
Problem with VirTool:WinNT/Cutwail.L

Q: Problem with VirTool:WinNT/Cutwail.L

My computer is infected.
The symptoms are that it has slowed down considerably while browsing any internet sites.

I use CA Anti-Virus.
I've updated CA Anti-Virus - the update function completes suspiciously quickly
**NOTE: the DDS report indicates that it is Outdated**
(can you recommend better virus protection SW?)


I've updated and run Ccleaner, Spybot, and Microsoft Windows Malicious Software Removal Tool (each have been run repeatedly).

The Microsoft Windows Malicious Software Removal Tool reported that it detected and partially removed "VirTool:WinNT/Cutwail.L"

Googling this virus name led me to this forum.

My DDS.txt and Attach.zip are included.

Please let me know if there is anything else I can do to help you help me.

Thanks,
Morbrin


DDS (Ver_09-07-30.01) - NTFSx86
Run by Joey at 459.78 on Thu 09/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1265 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Rhapsody\rhaphlpr.exe
C:\Documents and Settings\Joey\Desktop\DF\FF Down Loads\windows-kb890830-v2.13.exe
c:\c69420499f8fe41e70db8f369e0651\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joey\Desktop\DF\Malware Removing\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {67e6dc64-d7f4-41c2-8305-5a6d17d06ed0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {b33e4020-4ae7-4e83-ac87-b53b2cd5d0f2} - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTZDetec.exe] c:\program files\creative\creative media lite\CTZDetec.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [VetStart] "c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe" -r
dRun: [rundll32.exe] rundll32.exe "c:\documents and settings\joey\application data\macromedia\common\e03500ea1.dll""
uExplorerRun: [svcho] c:\windows\svcho.exe
StartupFolder: c:\documents and settings\joey\start menu\programs\startup\systemexplorerdisabled\ikowin32.exe
StartupFolder: c:\docume~1\joey\startm~1\programs\startup\system~1\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\system~1\eventr~1.lnk - c:\program files\printmaster platinum 18\Remind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\system~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\system~1\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206464318108
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ysqmog.dll c:\windows\system32\pozimadu.dll c:\windows\system32\lovebise.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\pozimadu.dll mdfamuie.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joey\applic~1\mozilla\firefox\profiles\lgt0s1wx.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=pVzxerxKy7peOT6QkkuwEw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {140715ED-8165-4192-991E-7234B36D5247} - c:\documents and settings\joey\local settings\application data\{140715ED-8165-4192-991E-7234B36D5247}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-3-25 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-3-25 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-3-25 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-3-25 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-3-25 161008]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-3-25 144696]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-3-25 255216]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-3-25 108368]
S3 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2009-4-24 11264]
S4 gupdate1c993f954914f5e;Google Update Service (gupdate1c993f954914f5e);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 msvdx86;msvdx86;c:\windows\system32\drivers\msvdx86.aqmgu [2009-8-23 0]
S4 Process Blocker;Process Blocker;c:\program files\process blocker\Process Blocker.exe [2008-11-21 142040]

=============== Created Last 30 ================

2009-09-03 04:03 <DIR> --d----- c:\docume~1\joey\applic~1\Office Genuine Advantage
2009-09-02 23:09 <DIR> --d----- C:\c69420499f8fe41e70db8f369e0651
2009-09-01 22:05 <DIR> --d----- c:\windows\system32\KB905474
2009-08-23 14:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12053284
2009-08-23 14:45 88,064 a------- c:\windows\system32\msvkx86.aqmgu
2009-08-23 14:45 1,982 a------- c:\windows\system32\msvpx86.aqmgu
2009-08-23 14:45 1,024 a------- c:\windows\system32\msvtx86.aqmgu
2009-08-23 14:45 9,728 a------- c:\windows\system32\msvdx86.aqmgu
2009-08-23 14:45 0 a------- c:\windows\system32\drivers\msvdx86.aqmgu
2009-08-23 14:45 29,506 a------- c:\documents and settings\joey\mset.exe
2009-08-23 14:45 29,506 a------- c:\windows\system32\mset.exe
2009-08-19 16:44 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-19 00:18 <DIR> --d----- C:\be342d7d6834ff23c004140254d4cf
2009-08-19 00:17 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-16 00:19 <DIR> --d----- c:\docume~1\joey\applic~1\PandoraRecovery
2009-08-16 00:19 <DIR> --d----- c:\program files\Pandora Recovery
2009-08-12 06:38 438,367 a------- c:\program files\Uninstall Fun Web Products.dll
2009-08-11 21:14 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 21:14 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 19:58 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-10 19:58 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-10 19:57 <DIR> --d----- c:\program files\iPod
2009-08-10 19:57 <DIR> --d----- c:\program files\iTunes
2009-08-10 19:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-10 19:57 <DIR> --d----- c:\program files\Bonjour
2009-08-10 19:55 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-10 19:55 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-08-07 03:48 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:03 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-08-24 13:01 626,336 a------- c:\windows\system32\drivers\ntfs.sys
2009-08-23 14:48 5,173,844 a------- c:\windows\system32\drivers\RemoveAny.log
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-05 23:57 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 23:57 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2008-07-06 17:08 1,994 a------- c:\docume~1\joey\applic~1\SAS7_000.DAT
2009-03-09 17:59 2,713 ---sh--- c:\windows\system32\holiwaga.dll
2009-03-09 17:59 2,713 ---sh--- c:\windows\system32\midevebi.dll
2009-03-09 17:59 2,713 ---sh--- c:\windows\system32\vabekame.dll
2008-09-16 19:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat

