Problem

Discussion in 'Security and Privacy' started by tedruxspin, 2003/09/21.

Thread Status:
Not open for further replies.
  1. 2003/09/21
    tedruxspin (Thread Starter)
    Hey guys, just a little something to pick your brains. Just scanned my comp on Trend Micro and it found a file, irc mineh.a.
    It says in the blurb on the site to either:

    Open Windows Task Manager. Press CTRL+SHIFT+ESC, then click the Processes tab.
    In the list of running programs*, locate the malware file or files detected earlier.
    Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    Do the same for all detected malware files in the list of running processes.
    To check if the malware process has been terminated, close Task Manager, and then open it again.

    (it's not here)

    or

    Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    In the right panel, locate and delete the registry value:
    WindowsNTDebug
    Close Registry Editor

    And it's not here either! It's described as BKDR_MINEH.A but I can't find it in either place or by looking for files the same size as the one described. Basically I'm cooked. If this helps, I've used StartupList:

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Super X Studios\Desktop Dreamscapes\DesktopDreamscapes.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SmartPopupKiller\PopupKillerTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Mart\LOCALS~1\Temp\Rar$EX00.640\StartupList.exe

    If you could point out any other things that shouldn't be here, I'd love ya extra!

    Oooooh, last poser: I recently had a virus through MSN Messenger and I was randomly looking through Internet Explorer, Tools, Internet Options, Content, My Profile, and in the "choose a profile from a list" there is the email address of someone I know... He knows loads about computers, unlike me :( I've never sent him an email and I've never used Outlook Express. He's never even been to my house! Even if it was saved on my computer I'd have more addresses than that on there. Has he been remotely looking at my computer? Should I be sharpening up the baseball bats?! Much respect.

    Martin.
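    The two removal steps quoted above amount to an autostart audit: is there a Run value with the cited name, and is the program it points at on disk and running? The PowerShell below is an added example (not from the thread or from Trend Micro's write-up) that does that audit on a modern Windows system: it walks the HKLM Run key from the instructions plus the per-user HKCU Run key, pulls the executable path out of each value's command line, checks whether the file exists, whether a process with that path is running, and whether the file carries a valid Authenticode signature, and flags any entry whose value name is on a constructed watch list (here just the WindowsNTDebug name from the post). PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit the autostart Run keys the removal steps point at (HKLM Run),
# extended to the per-user HKCU Run key. The watch list is constructed from the value
# name quoted in the post. Requires PowerShell 3.0+ (member enumeration, -in).
$WatchNames = @('WindowsNTDebug')
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
function Get-CommandExecutable {
    # Pull the program path out of a Run value's command line (quoted or not, with arguments).
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if (-not $cmd) { return '' }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path with spaces: try the longest prefix that exists on disk first.
    $parts = $cmd -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}
function Get-AutorunAudit {
    param([string[]]$Keys = $RunKeys, [string[]]$Watch = $WatchNames)
    # Paths of currently running processes (protected processes expose no Path and are skipped).
    $procPaths = (Get-Process | Where-Object Path).Path
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the registry provider's own metadata properties.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $exe    = Get-CommandExecutable ([string]$p.Value)
            $exists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            $flag   = if ($Watch -contains $p.Name) { 'WATCHLIST' }
                      elseif (-not $exists)         { 'MISSING-FILE' }
                      elseif ($signed -ne 'Valid')  { 'NOT-SIGNED' } else { '' }
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Exe = $exe; Flag = $flag; Signed = $signed
                Running = [bool]($procPaths -contains $exe); Command = $p.Value
            }
        }
    }
}
Get-AutorunAudit | Sort-Object Flag -Descending | Format-Table Name, Flag, Signed, Running, Exe -AutoSize
```

    A WATCHLIST or MISSING-FILE row is what the quoted instructions would have you delete; a NOT-SIGNED row is only a prompt to look at the file, since plenty of legitimate software of that era shipped unsigned.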
     
  2. 2003/09/21
    Newt
    Martin - welcome to the forum.

    In the future it will really help things along if you
    - specify your OS (so the "fix" information is correct for your PC)
    - make the thread title mention the specific problem (so others searching for help will find your thread).

    . Do you find a WindowsNTDebug on your PC?
    . Do you have a list of the infected files Housecall found?
    . Did you find any mention of WindowsNTDebug in your registry?
    . After a reboot, does Housecall still show you as infected?

    As to the virus - probably your friend knows nothing about it. And probably he had nothing to do with it. The usual with this is for an infected PC to pull a random "from" address from their address book and use that. So if your friend has an infected friend and that infected friend also has your information, you'll get the thing.

    Do you run any sort of installed AV software on your PC? If not you really should.

    This particular critter is interesting in that only Trend Micro seems to know about it. From the fact that their pattern file 590 will find it, the thing isn't brand new. Were it me I'd run another AV app and get a second opinion.
     
    Newt,

  4. 2003/09/22
    Welshjim
  5. 2003/09/22
    Newt
    Welshjim - good catch. I tried for nearly a half hour to get that sort of information and totally struck out.
     
    Newt,
  6. 2003/09/22
    Welshjim
    Last edited: 2003/09/22
  7. 2003/09/23
    Newt
    Jim - that's pretty much what I came up with as well.

    I still have trouble believing that Trend has tools for dealing with a virus the other major AV companies have never heard of. It has to be a naming thing of some sort and I'd sure love to know what Norton, AVG, and a few others call it.
     
    Newt,
  8. 2003/09/30
    tedruxspin (Thread Starter)
    Thanks for the help guys, sorry, had a few modem problems so I haven't got on the net for a while. Managed to remove it with Trend Micro. Laters fellas!

    Martin. :p
     