[panaceabeachbum]

picked up a bug labled mediaaccK.exe and mediaaccess.exe . Cant delete either, used add remove programs to remove now machine wont boot. First screen with system info pops up then machine shuts down. Cycles about every ten seconds continualy but never boots. This machine is also infected, afraid to try removal . Latest versions of adaware and spysubtract are unable to remove. Bug has disabled all text editing programs and has disabled access to control panel, start menu. Sytem restore has also been disabled. unable to switch users or shut down, have to physicaly unplug machine to initiate shutdown. main machine has aprox 20 gigs of cad files I need desperatly to recover, please help if possible.On this machine which is infected also I Ran latest version of hijackthis.exe located a number of problems, choosing the fix button brings up an error message and software shuts down. thanks richardT

[Advertisements]

ran adaware then spy subtract then hijack this. here is the log

Logfile of HijackThis v1.99.1
Scan saved at 11:34:52 AM, on 3/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\mchcrt20.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msorcl32.exe
C:\Documents and Settings\RThompson\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\temp\CXTPLS~1.EXE" /PC=CP.CDT4 /ShowLegalNote=nonbranded /ForSupportedBrowsers /HideUninstall /HideDir
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [Zpv4RWY7O] mchcrt20.exe
O4 - HKCU\..\Run: [msorcl32] C:\WINDOWS\System32\msorcl32.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP OfficeJet Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe

[panaceabeachbum]

ran adaware then spy subtract then hijack this. here is the log

Logfile of HijackThis v1.99.1
Scan saved at 11:34:52 AM, on 3/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\mchcrt20.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msorcl32.exe
C:\Documents and Settings\RThompson\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\temp\CXTPLS~1.EXE" /PC=CP.CDT4 /ShowLegalNote=nonbranded /ForSupportedBrowsers /HideUninstall /HideDir
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [Zpv4RWY7O] mchcrt20.exe
O4 - HKCU\..\Run: [msorcl32] C:\WINDOWS\System32\msorcl32.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP OfficeJet Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe

[webxican]

Hello,

The best way to deal with any spyware or virus problem is to go into safemode. Windows will not load the problem programs into memory & you will have a better chance of removing the problem files etc.

If you can't tell form the log the obvious problem appear to be.

C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\temp\CXTPLS~1.EXE" /PC=CP.CDT4 /ShowLegalNote=nonbranded /ForSupportedBrowsers /HideUninstall /HideDir
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe


Not positive what these files are associated to so I'd be curious about them if you do not know what they are associated with.
C:\WINDOWS\System32\mchcrt20.exe
C:\WINDOWS\System32\msorcl32.exe
O4 - HKCU\..\Run: [Zpv4RWY7O] mchcrt20.exe
O4 - HKCU\..\Run: [msorcl32] C:\WINDOWS\System32\msorcl32.exe

Just using Hijackthis to try to remove the files does not always work. If they are in you registry & files still exist then it will re-load itself. You could run your adaware in safe mode and see if the programs & files are removed.

Id run adaware in safe mode. Spybot search & destroy if you have it also in safe mode. Then check to see if the Media Access folder still exists. Also check out the common files folder & temp folders of all use names for this machine for any signs of the files. (common files folder is located under program folder). Search the hard drive for Media Access, or Media then access, then acck. A lot of things will be bogus when it comes to media & access as a search so be careful what you remove. Don't just remove any files be sure of the location & that they are not windows related files.

What I usually do before I tackle any spyware, adware, malware & viruses or trojans is to make an image or partition copy of either the entire disk (if for a client) or just important files for home users. I use Acronis Products & depending on the computer either external hard drive or just slap another hard drive to an available IDE cable.

This may be extreme in your case or not practical. But I would at least try to backup those important files you need to another folder on the C drive at least in case you would need to repair windows or dare I say it! Re-install windows? This is worst case scenerio but woth mentioning.

Sorry for the long reply but I hope some of it helps or puts you in the right direction.

Thanks

Webxican

PS

Others will probably ask that you choose a more detailed setting for you hijackthis logs.

[webxican]

I forgot to mention. When in safe mode after running adaware or spybot search & destroy. Just go to the location of the folders. Media Access & remove the folder. also as mentioned before search for anymore media access files & folders along with the MediaAccK files & folders. If hijackthis will not remove the the settings then go to start>run & type msconfig. Go to the startup tab & remove the startup items for media access & the acck files any of the other known files. Also look under services tab for any sign of the offending programs that may be running as a service.

Thanks

Webxican

[panaceabeachbum]

Thanks i will go thru the motions on this machine in a few minutes. Any thoughts on how to get the other machine up and running? tryed all the options wont start in safe mode or any other wy, just keeps shutting down after a the first screen at startup. this machine I am happy enough to format and start afresh but the other has aprox $8k in cad drawings that have taken aprox 3 months to create, bieng the idiot I am none are backed up and of course they are due monday or no paycheck for me. thanks RichardT

[webxican]

Hi,

You may have to run a repair on the other PC. It sounds extreme but in most cases when I get a pc that fails at the point you mention I have to do a repair. I'll give specifics in the next post. It is not always a complete wipe out but i'll explain.

[webxican]

Ok here is what you need to do. On the pc that won't boot make sure your PC is set to boot from the CD rom. The easiest way to check this is put in the XP cd and start your computer. Look for something like "press any key to boot from CD rom". If you see it hit any key and it will bring you into windows set up. If you do not see it let me know and we will have to get you into the setup mode or Cmos, Bios to change it to have your pc boot from CD.

Ok I don't remember the exact screens but windows will inspect your computer. pay attention to the screen when asked to continue. one of the first screens will ask to repair windows via recovery console. Don't choose that one just continue on to installing windows. The next screen should search for previous versions of windows & find your windows in more than likely the C: drive. From here you should have the option to repair windows or install a new copy. Choose repair windows.