============= FINISH: 4:07:14.85 ===============


A: Problem with VirTool:WinNT/Cutwail.L

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
Right click on CA Antivirus icon near the clock (a shield).
Click on CA Anti-Virus > Snooze Anti-Virus Protection.
When prompted, enter in 30 and click on Snooze.
Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------

RELEVANCY SCORE 118.4

Windows Live Care keeps detecting Trojans, malware, trojan downloaders, and after I remove them all, one is always left over called, VirTool:WinNT/Cutwail.gen!E.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Family at 12:42:26.42 on Sat 04/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.521 [GMT -7:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Victor\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\Program Files\Common F...

A:VirTool:WinNT/Cutwail.gen!E ?

BUMP, please

I would also like to let you guys know, this is not my computer.

RELEVANCY SCORE 117.2

I have Windows Onecare installed and it keeps popping up telling me that I have a threat VirTool:WinNT/cutwail.gen!E. I have spoken to Microsoft 4 times and they have unsuccessfully helped me! I can not get rid of this sucker. I am not computer savvy, but I can follow directions. I will be grateful for any help.

Am still able to access internet at this point.

Thanks!
Jennifer

Here is my DDS report:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 0:25:34.12 on Sat 03/28/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.354 [GMT -5:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcH...

A:I am VirTool:WinNT/cutwail infected!

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTListIt2 Report
Please download OTListIt2 from here
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the "Run Scan" button.
The scan should take just a few minutes.
Copy the log that opens up and paste it back here in your next reply.

=============

The next log will show us any hidden files that are present.
Download GMER from here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

RELEVANCY SCORE 76

Hello People, I am having a problem with my PC and Windows Live one care keeps popping up a window with the above in it but it won't get rid of it. I have included a copy of my hijack this log. Can you please advise how I can get rid of it.

Kind Regards

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:35 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program ...

A:Virtool:winNT?maxer.a

Please follow our 5 Step process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, please post the requested logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

RELEVANCY SCORE 76

Can someone help me get rid of this program and also help me get rid of pop-ups? If it is not too much to ask, show me how to avoid having a problem computer in the future? Thank you.

A:Virtool:winnt/mader.e

I will move you to the correct forum

RELEVANCY SCORE 76

Hello, I have Windows Live OneCare, and recently every time I do a scan I get that Quarantine Failed for VirTool:WinNT/Mader.E
How can I remove it, and I couldn't find a forum already answered to this question because I am super new to this, and it is kind of difficult to go through the forums looking for my problem that might have already been answered. Thank you.

A:Virtool:winnt/mader.e

Although I'm not familiar with the Windows Live One Care program, I'd suspect that there's a log file entry somewhere that will describe where the file containing this virus is located. Once you find the location(s), you can then directly delete the file yourself.

RELEVANCY SCORE 76

I have run several spyware programs, Spybot, Adaware, Windows Live OneCare, Zone Alarm and Trend Micro, and can not get rid of the above listed virus. It says that it can not be quarantined. Trend Micro deletes it and it comes back every time I open Internet. It causes numerous pop-ups which cannot be stopped by pop up blockers and slows overall machine performance down considerably. I notice that generally whatever I am opening in explorer is what the pop up references.
Can someone give me instructions on how to rid my computer of this and what measures to put into place to keep it from happening again. I have read a lot of blogs and microsoft says there is nothing they can do.

A:Virtool:winnt/mader.e

Did Trend Micro provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system? If the scan saved a log file, it should show exactly what and where the malware was found so post that instead.

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
Under the "Configuration and Preferences", click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
Do not run a scan just yet.
Reboot your computer in...

RELEVANCY SCORE 76

Would someone please tell me how to remove this damn thing from my computer, and how did it get there in the first place? Thank you!!

Edit: Moved topic from Introductions to the more appropriate forum. ~ Animal

A:VirTool:WinNT/mader

Welcome to BC.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Ma...

RELEVANCY SCORE 75.2

My system has been running veeeery slow- ran LiveOneCare scan and it found the above named items. I have been unable to get rid of them. Contacted Microsoft and they had me run MalWarebytes which found other stuff and removed them- I have run another scan and got rid of more stuff but it appears that the original culprits remain. I have backed up my important data and am ready to clean this thing out. Please advise me- I am not computer speak savvy however I am a very quick learner.
Janine Payton
DDS (Ver_09-02-01.01) - NTFSx86
Run by Janine at 15:26:02.96 on Wed 02/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.38 [GMT -8:00]

AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.e...

A:VirTool:winNT and TrojanDropper:win32

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until instruc...

I believe that I am infected with VirTool:WinNT/Mader.E I have Mcafee and Norton and neither will remove this. Can someone please help?!!? I have Win XP Prof. Service Pack 3. Thanks!!!

A:Removal Of Virtool:winnt/mader.e

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list ...

SpyBot freezes when it gets to the Zlob section in its scan... Prior to this it finds SmitFraud... It cannot remove this... Windows Live finds VirTool:WinNT/Mader.e Quarantine Failed... Malwarebytes Anti-Malware scan finds---Malware.Trace.... It says the Problems are in C:\Windows\System32\drivers\core.cache.dsk.... It says I must reboot to remove the items but it does not fix it when I do..... Someone please help me!! I am a videographer and I have a ton of Avid Media files on here... I need to finish these projects I am working on and computer is running very funny... I do not know what to do... My work is dependent on this computer running well... Below you can find my DSS scanner results ...

-Deckards System Scanner- -Main.txt-

Deckard's System Scanner v20071014.68
Run by Jacob on 2008-06-08 23:22:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
50: 2008-06-09 04:22:42 UTC - RP151 - Deckard's System Scanner Restore Point
49: 2008-06-09 03:52:48 UTC - RP150 - Microsoft OneCare Protection Checkpoint
48: 2008-06-09 00:03:20 UTC - RP149 - Microsoft OneCare Protection Checkpoint
47: 2008-06-07 20:27:43 UTC - RP148 - System Checkpoint
46: 2008-06-06 20:20:47 UTC - RP147 - Microsoft OneCare Protection Checkpoint

-- First Restore Point ...

A:Help! Smitfraud And Live Finds Virtool:winnt/mader.e Cannot Remove...plz Help!

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\wndcsumr.dll
C:\WINDOWS\system32\fqifptlf.dll
C:\WINDOWS\system32\gblmfsvx.ini2
C:\WINDOWS\system32\ilnXayay.ini2
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\ncntpkdm.exe
C:\WINDOWS\system32\drivers\redbookk.sys
C:\WINDOWS\system32\Vco1
C:\WINDOWS\system32\sTMP
C:\WINDOWS\system32\fIE
C:\WINDOWS\system32\Dev3
C:\WINDOWS\system32\a053
C:\WINDOWS\system32\6026c
C:\WINDOWS\system32\vntiho18
C:\Program Files\uy.exe
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close ...

it won't go away and is only detected by CA anti spyware
 

A:cutwail t problem

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:14 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program ...

Hi,

Wondering if anyone can help me with the above listed virus problems/infections on one of my pcs. Running Win XP (home edition SP3). I previously had avira installed on the machine (which started throwing up random file infections mainly in system32, no solution or real specifics, so uninstalled and switched to MS Security Essentials, logs more specific problems (the three identifiers shown in the title) but again unsuccessful in the removal of. Not had the Netan.A error since removal but keep getting the other two (Mariofev.A more predominantly than the Cutwail.BA but both still on the system. A number of full scans and deletions/reboots etc but still no clean drive. Comp WAS networked too and I believe the Mariofev.A spreads over network, so I may have to tackle the other pcs later - will try sort out the main one first tho and see how it goes!!!

Any help at all would be much appreciated - any other info required I will be more than happy to assist.

Many thanks in advance,

Andy

PS I searched for associated files online, with a mind to manually removing both from the system and registry, a couple of which I found/removed, but many that were not there (although different sites list different files and reg entries!!)

A:Virus Problem: Possible/Probable Infections: Mariofev.a Cutwail.BA and Netan.A

Hello. I think it's best for your computer, to look for an infection. Just follow the steps on http://www.bleepingcomputer.com/forums/topic34773.html (Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help). When you post your (Hijackthis log +) DDS Log: Be patient, it's very busy at this forum. A professional expert will view your logs and will help you with that problem. Do not use tools (like ComboFix) without professional experience/helper. Good luck.

The following is a message I am getting when trying to submit a form. Frontpage extensions have been installed as well as configured to email with smtp. I am currently running WinNT 4.0 SP 5 + IIS

"FrontPage Run-Time Component Page
You have submitted a form or followed a link to a page that requires a web server and the FrontPage Server Extensions to function properly.

This form or other FrontPage component will work correctly if you publish this web to a web server that has the FrontPage Server Extensions installed.

Click the arrow to return to the previous page."

 

A:WinNT + IIS Problem

Since no one has responded yet, I thought this might be of some use at least:
The only reference to this error I could find on Microsoft's site was: http://support.microsoft.com/support/kb/articles/Q181/2/05.ASP
 

Our file server has a mirrored drive; one of the drives seems to have gone bad. We had mirroring set up initially, but after one drive crashed, somehow the mirroring options all got disabled.

The "break mirroring" option in Disk Management is disabled. When I tried to remove one hard drive and restart the system, it threw an error about arrays (which I assume has something to do with mirroring). I have read many KB articles on Microsoft's website but they didn't help. Even "diskpart" does not seem to be recognized as a valid command.

Can someone help me figure out and replace the crashed hard drive ?

Thanks a lot !
 

