Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virus despite New HD


  • Please log in to reply

#16
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
Oh, and I've just done a scan with AVG and it once again detected
Trojan horse Downloader.lstbar.4.AG

It said it couldnt be healed, and suggested i moved it to the virus vault, which i did. But I moved it there (or at least I think it was the same one) a few times in the last week already. I wonder is it the same one it detects each time, or a new one? And I wonder if it has anything to do with my pc problems!?

K
  • 0

Advertisements


#17
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
What do you mean...the system 32 folder opens up? When you boot it on, the folder is on your desktop or it just opens up? If it opens up, what's in it?
  • 0

#18
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
Hi again!

Lets see if I can describe this properly. When I boot up, everything is normal for a short while, desktop appears etc, but the cursor is still "dozing", ie working away.
Then the screen becomes explorer-like, with a long list of yellow folders. On the bar at the top left, it says "System32".

Funny thing is, this is a pretty new PC, but I sold my previous one (fairly new) to my nephew, and it did, and still does, the exact same thing!

KC
  • 0

#19
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
OK. Go to www.moosoft.com and download the 30-day trial. It is great at getting rid of trojans. Make sure you update it. Clean out your disc and give me another log. <_<
  • 0

#20
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
Is this "the cleaner" program? Its downloading at the moment!

And its 2.28am here in Ireland.....!

K
  • 0

#21
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
The luck o the Irish. Just give your computer a little of that, it'll work just fine!

-=jonnyrotten=- <_<

just playin.
  • 0

#22
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
Downloaded it, updated it, and scanned. No trojans found!!!

Anyway heres the lastes Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 03:05:35, on 22/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Documents and Settings\Kevin Carroll\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BuildLabs] C:\WINDOWS\system\csrss.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095350570078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03C8E272-58D2-443E-BA91-695EECC228C9}: NameServer = 194.145.128.1 194.125.2.206
O17 - HKLM\System\CS1\Services\Tcpip\..\{03C8E272-58D2-443E-BA91-695EECC228C9}: NameServer = 194.145.128.1 194.125.2.206

KC
  • 0

#23
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
How is it running?
  • 0

#24
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
Hi again!

Well, its actually running pretty ok, except AVG keeps detecting the trojan that it cant heal, and The Cleaner doesnt find anything!

Also of vourse the folder that opens up every time I boot up.
Today I kept going up one level to see its origins and basically it appears to be
C-Windows-System 32 thats opening up every time.

Apart from that I wouldnt at this stage think there was anything wrong; havent seen the CPU at 100% for a few days now. Just that annoying system32 !

Also I now have 2 new programs in the toolbar at startup; TCmonitor and TC Active, I think connected with the Cleaner. Do I need these or will i just leave them?

Many thanks again!

KC
  • 0

#25
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Those two items in the task bar are related to The Cleaner. When it runs out in 30 days and you decide not to buy it, just go to add/remove programs and uninstall the Cleaner and those icons will go away.

On the system 32 folder...Go to Start...Run...type in misconfig. Look in the startup folder and see if that folder is checked. If it is, uncheck it.

If not...I ran into a similar problem on my friend's comuter. Except, the C:/Programs or something or other came up at the start. I reinstalled the XP disc and it fixed it.

About the trojan...can you find the file manually and delete it? 'Where does AVG say it's located?

Edited by coachwife6, 22 September 2004 - 10:58 AM.

  • 0

Advertisements


#26
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
Hi again and thanks for your prompt reply!

OK, I've done that and under the Startup tab all I can see that might be it is:

Startup Item: NvCpl and the Command is:

RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

I wonder is this the culprit?

Now, the trojans location was C:\WINDOWS\TEMP\ICD8.TMP\ISTACT~I.DLL

Mind you, just now AVG didnt find anything. I d/loaded AVG while going through all the agony last week with viruses etc. I have Norton System Works 2003 on disc, and as this is a new HD I could install it and get the updates, and 1 year free updates. Should I do that or would you recommend I keep AVG?

Many thanks (Again!)

KC
  • 0

#27
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
That isn't the culprit. I'm going to have to call in the cavalry because this is beyond my scope of knowledge. Like I said, I did a fix with the XP disc on my friend's computer and that made it go away. It was either that or the sledgehammer.

Please find the temp. file that has that trojan in it and delete it. This is the way I do it. Right click on start...Click on Explore...Click on the C Drive...Click on Windows....Click on the Temp. File....and then find the file with that info. ....Delete it. Clean out your disc again. Reboot. See if you can find it again.

About the virus scan. I use AVG and it works for me. My brother is a computer programmer and he says he doesn't like the free virus scans, but he makes more money than me. I'm sure someone else has more thoughts on this who can add to it. Don't run both. It will play havoc with your system.
  • 0

#28
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
nvcpl.dll is a library file for NVIDIA display adapter. I wouldn't recommend deleting this. Coachwife is right about manually deleting the virus. I would recommend deleting everything in the Temp folder, empty it out. You will probably have to start in safe mode to actually empty out the folder though. Then reboot scan again and see if the virus is still there.

-=jonnyrotten=- <_<

Coachwife is probably gonna come back with more instructions too. Good luck!
  • 0

#29
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
First things first, Lets delete this file from the temp folder

C:\WINDOWS\TEMP\ICD8.TMP\ISTACT~I.DLL

Browse the folder, and post anyother strange looking files on here to be looked at.

Next run disk cleanup. My computer, right click hd, click disk cleanup.
Make sure the following are checked.

Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Actually check everything.

-=jonnyrotten=- <_<
  • 0

#30
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
Hi Folks!

That file is no longer in the Temp folder so the trojan must be gone. The PC is running as well as it ever did I think (!), except for the famous C-Windows-system32 opening up every time! So Im nearly there!!!



KC
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP