system
March 27, 2005, 7:01pm
1
Hi,
I can’t perform a full scan of my system because the system reboots automatically before the scanning process is finished. I tried several times and the result was the same. Please advise.
My system is a Pentium 2.4, FSB 800, HDD 20 and 120 Seagate, Motherboard Asus p4p800, Ram 512. I run Windows XP SP2.
Thanks for your time.
system
March 27, 2005, 7:25pm
3
Thanks for your answer.
The scan worked fine when in boot mode. Two viruses were detected and deleted.
Here you have the hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 22:23:11, on 27.03.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\HJT\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liquidation-ro.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - E:\ws_ftp\wsbho2k0.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7249609-E837-40A8-8548-D51FC2A2F16A}: NameServer = 194.102.255.2,194.102.255.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
If you run a full avast scanning (regular, not at boot time) with archive files scanning checked, is anything detected?
system
March 27, 2005, 7:50pm
6
I tried a thorough scan but it failed as usual. The system rebooted before the scan finished.
I looked at the temperature: CPU = 41C and Motherboard = 39C.
system
March 27, 2005, 9:01pm
7
Thanks for your answer.
The scan worked fine when in boot mode. Two viruses were detected and deleted.
Which names does avast give them, and where were they detected (full path/folder/filename)?
The log looks fine to me; from your profile I assume you’re located in Romania, and so it’s OK that you’re connecting via Kappa.ro?
Try a full check with ESCAN: link → see “VirusRemoval” below in my sig
system
March 27, 2005, 9:12pm
8
The names of the viruses are:
VSB:Redlof found in file sysclean.exe
Saturday 14th-669 found in pagefile.sys
I am from Romania and connected thru Astral Telecom by cable. I have a good connection of 30Kb.
I’ll try the full check right now with escan.
Thanks again for your help.
system
March 27, 2005, 9:16pm
9
The names of the viruses are:
VSB:Redlof found in file sysclean.exe
Saturday 14th-669 found in pagefile.sys
the above sound very much like false positives; did you use Trendmicro/HouseCall (their SysClean package) previously ?
system
March 27, 2005, 9:27pm
11
I couldn’t find escan from your link.
system
March 27, 2005, 9:30pm
12
well, they renamed it:
go to microworld:
http://www.mwti.net/antivirus/mwav.asp
then choose DL-link 1,2 or 3
unpack/run the file, then set options according to this screenshot:
http://www.trojaner-info.de/hijacker/bilder/escan.jpg
system
March 27, 2005, 9:42pm
13
I already used mwav and the problem was the same: system reboot. I’ve tried even in safe mode but with no result. I’ll try again now in safe mode…
system
March 27, 2005, 10:56pm
14
The scan stopped as usual in the middle of the job (though it ran in safe mode). It didn’t finish. But it has detected a file system virus named kapabout. What should I do next?