A:Mirroring problem in WinNT

Try here,

http://support.microsoft.com/search...t=0&comm=1&ast=1&ast=2&ast=3&mode=a&x=11&y=12
 

I have a Windows NT 4.0 workstation that I am having problems printing with.

He used to print to a printer that was shared off another Windows NT 4.0 workstation over our network. I have removed that printer and setup a local printer which is directly connected to his PC on the LPT1 port.

The problem I am having is any documents printed from email or word etc print to the printer on his desk but anything printed from IE5 prints to the shared printer that is no longer installed.

I have absolutely no idea what is causing it!
Any help would be appreciated.
 

A:Printing problem with Winnt 4.0

look here for some help
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q111734

printer help
 

I need help in finding out reasons for different behaviour of an application on different nodes with identical system config.
I have a Server with Win2K and MS SQL SERVER 7 database installed on it and it has 6 nodes, all having WinNT Workstation 4.0. The application is using VB 6 (with True DB Grid 7).
The problem is one of the programs that updates data in database, works perfectly on all nodes except on one specific node where it gives an error message "Error occured". Nowhere in my program, such an error message exists.
There is another program which uploads data from ASCII text file into a database table. This program also fails only on one of the nodes.
Both the programs, update the data in database. The only difference is that the first program takes data from a form and the second one takes the data from file and updates database.
Since the error message is given by OS, I feel that this problem is OS related i.e. Win NT Workstation. 4.0.
Awaiting advice to resolve this problem.

A:WinNT related Problem

Not going to be possible to figure out the error based on that. Can you cause the error to occur at will?

If so add debugging routines into the programming as well. Add messagebox popups throughout the app so that you can tell how far the program gets before it craps out. Then keep inching the code up until the message box happens right before the error...look from there.

Hi,

Hoping someone can help me with this. I have just received a number of old machines which have winnt 4 workstation installed on them. My problem is I have no NT disc and cannot login as they were originally on a network, at this stage i don't have any login detail for them either.

From my understanding these machines can run as a stand alone workstation, if i am incorrect please advise me.

Any help would be appreciated.

Thanks
 

A:Winnt 4 login problem

hi... yes, you can use the machines as stand alone workstations. all you need to have is a login to the local machine which unfortunately you don't have. try downloading the Offline NT Password & Registry Editor, Bootdisk from http://home.eunet.no/~pnordahl/ntpasswd/ and follow the instructions indicated on how you can reset user / administrator password.
 

Hiya

At work, we have a WindowsNT 4.0 service pack 5. Now, not a WinNT user, except when I have to use it for interpreting results. We could also use a Win98, just so you know at work OS's means nothing.

Now, the files were getting a bit large, and we usually backup using a Zip drive. The old one died, so we got a new one, which also happened to be USB. The old one wasn't.

Installed the SP, to bring us from 4 to 5. Rebooted, fine. Installed the software, rebooted. Went to log in, and the good old BSOD popped up.

We see these many times at work, and a simple restart solves these. Now, before you all say Why?, it's because most are networked, and we're not allowed to touch them. This one is standalone.

Anyway, BSOD, restarted, clicked the mouse, BSOD. Removed the connection for the Zippy, and it still happened. It also mentioned ASPI32.SYS in the screen.

Searching, I came up with this one:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q161703

Now, it mentions:

To resolve this issue, use the appropriate method below:
Reinstall on another hard disk when disk space is low.
Remove the third-party video driver.
Upgrade the system BIOS.

Can't do the first, nor the second, and it's not on the network so the third is out.

We don't have any other HD's, and the data is needed on this one. My question, at last, is this.

In WinNT, is it possible to remove the software we just installed for the zippy, so that we can manually remove t...

A:{RESOLVED}WinNT 4.0 problem

Hello All,

Merry Christmas!!!

I have a slight problem that has been racking my brain for two weeks now. My company recently added an NT print server in order to take some of the load of the main file server also NT. We are running a mix of workstations Win95, Win98, and WinNT. We also run a mix of HP and Ricoh printers. I have only added 7 of the printers so far. Anyway my problem is this. The main server and NT workstations see all 7 printers when I add a printer, however the win95 and 98 workstations are only seeing 4 of them. I have double and triple checked the sharing and securities and all are as they are supposed to be in other words they are shared and everyone has the rights to print. If anyone can help please feel free to do so. I have run out of solution ideas.
 

A:{Advice Given} - Printer Problem WinNT

hi,.i think i have a problem,.........
exactly every 40 seconds my computer creates a temp file size 46k.
i only noticed when i ran a junk file delete !
now i have to clear it every day,..... usually there are hundreds of these temp files all 46k ! and all with the same title with consecutive numbers

eg. C:winnt med 10
C:winnt med 11 etc..........

why are they being created and is it a fault of a program i may have or is my pc dodgy ?

many thanks in anticipation
 

A:winnt temp files ! problem ?

Hello, and thanks for helping a newbie out with this problem!

Whenever I launch Internet Explorer, the page comes up as: res://C:\WINNT\system32\shdoclc.dll/navcancl.htm and then it proceeds to go to my regular home page. I have run many virus, adware, spyware programs but it didn't fix the problem until I heard about HiJackThis.

