort ... but it is proving to be a real challenge.
No matter what I try, whenever I go to install antivirus/antispyware (or any program), error messages are displayed ("internal error" is a common message).
Also noticed that I am not able to connect to the internet. If I go to the command prompt and run ipconfig, sure enough another internal error message is displayed and no useful detail is supplied.
A mate of mine says this is likely the result of a bad virus or malware infection. It is stopping any new programs being installed and stopping access to the internet. This way it prevents anybody circumventing the infection.
I would like to do a clean OS install following a HDD format, but the cousin says he has some kids' education programs he would really like to keep (Yep, he does not have the original software for these either... arrgh).
Ideas anyone ??
you could unplug the hard drive and connect it to a pc with a working antivirus and do a scan that way....
Try going into safe mode, and maybe a system restore to a time when it worked fine; if not, try installing Trojan Remover in safe mode and do a scan.
If none of that works for you, try a repair install.
Log in via safe mode; otherwise you will need to plug into another PC to scan, or use a bootable CD.
Run HijackThis and post a logfile here to have a look at.
Have done a few in the last week
You need to boot the computer with a repair disk and do a system restore.
I use BartPE and a program called Registry Restore Wizard,
and then install Malwarebytes and do an update to get the latest definitions and do a full scan; it will do a scan, tell you that you need to reboot, and then you need to run a registry cleaner and finally do a full scan with an antivirus program and you are ready to go.
When you do things right, people won't be sure that you have done anything at all
I have done a few lately too,
I go into safe mode & try to do a system restore; if this works OK, I go & delete all other restore points because they may still contain the virus.
If having trouble getting into safe mode to do a system restore, try Last Known Good Configuration in the safe mode menu & try again to get into safe mode to do a system restore.
Then update & run all your antivirus, spyware and malware scanners.
Become a Premium Member and support the Austech Forum
Thanks for the replies.
I have not used "HijackThis" before, but I will download and run it today when I get home from work. The log will be posted later today.
It will be great to see if I can clean the machine without a rebuild.
I just rang my Antivirus/Antispam provider (CA) and spoke to some monkey over in India - (The quality of the phone call was also crap.. high side tone, cracks and pos everywhere.. so much for VoIP)
The guy I was speaking to was constantly saying that my internet connection was the problem and I had to ring my ISP - I told him 10 times it was not, because I have like 6 other machines working fine!!
One thing I would like to ask again here is about the current issue of the internet connection failure.... is it possible that the Windows OS may have corruption and it is not a virus/malware issue??
The fact that ipconfig at the command prompt brings up no details and an internal error message makes me feel suspicious that a Windows OS repair may be the way to go...
Try this.... open your internet browser, go to Tools / Internet Options / Advanced tab, then Restore advanced settings and Reset as well. It's worth a try as long as the virus is gone.
Stop being so stupid.. it’s my turn!!
Here is the HijackThis log file.
Let me know what you think.
----------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:11 PM, on 29/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Admin\Application Data\PC\agent.exe
C:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Hijack This\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dumps_startup
O4 - HKLM\..\Run: [OutpostMonitor] "C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [agent.exe] C:\Documents and Settings\Admin\Application Data\PC\agent.exe
O4 - HKCU\..\Run: [E06AXLRD_1685718] "C:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE" -m
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.18\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9109 bytes
I had something similar a few months back.... whatever the virus was, it would not let me open M/B, Trojan Remover or AVG; I even tried uninstalling these programs to no avail. I did manage to get M/Bytes open, but whatever it was wouldn't let me update. I was at the stage of a complete re-install and then tried scanning the drive with another PC using Kaspersky 2010; whatever it was, KIS nailed it completely and it has been fine since. Good luck with yours.
Democracy & Ignorance = A Winning Combination
Does anyone have any feedback on the HijackThis log??
FYI the problem has now got worse. Hanging on shutdown and startup - Blue Screen of Death typically happening as well.
Just managed to get it working again in safe mode - tried to do a restore to an earlier date.... got a Blue Screen of Death again...
I give up...
He seems to have numerous AV apps installed... Symantec, CA, Outpost? I don't think they would all run nicely together.
There is nothing in particular I can see... unless there is something really nasty that's impersonating something else. The best way is to Google the processes, i.e. type CAP4SWK.EXE into Google and it's usually easy to find out what it is.
I haven't found anything so far.
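One way to pull the entries out of a HijackThis log and flag the kinds of lines this advice is about (orphaned browser add-ons, autoruns living in a user profile, AppInit_DLLs), as an added example that is not code from this thread or from HijackThis. The sample lines are constructed from the shape of the log posted above, and the flagging rules are heuristics of my own, not anything the tool or the thread defines:

```python
import re

# Constructed sample in HijackThis v2 line format; the paths are copied from
# the log posted in this thread, nothing here is a new indicator of compromise.
SAMPLE_LOG = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [agent.exe] C:\Documents and Settings\Admin\Application Data\PC\agent.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^([ROF]\d+) - (.*)$")
# Autoruns whose binary lives under a user profile rather than Program Files
# or the Windows directory (heuristic, assumption of this example).
PROFILE_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\", re.IGNORECASE)


def parse_entries(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Flag entries worth a closer look; returns (section, reason, body)."""
    findings = []
    for section, body in parse_entries(text):
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((section, "orphaned browser add-on registration", body))
        elif section == "O4" and PROFILE_RE.search(body):
            findings.append((section, "autorun from user profile, verify publisher", body))
        elif section == "O20":
            findings.append((section, "AppInit_DLLs loads into every GUI process", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

A flagged line is only a prompt to look the path up, as the post above suggests; the O4 agent.exe entry, for instance, is flagged purely because of where it lives.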
Thanks Sanity.
I am trying to be patient with the thing.
Point taken about the multiple antivirus programs (some of this is my fault). If I manage to get back into the system I will uninstall them anyway and keep hacking away at it.
Did you try Last Known Good Configuration in the safe mode menu?
After this, go into safe mode again & try system restore,
then delete all your other restore points (because they may still contain the virus),
then install & run Malwarebytes & Spybot Search & Destroy, & antivirus.
You could also download the Windows Malicious Software Removal Tool & run it.
So are you getting any reports of a virus or trojan?
Write down your error messages & put them into Google; it might show you what the problem is, whether it is hardware or software related (clean the RAM, re-seat the cards).
Still no go? Next step would be to take the hard drive out & set it as a slave in another computer, then you can run your antivirus scanners & back up (copy) the data.
You could then put it back in its computer & try to repair Windows if you have a boot disc, or do a clean install.
Just some thoughts,
Good Luck
Edit: Internet connection failure & errors trying to run programs to fix it are usual signs of a virus, trojan or malware infection.
Last edited by OSIRUS; 30-12-09 at 11:33 AM.
Two lines there with AskBar - won't be the cause of your problems, but get rid of them anyway.
best4less - what error message did the blue screen give you? Was it when you booted up?
cheers
The fake BSOD came up when the computer was booting, and when the desktop showed up it had references to some web sites to get software from LOL
But boy, it sure looked real until you really tried to read it, and any click of the mouse would remove it. The Russians are getting pretty good at them now LOL