stubborn virus/spyware problem

Lenny

Hi,
I have an XP computer and am having loads of problems getting rid of some
malware.

I have run all the usual stuff including Adaware, spybot(took 3 hours), AVG,
Ewido, Windows Anti Spyware, Hijackthis (very little found), CCleaner,
Smitfraudfix (found nothing). I updated all these programs before running
them and then I also installed Symantec Corporate edition, updated that and
did a full system scan. Symantec found nothing and AVG found one virus that
is deleted. I spent all day working on this problem and was sure that the
computer was completely clean when I took it back and installed it, turned it
on and as an example ran Ewido. It picked up the spyware Downloader.Agent.uj
straight away as you can see below. Just to make matters worse about 10
minutes in AVG found the following virus and is unable to delete it.
Trojan horse Generic XFV

Requested action is not available for this object. Access to the file has
been denied

While opening file:
C:\WINDOWS\system32\(3C791659-71E9-4002-9F88-9EA50E946F30).exe

Here is the part of the Ewido anti-spyware Scan report showing one problem
that I can't get rid of.

[1300] VM_008C0000 -> Downloader.Agent.uj : Error during cleaning.
[1360] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning.
[1520] VM_00880000 -> Downloader.Agent.uj : Error during cleaning.
[1528] VM_008D0000 -> Downloader.Agent.uj : Error during cleaning.
[1540] VM_00890000 -> Downloader.Agent.uj : Error during cleaning.
[1556] VM_003B0000 -> Downloader.Agent.uj : Error during cleaning.
[1604] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning.
[396] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
[424] VM_00A00000 -> Downloader.Agent.uj : Error during cleaning.


I have also looked into System32 folder and can't find any files at all that
look like (3C791659-71E9-4002-9F88-9EA50E946F30).exe. There aren't any files
like this in brackets.

Please help as I am now stuck.

Cheers
Lenny
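
An added example, not written by anyone in the thread: a short Python triage of the Ewido report lines posted above. It assumes the bracketed number is a process ID and that a `VM_` object is a memory region inside that process rather than a file on disk.

```python
import re

# The nine report lines quoted in the post above (copied from the thread).
REPORT = """\
[1300] VM_008C0000 -> Downloader.Agent.uj : Error during cleaning.
[1360] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning.
[1520] VM_00880000 -> Downloader.Agent.uj : Error during cleaning.
[1528] VM_008D0000 -> Downloader.Agent.uj : Error during cleaning.
[1540] VM_00890000 -> Downloader.Agent.uj : Error during cleaning.
[1556] VM_003B0000 -> Downloader.Agent.uj : Error during cleaning.
[1604] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning.
[396] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
[424] VM_00A00000 -> Downloader.Agent.uj : Error during cleaning.
"""

# Assumed layout: [process id] object -> detection name : cleaning result
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\s+(?P<obj>.+?)\s+->\s+(?P<name>\S+)\s+:\s+(?P<result>.+?)\s*$"
)
VM_RE = re.compile(r"^VM_([0-9A-Fa-f]+)$")


def parse_report(text):
    """Return one dict per report line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("|> \t")  # tolerate Usenet quote prefixes
        m = LINE_RE.match(line)
        if not m:
            continue
        vm = VM_RE.match(m["obj"])
        entries.append({
            "pid": int(m["pid"]),
            "object": m["obj"],
            # Assumption: VM_<hex> is a memory region's base address, not a file.
            "base": int(vm.group(1), 16) if vm else None,
            "name": m["name"],
            "cleaned": not m["result"].lower().startswith("error"),
        })
    return entries


def summarize(entries):
    """Condense the hits into the facts that matter for triage."""
    return {
        "hits": len(entries),
        "processes": sorted({e["pid"] for e in entries}),
        "in_memory": sum(e["base"] is not None for e in entries),
        "on_disk": sum(e["base"] is None for e in entries),
        "uncleaned": sum(not e["cleaned"] for e in entries),
        "names": sorted({e["name"] for e in entries}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(REPORT)).items():
        print(f"{key}: {value}")
```

For the posted lines this reports nine hits under one detection name, all of them memory regions, spread over nine different processes, and none cleaned.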
 
Art

You should be working in Safe mode.

Art
http://home.epix.net/~artnpeg
 
Lenny

I have run the programs in safe mode and everything was clear. It is only
after starting in normal mode that these extra problems have occurred.

 
David H. Lipman

From: "Lenny" <[email protected]>

| Hi,
| I have an XP computer and am having loads of problems getting rid of some
| malware.
|
| I have run all the usual stuff including Adaware, spybot(took 3 hours), AVG,
| Ewido, Windows Anti Spyware, Hijackthis (very little found), CCleaner,
| Smitfraudfix (found nothing). I updated all these programs before running
| them and then I also installed Symantec Corporate edition, updated that and
| did a full system scan. Symantec found nothing and AVG found one virus that
| is deleted. I spent all day working on this problem and was sure that the
| computer was completely clean when I took it back and installed it, turned it
| on and as an example ran Ewido. It picked up the spyware Downloader.Agent.uj
| straight away as you can see below. Just to make matters worse about 10
| minutes in AVG found the following virus and is unable to delete it.
| Trojan horse Generic XFV
|
| Requested action is not available for this object. Access to the file has
| been denied
|
| While opening file:
| C:\WINDOWS\system32\(3C791659-71E9-4002-9F88-9EA50E946F30).exe
|
| Here is the part of the Ewido anti-spyware Scan report showing one problem
| that I can't get rid of.
|
| [1300] VM_008C0000 -> Downloader.Agent.uj : Error during cleaning.
| [1360] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning.
| [1520] VM_00880000 -> Downloader.Agent.uj : Error during cleaning.
| [1528] VM_008D0000 -> Downloader.Agent.uj : Error during cleaning.
| [1540] VM_00890000 -> Downloader.Agent.uj : Error during cleaning.
| [1556] VM_003B0000 -> Downloader.Agent.uj : Error during cleaning.
| [1604] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning.
| [396] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
| [424] VM_00A00000 -> Downloader.Agent.uj : Error during cleaning.
|
| I have also looked into System32 folder and can't find any files at all that
| look like (3C791659-71E9-4002-9F88-9EA50E946F30).exe. There aren't any files
| like this in brackets.
|
| Please help as I am now stuck.
|
| Cheers
| Lenny
|

Use the following tool. Read the PDF Help File for information on how to create a Boot Disk
or a Boot Disk with NTFS4DOS and also the built-in Kill Process capability.

To use that capability just add the name...
(3C791659-71E9-4002-9F88-9EA50E946F30).exe

to the included file; C:\AV-CLS\killproc.txt


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Max

Lenny AKA (e-mail address removed) in alt.comp.anti-virus on
7/27/2006 after much thought, came up with this jewel:
> I have run the programs in safe mode and everything was clear. It is
> only after starting in normal mode that these extra problems have
> occurred.

My best advice-
Get a router with built-in firewall
Stop using Outlook Express
Stop using Internet Explorer
I have written some pages that might be of some help(see below)
max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages:
Virus Removal Instructions
http://home.neo.rr.com/manna4u/
Keeping Windows Clean
http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help and Tools
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to gmail.com to reply.
nomail.afraid.org is setup specifically for use in USENET
Feel free to use it yourself.
 
Dustin

You can try giving BugHunter a shot at the files, I'm not sure if it
already detects them or not.


--
Dustin
Author of BugHunter - MalWare Removal Tool
Current Version: 1.9.1 Released July 28th, 2006
Last Pattern Update: July 22nd, 2006 - 793 known malware signatures
http://bughunter.it-mate.co.uk
 
Lenny

Thanks Max,
The router is a Draytek Vigor, just about the best you can get when it comes
to a firewalled router in that price range. Outlook Express is only used for
newsgroups and as for not using Internet Explorer I guess about 90 percent
of the world probably can't be wrong :) and I prefer it. I am not trying to
cause a debate here about its use though I am sure that IE debates are
happening 24/7 elsewhere in the net.
Thanks for the links to your pages I shall be reading them thoroughly.
Cheers
Lenny
 
Ron Lopshire

Lenny said:
The router is a Draytek Vigor, just about the best you can get when it comes
to a firewalled router in that price range. Outlook Express is only used for
newsgroups and as for not using Internet Explorer I guess about 90 percent
of the world probably can't be wrong :) and I prefer it. I am not trying to
cause a debate here about its use though I am sure that IE debates are
happening 24/7 elsewhere in the net.

Actually, 80 percent and dropping.

(http://marketshare.hitslink.com/report.aspx?qprid=2)

And you are correct, Lenny. This has been beaten to death. If you like
IE, go for it. But then again, the 80 percent usage is as apropos to a
discussion of browser preferences as is the same discussion comparing
riding the bus to driving a Mercedes. :p

Ron :)
 
Max

Lenny AKA (e-mail address removed) in alt.comp.anti-virus on
7/30/2006 after much thought, came up with this jewel:
> Thanks Max,
> The router is a Draytek Vigor, just about the best you can get when
> it comes to a firewalled router in that price range. Outlook Express
> is only used for newsgroups and as for not using Internet Explorer I
> guess about 90 percent of the world probably can't be wrong :) and I
> prefer it. I am not trying to cause a debate here about its use
> though I am sure that IE debates are happening 24/7 elsewhere in the
> net. Thanks for the links to your pages I shall be reading them
> thoroughly. Cheers Lenny
***********************************************************************
Well first I see that Outlook Express did not trim my sig from your
reply which a decent newsreader would have, being able to "see" the
delimiter. Perhaps you may want to try using XanaNews (it's what I use).

In your original post you stated that "I have an XP computer and am
having loads of problems getting rid of some malware." How did the
malware get in to begin with? Must have been because of firewall
failure? No, I doubt that.
I think I have it narrowed down to either Internet Explorer or Outlook
Express (unless you are using P2P file sharing or downloading programs
from unreliable sources).
So you want to keep using IE? OK, here goes-
1. Install a good popup blocker/stopper like SuperAdBlocker
2. Turn on Spybot's TeaTimer instead of Microsoft's WindowsDefender (at
least until it is out of beta)
3. Install SpywareBlaster (perhaps SpywareGuard too)
4. You may want to consider using a hosts file.

I have a question for you - what program do you use for e-mail?
max

***********************************************************************
 
Lenny

Hi Max,
Thanks for the further advice. I use Outlook 2003 for emails with spampal.
What do you mean by 4. You may want to consider using a hosts file.?
Cheers
Lenny
 
Max

Lenny AKA (e-mail address removed) in alt.comp.anti-virus on
7/31/2006 after much thought, came up with this jewel:
> Hi Max,
> Thanks for the further advice. I use Outlook 2003 for emails with
> spampal. What do you mean by 4. You may want to consider using a
> hosts file.? Cheers
> Lenny

Here ya go len-

http://www.mvps.org/winhelp2002/hosts.htm

google could be your friend.....

max
 
David H. Lipman

From: "Befunge Sudoku" <[email protected]>


| Is it? At least 1 guy here has been running it for a while, rates it quite highly.

I have read numerous horror stories in the MS News Groups.
 
Lenny

Hi Max,
Thanks for that. Google already is my friend, some nights my only and best
friend!
 