Thank you so much for your help!!

Here is my Hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:30:36 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AMD\PowerNow!\GemServ.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\PELMICED.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ezSP_Px.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusche...

A:Problem: res://C:\WINNT\system32\shdoclc.dll/navcancl.htm

bump

Not sure if this is the right place to help solve this problem. Please direct me to the correct forum if I posted this to the wrong place.

Thanks!

I was trying to install NT to be set up in a dual boot configuration with windows 98 on a fat 32 partition. I was trying to install it on a new fat 16 partition. Whenever it finished copying the files and then prompting me to restart, it would always stop right after the POST. ntldr and all the other necessary files were there. I didn't get any message whatsoever. I know for a fact that this is not some simple problem, so those of you who don't have much experience, I would ask you not to guess.

I really need to figure this out!!!!
 

A:{Advice Offered} - WinNT not installing on top of Win98. Some sort of problem with the MBR

Greetings

Here is your problem:
The active partition is FAT32. So, NT can not read its boot files to be able to boot up. You need to convert your active partition to FAT16.

What you could try doing (if your FAT32 partition is less than 8 Gigs big), is making the FAT16 partition you want to install NT onto as your Active partition.

Here are a few steps to make to try and get things to work:
1) Make a boot disk in Win98. Make sure that you can boot off it, and can run the sys and fdisk command.

2) Boot off the boot disk.

3) Run FDISK, and set the FAT16 partition as active

4) Reboot and boot off the disk again

5) Run the sys command on the new partition (so, if the FAT16 partition is the D: drive, the command will be sys d:)

6) Install NT.

That should work. For advice on how to set up a perfect dual booting machine, you can click on the link in my .SIG

Cheers

------------------
Reuel Miller
Windows NT Moderator (yes, that does make me biased)

Website: www.xperts.co.za/multiboot

Every morning is the dawn of a new error...
 

Where to start?????
This virus seems to have got past my firewall and if I try to change any settings it appears to overwrite the registry so it appears to be not installed and therefore I can't make any changes. My antivirus software detected the virus, deleted the files but they immediately reinfected. After searching the internet I started to look for suspicious files with the aid of my little search dog. He certainly deserved his bone! I deleted the file and found several .temp files which appeared when the virus replicated. I also found a large .sys file in a strange place which I zipped in case I was horribly wrong.

In order to get my firewall functioning again I did a system restore but this evening when I went to check something on the firewall it changed to being "not installed". The following files appeared on my c: drive "Newtb1handler.log" and "TB2overwriteHandler.log" Obviously there is still something lurking in the maze of files but I have no idea what to look for. Also I have just realised that my DVD-cd rom is not working. I know I went mad zipping up anything I thought to be a threat but I am pretty certain I didn't mess with any of those files. I focussed on files made/modified on the day (16.04.09)

I am having trouble uploading files to the internet but that may be because I need to make changes to my firewall but am too scared to try until I sort out the overwriting problem.

I'm sure there is more to tell but I...

A:Cutwail.XR

Hi My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we...

Admin... you have closed both threads so please tell me 'continue where?'

http://forums.techguy.org/windows-xp/876361-cutwail-t.html
 

Hi,

Would anyone know whether Cutwail can kill the BIOS, please? Or, could it be just a coincidence that XP is corrupted by an infection of Cutwail and the BIOS has failed as separate incidents?
 

A:Cutwail-T

Closing duplicate.

Please continue here:

http://forums.techguy.org/windows-xp/876361-cutwail-t.html
 

Hi.

MSE on my mom's computer gives a warning that it has detected two viruses, both members of cutwail.ba, supposedly a trojan downloader. After a little more research I have found it is a backdoor trojan... I removed it, restarted it like MSE recommended, and as soon as it booted, it popped up again. I unplugged the ethernet cable, removed and restarted again, and it did not detect the virus. This is very confusing to me. Is the computer safe to use? One more thing- the first warning popped up as soon as she signed in to her banking account. At first I thought the virus came from the bank website. Is it safe to change the password from another computer?

Please help me!

A:Cutwail.BA

Also, on a potentially related note- it received an error about freeing up virtual memory.
Task manager fails to open now.

hi guys. my comp started to reboot on its own and i ran the usual checks but found nothing, couldn't reboot in safe mode so put comp back to factory settings and redid checks, found this little monster, followed previous instructions for sas mab and hjt. rebooted, redid checks and found these others still here, any help would be appreciated.

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 2

08/03/2009 10:20:57
mbam-log-2009-03-08 (10-20-57).txt

Scan type: Quick Scan
Objects scanned: 64527
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\services.exe (Backdoor.Bot) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack...

A:cutwail.gen!b and others

I have followed your instructions the best I can. I have CA spyware protection that was installed after the infection of the computer and it could not remove this virus. I need some help to know what files to remove. Here is the logfile from hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:44 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCen...

A:Cutwail G

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Thank you for your patience.

