Trojan removed but still having problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Wiffypoo, Jan 28, 2006.

  1. Wiffypoo

    Wiffypoo Private E-2

    I found and removed a trojan on my PC by following the instructions in the "READ & RUN ME FIRST Before Asking for Support" thread. (Out of interest, the trojan was picked up by the Trend Micro scanner but none of the others.)

    However I now get a message like the one attached as a screenshot jpeg whenever I have Microsoft Antispyware or Panda Antivirus running.

    In this case it says gcasServ.exe, which I believe is part of MS Antispyware, but it sometimes says APVXDWIN.EXE, which I believe is part of Panda AV.

    Panda AV is reporting the firewall is on error.

    Can anyone help me understand what's going on and how to correct the problem?

    I have also discovered that my son and a friend have been on the Runescape online game and have installed software from that, which I fear may be the source of the problem.

    Thanks,

    Wiffypoo
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log shows no signs of malware.

    The version of Java you are using is out of date. Visit Sun Microsystems' web site and get the latest version of the Java Runtime.

    Sensapi.dll is a valid Windows Dll, http://www.processlibrary.com/directory/files/sensapi/. MSAS has flagged the file as not being valid. You need to replace the file.

    Start -> Run
    sfc /scannow
    OK

    You may be prompted for your Windows installation CD, and may need to run Windows Update after completion.

    Runescape is a legit on-line RPG.
     
  3. Wiffypoo

    Wiffypoo Private E-2

    Your HijackThis log shows no signs of malware.

    Thanks for confirming that.

    The version of Java you are using is out of date. Visit Sun Microsystems' web site and get the latest version of the Java Runtime.

    Done. Thanks.

    Sensapi.dll is a valid Windows Dll, http://www.processlibrary.com/directory/files/sensapi/. MSAS has flagged the file as not being valid. You need to replace the file.

    Start -> Run
    sfc /scannow
    OK


    Superb! That sorted out that problem.

    Runescape is a legit on-line RPG.

    Perhaps I was a little hasty in my conclusion, but Googling for Runescape finds plenty of discussions about Malware associated with it. Not to worry, really. The main thing is that my PC now seems to be clean rather than knowing where the infection came from in the first place!

    I've also reinstalled Panda, and so far the firewall is not reporting itself on error, though I guess if it happens again I should probably start with the Panda tech support guys for help.

    Thanks for your help

    :)

    Wiffypoo
     
  4. Wiffypoo

    Wiffypoo Private E-2

    Still having problems...

    A few days ago I posted this and thought I had the problem fixed:

    http://forums.majorgeeks.com/showthread.php?t=84005

    However, yesterday my internet connection started running extremely slow. I spoke to my ISP to check whether there was a problem at their end. They said there wasn't and asked me to run netstat. Based on the netstat output they said that because port 445 was open when it shouldn't be I had the Nimda virus. Now, from some Googling, I think what they told me may be true but isn't necessarily - perhaps someone can confirm?

    I went through the READ & RUN ME FIRST steps again and cwshredder picked up and eliminated cws.myconfig.

    No other scanner picked up anything other than the odd tracking cookie.

    When I run netstat, port 445 is still showing as open on LISTENING connection. It shows this as soon as I boot (safe mode) before I've opened any browser or other software.

    I attach my netstat output and HJT log.

    Do I still have a problem? I feel uneasy having thought I sorted the problem once, but found it back again.

    Thanks in advance,

    Wiffypoo
     


  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is from Safe Mode, it must be from Normal Mode.
     
  6. Wiffypoo

    Wiffypoo Private E-2

    Your HijackThis log is from Safe Mode, it must be from Normal Mode.

    Sorry. Here it is again. I have rebooted and run netstat and HJT before launching anything else. Both logs are attached.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to take a look at this:

    http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm

    It even explains how to block port 445

  8. Wiffypoo

    Wiffypoo Private E-2


    I've done that and attach another netstat run. There are still some LISTENING states. Is that normal?
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! It's normal. Even the port 445 was normal. If you have a firewall installed, it was more than likely blocking incoming NetBIOS on port 445 by default anyway.

    I don't think your ISP's assessment that you had a Nimda virus was valid.
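    As an added illustration of the point above (example code, not something posted in the thread or shipped with any of the tools it names), the script below parses the text of a Windows `netstat -an` run and separates the TCP listeners that a default Windows XP install normally has open (135, 139, 445) from anything else, which is what a reader asking "is that normal?" actually wants to know. The baseline port list and the sample netstat output are constructed for this example; they are not Wiffypoo's real logs.

```python
import re
from typing import Dict, List, Tuple

# Ports a stock Windows XP box leaves LISTENING with nothing else running.
# Assumed baseline for this example; extend it for your own build.
BASELINE_LISTENERS: Dict[int, str] = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB over TCP (Microsoft-DS)",
}

# Matches the data rows of `netstat -an` on Windows:
#   TCP    0.0.0.0:445    0.0.0.0:0    LISTENING
#   UDP    0.0.0.0:445    *:*
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

# Constructed sample output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       203.0.113.10:80        ESTABLISHED
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""


def parse_netstat(text: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (proto, local_addr, local_port, foreign, state) per data row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header lines and blanks
        proto, laddr, lport, faddr, state = m.groups()
        rows.append((proto, laddr, int(lport), faddr, state))
    return rows


def triage_listeners(text: str) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Split TCP LISTENING ports into known-Windows vs. needs-a-look.

    Returns (expected, unexpected): expected maps port -> service name,
    unexpected maps port -> local address it is bound to.
    """
    expected: Dict[int, str] = {}
    unexpected: Dict[int, str] = {}
    for proto, laddr, lport, _faddr, state in parse_netstat(text):
        if proto != "TCP" or state != "LISTENING":
            continue
        if lport in BASELINE_LISTENERS:
            expected[lport] = BASELINE_LISTENERS[lport]
        else:
            unexpected[lport] = laddr
    return expected, unexpected


if __name__ == "__main__":
    known, unknown = triage_listeners(SAMPLE_NETSTAT)
    for port, name in sorted(known.items()):
        print(f"port {port:5d} LISTENING: normal Windows service ({name})")
    for port, addr in sorted(unknown.items()):
        print(f"port {port:5d} LISTENING on {addr}: not in baseline, "
              f"find the owning process (netstat -ano) before worrying")
```

    A listener in the "unexpected" set is not evidence of infection on its own; the next step is to identify the process that owns it (`netstat -ano` shows the PID on XP SP2) and check whether it is a program you installed.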
     
  10. Wiffypoo

    Wiffypoo Private E-2

    Yes! It's normal. Even the port 445 was normal. If you have a firewall installed, it was more than likely blocking incoming NetBIOS on port 445 by default anyway.

    Thanks! I'm trying to find out from Panda whether their firewall blocks that port and if not how I can change the settings.

    I don't think your ISP's assessment that you had a Nimda virus was valid.
    I'm beginning to wonder that myself, though something was undoubtedly causing my internet connection to grind to a halt.

    I've run some of the other scans recommended here. Kaspersky thought it found Trojan.Win32.Agent.on in file C:\WINDOWS\$NtServicePackUninstall$\logonui.exe so I have renamed the file (being reluctant to delete it) and the scan did not identify it again.

    Spy Sweeper found virtual bouncer, which it fixed.

    I also ran Microworld MWAV (http://www.mwti.net/products/download_center.asp), which came up with limewire, but I could find no other evidence of it.

    All other scans were clean - I decided to go to town and run a lot:

    - Panda Titanium 2005 as installed on my PC
    - Adaware
    - Spybot
    - Microsoft Antispyware
    - cwshredder
    - Bitdefender
    - Panda Online scanner
    - Trend Micro online scanner
    - a-squared (a²) Free edition
    - avast! Virus Cleaner Tool
    - Ewido

    As a matter of interest, Windows has just popped up a message saying that the Virtual Memory Minimum is too low. I am running another Spy Sweeper scan as well as IE, Pegasus Mail and Panda AV (not scanning but sitting in the background). Should I be concerned that this is a sign that something is still there or is it just a function of the scan? I'm running XP Home Edition with SP2 on an AMD Athlon4 950 MHz 224MB RAM.

    I may now be getting paranoid, but it's very hard to know whether the PC is clean of nasties and properly protected from reinfection.
     
  11. Wiffypoo

    Wiffypoo Private E-2

    I've just re-run the four scans that found problems earlier.

    Kaspersky, Spy Sweeper and Cwshredder all came back clean.

    Microworld AntiVirus identified the following:

    Object "virtual bouncer Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.

    It didn't take action because I only have the free download, not the full paid-for version.

    I attach the full log.

    I am a bit surprised because I thought that Spy Sweeper had eliminated virtual bouncer earlier and it no longer picks it up on its scan.

    Can anyone advise whether I still have a problem?

    (Though I'm going to bed now - it's getting late here in the UK!)

    Thanks,

    Wiffypoo
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please take note of how I make use of the quoting capability of the message editor below. Using quote boxes makes it much easier to distinguish each other's text.

    Is your connection still running slow?

    That was more than likely a false positive unless the file had been infected when you installed a Service Pack. logonui.exe is a valid Windows file.

    If you are having issues with the speed at which your PC operates, you should uninstall some of the protection programs. The ones that can impact your PC's performance are:
    - Microsoft Antispyware
    - Spy Sweeper
    - a-squared (a²) Free edition
    - Ewido

    If you have a valid subscription license for Spy Sweeper, keep it and uninstall the others. This should improve PC performance.

    Then consider uninstalling any other unnecessary items that can affect performance (like toolbars, Browser Helper Objects, and unnecessary applications that load at startup), like the below:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    As far as what MWAV found, just delete the files yourself.
     
    Last edited: Feb 3, 2006
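    To make concrete what "having HJT fix those lines" does, here is an added Python example (not code from the thread, from HijackThis, or from MajorGeeks) that parses HijackThis O4 lines like the three above into the registry value that a fix removes. The `HKLM\..\Run` shorthand expands to the standard Windows Run keys under `Software\Microsoft\Windows\CurrentVersion`; the class and function names are this example's own, and the sample lines are the ones quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Expansion of HijackThis's HKLM / HKCU shorthand to the real Run key parent.
HIVE_PREFIX = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
}

# O4 - HKLM\..\Run: [ValueName] "C:\path\prog.exe" -args
# Only the registry-backed Run/RunOnce/RunServices forms are handled here;
# Startup-folder O4 lines are an assumption left out of this example.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$')
# First token of the command: either a quoted path or a bare one.
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+)')

# The three lines quoted in the post (HijackThis log format).
SAMPLE_HJT_O4 = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""


@dataclass
class StartupEntry:
    registry_key: str   # full key holding the value, e.g. ...\CurrentVersion\Run
    value_name: str     # the value name that a HijackThis "fix" deletes
    command: str        # command line exactly as stored in the registry
    exe_path: str       # program that would be launched at logon


def parse_o4_line(line: str) -> Optional[StartupEntry]:
    """Turn one O4 line into the registry value behind it, or None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, subkey, name, command = m.groups()
    em = EXE_RE.match(command)
    exe = (em.group(1) or em.group(2)) if em else command
    return StartupEntry(
        registry_key=HIVE_PREFIX[hive] + "\\" + subkey,
        value_name=name,
        command=command,
        exe_path=exe,
    )


def parse_o4_lines(text: str) -> List[StartupEntry]:
    """Parse every O4 registry line in a block of HijackThis log text."""
    entries = []
    for line in text.splitlines():
        entry = parse_o4_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_o4_lines(SAMPLE_HJT_O4):
        print(f"delete value [{e.value_name}] under {e.registry_key}")
        print(f"   stops {e.exe_path} from starting at logon")
```

    Fixing the line only removes the Run value; the program itself stays installed, and some updaters (RealPlayer's scheduler, for instance) may re-create their entry on the next launch unless their own "start with Windows" option is also turned off.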
  13. Wiffypoo

    Wiffypoo Private E-2

    Noted (as you can see!)

    It ground to a complete halt earlier today. I phoned my ISP again and told them that I was certain my PC was clean. They suggested turning the modem off, disconnecting it from the PC, then turning it back on and reconnecting it, which seems to have got rid of the problem for the moment. However, having had the same problem twice in 48 hours I wouldn't be surprised if it returns!

    I will leave Microsoft Antispyware and remove the others as I don't have a license for Spy Sweeper (I'm using the 14 day free trial). However, the problem seems to be with the internet connection speed rather than the PC itself (though it's always good to keep the PC running at an optimum speed).

    How do I go about that? Do I need to alter the setting in each of those programs (which I guess are Real Player, iTunes and Quick Time) or do I do it some other way?

    I deleted the file identified as limewire and that has now disappeared from the scan, which leaves virtual bouncer. I think the virtual bouncer was a false positive because I went through the removal process here:

    http://www.spywareremove.com/removeVirtualBouncer.html

    I had none of the files listed except chilkatzip.dll, as already identified by MWAV. I then found this:

    http://www.chilkatsoft.com/faq/Norton-Anti-Virus.html

    I don't recall ever installing any Chilkat software, so I guess it's a third party add on to something I have installed. I am assuming for the moment that the file is legit and have not deleted it for fear of messing up something I use.

    So, in summary, I don't think I have any malware on my PC now. I think I may have been led up the garden path by my ISP a bit and I'm not fully convinced that I have completely solved the connection speed problems permanently.

    Thanks for your help. It's a great forum. I find it fascinating that the internet seems to bring out the extremes of good and bad in people - people like you are prepared to spend time helping the likes of me sort out malware for nothing more than an expression of thanks!

    Wiffypoo
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If power cycling the modem resolved the problem, even for a short while then the issue is most likely with your ISP not your PC. Your PC was totally out of the loop in this case. Merely power cycling the modem fixed the problem, so ask them why.

    You can just have HJT fix those lines. That will stop them from loading at startup.

    It was probably a good idea to just leave this one alone.

    You're welcome!

    If you are not having any other malware problems, it is time to work through the below link:

    How to Protect yourself from malware!
     
