Full Version: Corrupt Windows File
SuzanneJ
Recently my nephew was using my computer and now I have a problem with the computer. I have a dialog box (that you can't minimize or delete) with the following message on it:

C:\WINDOWS\SYSTEMS\WINCTRL64.EXE.F6 appears to be corrupt. Reinstall file and try again.


I have researched and found that this is a Trojan, but don't know how to remove from my computer. Last night I ran Ad-Ware and when finished rebooted my computer. This message is still there. Any suggestions on how to get rid of this??

Thanks
Suzanne
IsMe
Ad-Ware (do you mean Ad-Aware?) is a spyware cleaner. You need an Anti-virus program to get rid of the trojan.
acklan
Download AVG Free Edition. It's a full featured antivirus for home use.
SuzanneJ
QUOTE(IsMe @ Nov 13 2005, 01:35 PM) *
Ad-Ware (do you mean Ad-Aware?) is a spyware cleaner. You need an Anti-virus program to get rid of the trojan.



Yes, I meant Ad-Aware. Sometimes my brain gets ahead of my fingers.

Thanks for the info. Will try that
SuzanneJ
QUOTE(acklan @ Nov 13 2005, 01:36 PM) *
Download AVG Free Edition. It's a full featured antivirus for home use.



Thanks! Will download it when I get home from work this evening.

Last night I downloaded Xoftspy and ran the function. It located numerous items, some were a threat and some were not. However, in order for it to clean the files I was redirected to a site to order & pay for the download. Didn't do this, because I wasn't sure what kind of trojan this might be and didn't want to give out any financial info.

Will send you an update after I use the link you supplied above.

Thanks for your help
IsMe
Here's another good FREE cleaner for spyware (not virus or trojans): www.ccleaner.com
Rimmer
Do some online scans to double-check:
Here are some links to free online Anti-Virus scans. They do take some time to load and run and in some cases you can only use Internet Explorer, with ActiveX enabled, to access them but they are an excellent support for your existing anti-virus program.

Trend Micro online scan "housecall" - http://housecall.antivirus.com/

Panda Active Scan online - http://www.pandasoftware.com/activescan/
Internet Explorer only. Requires email address. Requires Active-X components to be installed. Approx 12MB download.

BitDefender online scan - http://www.bitdefender.com/scan/licence.php
Internet Explorer only. Must agree to a EULA. Need to allow installation of an ActiveX component. Some of the options are not clearly explained.

McAfee online scan - http://www.pcpitstop.com/freescan/

Security Advisor (?) - http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Trend Micro Housecall - http://uk.trendmicro-europe.com/enterprise...call_launch.php
(European version, supports Netscape, Mozilla, Firefox and Opera)

hth
SuzanneJ
QUOTE(acklan @ Nov 13 2005, 01:36 PM) *
Download AVG Free Edition. It's a full featured antivirus for home use.


Hi - downloaded AVG last night. While creating the rescue disk the system shut down. When it rebooted, I had a dialog box (with a cartoon Boar ) stating that a virus had been found. Selected the button to heal - process never responded. Shut down computer and went to sleep.

Just ran the AVG scan again. 1st scan found 10 virus/trojans. Never given choice to heal. Ran scan a second time. 9 items had been removed. 1 still remains. Software doesn't give choice to heal or quarantine this item. This is the infected file that remains:

C:\WINDOWS\TEMP\alchem.cab:\alchem.exe
Trojan Horse Downloader.Alchemic.A
status: Infected, Embedded object.

Any suggestions on how to remove??

Thanks for your help.
boopme
QUOTE(SuzanneJ @ Nov 14 2005, 09:42 PM) *
QUOTE(acklan @ Nov 13 2005, 01:36 PM) *

Download AVG Free Edition. It's a full featured antivirus for home use.


Hi - downloaded AVG last night. While creating the rescue disk the system shut down. When it rebooted, I had a dialog box (with a cartoon Boar ) stating that a virus had been found. Selected the button to heal - process never responded. Shut down computer and went to sleep.

Just ran the AVG scan again. 1st scan found 10 virus/trojans. Never given choice to heal. Ran scan a second time. 9 items had been removed. 1 still remains. Software doesn't give choice to heal or quarantine this item. This is the infected file that remains:

C:\WINDOWS\TEMP\alchem.cab:\alchem.exe
Trojan Horse Downloader.Alchemic.A
status: Infected, Embedded object.

Any suggestions on how to remove??

Thanks for your help.




Hi. This file may be in your recycle bin. Right click on the recycle bin icon and empty it. Run the scan once again.

If the files are found again, there is a link to download the removal tool here - http://securityresponse.symantec.com/av...chemy.html

Disable System Restore - there are instructions for Windows ME and XP here - http://www.pchell.com/virus/systemrestore.shtml .

Run the removal tool to be sure you are not infected.

Re-enable System Restore and set a new Restore Point. Your system should now be clean.

Let us know if it worked..
SuzanneJ
QUOTE(boopme @ Nov 15 2005, 01:49 AM) *
QUOTE(SuzanneJ @ Nov 14 2005, 09:42 PM) *

QUOTE(acklan @ Nov 13 2005, 01:36 PM) *

Download AVG Free Edition. It's a full featured antivirus for home use.


Hi - downloaded AVG last night. While creating the rescue disk the system shut down. When it rebooted, I had a dialog box (with a cartoon Boar ) stating that a virus had been found. Selected the button to heal - process never responded. Shut down computer and went to sleep.

Just ran the AVG scan again. 1st scan found 10 virus/trojans. Never given choice to heal. Ran scan a second time. 9 items had been removed. 1 still remains. Software doesn't give choice to heal or quarantine this item. This is the infected file that remains:

C:\WINDOWS\TEMP\alchem.cab:\alchem.exe
Trojan Horse Downloader.Alchemic.A
status: Infected, Embedded object.

Any suggestions on how to remove??



Thanks for your help.




Hi. This file may be in your recycle bin. Right click on the recycle bin icon and empty it. Run the scan once again.

If the files are found again, there is a link to download the removal tool here - http://securityresponse.symantec.com/av...chemy.html

Disable System Restore - there are instructions for Windows ME and XP here - http://www.pchell.com/virus/systemrestore.shtml .

Run the removal tool to be sure you are not infected.

Re-enable System Restore and set a new Restore Point. Your system should now be clean.

Let us know if it worked..



Hi - I emptied the recycle bin and ran the AVG scan again. The Trojan Horse Downloader.Alchemic.A is still there. On the scan log I now have this message: Boot sector of disk C - reading error. I see that Grisoft is aware of this boot sector message - so I'm not too concerned with it right now. The symantec link that you provided above does not work, it returns "Page not found". I am very apprehensive about using my credit card to download anything as I don't know what this Trojan is doing. On my way home tonight I'm going to stop and see what kind of removal software I can buy.

Thanks
Suzanne
Rimmer
Please use the "Add Reply" button, not the "Reply" button, unless you need to quote a specific post.

So far as I know all of the anti-malware tools that are used here at BC are free so you should not need to use your credit card to purchase anything online and I would suggest, from personal experience, you will get a better outcome letting the people here assist you rather than buying an off-the-shelf software package. Sometimes getting the right solution will take a little while since everyone here is a volunteer and cannot always spend their time at BC.

Different packages specialise in removing different things, that is why we recommend "layered protection" on your PC. One firewall, one anti-virus program, many anti-spyware programs. Supplemented by occasional online scans. (And if you do get infected we have the HJT Team to help you!)

Before we point you in the direction of the HJT team though there are other simple things to try:
Download Ewido and A-Squared Free:

Ewido Security Suite complements anti-virus software by detecting Trojans, Dialers and Spyware and lots of other stuff. It is free for private use.
Ewido download
When installing it untick 'Install Background Guard' and 'Install Scan via Context Menu'.

A-squared Free complements anti-virus software by specializing in detecting Trojans, Dialers and Spyware. It is free for private use but registration via email is required.
A-squared

Install them and update them online. Update AVG as well.

Show hidden and system files:
Open your My Computer icon (Either from your desktop or the Start Menu)
Click the Tools menu and select Folder Options (on older systems it may be in the View menu)
Select the View tab and scroll through the Advanced settings
Enable or disable the following (using a checkmark to enable)

enable - Show hidden files and folders
disable - Hide extensions for known file types
disable - Hide protected operating system files (WinME and WinXP only)

Now click Apply and Ok.

Reboot in Safe Mode and run AVG, Ewido and A-squared Free scans.
Get back to us.

hth
acklan
Go to this link and follow the instruction. It is going to walk you thru running AVG from the command line. This may delete (remove) the file before it can start.
Print this article and then boot into safe mode with command prompt. This will put you in DOS mode. I think it would be better to boot from a floppy ('98 start up disk) but safe mode should do it.

http://forum.grisoft.cz/freeforum/read.php?4,40796,sv=
SuzanneJ
Thanks for all of the info. Will try your suggestions from yesterday.

I now have a new scenario with this problem. Day before yesterday I emptied the recycle bin as suggested and ran the scan again. Last night I was trying to save a word document to a floppy and the A drive wouldn't work, however, I can open a file that was previously saved on disk. When I ran the scan I received a message for the A drive and the D drive - "not accessible". Does this mean that both of these drives have died?

I really appreciate all of your help, because I'm really illiterate on the technical side of the computer.

Thanks,
Suzanne
Rimmer
If you think you have viruses or trojans on your PC then you should not be saving anything to floppy disks because you may well be copying the virus which could then be spread to another PC or come back to your own machine later.

QUOTE
When I ran the scan I received a message for the A drive and the D drive - "not accessible". Does this mean that both of these drives have died?

No. (I'm guessing 'D' is your CDROM or DVD drive?) That most likely means you did not have any discs in those drives and had run a "System" scan. The system scan tries to read every drive - it found drives with nothing in them so reported back they were "not accessible". That's quite normal.

Floppy drives are vulnerable to dust and floppies can be damaged by heat, damp and contact with metal objects (particularly magnetised ones). Your problem could be just a damaged floppy. You could buy a floppy cleaning disk for the drive but it's probably cheaper to replace the drive if it's faulty.

I'd suggest when your PC is clean put in all the floppies and virus scan them (select the A: drive only for the scan).

SuzanneJ
Not able to install Ewido, needs Windows 2000, I have 98. Downloaded and installed A-squared, but need to update tonight. Couldn't last night as their instructions said not to use your email address from AOL, Yahoo or Hotmail, so I used my work email. Have my password now, so I can update tonight.

While attempting to log in to BleepingComputer last night, something tried to download on my computer:

PC BugDoctor from freedownloadtools.com, I didn't request it. Cancelled the action, but then couldn't log into BleepingComputer.

When I finished with A-squared I ran AVG again. Test found 8 viruses. 5 were healed, 3 remain. 2 are associated with my original Trojan Horse Downloader.Alchemic.A -
Alchem.cab and alchem.exe

New one is: Trojan Horse Downloader.Agent.SH
File: Popcorn72.exe
Path: C:\WINDOWS\SYSTEM\popcorn72

Also, last night when I started up the computer, the original dialog box C:\WINDOWS\SYSTEMS\WINCTRL64.exe.F6 appears to be corrupt was not on my computer.

I'm ready to try the computer out my livingroom window
boopme
There are instructions here at BC to remove the popcorn file which was added by another Trojan.

http://www.bleepingcomputer.com/startups/p....exe-11510.html
Rimmer
I forgot about Ewido being designed for Win2000 and XP only, sorry.

This is what I think you should do (some things you may already have available, check you have the latest version) - Reboot normally and see if there is any improvement.

The scans may have removed the popcorn trojan automatically. If it is still present the (general) removal instructions are here - Malware Removal
- under the heading "How to remove these infections"
SuzanneJ
Thanks. Will try these new instructions when I get home.

Suzanne
SuzanneJ
Hi Rimmer,

Last night I updated A-squared and AVG. Then rebooted in safe mode. I ran Ad-Aware, AVG and a-squared.
All infected files were identified and quarantined. I then ran a 2nd time, all scans were clear of infected files.

Logged out of Safe mode and rebooted computer. Had a problem with the mouse, it wouldn't work. Tried to use the CTL+ALT+DEL to get to task manager to shut down, but keyboard wouldn't work either, so I just killed the power to the computer.

Will try again tonight. I want to install the Norton's Anti-Virus that I bought. This computer was given to me, and obviously by my infection, had no anti-virus software on it.

This has been a very educational experience for me. I no longer feel completely computer illiterate, and now know of resources to contact for help. It's a great feeling when you are able to fix a problem on your own.

Thanks for all of your help

quietman7
If the problem continues, you can also try downloading and scanning with the free trial of TrojanHunter.
Setup & Configuration.

Once the program is installed it automatically configures to protect the system and All files. You should not need to change anything.
With the trial version of TrojanHunter you need to manually update the rule files before you can start scanning. Instructions.

To do a full scan be sure the boxes are checked (green) beside your main hard drive folders, then click on Full Scan.
SuzanneJ
Thanks!!
Rimmer
That's good news! (provided your mouse and keyboard are working.)

Quietman7's advice is worth following.

I strongly suggest you use Spybot S&D as part of your malware protection kit, you didn't say if you scanned with this when you were in safe mode. May I also suggest you get everything cleaned up before you switch off AVG and install NAV? AVG will protect you well enough in the meantime (some reviewers rank AVG as good as NAV anyway). Remember 1 antivirus, 1 firewall, many anti-spyware.

Let us know how you get on.
SuzanneJ
Hi Rimmer,

No, I don't have SpyBot yet. Will install, if and when computer is up and running.

Mouse and keyboard are still not working. They are both functional while in Safe Mode, but when I finish with safe mode and reboot, the mouse is functional long enough to make a selection and then the whole thing freezes, and the only way to get out is to turn off the power. Do you have any idea as to why the mouse and keyboard would work in safe mode, but not when out of safe mode??

Suzanne
Rimmer
I don't think your mouse and keyboard are the problem, I think you have drivers or files that have been damaged by the malware, which are loaded during normal startup and are causing your PC to freeze.

Boot in Safe Mode and set up a clean boot using the msconfig tool as described here:
http://service1.symantec.com/SUPPORT/tsgen...id/199869145548
- then reboot normally and see if your PC runs OK. It will look strange but does it function without locking up?
If so run msconfig again and still with 'Selective Startup' selected, tick 'Process Config.sys', 'Process Autoexec.bat', 'Process System.ini' and 'Process Win.ini'. Do NOT tick 'Load startup group items'.
Reboot normally and let us know how the PC behaves.

SuzanneJ
Good Morning Rimmer,

I will try your instructions tonight when I get home from work.

Thanks! Have a great day!!
SuzanneJ
Hi Rimmer,

Followed your last instructions. Mouse and keyboard are working great. Thanks!!

Still can't get the CD-Rom drive to work. Get message "not accessible". I don't have the system disk to re-install the drivers for this drive. Can drivers be downloaded and would that solve this problem? Or do you think that my virus problem killed the CD-ROM drive? Computer is a PackardBell.

Thanks.
Have a great day.

Suzanne
Rimmer
You don't need drivers for the CDROM drive, Windows should find it on its own. Don't worry about that for the moment 'cause we're part way through finding out what the problem is when you boot.
You're booting OK with 'Selective Startup' selected? ( 'Process Config.sys', 'Process Autoexec.bat', 'Process System.ini' and 'Process Win.ini') But 'Load startup group items' is not ticked. Is that right?

I want you to run msconfig again and tick 'Load startup group items'. Then go to the 'Startup' tab, count how many items are listed and, if they are all ticked, untick the 2nd half of them. Reboot and see if the system runs OK or locks up. Let me know.

If you follow what I'm doing, you can do the next steps as well, trying to isolate the item in the startup group that's causing the problem. Hopefully we'll nail it to one item then we can make some inquiries how to fix it.

SuzanneJ
Boot w/ "Selective Startup" no "load Startup Group" selected - Boots fine, mouse and keyboard functional, no CD-ROM.

Last night booted in Safe Mode, added "Load Startup Group" and unselected bottom 10 items - keyboard & mouse froze. Then unselected top 11 items and selected bottom 10 - mouse and keyboard functional, no CD-ROM. Tried 2 additional combinations - no keyboard/mouse.

This is the combination that produces a working keyboard and mouse but no CD-ROM:

Ticked items:
System Tray, LoadPowerProfile, csgng.exe, WebRebates, WinModem, LoadPowerProfile, Office Startup, Microsoft FastFind, CompuServe2000, AOL online Tray Icon

Unticked items:
Yahoo Pager, RegistryCleaner, a-squared, RealTray, My WebSearch Email Plugin, AOL FastStart, AVG7-CC, AVG7-Emc, AVG7-Amsvr, ScanRegistry, TaskMonitor.

The csgng.exe changed to csddy.exe and cscjl.exe when unselected.
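The halving procedure Rimmer describes, applied to the startup list reported in this post, as an added example that is not part of the original thread. It generalises the single-culprit case to several culprits; the function and class names are hypothetical, the boot test is simulated with a constructed culprit (the thread never identifies the real one), and it assumes the PC freezes whenever any one culprit is ticked.

```python
"""Halving search over msconfig startup items (added example, simulated)."""

# Entries as listed in the post above. KNOWN_GOOD booted with a working mouse
# and keyboard; that only means "does not freeze", not "benign" (the thread
# treats csgng.exe as likely malware). SUSPECTS are the items left unticked.
KNOWN_GOOD = ["System Tray", "LoadPowerProfile", "csgng.exe", "WebRebates",
              "WinModem", "LoadPowerProfile", "Office Startup",
              "Microsoft FastFind", "CompuServe2000", "AOL online Tray Icon"]
SUSPECTS = ["Yahoo Pager", "RegistryCleaner", "a-squared", "RealTray",
            "My WebSearch Email Plugin", "AOL FastStart", "AVG7-CC",
            "AVG7-Emc", "AVG7-Amsvr", "ScanRegistry", "TaskMonitor"]


class RebootLog:
    """Wraps a boot test and records each trial; every call costs one reboot."""

    def __init__(self, boots_ok):
        self._boots_ok = boots_ok
        self.trials = []

    def __call__(self, ticked):
        # The known-good items stay ticked in every trial.
        ok = self._boots_ok(KNOWN_GOOD + list(ticked))
        self.trials.append((tuple(ticked), ok))
        return ok


def isolate(suspects, boots_ok, known_bad=False):
    """Return every item in `suspects` that makes the boot fail on its own.

    boots_ok(ticked) -> True if the PC runs normally with those items ticked.
    known_bad=True skips the reboot when the group is already known to fail.
    """
    suspects = list(suspects)
    if not suspects:
        return []
    if not known_bad and boots_ok(suspects):
        return []                      # whole group is fine, stop here
    if len(suspects) == 1:
        return suspects                # narrowed down to a single item
    mid = len(suspects) // 2
    bad_left = isolate(suspects[:mid], boots_ok)
    # If the first half is clean, the failure must be in the second half,
    # so that half needs no confirming reboot of its own.
    bad_right = isolate(suspects[mid:], boots_ok, known_bad=not bad_left)
    return bad_left + bad_right


def simulated_boot(culprits):
    """Constructed stand-in for a real reboot: freezes if a culprit is ticked."""
    culprits = set(culprits)
    return lambda ticked: not (culprits & set(ticked))


if __name__ == "__main__":
    pretend = [SUSPECTS[7]]            # arbitrary pick, for the simulation only
    log = RebootLog(simulated_boot(pretend))
    found = isolate(SUSPECTS, log)
    for ticked, ok in log.trials:
        print("OK    " if ok else "FREEZE", ", ".join(ticked))
    print("isolated:", found, "in", len(log.trials), "reboots")
```

On a real machine the boot test is the person at the keyboard: tick the listed items in msconfig, reboot, and answer whether the mouse and keyboard still work.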
quietman7
csgng.exe is most likely some type of malware/trojan running in the background.

SystemTray.exe, depending on location it is running from, could be a trojan.
http://www.bleepingcomputer.com/startups/

LoadPowerProfile, depending on the associated .exe or .dll, could be a trojan or worm.

webrebates.exe is an advertising program
http://securityresponse.symantec.com/avcen...webrebates.html

My WebSearch Email Plugin is part of an Internet Explorer toolbar that third party software vendors bundle with their "free" software. MyWebSearch is part of the FunWeb Products suite of utilities such as Smiley Central. The toolbar allows easy access to search engine results and a 404 Error Redirector called My Total Search. MyWebSearch is not technically malware but it can introduce malware along with it and slow down your computer.
http://www3.ca.com/securityadvisor/pest/pe...px?id=453096424

These are not necessary to run at startup and are safe to disable:
Microsoft FastFind, AOL online Tray Icon and RealTray

However, it is time for you to seek expert help. I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

When you have done that, post a log in the HijackThis Forum for assistance by the experts.
Rimmer
I agree with quietman7, you've still got some nasties in your system and need to post an HJT log. Go to the Preparation Guide link he gave you. The HJT team will be able to give you step-by-step instructions to clean your PC.

Good luck!
SuzanneJ
I'll work on these new instructions this evening when I get home from work.

Rimmer & Quietman7 - THANKS for all of your help. You guys have saved my sanity where this computer is concerned. I am so glad that I found this website. I've been so impressed with this site that I have told all of my friends about this wonderful place to go to for help. Again, a thousand thanks for all of your help.
SuzanneJ
I'm working thru the Preparation Guide for Use Before Posting A Hijackthis Log and am having a problem with the Windows update. Per the instructions I downloaded ZoneLabs Zone Alarm and then proceeded to the Windows update. Started the download for installation, but the process never finishes. When I look at the update log, the status shows that the process failed. Is it possible that the Zone Alarm is blocking the download? Can HijackThis be downloaded without completing the Windows Updates?
Rimmer
Yes it is possible Zone Alarm is blocking the update. It should warn you something is trying to connect to the internet and give you the chance to allow it, but perhaps the defaults have changed. I'd turn off zone alarm while you run the updates. Turn it on again afterward!

To answer your other question - NO you do not need the Windows updates to download or run HJT, but if for some reason you were not able to complete the updates put that info in your post when you post the HJT log.

hth
SuzanneJ
Thanks Rimmer.

Happy Holidays!!
SuzanneJ
Downloaded HiJackThis. Followed all instructions but have run into a problem. Saved to desktop - unzipped file - returned back to desktop - tried to start HiJackThis but received this message:
Required .DLL file MSVBVM60.DLL was not found.

Need help as I don't have a clue what this is and how to find it.

Thanks
Rimmer
That's a Microsoft Visual Basic runtime set v6. Here's a download link:
http://www.softwarepatch.com/windows/vbrun6.html

Happy holidays to you too!

hth