I have Windows Onecare installed and it keeps popping up telling me that I have a threat VirTool:cutwail/gen.!E. I have spoken to Microsoft 4 times and they have unsuccessfully helped me! I can not get rid of this sucker. I am not computer savvy, but I can follow directions. I will be grateful for any help.

Am still able to access internet at this point. Thanks!

Jennifer

(Moderator edit: moved post to more appropriate forum. jgw)

A:Infected with Cutwail

Hello bellacat1,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/214588/i-am-virtoolwinntcutwail-infected/ We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult.

This leaves you with a choice:
1) Have this thread reopened and the HiJack This log topic deleted
OR
2) Keep this thread closed and wait for assistance in the HiJack This log forum. Please note that that forum is VERY busy.

Please send a Private Message indicating your choice.

Assuming you wish assistance in the HiJack This forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possib...

Hi I'm kinda new to this and I found you guys after a google search of Spammer:Win32/Cutwail.gen!B so I figured this was the right place to post. I did everything you guys said and I came up with this.

Malwarebytes' Anti-Malware 1.26
Database version: 1116
Windows 5.1.2600 Service Pack 2

5/09/2008 4:45:17 PM
mbam-log-2008-09-05 (16-45-10).txt

Scan type: Full Scan (C:\|D:\|E:\|H:\|)
Objects scanned: 195365
Time elapsed: 2 hour(s), 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 71

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No ...

A:Win32/Cutwail.gen!B

Hi,

Please make a new scan with MBAM, and post the logfile in your next reply.

RELEVANCY SCORE 42.8

hey all. i hope everyone is well. ok here is the deal, i ran microsoft windows malicious software removal tool, and it found the aforementioned baddy. tried to remove it with same and, it won't go away. also all of my programs are closed by windows "DEP". so i can't even open notepad, or use ctrl-alt-del. booooooooooooooo. i've run HJT and i get a wuauclt.ex, (possible virus?) i know that this program is "supposed" to be windows update auto update but, i can't remove it either. i would really appreciate the effort of anyone who may feel compelled to help. thanks in advance, postcar.
 

A:win32\cutwail

bump
 

RELEVANCY SCORE 42.8

You guys are great... I applaud your work and as soon as I get this cleaned up I am making a donation!

I apologize for any incoherency as it is 3 AM and I am trying to fix my issue with this virus. Here is what I remember. I was wandering the web and then all of a sudden my CA caught a virus and cutwail.xr was the first. It said it was removed and I was going to do what was suggested in a previous post but then read that I should follow the proper protocols first. But before I did I broke a few rules (never having heard of this place before) and tried to fix it on my own. I thought perhaps if I scan my PC I could get rid of it. But lo and behold my CA security is not willing to scan anymore. So I uninstalled the CA suite and reinstalled and got a blue screen when it started to detect the viruses again. I tried PC doctor and the blue screen hit me again. It feels like every time I try to attack it, it shuts me down.

I am at a loss for what to do next and rather than try to blaze through and repair it myself I am going to try and post my issue with you here and hopefully get some education on how to deal with this one.

I really appreciate your help and would love to know what I need to do to resolve the issue so I can get my computer back.

THANK YOU SO MUCH FOR YOUR TIME AND EFFORTS!!!

Jason

A:trying to remove cutwail.xr and more

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resul...

RELEVANCY SCORE 42.8

Hi there,

Currently having issues sending emails; in looking at the bounceback message, the IP has been blocked for participating in a botnet.

This IP is infected (or NATting for a computer that is infected) with the cutwail spambot. In other words, it's participating in a botnet. (abuseat.org)

Currently running scans by Eset antivirus, and nothing major has come up apart from one pc. Here are the logs, Gmer won't run as certain files are in use by another process.

Hijack this :

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:35:32, on 14/04/2014
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\runonce.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\mobsync.exe
G:\AV\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx...

A:Cutwail infection

RELEVANCY SCORE 42.8

I, I'm not an expert in computers so I can't remove the next problem. I have the Etrust antivirus and pestpatrol installed in my computer and I'm always receiving the next message from the antivirus:

The Win32/Cutwail.XR was detected in C:\WINDOWS\SYSTEM32\DRIVERS\I386SI.SYS.
Machine: CPVITORA, User: FRULACTPRIV\VitorA.
Status: File was cured; system cure performed.

So I would like to have some help to remove this virus. Can you help me in this?

There is my log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by VitorA at 16:33:14,21 on 16-04-2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.2038.1279 [GMT 1:00]

AV: eTrust ITM *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programas\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Programas\Cisco Systems\VPN Client\cvpnd.exe
C:\Programas\CA\SharedComponents\iTechnology\igateway.exe
C:\Programas\CA\eTrustITM\InoRpc.exe
C:\Programas\CA\eTrustITM\InoRT.exe
C:\Programas\CA\eTrustITM\InoTask.exe
C:\Programas\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Programas\Java\jre6\bin...

A:Infection with Cutwail.XR

I tried the next and until now (30 minutes) my computer is good.

An end-user had this virus, look under your document and settings/userprofile. The user login name was there with .exe (Example: if abc was the login then it had abc.exe). I removed the file and the problem went away. Not sure if this is common for the virus but it was a start. I had also scanned with Malwarebytes.