Now things to remember are the install is going to look like it is re-installing windows form the beginning. But in fact it is just re-installing the Windows files to the windows folders. In almost all cases I have done this and all of the users and documents etc remained unchanged. But the important files needed to boot Windows was repaired.

You may be asked to re-enter your Product ID. Hopefully you have that. If not there is a work around but it will only get you in for 30 days. After that you need a new product key or need the original. Once windows is re-installed re-boot into safe mode and follow the other steps mentioned earlier to try and rid the PC of the offending files.

Let me know how your progress is going?

Thanks

Webxican

[panaceabeachbum]

entered bios and set cd as boot device, now after initial screen second screen pops up briefly listing pci devices then a black screen with single line reading disk boot failure, insert system disk and press enter. Same results if machine is started with disk in drive or disk is inserted after startup. Also no change after ejecting and reinserting disk. I have 2 versions of xp , pro and home same results with both

[webxican]

It sounds as if it's dumping out of the CD setup I don't know if you feel comfortable opening up your computer case? I'd pull the IDE cables to Cd rom drive & re-insert it after blowing out any dust Same to the motherboard side of the IDE cable.

If this doesn't work the next suggestion is a little more complicated. You could take the other CD rom from the other machine & try that one here. Or take this hard drive remove it and take the other hard drive from the other computer & put it aside. Put this hard drive in the other computer and try the repair install there.

This may seem like a lot. But these are steps I would take if I had the same problem & same equipment. I'd have to determine if it was the CD rom drive so that is why I'd start switching drives. All the while being careful with the drive with my Cad files. Leaving that disconnected while doing all of this as not to accidently re-install over that drive.

[panaceabeachbum]

I have not had any cd related problems before, I burned a cd just an hour or so before having problems. I should mention none of these problems occured until I used the remove software utility in control panel. Upon uninstalling the media access software from control panel I had an unusual restart button popup. Only one button The standard 2 button restart popup was present also. i used the alt+f4 comand to close both and reboot, not wanting to click on the new&unusual popup. I believe the act of uninstalling the malicious spyware initiated this problem and has corrupted some file used during initial startup. Also tryed the same procedure on this machine and oddly enough this disk drive is suffering the same problem , wont recognize either of my windows disk but seems to work fine viewing image files and playing audio disk etc.

[webxican]

Ok here is where I'm confused. you have 1 PC that doesn't boot into windows. You have another that can boot into windows & has important CAD files you need.

The PC that does not boot into windows is having a problem reading from your 2 CD's to repair windows. Windows XP Home & Pro.

This is all before the operating system loads not while windows is running?

The other PC with the CAD files boots into windows but not safe mode?

I would not think Media Access would be affecting your ability to repair windows from outside of the OS. The reason I mentioned the steps to remove the IDE cables is because from what you describe... it appears the CD rom does not read your CD's correctly to repair windows.

On the other PC with the CAD files. If you can not boot into safe mode and remove the files then you should be able to CTRL+ALT+DELETE bring up the task manager & end the process of any of the Media files that may be running. also checking to see if any services are running with the media access and stop them.


Thanks

Webxican

[panaceabeachbum]

my apologies for the confusion. the only computer I am concerned with(one with the cad files) will not run at all, It will only run thru the memory test then shut down, it also will not start in safe mode. That machine also does not recognize either of the windows cd's. I believe I will follow your advice and pull the hard drive and install it in another machine and attempt to retrieve the files. How should I protect the machine that will temp host the hard drive so as not to cause it any problems? Thanks

[webxican]

Hi sorry for the late reply. Went out for dinner.

Your best bet is to make sure th eother PC is temporarily disconnected from the internet. A lot of the Malware programs access the internet & also send requests etc. I would boot with minimal drivers loaded. You could boot into safe mode & copy your files over from one hard drive to another.

You could also go into msconfig on the other machine hosting the hard drive and before attaching the other hard drive. In msconfig general tab choose Diagnostic Startup. This will load only the basic drivers to start up.

Then just copy over the most important files that you need. What you could do & I use these products myself. Once the files are copied over.

download if you do not have from download.com
ad-aware personal se
spybot search & destroy
spywareblaster
AVG anti-virus (only if you do not have a anti virus program installed)

the adaware & spybot search & destroy should search for problem files. The first time you run ad-aware do a full scan or while the other drive is attached do custom & select both drives.

Spybot search & detroy has an immunize section & spywareblaster also will protect your system.

AVG or whatever anitvirus you have if possible should be run in safe mode (the other ones could be run in safe mode also but be sure to update each files definition files).

As far as the other computer not booting after the memory test. I would detach all connected devices. CD-roms, Floppy drive, sound cards, modems, nic cards, (if you are using a video card that is using agp or pci I would first see if there is a connection on your mother board to use. Then go into the bios and change video from agp, pci to onboard.) Then remove the video card & connect the monitor to the mother board video connection.

then try to boot the PC and see if it gets past the memory test. Then start connecting the devices back again. this will eliminate any of the devices causing the problem of not getting past memory.

If the pc is just rebooting cause it is not getting into windows then ignore the stuff above. Somehow you will have to re-install windows or repair windows. Of course you may need to do it on the other machine with just the problem drive attached. First try to get your cad files you need to the other drive. then while you have it open you could disconnect the other drive and attached the problem one & see if on that machine youcould repair windows.

Sorry for all the info at once. Just read the fisrt part to get your cad files to the good drive.

Thanks

webxican

[panaceabeachbum]

This should keep me busy tommorow, just cant think about it anymore tonight. Thank You for all your help.

[webxican]

No problem. I'll check in tomorrow to see how you made out.

Thanks

Webxican