
Trojan downloader .Rameh.E


Name: Viv
Date: June 15, 2004 at 18:45:13 Pacific
OS: XP home
CPU/Ram: yes
Comment:

Hello all!
I saw that someone else has had this same problem.
I took the advice of one of the posters here and ran Housecall and it did not find anything. I ran AVG before that and AVG did not find anything either.
I went into System 32 and as soon as I clicked on the ATPartners.dll a window popped up and told me that there was a virus detected.
Can someone please tell me how to get rid of this stubborn one??
Thanks to anyone that replies...
--Viv :)




Response Number 1
Name: FZWG
Date: June 15, 2004 at 19:50:41 Pacific
Reply:

Unfortunately, if a virus or trojan infects a computer with this operating system (XP), the virus or trojan can be backed up in the System Restore folder.

Turn off System Restore as follows:
Start>My Computer>View System Information
Click the System Restore tab.
Check: Turn off System Restore.
Click Apply, and then click OK.
Reboot.

Then, suggest running the following programs:

1. AdAware
Download the latest version of AdAware from: http://www.lavasoft.de
Before scanning with AdAware, use the Check for updates button to obtain the latest version of its reference file. Must do!!

-To scan, click the Start button in the main window.
-In the next window, select: Activate in-depth scan, and proceed to establish the following settings:
-Click on: Use custom scanning options, to select the scan mode.
-Select: Customize, and make sure the following options are turned on in addition to any default settings:

In Drives and Folders:
Scan within archives

In Memory and Registry:
Scan active processes
Scan registry
Deep scan Registry
Scan my IE Favorites for banned URL
Scan my host-files

-Click on: Proceed to save settings

-Now, click on the gear on top of AdAware (Settings), and select the Tweak button
-Under Expert Settings, leave whatever default settings are there, and add the following:
-Under Scanning engine, check: Unload recognized processes during scanning
-Under Cleaning Engine, check: Let Windows remove files in use at next reboot
-Click on: Proceed to save settings

-Select: Next to perform the scan
-When the scan completes, it will find a number of undesirable files and registry keys.
-Right-click in the pane and choose: Select all
-Remove all items.

Once Ad-Aware has removed the items, close the program and restart the computer.
(Ad-Aware makes a backup of everything deleted, so if there is reason to undo something, there is a backup to restore from).

2. Spybot Search and Destroy
Download from: http://www.safer-networking.org/index.php?page=download

Create a Spybot S&D folder, and download the program to it.

To install Spybot S&D, double click the downloaded executable file and follow its prompts.

Before actually using the program, the database that Spybot uses must be updated. This works just like antivirus software, as new spyware is discovered every day.

To start the scanning process, close all running programs, including Internet Explorer, and select Check for Problems.

Use the: Fix selected problems button to remove all the checked entries.

After all entries are deleted, restart the computer even if not prompted to do so.

3. Then, run HijackThis!
Download from: http://mjc1.com/mirror/hjt/

Create a folder for this program. Do not download to the Desktop or to removable media.

Double click on the HijackThis.exe file for the program to launch.

Click on the Scan button. When the scan is done, a listing of all items found by HijackThis! is presented.

Click on the Save Log button to keep a record of the items listed saved in NotePad.

DO NOT use the FIX option of this program without knowing what to do!! There are items on the log that are required for the computer to operate effectively.

Post the HJT information listed and saved previously for someone to check it.




Response Number 2
Name: FZWG
Date: June 15, 2004 at 20:09:19 Pacific
Reply:

P.S. Close Internet Explorer or any windows (other than the program) while running the above programs.



Response Number 3
Name: murve
Date: June 16, 2004 at 09:00:47 Pacific
Reply:

Hi Viv,
Let's try this:
Disable your System Restore to flush out all impurities to your system, go online and get your latest anti-virus defs. If you don't have an anti-trojan, go to www.thepublicworks.com, go to the payware section and link to Trojan Hunter, download the free 30-day trial of Trojan Hunter, and get the latest defs. The reason we need an anti-trojan is that anti-virus software does not have an anti-trojan engine, save for Kaspersky Labs. Also make sure you have the latest defs of AdAware and Spybot. Once done, reboot your computer, go to Safe Mode and scan your computer. Delete all files that these programs come up with. When done, clean your cache, temp files, history folder, cookies folder and recycle bin.
Reboot into normal mode and re-enable your System Restore.
All the best,
murve



Response Number 4
Name: Viv
Date: June 16, 2004 at 13:08:12 Pacific
Reply:

Hello all!
Thanks for the replies, but I have Spybot, AdAware, Trojan Remover, AVG, Norton's AV, SpywareBlaster, and ZA. I always run them all on a daily basis and update them all.
I retried AVG last night and it finally detected it and I was able to get rid of it.
I ran Norton's AV today and it found nothing, so I think all is clean.
Thanks for all your advice, but I am completely aware of running all the above mentioned programs and updating them...
Again, thanks for your help anyway, it was nice of you.
--Viv :)



Response Number 5
Name: Viv
Date: June 16, 2004 at 13:14:40 Pacific
Reply:

P.S.

I did disable system restore too...
forgot to mention that.






Response Number 6
Name: FZWG
Date: June 16, 2004 at 17:28:55 Pacific
Reply:

Viv,

Glad you have the 'artillery' to get rid of the pervasive spyware! ;-)

The reason for requesting that you install/run HijackThis! and post its log is the concern that atpartners.dll seems to be tied to a sysupd.exe file, which reproduces like gerbils!!

Hope that is not the case!!!!

Good luck.



Response Number 7
Name: tashy
Date: June 17, 2004 at 11:16:52 Pacific
Reply:

Hi
I just did a virus scan, and it says I have the following viruses/trojans:
Downloader:Rameh.E
PSW.Briss.E
I used the AVG Anti-Virus scanner to do the scan; however, when I use the Trojan Hunter scanner, these viruses are not picked up. Anyone got any suggestions on what I could do?
If anyone has any ideas, could they put the solutions in simple terms, as I do not know much about computers.
Thanx



Response Number 8
Name: FZWG
Date: June 17, 2004 at 18:10:55 Pacific
Reply:

What operating system is installed on your PC?

You might want to follow the instructions for running AdAware and Spybot (Responses one and three).


As an alternative, try using Trojan Defense Suite (TDS). It also has a 30 day free trial.

www.thepublicworks.com

Scroll down on the website to the bottom right hand side, under Payware AntiTrojan.

Create a TDS folder, place it in there, and then update it as follows:
1. Close TDS if it is running.

2. Download the latest RADIUS database from:
http://tds.diamondcs.com.au/index.php?page=update
(Important: Right-click and choose Save Target As)

3. Save the downloaded radius.td3 file to your TDS folder, overwriting the older radius.td3.

You can then start TDS and it will load the new database.

Unlike set-and-forget anti-virus programs, TDS does not auto-delete anything but puts a list of found suspect files in the bottom window. Right-click any file it finds and it gives options for dealing with it.

Select "save as text". This action creates a log file of all the found suspect files and puts it in the TDS directory as scandump.txt.

Then you can post the entries from scandump.txt for review.




Response Number 9
Name: Viv
Date: June 18, 2004 at 11:19:29 Pacific
Reply:

Here is my HJT log file. I thank you for helping me.

Logfile of HijackThis v1.97.7
Scan saved at 2:15:19 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Vivie\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://soapnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.exe"
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)




Response Number 10
Name: FZWG
Date: June 18, 2004 at 12:54:41 Pacific
Reply:

Hi Viv,

Can you post the entire HJT log?

Thanks



Response Number 11
Name: Viv
Date: June 18, 2004 at 21:49:10 Pacific
Reply:

Sorry, thought I did copy the entire log...here it is complete...
--Viv :)


Logfile of HijackThis v1.97.7
Scan saved at 12:44:38 AM, on 6/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Documents and Settings\Vivie\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://soapnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.exe"
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38078.5329861111
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx


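Added example, not code from the thread or from HijackThis: a small Python triage script for logs in the format Viv posted above. It splits the log into the running-process list and the R/O entries, flags any file whose name is on a watchlist (here the two names FZWG raised, ATPartners.dll and sysupd.exe), and flags O16 ActiveX downloads from hosts outside an assumed allowlist. The sample log is constructed for the example, not Viv's actual log.

```python
import re
from urllib.parse import urlparse
# Constructed sample in HijackThis 1.9x log format, not one of the logs posted in
# the thread; the sysupd.exe process and Run entry are made up to exercise the watchlist.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\sysupd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [sysupd] C:\WINDOWS\System32\sysupd.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")  # "O4 - ..." style entry lines
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll|ocx)", re.IGNORECASE)
URL_RE = re.compile(r"(https?://\S+)$")  # download URL at the end of an O16 line

def parse_hjt_log(text):
    """Split a log into (running processes, [(entry type, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(text, watchlist, trusted_hosts):
    """Findings: watchlist names as processes or in entries, and O16 downloads from untrusted hosts."""
    watch = {w.lower() for w in watchlist}
    processes, entries = parse_hjt_log(text)
    findings = [f"running process on watchlist: {p}"
                for p in processes if basename(p) in watch]
    for kind, body in entries:
        for path in PATH_RE.findall(body):
            if basename(path) in watch:
                findings.append(f"{kind} entry references watchlist file: {path}")
        if kind == "O16":
            m = URL_RE.search(body)
            host = urlparse(m.group(1)).hostname if m else None
            if host and host not in trusted_hosts:
                findings.append(f"O16 ActiveX download from untrusted host: {host}")
    return findings
WATCHLIST = ["atpartners.dll", "sysupd.exe"]  # the two file names raised in the thread
TRUSTED_HOSTS = {"fpdownload.macromedia.com", "download.zonelabs.com"}  # assumed allowlist
```

Run `triage(open("hijackthis.log").read(), WATCHLIST, TRUSTED_HOSTS)` on a saved log; an empty result means none of the watched names or unknown download hosts appear, which is the outcome Viv's search for sysupd.exe was meant to confirm.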

Response Number 12
Name: FZWG
Date: June 19, 2004 at 16:30:39 Pacific
Reply:

Viv,

Found out that this forum only allows certain members to comment on HJT logs. Sorry for any inconvenience caused.

Had read about the problem you had on your initial posts (ATPartners.dll) etc.

There is a file, Sysupd.exe, that seems to be associated with the problem and is responsible for its perpetuation.

If you wish, search for Sysupd.exe, and see if you find any instances of it.

If you do, let us know.

Hope you do not find it!! ;-)



Response Number 13
Name: Viv
Date: June 19, 2004 at 21:59:59 Pacific
Reply:

FZWG,

Thanks for the info.
I did a complete search and did not find it at all.
I gather all is clear on this one.
Sorry if I bothered anyone, just was concerned about it.
I only had a virus once before and that was a while back.
Anyway, thanks for all the help...
Have a goodnight.
--Viv :)



Response Number 14
Name: patti613
Date: June 29, 2004 at 22:16:03 Pacific
Reply:

I did a virus scan and deleted all the files infected by the trojan. I also did an Ad-Aware scan and deleted all the spyware on my computer. When I rebooted, I did not turn off System Restore, and now I can't load Windows: I get to the opening screen, which says "loading your settings", and then it immediately goes to "logging off, saving your settings". How can I load Windows to correct the problem? Thanks for any help you can give me. I am sending this e-mail on a relative's computer since I can't start mine. Thank you, and please respond as soon as possible.



Response Number 15
Name: Deeds
Date: July 21, 2004 at 21:48:58 Pacific
Reply:

Hi
I as well have the dreaded Rameh.E Trojan Downloader. I am running Win 2000 Pro, and for some reason I cannot find where you set System Restore off.
I am running AVG, Ad-Aware and Sygate, and the only program that is picking up this virus is HouseCall, but it won't remove it for some reason.
Any help would be appreciated.