Good luck.

RELEVANCY SCORE 42.4

I am trying to clear up some remaining problems from cutwail!rootkit trojan and some other trojans that I thought I had cleared off my PC. I used spybot S&D and a mcafee command line scan to get most everything and then used SDFix to get rid of cutwail. However, on some of the user accounts I am still seeing a window/system32 popup when I log in. Here is the latest HJT log file.

The things that bother me in the log are the (no file) entries and the Updreg.exe entry. Any help would be greatly appreciated.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:00 PM, on 11/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC&#...

A:Cleaning Up After cutwail virus

Hello! My name is Sam and I will be helping you. I will do my best to communicate clearly to you so that we can resolve your issues as quickly as possible. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to fix your computer. Please communicate freely with me about how your computer is reacting and behaving as we work through this process.

Please download random's system information tool (RSIT) and save it to your desktop.
Double click on RSIT.exe to run it.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

RELEVANCY SCORE 42.4

I have posted the requested attachments including DDS (which I ran several times because it kept shutting down. I did not read the sticky saying NOT to run this until I gave up on getting what I thought might be a 'full' report...)

I have been poking at this for several days, mucking about in the registry deleting items (listed below) and renaming a few files since I did not know how to replace them if I deleted them. All based on various forums from sources I researched a bit and decided I could trust...

removed from registry {per symantec(dot)com writeup}:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ip6fw
*did not find the 'Runtime' reference in the same path

renamed:
c:\windows\system32\drivers\ip6fw(dot)sys
c:\windows\system32\drivers\secdrv(dot)sys
c:\windows\system32\lahwje(dot)dll

HISTORY:
First symptom was computer shutting down so I checked Microsoft and McAfee for updates. A Microsoft update came in and a window popped up saying "Cutwail" and some details I could not read and did not fully record what I could read. I have not been able to re-create this window since. I went on-line to find ways to deal with this and read about lots of frustrated folks with more computer skills than me.

I ran sdat5477 - a super virus scanner from McAfee, have had the System Restore off most of this week and had DCOM Process Server on and off {this seems to be the last window to show up before shutting down: Generic Host Process.. Win32 Ser...

A:cutwail? Patched User32?

please bump -

i did update McAfee last night (1/3) and ran a scan, deleted and quarantined as directed. this is the only solution posted on their website, this is the only change I have made

RELEVANCY SCORE 42.4

Got the dropper and didn't catch it... now have other malware problems with browser hijacked and popups. Search engine results are redirected, so have to enter specific address. I use FF 3.5.5 with noscript. Have installed avg but it appears to have been mostly disabled by the infection. Thank you in advance for any help.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Lynn at 21:23:08.70 on Sat 11/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.860 [GMT -5:00]

AV: Windows System Defender *On-access scanning enabled* (Updated) {24E1C530-438C-4B55-BC3E-19C0C470D56B}
FW: Windows System Defender *enabled* {5D924B25-48D1-4C0F-B73A-4585F6C2AE10}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k im...

A:Infected with Win32:Cutwail-AA et al

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follo...

RELEVANCY SCORE 42.4

Looks like I got the following:

TrojanDownloader:Win32/cutwail.gen!B
TrojanDownloader:Win32/cutwail.gen!F

Hijackthis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:54 AM, on 5/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\reader_s.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Syst...

A:need help removing cutwail virus

Hi Folks...any chance someone can help with this? The computer infected is for a single mother of three who could really use the help. Thanks in advance.
 

RELEVANCY SCORE 42.4

Can't access any antivirus websites or windows sites or update malware bytes.

Many instances of svchost.exe running and constantly taking up 100% (even when closed a new one just takes over!).

When malware bytes gets rid of the trojans they just come back every time.

I ran the windows malicious software removal tool and it came up with these:

Backdoor:WinNT/Rustock.F
Virtool:WinNT/Cutwail.L
Virus:Win32/Cutwail.F
Trojan:Win32/Alureon.gen!J

Can't figure it out.
Any help much appreciated.

I've followed the 'First Steps' listed...and have combofix but haven't run it yet.

Here is the DDS.txt file.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Adrian at 18:12:43.03 on Wed 19/08/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.2047.1422 [GMT 10:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Symantec\Norton Ghost\Agen...

A:Cutwail trojan/svchost 100% help please

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.

RELEVANCY SCORE 42.4

I think it is a rootkit virus and no matter what I do I can't get rid of it. I am using PC Doctor Spyware protector and it catches it, but when I reboot after "fixing the known threats" the program comes right back. I believe I isolated the threat to start with a file called gnngnugb.dll or gnngnub32.dll because these are the first threats to reappear after a reboot. I can only guess however that there is another file somewhere that I can't find. I have used Malwarebyte's antimalware, and spybot to scan and remove but never get it. I have manually deleted every file found by HijackThis and even used KillBox to get that done. However, I am still not out of the woods.

Would appreciate any help or advice . . .

Logfile of random's system information tool 1.04 (written by random/random)
Run by Admin at 2008-11-08 11:31:50
Microsoft Windows XP Professional Service Pack 3
System drive C: has 24 GB (46%) free of 53 GB
Total RAM: 1526 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:57 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svcho...

A:Cannot get rid of trojan-downloader.cutwail.w

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critica...

RELEVANCY SCORE 42.4

First off thanks a million to all the dedicated guys and girls out there that can take the time to assist us lesser mortals with these problems. You're all amazing.

This PC got hit by a virus last week, the virus did its thing then opened up the 'internet security 2010' program so I could remove it. How convenient! Right away I knew it was a problem and started googling for solutions and came across you guys.

In a nutshell this machine is sending out spam all the time, approx 8000 emails a day and of course we are now blacklisted by everyone. I keep the PC off of our LAN when I can but it's a 'working PC' and I have to use it too.

I've checked the 'sent' mail folder on this PC, it's pretty much empty, but if I check the exchange server logs then they are full of the same user sending multiple emails, mostly with the same subject line, to what I can gather are all the email addresses known to this user's (kathyp) outlook profile.

We use MSExchange server 2003 as part of our SBS2003 installation. The SMTP connector is now queuing up with legitimate business email that can't be delivered because of our RBL status. Strangely enough I don't see any of the emails seen in the exchange log in the SMTP queues.

At the time of writing I have already run combofix a few days ago, yes, I now know that probably wasn't a good idea but I've got to get this machine back onto our LAN asap. Combo fix found the cutwail.f virus and the ...

A:I think I'm still infected with 'Cutwail.F' Virus

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

RELEVANCY SCORE 42.4

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Sca...

A:infected with cutwail combofix log

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please start a new topic.

RELEVANCY SCORE 42

Please be gentle with me as I'm no PC expert as I use a Mac, but my son's PC seems to be infected with something nasty! We have a home network where my Mac is hardwired into the router and 3 PCs have wireless connections. Recently our internet connection has been painfully slow and I can tell from the router next to me that there is lots of activity from one of the wireless connections. Basically 'something' seems to be continuously accessing the internet from my son's PC - to the extent that the only way that the rest of us in the house can use it is to disconnect him. All the PCs have PCguard (comes with our Virgin Broadband) protecting them and on his PC he frequently gets a message to say that 'cutwail' and 'anserin' cannot be deleted. In addition there was something called 'protector.exe' that was continually trying to get internet access and causing the hard drive to be continuously ticking away. When I blocked it trying to access the internet, the hard drive calmed down, but I could still tell that there was activity from wireless connection from the light flashing on the router and my connection slowed down to a stop. So far I have just cut him off so that at least I can try and figure out what's going on. I have a HijackThis log which is posted below. Apart from that I have no idea what to do next!! I can't really access stuff on the internet from his PC to try and sort this out, but I am able to download applications onto my Mac or one of the other PCs i...

A:Infected With Something Nasty?! Cutwail? Anserin?

Hello Frasz and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,
Johannes

RELEVANCY SCORE 42

Hi,

Wondering if anyone can help me with the above listed virus problems/infections on one of my pcs. Running Win XP (home edition SP3). I previously had avira installed on the machine which started throwing up random file infections mainly in system32 - no solution or real specifics - so uninstalled and switched to MS Security Essentials, which logs more specific problems (the three identifiers shown in the title) but again unsuccessful in the removal of. Not had the Netan.A error since removal but keep getting the other two (Mariofev.A more predominantly than the Cutwail.BA but both still on the system.) A number of full scans and deletions/reboots etc but still no clean drive, although MS Security Essentials hasn't thrown up any errors since yesterday so not sure what's going on presently - still some strange behaviour though (certain progs not running as they should be!) Comp WAS networked too and I believe the Mariofev.A spreads over network, so I may have to tackle the other pcs later - will try sort out the main one first tho and see how it goes!!!

Any help at all would be much appreciated - any other info required I will be more than happy to assist.

Many thanks in advance,
Andy

DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 16:45:45.04 on 06/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.296 [GMT 1:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118...

A:Possible Infections: Mariofev.a Cutwail.BA and Netan.A

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

CODE
msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st...

RELEVANCY SCORE 42

Hello, my PC was infected with the braviax trojan after opening an email. I was able to remove the problem files with McAfee virus scan, which also had to remove the cutwail!rootkit virus. After multiple scans with McAfee, DSS, ComboFix and SUPERAntiSpyware programs, it seems to be gone. However, both ComboFix and DSS are showing names of files that were created at the exact time of downloading the email. I removed two copies of "karina.dat" because forums listed them as problem files related to braviax. But should I delete the others as well?

Please note that DSS showed 9 files created at that time (including the 2 karina.dat files) and ComboFix showed a total of 14 files. I have pasted the HijackThis report from running DSS below. (Please note that there are now only 7 files because of deleting the 2 karina files.)

Deckard's System Scanner v20071014.68
Run by user on 2008-07-25 15:28:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:28, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS...

A:Infection By Braviax And Cutwail!rootkit

Hello sarahtek,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for an analyst to review.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges...
