# Can't get rid of Adware



## Robert the Bruce (Aug 16, 2006)

Within the last couple of hours I have removed/uninstalled McAfee Total Protection from my computer and replaced it with Microsoft Security Essentials. After installing Microsoft Security I ran a scan. Several 'threats' were picked up and I was given a choice whether to remove, quarantine or allow. I chose 'remove' for all of them. However, one of these threats will not go away even after selecting 'remove' and restarting several times. This annoying adware is Win32/OpenCandy and is a low level threat. Why can't Microsoft Essentials remove this annoyance?


----------



## Cheeseball81 (Mar 3, 2004)

Does it give the filename? 

Just wanna be sure it isn't flagging a false positive.


----------



## Robert the Bruce (Aug 16, 2006)

I don't know. How would I know that? Please tell.


----------



## Cheeseball81 (Mar 3, 2004)

Does it show in the History tab of Microsoft Security Essentials?


----------



## Robert the Bruce (Aug 16, 2006)

Yes it does. It says it's already been quarantined. So I chose to remove it but my Microsoft Essentials Icon on my Taskbar is STILL a bronze colour instead of Green despite the removal. ???


----------



## Cheeseball81 (Mar 3, 2004)

Normally when it's yellow, it means some action needs to be taken. Whether something got turned off, etc.

Under the Home tab, it should indicate the reason why it's yellow. For example: if real time protection has been turned off.


----------



## Robert the Bruce (Aug 16, 2006)

No, it's Yellow because of this Adware/OpenCandy thing which I can't get rid of. HELP.


----------



## Cheeseball81 (Mar 3, 2004)

Okay just trying to follow here....wasn't it Quarantined? But you can't remove it from the Quarantine?

In History, if you click on "all detected items" - will it let you remove it there?


----------



## Cheeseball81 (Mar 3, 2004)

I should add that a lot of what I've been reading online about this has been an error on MSE's side. 

That's why getting the filename would be really helpful.


----------



## Robert the Bruce (Aug 16, 2006)

When downloading Microsoft Essentials I think it may come as part of it. It can be removed using the History option but after rebooting it's there again. As for the file name I simply don't know how to find out what the file name is or where the file name is. I can only tell you what I see which is described in a previous post.


----------



## Cheeseball81 (Mar 3, 2004)

I think it's best we dig deeper then.

Please download *DDS* by sUBs to your desktop from one of the following locations:

http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Disable any script blocker you may have, as they may interfere and then double-click the DDS.scr to run the tool.

When DDS has finished scanning, it will open two logs named as follows:

*DDS.txt*
*Attach.txt*

Save them both to your desktop and then proceed on to the next step.

Please download *GMER* from: http://gmer.net/index.php

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

*Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.*

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are *unchecked* on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the *Scan* button and when the scan is finished, click *Save* and save the log in Notepad with the name ark.txt to your desktop.

*Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the PC during the scan as it may cause it to freeze.*

Please post the requested logs/reports, as follows:

*Copy and paste* the contents of the DDS.txt file.
*Upload as an attachment* the Attach.txt file.
*Copy and paste* the contents of the ark.txt file.


----------



## Robert the Bruce (Aug 16, 2006)

What on Earth are you talking about? Please don't assume that I know as much about computers as you do. DDS? sUBs? GMER???? What is that? Almost everything you've said in your last post may as well be in a different language. In layman's terms please, or are you just trying to be smart? I'm looking for a simple solution, not something out of NASA.


----------



## Snagglegaster (Sep 12, 2006)

I hope that I can inject a short and relevant post into the discussion. OpenCandy is generally detected as malware by most scanners. Its status as malware is open to some debate, but that isn't relevant to the thread. If OpenCandy is detected as a threat and marked for removal by any antimalware app, but still shows up on subsequent scans, I'd take that to be evidence of rootkit activity. It seems to me the thread needs to be moved to Malware Removal. Apparently the OP is not technically proficient and needs guidance. Lucky for me, it's all above my pay grade.


----------



## lunarlander (Sep 22, 2007)

DDS and Gmer are tools that detect malware and rootkits. Cheeseball is a seasoned malware remover; she has a gold shield beside her name. Just follow her directions.


----------



## Snagglegaster (Sep 12, 2006)

lunarlander said:


> DDS and Gmer are tools that detect malware and rootkits. Cheeseball is a seasoned malware remover; she has a gold shield beside her name. Just follow her directions.


I'm not disputing Cheeseball's credentials at all. I just don't think this is the proper forum for a removal that is likely to be protracted and difficult. Of course, that decision is up to the moderators. Again, it's all above my pay grade. Lunar, I've been an IT professional for 15 years, and I know DDS and Gmer.


----------



## Cheeseball81 (Mar 3, 2004)

Ummm....wow.

First of all, if you had an issue understanding instructions....then you can properly say so politely instead of lashing out at me.

Second, I would move the thread if I saw evidence of a rootkit. I wanted to rule out a false positive first.

I will let someone else take over this thread as I am done here.


----------



## Elvandil (Aug 1, 2003)

Robert the Bruce said:


> What on Earth are you talking about? Please don't assume that I know as much about computers as you do. DDS? sUBs? GMER???? What is that? Almost everything you've said in your last post may as well be in a different language. In layman's terms please, or are you just trying to be smart? I'm looking for a simple solution, not something out of NASA.


These selfsame directions have been followed by many others before you. A knowledge of the meaning of an acronym is not needed to follow the directions and download what is specified. One step at a time will get you there. It is very systematic.

You say that it is "quarantined". How do you know that if it has no name? What was quarantined?


----------



## Robert the Bruce (Aug 16, 2006)

Right, can we start again, but in simpler terms. What do I need to do? The 'OP' is not proficient?? What is OP?


----------



## valis (Sep 24, 2004)

OP equals Original Poster, in this case you. 

All you need to do is follow the instructions in Post 11 by Cheeseball; she has laid them out very clearly and linearly. If you have any questions regarding how to follow those questions, please post those questions and we can assist. There is no reason to attack those who are trying to assist.

Remember, we ALL get paid the same here.


----------



## Robert the Bruce (Aug 16, 2006)

Elvandil said:


> These selfsame directions have been followed by many others before you. A knowledge of the meaning of an acronym is not needed to follow the directions and download what is specified. One step at a time will get you there. It is very systematic.
> 
> You say that it is "quarantined". How do you know that if it has no name? What was quarantined?


Adware:Win32/OpenCandy has been removed and quarantined on several occasions, but once I reboot the computer it's back again.


----------



## valis (Sep 24, 2004)

Snagglegaster said:


> I'm not disputing Cheeseball's credentials at all. I just don't think this is the proper forum for a removal that is likely to be protracted and difficult. Of course, that decision is up to the moderators. Again, it's all above my pay grade. Lunar, I've been an IT professional for 15 years, and I know DDS and Gmer.


If it's determined that something needs removal, at that point it will be moved to the malware forum (where only the OP and the assistant can post).

Regardless, it's not our call to make. It's up to Cheeseball, or a similarly shielded expert.


----------



## Robert the Bruce (Aug 16, 2006)

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702
Run by Rowe at 11:57:14 on 2012-05-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1450 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\SM1BG.EXE
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Rowe\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Panasonic\VideoCam Suite AutoStart\VideoCamSuiteAutoStart.exe
C:\Documents and Settings\Rowe\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - No File
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Raptr] c:\progra~1\raptr\raptrstub.exe --startup
uRun: [MediaGet2] c:\documents and settings\rowe\local settings\application data\mediaget2\mediaget.exe --minimized
uRun: [Akamai NetSession Interface] "c:\documents and settings\rowe\local settings\application data\akamai\netsession_win.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [EPSON Stylus Photo R800] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9YE.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\videoc~1.lnk - c:\program files\common files\panasonic\videocam suite autostart\VideoCamSuiteAutoStart.exe
IE: &Search - http://edits.mywebsearch.com/toolba...YGB&si=&a=.8z5vXhEgFioY.a5GBoWfQ&n=2010071010
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1295294052265
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{792F0106-E28C-431E-89B4-B25B098F1F28} : DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{E0443CD0-C39D-42ED-A111-9B254004ABB1} : DhcpNameServer = 194.168.4.100 194.168.8.100
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-2-21 2348352]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [2010-6-2 372480]
S1 bhjavovc;bhjavovc;\??\c:\windows\system32\drivers\bhjavovc.sys --> c:\windows\system32\drivers\bhjavovc.sys [?]
S1 enrdtbrw;enrdtbrw;\??\c:\windows\system32\drivers\enrdtbrw.sys --> c:\windows\system32\drivers\enrdtbrw.sys [?]
S1 fctzjrqs;fctzjrqs;\??\c:\windows\system32\drivers\fctzjrqs.sys --> c:\windows\system32\drivers\fctzjrqs.sys [?]
S1 fejhjcvg;fejhjcvg;\??\c:\windows\system32\drivers\fejhjcvg.sys --> c:\windows\system32\drivers\fejhjcvg.sys [?]
S1 jmusqmwj;jmusqmwj;\??\c:\windows\system32\drivers\jmusqmwj.sys --> c:\windows\system32\drivers\jmusqmwj.sys [?]
S1 nxkrioic;nxkrioic;\??\c:\windows\system32\drivers\nxkrioic.sys --> c:\windows\system32\drivers\nxkrioic.sys [?]
S2 bwcdrv;bwcdrv;c:\windows\system32\drivers\BWCDRV.SYS [2003-12-21 19840]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-3 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
UnknownUnknown genbkkau;genbkkau; [x]
.
=============== Created Last 30 ================
.
2012-05-05 10:41:14	56200	----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f61b246c-219a-401d-bec4-f826bac14d01}\offreg.dll
2012-05-04 17:45:59	6734704 ----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f61b246c-219a-401d-bec4-f826bac14d01}\mpengine.dll
2012-05-04 10:21:51	6734704	----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-02 14:39:39	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-05-02 14:37:43	--------	d-----w-	c:\program files\Microsoft Security Client
2012-05-02 14:26:33	10288512	----a-w-	c:\program files\mseinstall.exe
2012-05-02 14:17:25	--------	dc----w-	c:\documents and settings\all users\Uniblue
2012-04-26 18:50:05	--------	d-----w-	c:\documents and settings\rowe\application data\ElevatedDiagnostics
2012-04-16 18:18:15	--------	d-----w-	c:\documents and settings\rowe\local settings\application data\LogMeIn Rescue Applet
.
==================== Find3M ====================
.
2012-05-04 19:47:29	70304	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 19:47:29	419488	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-05-02 15:47:43	293992	----a-w-	c:\windows\system32\nvdrsdb0.bin
2012-05-02 15:47:43	1	----a-w-	c:\windows\system32\nvdrssel.bin
2012-05-02 15:47:40	293992	----a-w-	c:\windows\system32\nvdrsdb1.bin
2012-05-02 15:20:29	103784	----a-w-	c:\documents and settings\rowe\GoToAssistDownloadHelper.exe
2012-04-02 20:47:49	25685128	----a-w-	c:\program files\wordview_en-us.exe
2012-03-20 19:44:12	171064	----a-w-	c:\windows\system32\drivers\MpFilter.sys
2012-03-02 17:33:32	73728	----a-w-	c:\windows\system32\javacpl.cpl
2012-03-02 17:33:31	472808	----a-w-	c:\windows\system32\deployJava1.dll
2012-03-01 11:01:32	916992	----a-w-	c:\windows\system32\wininet.dll
2012-03-01 11:01:32	43520	----a-w-	c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-02-29 23:58:00	881984	----a-w-	c:\windows\system32\nvgenco32.dll
2012-02-29 23:58:00	65536	----a-w-	c:\windows\system32\OpenCL.dll
2012-02-29 23:58:00	5918720	----a-w-	c:\windows\system32\nvcuda.dll
2012-02-29 23:58:00	4309760	----a-w-	c:\windows\system32\nv4_disp.dll
2012-02-29 23:58:00	2522944	----a-w-	c:\windows\system32\nvcuvid.dll
2012-02-29 23:58:00	2437440	----a-w-	c:\windows\system32\nvcuvenc.dll
2012-02-29 23:58:00	2291712	----a-w-	c:\windows\system32\nvapi.dll
2012-02-29 23:58:00	18624512	----a-w-	c:\windows\system32\nvoglnt.dll
2012-02-29 23:58:00	17534976	----a-w-	c:\windows\system32\nvcompiler.dll
2012-02-29 23:58:00	13417632	----a-w-	c:\windows\system32\drivers\nv4_mini.sys
2012-02-29 23:58:00	1000256	----a-w-	c:\windows\system32\nvdispco32.dll
2012-02-29 20:30:31	54272	----a-w-	c:\windows\system32\nvwddi.dll
2012-02-29 20:30:24	15494464	----a-w-	c:\windows\system32\nvcpl.dll
2012-02-29 20:30:24	143680	----a-w-	c:\windows\system32\nvcolor.exe
2012-02-29 20:30:23	164160	----a-w-	c:\windows\system32\nvsvc32.exe
2012-02-29 20:30:23	108352	----a-w-	c:\windows\system32\nvmctray.dll
2012-02-29 14:10:16	177664	----a-w-	c:\windows\system32\wintrust.dll
2012-02-29 14:10:16	148480	----a-w-	c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40	385024	----a-w-	c:\windows\system32\html.iec
2003-08-27 13:19:18	36963	----a-r-	c:\program files\common files\SM1updtr.dll
.
============= FINISH: 11:58:22.31 ===============
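
The SERVICES / DRIVERS section of this log is where Glaswegian's later remark about Trojans becomes visible to a reader: several S1 drivers with eight-letter lowercase names whose .sys files DDS could not find (the `[?]` marker), and one service with no image path at all (`[x]`). The Python below is an added example, not part of the original thread and not code from DDS; it parses that section and flags those entries. The sample lines are copied (abridged) from the log above, and the "random-looking name" rule is an assumed heuristic tuned on these names, not a published DDS or Microsoft rule.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log for missing-file and
random-name indicators (example code written for this thread)."""
import re
from dataclasses import dataclass, field

# Abridged from the DDS log posted above; headers included so the section
# parser has something to find. Not a complete copy of the section.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
S1 bhjavovc;bhjavovc;\??\c:\windows\system32\drivers\bhjavovc.sys --> c:\windows\system32\drivers\bhjavovc.sys [?]
S1 nxkrioic;nxkrioic;\??\c:\windows\system32\drivers\nxkrioic.sys --> c:\windows\system32\drivers\nxkrioic.sys [?]
S2 bwcdrv;bwcdrv;c:\windows\system32\drivers\BWCDRV.SYS [2003-12-21 19840]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
UnknownUnknown genbkkau;genbkkau; [x]
.
=============== Created Last 30 ================
"""

# DDS line shape: "<status> <name>;<display name>;<image path> [<date> <size>]"
# where the trailing bracket is "[?]" when the file was not found and "[x]"
# when the service has no image at all.
SERVICE_LINE = re.compile(r"^(?P<status>\S+) (?P<name>[^;]*);(?P<display>[^;]*);(?P<image>.*)$")
VOWELS = set("aeiou")


@dataclass
class ServiceEntry:
    status: str            # R0/R2/S1/... or "UnknownUnknown"
    name: str
    display: str
    image: str             # path plus "[date size]", "[?]" or "[x]"
    reasons: list = field(default_factory=list)


def extract_section(log: str, header: str = "SERVICES / DRIVERS") -> list:
    """Return the non-empty lines between the named DDS header and the next one."""
    lines, in_section = [], False
    for line in log.splitlines():
        if line.startswith("=") and header in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("="):      # next section header ends ours
                break
            if line.strip() in ("", "."):  # DDS pads sections with "." lines
                continue
            lines.append(line)
    return lines


def looks_random(name: str) -> bool:
    """Assumed heuristic: exactly eight lowercase letters with at most two
    vowels, or a run of four or more consonants, reads as machine-generated."""
    if len(name) != 8 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in VOWELS for c in name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    return vowels <= 2 or longest_run >= 4


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach a human-readable reason for every indicator the entry shows."""
    image = entry.image.strip()
    if image.endswith("[?]"):
        entry.reasons.append("driver file not found at scan time")
    if image.endswith("[x]"):
        entry.reasons.append("service has no image path")
    if entry.status == "UnknownUnknown":
        entry.reasons.append("start type and state unknown")
    if looks_random(entry.name) and entry.name == entry.display:
        entry.reasons.append("random-looking name reused as display name")
    return entry


def parse_services(log: str) -> list:
    """Parse every service/driver line in the log into a triaged ServiceEntry."""
    entries = []
    for line in extract_section(log):
        m = SERVICE_LINE.match(line)
        if m:
            entries.append(triage(ServiceEntry(m["status"], m["name"], m["display"], m["image"])))
    return entries


def suspicious(log: str) -> list:
    """Only the entries that tripped at least one indicator."""
    return [e for e in parse_services(log) if e.reasons]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.status:>14} {e.name:<10} {'; '.join(e.reasons)}")
```

Run against the sample, the script flags `bhjavovc` and `nxkrioic` (file absent plus random-looking name) and `genbkkau` (no image, unknown state, random-looking name), while `bwcdrv`, `gupdatem` and the Microsoft and Akamai entries pass. The missing-file marker is the strong signal; the name heuristic only adds weight and, as the legitimate `bwcdrv` shows, would be too noisy on its own without the length restriction.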


----------



## valis (Sep 24, 2004)

perfect.......now just be patient and wait for a malware expert to parse it......


----------



## Glaswegian (Dec 5, 2004)

Hi

My name is Iain and I will be helping you clean your system.

You may wish to *Subscribe* to this thread *(Thread Tools > Subscribe to this thread)* so that you are notified when you receive a reply.

*Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.*

*Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.*

*If there is anything you don't understand, please ask BEFORE proceeding with the fixes.*

*Please ensure that you follow the instructions in the order I have them listed. Note that if you do not respond within 5 days I shall no longer check this thread for replies.*

*Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.*

*IMPORTANT - for Windows Vista and Windows 7 start all tools by using right click > Run as Administrator.*

*Combofix*
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Please read all the information carefully! If using Windows XP you should ensure you install the Recovery Console.*

*You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.*

Please include the log *C:\ComboFix.txt* in your next reply for further review.


----------



## Robert the Bruce (Aug 16, 2006)

I clicked on the link for combo-fix but can't see where I can download the program from. I've read through the instructions but do not see anywhere a download for it. Where is it ?


----------



## Robert the Bruce (Aug 16, 2006)

Can't understand why experts like yourselves don't know or have never heard of this Adware which I described at the start and don't seem to know how to completely remove it without all this long drawn out saga. Please understand my point of view. I'm no expert on computers, I have no doubt I have knowledge of certain subjects which you do not just as you have knowledge of computers which I do not. But I'm supposed to leave my computer completely open and vulnerable to people I don't know 'from Adam.' So please allow for a certain amount of paranoia.


----------



## Robert the Bruce (Aug 16, 2006)

Sorry, found the link.


----------



## valis (Sep 24, 2004)

moved to virus and malware.


----------



## valis (Sep 24, 2004)

Robert the Bruce said:


> Can't understand why experts like yourselves don't know or have never heard of this Adware which I described at the start and don't seem to know how to completely remove it without all this long drawn out saga. Please understand my point of view. I'm no expert on computers, I have no doubt I have knowledge of certain subjects which you do not just as you have knowledge of computers which I do not. But I'm supposed to leave my computer completely open and vulnerable to people I don't know 'from Adam.' So please allow for a certain amount of paranoia.


Robert, please understand that computers are not simple machines, nor viruses one shot removal items. There can (and likely are) more issues than just what you describe wrong with your system. Sorta like building a rocket. One small failure and the entire thing goes boom.

I will personally vouch for all the malware experts here at TSG.......Cheeseball is the one who GOT me onto TSG. Glaswegian I've known for quite some time as well.

If I trust my rig to them, well, I reckon I would trust anyone's rig to them.


----------



## Glaswegian (Dec 5, 2004)

Hi

Just for info, you have more than just adware on your system - looks like a variety of Trojans have set up camp as well. 

Valis put it rather well - malware removal can be a tricky business - I'm sure you do not want to end up with a large door stop.


----------



## Robert the Bruce (Aug 16, 2006)

Right, before I go any further I'd like to point something out. While I was waiting on a reply I had a look around my Microsoft Essentials. I decided to change my settings in the Default Actions section. I changed my Severe, High, Medium and Low level alerts to 'remove' rather than 'quarantine.' After restart my Microsoft Essentials was, lo and behold, Green instead of (previously) Yellow. But the Adware:Win32/OpenCandy was still showing up in History, so I checked the box and clicked 'remove.' After restart Micro Essentials was Green but this time in History there were 3 Adware:Win32/OpenCandy. I checked the 3 boxes and clicked 'remove.' This time, after restart there was NO sign of the Adware:Win32/OpenCandy. So, do you think that I may have solved this problem on my own? Do you think I should still go ahead with combofix to get rid of the Trojans?


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> Can't understand why experts like yourselves don't know or have never heard of this Adware which I described at the start and don't seem to know how to completely remove it without all this long drawn out saga. Please understand my point of view. I'm no expert on computers, I have no doubt I have knowledge of certain subjects which you do not just as you have knowledge of computers which I do not. But I'm supposed to leave my computer completely open and vulnerable to people I don't know 'from Adam.' So please allow for a certain amount of paranoia.


OpenCandy is only the name given to the detection by the anti-virus program. Most, if not all, Malware Removal Specialists have heard of it but these names can vary from one company to the next. See the following link for an example of something that MSE has detected as OpenCandy. As you can see at the top, the actual file name is CheatEngine56.exe and other companies have given it a different name.

https://www.virustotal.com/file/89d...e682bc2be20b446334410a9e2ae92f87ead/analysis/

The name given to the detection (i.e. OpenCandy in this instance) does not isolate exactly what was detected and you can't remove something if you can't see what it is. This type of anti-virus detection is either a file or a registry entry. That's why it's important to get the name of the file or the location of the registry entry that's being flagged.

All anti-virus software will have a way to show the name of the file or registry entry that was detected. Now I don't use MSE but from what I've been able to find out, it seems you have to view History but then you should also select the Quarantine radio button to see the names of the files that are in quarantine.

In any event, as Glaswegian pointed out, there are signs of infection in the DDS log and it will all come out in the wash. Our instructions are always detailed and geared to the beginner user and although it may look daunting at first, if you follow them carefully step by step you will find that you shouldn't have any problems performing the requested tasks.


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> Right, before I go any further I'd like to point something out. While I was waiting on a reply I had a look around my Microsoft Essentials. I decided to change my settings in the Default Actions section. I changed my Severe, High, Medium and Low level alerts to 'remove' rather than 'quarantine.' After restart my Microsoft Essentials was, lo and behold, Green instead of (previously) Yellow. But the Adware:Win32/OpenCandy was still showing up in History, so I checked the box and clicked 'remove.' After restart Micro Essentials was Green but this time in History there were 3 Adware:Win32/OpenCandy. I checked the 3 boxes and clicked 'remove.' This time, after restart there was NO sign of the Adware:Win32/OpenCandy. So, do you think that I may have solved this problem on my own? Do you think I should still go ahead with combofix to get rid of the Trojans?


We were posting at the same time so I hadn't yet seen this post of yours before submitting mine.

First, let me say that it's not a good idea to have your anti-virus program "remove" things as the default action. It should always be set to "quarantine" because false detections do occur and if it's removed then it's gone and can't be restored. Removing things from quarantine should not change the status of MSE from yellow to green (unless it was detecting a malicious file in its own quarantine folder, which we would have known if we had been provided with the file and path). Yellow indicates some action is necessary but it may have been something else. But yes, you should run ComboFix and continue on with Glaswegian and from this point forward please don't make any changes (other than resetting that "remove" back to "quarantine" as the default action in MSE) or run anything on your own.


----------



## Robert the Bruce (Aug 16, 2006)

Quarantine 'radio' button ??
OK, I'll go ahead with this, but with reservations.


----------



## Robert the Bruce (Aug 16, 2006)

OK, I have the Combo-fix set-up Icon and I'm ready to go. After I disable Windows Firewall and Microsoft Essentials Real-Time Protection and then allow Combo-Fix to do its thing, do I re-enable Windows Firewall and Microsoft Essentials Real-Time Protection BEFORE coming back on to TSG? Also, is there anything else I should disable before allowing Combo to do what it does?


----------



## Glaswegian (Dec 5, 2004)

Let's just concentrate on cleaning your system for now - we can always return to look at MSE once we are finished.


----------



## Glaswegian (Dec 5, 2004)

Sorry - posted at the same time.

What you've done should be fine - ComboFix will reboot your system anyway and all those programmes will be reactivated.


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> Quarantine 'radio' button ??
> OK, I'll go ahead with this, *but with reservations*.


Be careful what you wish for because this is Hotel California (no reservations needed but you can never leave). Sure hope you have a sense of humour.


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> Quarantine 'radio' button ??
> OK, I'll go ahead with this, but with reservations.


See this explanation of a "radio" button in computer terminology:

http://en.wikipedia.org/wiki/Radio_button


----------



## Robert the Bruce (Aug 16, 2006)

Text ComboFix result (I hope) - I should perhaps point out that at Stage 50 a window appeared which said 'Grep.3xe has encountered a problem and needs to close. We are sorry for the inconvenience. Please tell Microsoft about this problem - Send Error report.'


----------



## Robert the Bruce (Aug 16, 2006)

Oh for crying out loud, what now?
While waiting for a reply I decided to go to Google and from there to my favourites and from there to a site I visit regularly. However, a window appeared which said 'Security Alert - You are about to leave a secure Internet Connection. It will be possible for others to view information you send. Do you want to continue?'
What now?


----------



## Robert the Bruce (Aug 16, 2006)

Cookiegal said:


> Be careful what you wish for because this is Hotel California (no reservations needed but you can never leave). Sure hope you have a sense of humour.


Yep, I have a sense of humour and love the song.


----------



## Glaswegian (Dec 5, 2004)

Hi again

Good work.

*Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.*

Id like to have one file tested  you may need to unhide your hidden/system files first.

Go to *My Computer > Tools > Folder Options > View* tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the *Hide protected operating system files* option.

Please go to: *VirusTotal*

Make sure the 'Upload a file' tab is selected.
To the right of the page you'll find a "*Choose File*" button.

Click the "Choose File" button and browse to this file in *RED*:

*c:\windows\system32\kernel32.dll*

Then click the blue "*Scan it!*" button in the middle of the VirusTotal page.
If you receive a message saying the File has already been analyzed click *Reanalyze file now.*
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

*Combofix*


Close any open browsers.

Open *notepad* and copy/paste the text in the box below into it:


```
ClearJavaCache::

File::
c:\windows\system32\drivers\bhjavovc.sys
c:\windows\system32\drivers\enrdtbrw.sys
c:\windows\system32\drivers\fctzjrqs.sys
c:\windows\system32\drivers\fejhjcvg.sys
c:\windows\system32\drivers\jmusqmwj.sys
c:\windows\system32\drivers\nxkrioic.sys

Driver::
bhjavovc
enrdtbrw
fctzjrqs
fejhjcvg
jmusqmwj
nxkrioic
```
Looking at the image below as an example (the image is not reproduced here):

Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag *CFScript* onto *ComboFix.exe.*

*If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.*

When finished, it will produce a log for you at *"C:\ComboFix.txt"*

*Do not mouseclick combofix's window whilst it's running. This may cause it to stall.*

*CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!*

Please post the log *C:\ComboFix.txt * for further review.

Download *Malwarebytes' Anti-Malware* to your desktop.


Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
 *Update Malwarebytes' Anti-Malware*
 *Launch Malwarebytes' Anti-Malware*

Then click *Finish*.
If an update is found, it will download and install the latest version.
Once the program has loaded, select *Perform Full Scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results. *Note that the full scan may take quite some time.*
Be sure that everything is checked, and click *Remove Selected*.
When completed, a log will open in Notepad. *Save it to your desktop*.
*Note:* Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, *post that saved log* in your next reply.
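The six drivers in the CFScript above share one tell: an eight-letter, lowercase, pronounceable-to-nobody name dropped into system32\drivers. As an added example (not from the thread, ComboFix or any of the helpers), the script below runs a name-randomness heuristic over a directory listing and emits the File::/Driver:: stanzas in the same layout as the post. The listing is constructed for the example (the six names from the post plus a few legitimate Windows XP drivers for contrast), and the scoring rule itself is an assumption of this example: exactly eight lowercase letters and either a rare letter (j, q, x, z) or a run of six or more consonants. On a real machine you would back such a flag with the file's version resource and Authenticode signature before deleting anything.

```python
import re

# Constructed sample listing: the six driver files named in the ComboFix script
# above plus legitimate Windows XP drivers, so the heuristic has both classes to work on.
SAMPLE_DRIVERS = [
    r"c:\windows\system32\drivers\bhjavovc.sys",
    r"c:\windows\system32\drivers\enrdtbrw.sys",
    r"c:\windows\system32\drivers\fctzjrqs.sys",
    r"c:\windows\system32\drivers\fejhjcvg.sys",
    r"c:\windows\system32\drivers\jmusqmwj.sys",
    r"c:\windows\system32\drivers\nxkrioic.sys",
    r"c:\windows\system32\drivers\ntfs.sys",
    r"c:\windows\system32\drivers\tcpip.sys",
    r"c:\windows\system32\drivers\kbdclass.sys",
    r"c:\windows\system32\drivers\hidclass.sys",
    r"c:\windows\system32\drivers\afd.sys",
]

VOWELS = set("aeiou")
RARE_LETTERS = set("jqxz")


def stem_of(path):
    # r"c:\...\bhjavovc.sys" -> "bhjavovc"; done by hand so Windows paths parse on any OS.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def longest_consonant_run(stem):
    best = run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(stem):
    """Heuristic (an assumption of this example, not a rule from the thread):
    exactly eight lowercase letters, the pattern all six names in the script
    follow, plus either a rare letter or a six-plus consonant run. Legitimate
    stems such as kbdclass (five consonants, no rare letters) stay below it."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    rare = sum(1 for ch in stem if ch in RARE_LETTERS)
    return rare >= 1 or longest_consonant_run(stem) >= 6


def flag_suspects(paths):
    """Return the paths whose file stem scores as machine-generated."""
    return [p for p in paths if looks_random(stem_of(p))]


def build_cfscript(paths):
    """Emit the File::/Driver:: stanzas in the layout the post uses: File:: takes
    full paths, Driver:: takes the service name, which in the post is the file stem."""
    stems = [stem_of(p) for p in paths]
    return "\n".join(["File::", *paths, "", "Driver::", *stems]) + "\n"


if __name__ == "__main__":
    suspects = flag_suspects(SAMPLE_DRIVERS)
    print(build_cfscript(suspects))
```

Run as-is it prints a script identical in shape to the one in the post; to use it on a live box, replace `SAMPLE_DRIVERS` with a real directory listing and review each flagged name rather than feeding the output straight to ComboFix.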


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> Yep, I have a sense of humour and love the song.


:up: Me too.


----------



## Robert the Bruce (Aug 16, 2006)


SHA256: d3b69a8b59e07e775f99871c4ad107a4f72f392325695e7f261f6aa6e590d4e6 
SHA1: c88d57cc99f75cd928b47b6e444231f26670138f 
MD5: b921fb870c9ac0d509b2ccabbbbe95f3 
File size: 966.5 KB ( 989696 bytes ) 
File name: kernel32.dll 
File type: Win32 DLL 
Detection ratio: 0 / 40 
Analysis date: 2012-05-05 15:32:17 UTC ( 1 minute ago )

| Antivirus | Result | Update |
|---|---|---|
| AhnLab-V3 | - | 20120505 |
| AntiVir | - | 20120504 |
| Antiy-AVL | - | 20120505 |
| Avast | - | 20120505 |
| AVG | - | 20120505 |
| BitDefender | - | 20120505 |
| ByteHero | - | 20120505 |
| CAT-QuickHeal | - | 20120505 |
| ClamAV | - | 20120505 |
| Commtouch | - | 20120505 |
| Comodo | - | 20120505 |
| Emsisoft | - | 20120505 |
| eSafe | - | 20120502 |
| eTrust-Vet | - | 20120504 |
| F-Prot | - | 20120505 |
| F-Secure | - | 20120505 |
| Fortinet | - | 20120505 |
| GData | - | 20120505 |
| Ikarus | - | 20120505 |
| Jiangmin | - | 20120505 |
| K7AntiVirus | - | 20120505 |
| Kaspersky | - | 20120505 |
| McAfee | - | 20120504 |
| McAfee-GW-Edition | - | 20120505 |
| Microsoft | - | 20120505 |
| NOD32 | - | 20120505 |
| nProtect | - | 20120505 |
| Panda | - | 20120505 |
| PCTools | - | 20120505 |
| Rising | - | 20120504 |
| Sophos | - | 20120505 |
| SUPERAntiSpyware | - | 20120411 |
| Symantec | - | 20120505 |
| TheHacker | - | 20120505 |
| TrendMicro | - | 20120505 |
| TrendMicro-HouseCall | - | 20120504 |
| VBA32 | - | 20120504 |
| VIPRE | - | 20120505 |
| ViRobot | - | 20120505 |
| VirusBuster | - | 20120504 |

ssdeep: 12288:7wLw6PKp1IgSq1cNfxVNLww0I7OM4mQRQ:XpWHfnNLxwaQRQ

TrID:
Win64 Executable Generic (42.6%)
Win32 EXE PECompact compressed (generic) (20.7%)
Win32 Executable MS Visual C++ (generic) (18.8%)
Win 9x/ME Control Panel applet (7.7%)
Win32 Executable Generic (4.2%)

ExifTool:
UninitializedDataSize....: 0
InitializedDataSize......: 459776
ImageVersion.............: 5.1
ProductName..............: Microsoft Windows Operating System
FileVersionNumber........: 5.1.2600.5781
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows NT BASE API Client DLL
CharacterSet.............: Unicode
LinkerVersion............: 7.1
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows command line
FileVersion..............: 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)
TimeStamp................: 2009:03:21 15:06:58+01:00
FileType.................: Win32 DLL
PEType...................: PE32
InternalName.............: kernel32
ProductVersion...........: 5.1.2600.5781
SubsystemVersion.........: 4.0
OSVersion................: 5.1
OriginalFilename.........: kernel32
LegalCopyright...........: Microsoft Corporation. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 537088
FileSubtype..............: 0
ProductVersionNumber.....: 5.1.2600.5781
EntryPoint...............: 0xb64e
ObjectFileType...........: Dynamic link library

Sigcheck:
publisher................: Microsoft Corporation
product..................: Microsoft_ Windows_ Operating System
internal name............: kernel32
copyright................: (c) Microsoft Corporation. All rights reserved.
original name............: kernel32
file version.............: 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)
description..............: Windows NT BASE API Client DLL

Portable Executable structural information:
Compilation timedatestamp.....: 2009-03-21 14:06:58
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x0000B64E

PE Sections...................:

| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 537065 | 537088 | 6.66 | 20e7d84df75e06dfbc481e20c3e7f8d2 |
| .data | 544768 | 17504 | 9728 | 0.59 | dd0a1d702ba641dd9a3e4aa8d1896aec |
| .rsrc | 565248 | 417512 | 417792 | 3.39 | c875d981cddbef706b9ead3eb62aec87 |
| .reloc | 983040 | 23684 | 24064 | 6.62 | 55b85ac969f28a4d4dff5820d55ffa12 |

PE Imports....................:

ntdll.dll
_wcsnicmp, NtFsControlFile, NtCreateFile, RtlAllocateHeap, RtlFreeHeap, NtOpenFile, NtQueryInformationFile, NtQueryEaFile, RtlLengthSecurityDescriptor, NtQuerySecurityObject, NtSetEaFile, NtSetSecurityObject, NtSetInformationFile, CsrClientCallServer, NtDeviceIoControlFile, NtClose, RtlInitUnicodeString, wcscspn, RtlUnicodeToMultiByteSize, wcslen, _memicmp, memmove, NtQueryValueKey, NtOpenKey, NtFlushKey, NtSetValueKey, NtCreateKey, RtlNtStatusToDosError, RtlFreeUnicodeString, RtlDnsHostNameToComputerName, wcsncpy, RtlUnicodeStringToAnsiString, RtlxUnicodeStringToAnsiSize, NlsMbCodePageTag, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlCreateUnicodeStringFromAsciiz, wcschr, wcsstr, RtlPrefixString, _wcsicmp, RtlGetFullPathName_U, RtlGetCurrentDirectory_U, NtQueryInformationProcess, RtlUnicodeStringToOemString, RtlReleasePebLock, RtlEqualUnicodeString, RtlAcquirePebLock, RtlFreeAnsiString, RtlSetCurrentDirectory_U, RtlTimeToTimeFields, NtSetSystemTime, RtlTimeFieldsToTime, NtQuerySystemInformation, RtlSetTimeZoneInformation, NtSetSystemInformation, RtlCutoverTimeToSystemTime, _allmul, NtEnumerateKey, RtlOpenCurrentUser, RtlQueryRegistryValues, _itow, DbgBreakPoint, RtlFreeSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, RtlAllocateAndInitializeSid, DbgPrint, NtOpenProcess, CsrGetProcessId, DbgUiDebugActiveProcess, DbgUiConnectToDbg, DbgUiIssueRemoteBreakin, NtSetInformationDebugObject, DbgUiGetThreadDebugObject, NtQueryInformationThread, DbgUiConvertStateChangeStructure, DbgUiWaitStateChange, DbgUiContinue, DbgUiStopDebugging, RtlDosPathNameToNtPathName_U, RtlIsDosDeviceName_U, RtlCreateAtomTable, NtAddAtom, RtlAddAtomToAtomTable, NtFindAtom, RtlLookupAtomInAtomTable, NtDeleteAtom, RtlDeleteAtomFromAtomTable, NtQueryInformationAtom, RtlQueryAtomInAtomTable, RtlOemStringToUnicodeString, RtlMultiByteToUnicodeN, RtlUnicodeToMultiByteN, RtlMultiByteToUnicodeSize, RtlPrefixUnicodeString, 
RtlLeaveCriticalSection, RtlEnterCriticalSection, NtEnumerateValueKey, RtlIsTextUnicode, NtReadFile, NtAllocateVirtualMemory, NtUnlockFile, NtLockFile, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, RtlCopyUnicodeString, NtFreeVirtualMemory, NtWriteFile, RtlCreateUnicodeString, RtlFormatCurrentUserKeyPath, RtlGetLongestNtPathLength, NtDuplicateObject, NtQueryKey, NtDeleteValueKey, RtlEqualString, CsrFreeCaptureBuffer, CsrCaptureMessageString, CsrAllocateCaptureBuffer, strncpy, RtlCharToInteger, RtlUpcaseUnicodeChar, RtlUpcaseUnicodeString, CsrAllocateMessagePointer, NtQueryObject, wcscmp, RtlCompareMemory, NtQueryDirectoryObject, NtQuerySymbolicLinkObject, NtOpenSymbolicLinkObject, NtOpenDirectoryObject, NtCreateIoCompletion, NtSetIoCompletion, NtRemoveIoCompletion, NtSetInformationProcess, NtQueryDirectoryFile, RtlDeleteCriticalSection, NtNotifyChangeDirectoryFile, NtWaitForSingleObject, RtlInitializeCriticalSection, NtQueryVolumeInformationFile, NtFlushBuffersFile, RtlDeactivateActivationContextUnsafeFast, RtlActivateActivationContextUnsafeFast, NtCancelIoFile, NtReadFileScatter, NtWriteFileGather, wcscpy, NtOpenSection, NtMapViewOfSection, NtFlushVirtualMemory, RtlFlushSecureMemoryCache, NtUnmapViewOfSection, NtCreateSection, NtQueryFullAttributesFile, swprintf, NtQueryAttributesFile, RtlDetermineDosPathNameType_U, NtRaiseHardError, NtQuerySystemEnvironmentValueEx, RtlGUIDFromString, NtSetSystemEnvironmentValueEx, RtlInitString, RtlUnlockHeap, RtlSetUserValueHeap, RtlFreeHandle, RtlAllocateHandle, RtlLockHeap, RtlSizeHeap, RtlGetUserInfoHeap, RtlReAllocateHeap, RtlIsValidHandle, RtlCompactHeap, RtlImageNtHeader, NtProtectVirtualMemory, NtQueryVirtualMemory, NtLockVirtualMemory, NtUnlockVirtualMemory, NtFlushInstructionCache, NtAllocateUserPhysicalPages, NtFreeUserPhysicalPages, NtMapUserPhysicalPages, NtMapUserPhysicalPagesScatter, NtGetWriteWatch, NtResetWriteWatch, NtSetInformationObject, LdrQueryImageFileExecutionOptions, CsrNewThread, 
CsrClientConnectToServer, RtlCreateTagHeap, LdrSetDllManifestProber, RtlSetThreadPoolStartFunc, RtlEncodePointer, _stricmp, wcscat, RtlCreateHeap, RtlDestroyHeap, RtlExtendHeap, RtlQueryTagHeap, RtlUsageHeap, RtlValidateHeap, RtlGetProcessHeaps, RtlWalkHeap, RtlSetHeapInformation, RtlQueryHeapInformation, RtlInitializeHandleTable, RtlExtendedLargeIntegerDivide, NtCreateMailslotFile, RtlFormatMessage, RtlFindMessage, LdrUnloadDll, LdrUnloadAlternateResourceModule, LdrDisableThreadCalloutsForDll, strchr, LdrGetDllHandle, LdrUnlockLoaderLock, LdrAddRefDll, RtlComputePrivatizedDllName_U, RtlPcToFileHeader, LdrLockLoaderLock, RtlGetVersion, LdrEnumerateLoadedModules, RtlVerifyVersionInfo, RtlUnicodeStringToInteger, LdrLoadAlternateResourceModule, RtlDosApplyFileIsolationRedirection_Ustr, LdrLoadDll, LdrGetProcedureAddress, LdrFindResource_U, LdrAccessResource, LdrFindResourceDirectory_U, RtlImageDirectoryEntryToData, _strcmpi, NtSetInformationThread, NtOpenThreadToken, NtCreateNamedPipeFile, RtlDefaultNpAcl, RtlDosSearchPath_Ustr, RtlInitUnicodeStringEx, RtlQueryEnvironmentVariable_U, RtlAnsiCharToUnicodeChar, RtlIntegerToChar, NtSetVolumeInformationFile, RtlIsNameLegalDOS8Dot3, NtQueryPerformanceCounter, sprintf, NtPowerInformation, NtInitiatePowerAction, NtSetThreadExecutionState, NtRequestWakeupLatency, NtGetDevicePowerState, NtIsSystemResumeAutomatic, NtRequestDeviceWakeup, NtCancelDeviceWakeupRequest, NtWriteVirtualMemory, LdrShutdownProcess, NtTerminateProcess, RtlRaiseStatus, RtlSetEnvironmentVariable, RtlExpandEnvironmentStrings_U, NtReadVirtualMemory, RtlCompareUnicodeString, NtCreateJobSet, NtCreateJobObject, NtIsProcessInJob, RtlEqualSid, RtlSubAuthoritySid, RtlInitializeSid, NtQueryInformationToken, NtOpenProcessToken, NtResumeThread, NtAssignProcessToJobObject, CsrCaptureMessageMultiUnicodeStringsInPlace, NtCreateThread, NtCreateProcessEx, RtlDestroyEnvironment, NtQuerySection, NtQueryInformationJobObject, RtlGetNativeSystemInformation, 
RtlxAnsiStringToUnicodeSize, NtOpenEvent, NtQueryEvent, NtTerminateThread, wcsrchr, NlsMbOemCodePageTag, RtlxUnicodeStringToOemSize, NtAdjustPrivilegesToken, RtlImpersonateSelf, wcsncmp, RtlDestroyProcessParameters, RtlCreateProcessParameters, RtlInitializeCriticalSectionAndSpinCount, NtSetEvent, NtClearEvent, NtPulseEvent, NtCreateSemaphore, NtOpenSemaphore, NtReleaseSemaphore, NtCreateMutant, NtOpenMutant, NtReleaseMutant, NtSignalAndWaitForSingleObject, NtWaitForMultipleObjects, NtDelayExecution, NtCreateTimer, NtOpenTimer, NtSetTimer, NtCancelTimer, NtCreateEvent, RtlCopyLuid, strrchr, _vsnwprintf, RtlReleaseActivationContext, RtlActivateActivationContextEx, RtlQueryInformationActivationContext, NtOpenThread, LdrShutdownThread, RtlFreeThreadActivationContextStack, NtGetContextThread, NtSetContextThread, NtSuspendThread, RtlRaiseException, RtlDecodePointer, towlower, RtlClearBits, RtlFindClearBitsAndSet, RtlAreBitsSet, NtQueueApcThread, NtYieldExecution, RtlRegisterWait, RtlDeregisterWait, RtlDeregisterWaitEx, RtlQueueWorkItem, RtlSetIoCompletionCallback, RtlCreateTimerQueue, RtlCreateTimer, RtlUpdateTimer, RtlDeleteTimer, RtlDeleteTimerQueueEx, CsrIdentifyAlertableThread, RtlApplicationVerifierStop, _alloca_probe, RtlDestroyQueryDebugBuffer, RtlQueryProcessDebugInformation, RtlCreateQueryDebugBuffer, RtlCreateEnvironment, RtlFreeOemString, strstr, toupper, isdigit, atol, tolower, NtOpenJobObject, NtTerminateJobObject, NtSetInformationJobObject, RtlAddRefActivationContext, RtlZombifyActivationContext, RtlActivateActivationContext, RtlDeactivateActivationContext, RtlGetActiveActivationContext, DbgPrintEx, LdrDestroyOutOfProcessImage, LdrAccessOutOfProcessResource, LdrFindCreateProcessManifest, LdrCreateOutOfProcessImage, RtlNtStatusToDosErrorNoTeb, RtlpApplyLengthFunction, RtlGetLengthWithoutLastFullDosOrNtPathElement, RtlpEnsureBufferSize, RtlMultiAppendUnicodeStringBuffer, _snwprintf, RtlCreateActivationContext, RtlFindActivationContextSectionString, 
RtlFindActivationContextSectionGuid, _allshl, RtlNtPathNameToDosPathName, RtlUnhandledExceptionFilter, CsrCaptureMessageBuffer, NtQueryInstallUILanguage, NtQueryDefaultUILanguage, wcspbrk, RtlGetDaclSecurityDescriptor, NtCreateDirectoryObject, _wcslwr, _wtol, RtlIntegerToUnicodeString, NtQueryDefaultLocale, _strlwr, RtlUnwind

PE Exports....................:

ActivateActCtx, AddAtomA, AddAtomW, AddConsoleAliasA, AddConsoleAliasW, AddLocalAlternateComputerNameA, AddLocalAlternateComputerNameW, AddRefActCtx, AddVectoredExceptionHandler, AllocConsole, AllocateUserPhysicalPages, AreFileApisANSI, AssignProcessToJobObject, AttachConsole, BackupRead, BackupSeek, BackupWrite, BaseCheckAppcompatCache, BaseCleanupAppcompatCache, BaseCleanupAppcompatCacheSupport, BaseDumpAppcompatCache, BaseFlushAppcompatCache, BaseInitAppcompatCache, BaseInitAppcompatCacheSupport, BaseProcessInitPostImport, BaseQueryModuleData, BaseUpdateAppcompatCache, BasepCheckWinSaferRestrictions, Beep, BeginUpdateResourceA, BeginUpdateResourceW, BindIoCompletionCallback, BuildCommDCBA, BuildCommDCBAndTimeoutsA, BuildCommDCBAndTimeoutsW, BuildCommDCBW, CallNamedPipeA, CallNamedPipeW, CancelDeviceWakeupRequest, CancelIo, CancelTimerQueueTimer, CancelWaitableTimer, ChangeTimerQueueTimer, CheckNameLegalDOS8Dot3A, CheckNameLegalDOS8Dot3W, CheckRemoteDebuggerPresent, ClearCommBreak, ClearCommError, CloseConsoleHandle, CloseHandle, CloseProfileUserMapping, CmdBatNotification, CommConfigDialogA, CommConfigDialogW, CompareFileTime, CompareStringA, CompareStringW, ConnectNamedPipe, ConsoleMenuControl, ContinueDebugEvent, ConvertDefaultLocale, ConvertFiberToThread, ConvertThreadToFiber, CopyFileA, CopyFileExA, CopyFileExW, CopyFileW, CopyLZFile, CreateActCtxA, CreateActCtxW, CreateConsoleScreenBuffer, CreateDirectoryA, CreateDirectoryExA, CreateDirectoryExW, CreateDirectoryW, CreateEventA, CreateEventW, CreateFiber, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateHardLinkA, CreateHardLinkW, CreateIoCompletionPort, CreateJobObjectA, CreateJobObjectW, CreateJobSet, CreateMailslotA, CreateMailslotW, CreateMemoryResourceNotification, CreateMutexA, CreateMutexW, CreateNamedPipeA, CreateNamedPipeW, CreateNlsSecurityDescriptor, CreatePipe, CreateProcessA, CreateProcessInternalA, CreateProcessInternalW, CreateProcessInternalWSecure, 
CreateProcessW, CreateRemoteThread, CreateSemaphoreA, CreateSemaphoreW, CreateSocketHandle, CreateTapePartition, CreateThread, CreateTimerQueue, CreateTimerQueueTimer, CreateToolhelp32Snapshot, CreateVirtualBuffer, CreateWaitableTimerA, CreateWaitableTimerW, DeactivateActCtx, DebugActiveProcess, DebugActiveProcessStop, DebugBreak, DebugBreakProcess, DebugSetProcessKillOnExit, DecodePointer, DecodeSystemPointer, DefineDosDeviceA, DefineDosDeviceW, DelayLoadFailureHook, DeleteAtom, DeleteCriticalSection, DeleteFiber, DeleteFileA, DeleteFileW, DeleteTimerQueue, DeleteTimerQueueEx, DeleteTimerQueueTimer, DeleteVolumeMountPointA, DeleteVolumeMountPointW, DeviceIoControl, DisableThreadLibraryCalls, DisconnectNamedPipe, DnsHostnameToComputerNameA, DnsHostnameToComputerNameW, DosDateTimeToFileTime, DosPathToSessionPathA, DosPathToSessionPathW, DuplicateConsoleHandle, DuplicateHandle, EncodePointer, EncodeSystemPointer, EndUpdateResourceA, EndUpdateResourceW, EnterCriticalSection, EnumCalendarInfoA, EnumCalendarInfoExA, EnumCalendarInfoExW, EnumCalendarInfoW, EnumDateFormatsA, EnumDateFormatsExA, EnumDateFormatsExW, EnumDateFormatsW, EnumLanguageGroupLocalesA, EnumLanguageGroupLocalesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceNamesA, EnumResourceNamesW, EnumResourceTypesA, EnumResourceTypesW, EnumSystemCodePagesA, EnumSystemCodePagesW, EnumSystemGeoID, EnumSystemLanguageGroupsA, EnumSystemLanguageGroupsW, EnumSystemLocalesA, EnumSystemLocalesW, EnumTimeFormatsA, EnumTimeFormatsW, EnumUILanguagesA, EnumUILanguagesW, EnumerateLocalComputerNamesA, EnumerateLocalComputerNamesW, EraseTape, EscapeCommFunction, ExitProcess, ExitThread, ExitVDM, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, ExpungeConsoleCommandHistoryA, ExpungeConsoleCommandHistoryW, ExtendVirtualBuffer, FatalAppExitA, FatalAppExitW, FatalExit, FileTimeToDosDateTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterA, 
FillConsoleOutputCharacterW, FindActCtxSectionGuid, FindActCtxSectionStringA, FindActCtxSectionStringW, FindAtomA, FindAtomW, FindClose, FindCloseChangeNotification, FindFirstChangeNotificationA, FindFirstChangeNotificationW, FindFirstFileA, FindFirstFileExA, FindFirstFileExW, FindFirstFileW, FindFirstVolumeA, FindFirstVolumeMountPointA, FindFirstVolumeMountPointW, FindFirstVolumeW, FindNextChangeNotification, FindNextFileA, FindNextFileW, FindNextVolumeA, FindNextVolumeMountPointA, FindNextVolumeMountPointW, FindNextVolumeW, FindResourceA, FindResourceExA, FindResourceExW, FindResourceW, FindVolumeClose, FindVolumeMountPointClose, FlushConsoleInputBuffer, FlushFileBuffers, FlushInstructionCache, FlushViewOfFile, FoldStringA, FoldStringW, FormatMessageA, FormatMessageW, FreeConsole, FreeEnvironmentStringsA, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeResource, FreeUserPhysicalPages, FreeVirtualBuffer, GenerateConsoleCtrlEvent, GetACP, GetAtomNameA, GetAtomNameW, GetBinaryType, GetBinaryTypeA, GetBinaryTypeW, GetCPFileNameFromRegistry, GetCPInfo, GetCPInfoExA, GetCPInfoExW, GetCalendarInfoA, GetCalendarInfoW, GetComPlusPackageInstallStatus, GetCommConfig, GetCommMask, GetCommModemStatus, GetCommProperties, GetCommState, GetCommTimeouts, GetCommandLineA, GetCommandLineW, GetCompressedFileSizeA, GetCompressedFileSizeW, GetComputerNameA, GetComputerNameExA, GetComputerNameExW, GetComputerNameW, GetConsoleAliasA, GetConsoleAliasExesA, GetConsoleAliasExesLengthA, GetConsoleAliasExesLengthW, GetConsoleAliasExesW, GetConsoleAliasW, GetConsoleAliasesA, GetConsoleAliasesLengthA, GetConsoleAliasesLengthW, GetConsoleAliasesW, GetConsoleCP, GetConsoleCharType, GetConsoleCommandHistoryA, GetConsoleCommandHistoryLengthA, GetConsoleCommandHistoryLengthW, GetConsoleCommandHistoryW, GetConsoleCursorInfo, GetConsoleCursorMode, GetConsoleDisplayMode, GetConsoleFontInfo, GetConsoleFontSize, GetConsoleHardwareState, GetConsoleInputExeNameA, 
GetConsoleInputExeNameW, GetConsoleInputWaitHandle, GetConsoleKeyboardLayoutNameA, GetConsoleKeyboardLayoutNameW, GetConsoleMode, GetConsoleNlsMode, GetConsoleOutputCP, GetConsoleProcessList, GetConsoleScreenBufferInfo, GetConsoleSelectionInfo, GetConsoleTitleA, GetConsoleTitleW, GetConsoleWindow, GetCurrencyFormatA, GetCurrencyFormatW, GetCurrentActCtx, GetCurrentConsoleFont, GetCurrentDirectoryA, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatA, GetDateFormatW, GetDefaultCommConfigA, GetDefaultCommConfigW, GetDefaultSortkeySize, GetDevicePowerState, GetDiskFreeSpaceA, GetDiskFreeSpaceExA, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetDllDirectoryA, GetDllDirectoryW, GetDriveTypeA, GetDriveTypeW, GetEnvironmentStrings, GetEnvironmentStringsA, GetEnvironmentStringsW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetExitCodeProcess, GetExitCodeThread, GetExpandedNameA, GetExpandedNameW, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFirmwareEnvironmentVariableA, GetFirmwareEnvironmentVariableW, GetFullPathNameA, GetFullPathNameW, GetGeoInfoA, GetGeoInfoW, GetHandleContext, GetHandleInformation, GetLargestConsoleWindowSize, GetLastError, GetLinguistLangSize, GetLocalTime, GetLocaleInfoA, GetLocaleInfoW, GetLogicalDriveStringsA, GetLogicalDriveStringsW, GetLogicalDrives, GetLogicalProcessorInformation, GetLongPathNameA, GetLongPathNameW, GetMailslotInfo, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetNamedPipeHandleStateA, GetNamedPipeHandleStateW, GetNamedPipeInfo, GetNativeSystemInfo, GetNextVDMCommand, GetNlsSectionName, GetNumaAvailableMemory, GetNumaAvailableMemoryNode, GetNumaHighestNodeNumber, GetNumaNodeProcessorMask, GetNumaProcessorMap, GetNumaProcessorNode, GetNumberFormatA, GetNumberFormatW, 
GetNumberOfConsoleFonts, GetNumberOfConsoleInputEvents, GetNumberOfConsoleMouseButtons, GetOEMCP, GetOverlappedResult, GetPriorityClass, GetPrivateProfileIntA, GetPrivateProfileIntW, GetPrivateProfileSectionA, GetPrivateProfileSectionNamesA, GetPrivateProfileSectionNamesW, GetPrivateProfileSectionW, GetPrivateProfileStringA, GetPrivateProfileStringW, GetPrivateProfileStructA, GetPrivateProfileStructW, GetProcAddress, GetProcessAffinityMask, GetProcessDEPPolicy, GetProcessHandleCount, GetProcessHeap, GetProcessHeaps, GetProcessId, GetProcessIoCounters, GetProcessPriorityBoost, GetProcessShutdownParameters, GetProcessTimes, GetProcessVersion, GetProcessWorkingSetSize, GetProfileIntA, GetProfileIntW, GetProfileSectionA, GetProfileSectionW, GetProfileStringA, GetProfileStringW, GetQueuedCompletionStatus, GetShortPathNameA, GetShortPathNameW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetStringTypeA, GetStringTypeExA, GetStringTypeExW, GetStringTypeW, GetSystemDEPPolicy, GetSystemDefaultLCID, GetSystemDefaultLangID, GetSystemDefaultUILanguage, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemPowerStatus, GetSystemRegistryQuota, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetSystemTimes, GetSystemWindowsDirectoryA, GetSystemWindowsDirectoryW, GetSystemWow64DirectoryA, GetSystemWow64DirectoryW, GetTapeParameters, GetTapePosition, GetTapeStatus, GetTempFileNameA, GetTempFileNameW, GetTempPathA, GetTempPathW, GetThreadContext, GetThreadIOPendingFlag, GetThreadLocale, GetThreadPriority, GetThreadPriorityBoost, GetThreadSelectorEntry, GetThreadTimes, GetTickCount, GetTimeFormatA, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultUILanguage, GetUserGeoID, GetVDMCurrentDirectories, GetVersion, GetVersionExA, GetVersionExW, GetVolumeInformationA, GetVolumeInformationW, GetVolumeNameForVolumeMountPointA, GetVolumeNameForVolumeMountPointW, GetVolumePathNameA, GetVolumePathNameW, 
GetVolumePathNamesForVolumeNameA, GetVolumePathNamesForVolumeNameW, GetWindowsDirectoryA, GetWindowsDirectoryW, GetWriteWatch, GlobalAddAtomA, GlobalAddAtomW, GlobalAlloc, GlobalCompact, GlobalDeleteAtom, GlobalFindAtomA, GlobalFindAtomW, GlobalFix, GlobalFlags, GlobalFree, GlobalGetAtomNameA, GlobalGetAtomNameW, GlobalHandle, GlobalLock, GlobalMemoryStatus, GlobalMemoryStatusEx, GlobalReAlloc, GlobalSize, GlobalUnWire, GlobalUnfix, GlobalUnlock, GlobalWire, Heap32First, Heap32ListFirst, Heap32ListNext, Heap32Next, HeapAlloc, HeapCompact, HeapCreate, HeapCreateTagsW, HeapDestroy, HeapExtend, HeapFree, HeapLock, HeapQueryInformation, HeapQueryTagW, HeapReAlloc, HeapSetInformation, HeapSize, HeapSummary, HeapUnlock, HeapUsage, HeapValidate, HeapWalk, InitAtomTable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedFlushSList, InterlockedIncrement, InterlockedPopEntrySList, InterlockedPushEntrySList, InvalidateConsoleDIBits, IsBadCodePtr, IsBadHugeReadPtr, IsBadHugeWritePtr, IsBadReadPtr, IsBadStringPtrA, IsBadStringPtrW, IsBadWritePtr, IsDBCSLeadByte, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessInJob, IsProcessorFeaturePresent, IsSystemResumeAutomatic, IsValidCodePage, IsValidLanguageGroup, IsValidLocale, IsValidUILanguage, IsWow64Process, LCMapStringA, LCMapStringW, LZClose, LZCloseFile, LZCopy, LZCreateFileW, LZDone, LZInit, LZOpenFileA, LZOpenFileW, LZRead, LZSeek, LZStart, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LoadModule, LoadResource, LocalAlloc, LocalCompact, LocalFileTimeToFileTime, LocalFlags, LocalFree, LocalHandle, LocalLock, LocalReAlloc, LocalShrink, LocalSize, LocalUnlock, LockFile, LockFileEx, LockResource, MapUserPhysicalPages, MapUserPhysicalPagesScatter, MapViewOfFile, MapViewOfFileEx, Module32First, Module32FirstW, Module32Next, Module32NextW, MoveFileA, 
Symantec Reputation: Suspicious.Insight
First seen by VirusTotal: 2009-04-16 16:51:52 UTC (3 years ago)
Last seen by VirusTotal: 2012-05-05 15:32:17 UTC (1 minute ago)


----------



## Robert the Bruce (Aug 16, 2006)

ComboFix 12-05-05.05 - Rowe 05/05/2012 17:02:00.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1451 [GMT 1:00]
Running from: c:\documents and settings\Rowe\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Rowe\My Documents\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Rowe\Application Data\inst.exe
c:\documents and settings\Rowe\Application Data\PriceGong
c:\documents and settings\Rowe\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Rowe\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Rowe\Application Data\vso_ts_preview.xml
c:\documents and settings\Rowe\GoToAssistDownloadHelper.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\NEW37.tmp
c:\windows\system32\NEW45.tmp
c:\windows\system32\NEW46.tmp
c:\windows\system32\roboot.exe
c:\windows\system32\SETA0.tmp
c:\windows\system32\SETAC.tmp
c:\windows\system32\SETF4.tmp
E:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-04-05 to 2012-05-05 )))))))))))))))))))))))))))))))
.
.
2012-05-05 13:49 . 2012-04-12 23:36	6734704	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E24263AB-CA96-4358-A6B3-A85D436EA6D9}\mpengine.dll
2012-05-04 10:21 . 2012-04-12 23:36	6734704	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-02 14:39 . 2012-01-31 12:44	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-05-02 14:37 . 2012-05-02 14:38	--------	d-----w-	c:\program files\Microsoft Security Client
2012-05-02 14:26 . 2012-05-02 14:26	10288512	----a-w-	c:\program files\mseinstall.exe
2012-05-02 14:17 . 2012-05-02 14:17	--------	dc----w-	c:\documents and settings\All Users\Uniblue
2012-04-26 18:50 . 2012-04-26 18:50	--------	d-----w-	c:\documents and settings\Rowe\Application Data\ElevatedDiagnostics
2012-04-16 18:18 . 2012-04-18 06:35	--------	d-----w-	c:\documents and settings\Rowe\Local Settings\Application Data\LogMeIn Rescue Applet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 19:47 . 2012-04-03 09:44	419488	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-05-04 19:47 . 2011-05-18 16:34	70304	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-02 20:47 . 2012-04-02 20:47	25685128	----a-w-	c:\program files\wordview_en-us.exe
2012-03-20 19:44 . 2012-03-20 19:44	171064	----a-w-	c:\windows\system32\drivers\MpFilter.sys
2012-03-02 17:33 . 2012-03-02 17:33	73728	----a-w-	c:\windows\system32\javacpl.cpl
2012-03-02 17:33 . 2010-06-05 09:57	472808	----a-w-	c:\windows\system32\deployJava1.dll
2012-03-01 11:01 . 2004-08-04 12:00	916992	----a-w-	c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00	43520	----a-w-	c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-02-29 23:58 . 2011-09-29 16:45	881984	----a-w-	c:\windows\system32\nvgenco32.dll
2012-02-29 23:58 . 2011-09-29 16:45	1000256	----a-w-	c:\windows\system32\nvdispco32.dll
2012-02-29 23:58 . 2010-06-03 16:07	65536	----a-w-	c:\windows\system32\OpenCL.dll
2012-02-29 23:58 . 2010-06-03 16:07	2522944	----a-w-	c:\windows\system32\nvcuvid.dll
2012-02-29 23:58 . 2010-06-03 16:07	2437440	----a-w-	c:\windows\system32\nvcuvenc.dll
2012-02-29 23:58 . 2010-06-03 16:07	5918720	----a-w- c:\windows\system32\nvcuda.dll
2012-02-29 23:58 . 2010-06-03 16:07	17534976	----a-w-	c:\windows\system32\nvcompiler.dll
2012-02-29 23:58 . 2006-10-29 15:16	18624512	----a-w-	c:\windows\system32\nvoglnt.dll
2012-02-29 23:58 . 2006-10-29 15:16	2291712	----a-w-	c:\windows\system32\nvapi.dll
2012-02-29 23:58 . 2006-10-29 15:16	13417632	----a-w-	c:\windows\system32\drivers\nv4_mini.sys
2012-02-29 23:58 . 2006-10-29 15:16	4309760	----a-w-	c:\windows\system32\nv4_disp.dll
2012-02-29 20:30 . 2010-04-03 18:22	54272	----a-w-	c:\windows\system32\nvwddi.dll
2012-02-29 20:30 . 2010-04-03 18:23	15494464	----a-w-	c:\windows\system32\nvcpl.dll
2012-02-29 20:30 . 2010-04-03 18:23	143680	----a-w-	c:\windows\system32\nvcolor.exe
2012-02-29 20:30 . 2010-04-03 18:23	164160	----a-w-	c:\windows\system32\nvsvc32.exe
2012-02-29 20:30 . 2010-04-03 18:23	108352	----a-w-	c:\windows\system32\nvmctray.dll
2012-02-29 14:10 . 2004-08-04 12:00	177664	----a-w-	c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 12:00	148480	----a-w-	c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 12:00	385024	----a-w-	c:\windows\system32\html.iec
2003-08-27 13:19 . 2010-06-02 20:34	36963	----a-r-	c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-05_13.39.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-05 15:59 . 2012-05-05 15:59	16384 c:\windows\Temp\Perflib_Perfdata_88.dat
+ 2012-05-05 15:59 . 2012-05-05 15:59	16384 c:\windows\Temp\Perflib_Perfdata_700.dat
+ 2004-08-04 12:00 . 2012-05-05 16:03	67862 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-05-05 12:39	67862 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2012-05-05 16:03	433098 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-05-05 12:39	433098 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-15 39408]
"Akamai NetSession Interface"="c:\documents and settings\Rowe\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-03-13 3331872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R800"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE" [2005-01-13 98304]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-04 273528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VideoCam Suite.lnk - c:\program files\Common Files\Panasonic\VideoCam Suite AutoStart\VideoCamSuiteAutoStart.exe [2011-8-12 349584]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reboot.exe]
backup=c:\windows\pss\Reboot.exeCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-07-31 10:45	139264	----a-w-	c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12	15360	----a-w-	c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	----a-w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	----a-w-	c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 13:20	94208	----a-r-	c:\windows\SM1bg.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Rowe\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1056:TCP"= 1056:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 13:00 14336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [21/02/2012 21:15 2348352]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [02/06/2010 13:12 372480]
S1 bhjavovc;bhjavovc;\??\c:\windows\system32\drivers\bhjavovc.sys --> c:\windows\system32\drivers\bhjavovc.sys [?]
S1 enrdtbrw;enrdtbrw;\??\c:\windows\system32\drivers\enrdtbrw.sys --> c:\windows\system32\drivers\enrdtbrw.sys [?]
S1 fctzjrqs;fctzjrqs;\??\c:\windows\system32\drivers\fctzjrqs.sys --> c:\windows\system32\drivers\fctzjrqs.sys [?]
S1 fejhjcvg;fejhjcvg;\??\c:\windows\system32\drivers\fejhjcvg.sys --> c:\windows\system32\drivers\fejhjcvg.sys [?]
S1 jmusqmwj;jmusqmwj;\??\c:\windows\system32\drivers\jmusqmwj.sys --> c:\windows\system32\drivers\jmusqmwj.sys [?]
S1 nxkrioic;nxkrioic;\??\c:\windows\system32\drivers\nxkrioic.sys --> c:\windows\system32\drivers\nxkrioic.sys [?]
S2 bwcdrv;bwcdrv;c:\windows\system32\drivers\BWCDRV.SYS [21/12/2003 09:21 19840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/06/2010 23:20 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 10:44 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [03/06/2010 16:12 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [08/06/2010 23:20 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 19:47]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 22:20]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 22:20]
.
2012-05-05 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]
.
2012-05-05 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]
.
2012-05-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 13:40]
.
2012-05-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 13:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-05 17:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\00\1c\0b4;?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\msv1_0.dll
.
Completion time: 2012-05-05 17:10:06
ComboFix-quarantined-files.txt 2012-05-05 16:10
ComboFix2.txt 2012-05-05 13:41
.
Pre-Run: 57,460,260,864 bytes free
Post-Run: 57,490,661,376 bytes free
.
- - End Of File - - E8CDD58287DFCFDC3760FD3878D41FB4


----------



## Glaswegian (Dec 5, 2004)

Hi

No need to go back to Virustotal - I found the file details using one of the identifiers in the log you posted - the file was clean.

Once you have posted the Malwarebytes scan results I'll post further instructions.


----------



## Robert the Bruce (Aug 16, 2006)

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.05.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Rowe :: ROWE-B1115B646A [administrator]

Protection: Enabled

05/05/2012 17:33:19
mbam-log-2012-05-05 (17-33-19).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 291351
Time elapsed: 47 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\system32\Tools\ChPrio.exe (Spyware.Password) -> Quarantined and deleted successfully.

(end)
I'm pissed off to say the least. This is the 6th attempt at getting back on here. After the Malware scan I restarted my computer. It froze after start-up. As soon as I tried to do anything the screen either froze or I was left with the egg-timer icon. This happened a further 5 times. Why ? Why wasn't I told that this might happen ?


----------



## Robert the Bruce (Aug 16, 2006)

I'm now starting to feel a little disconcerted. Lack of replies to my last post is leaving me with a feeling of helplessness. Switching on my computer to-day I had the same problem. After start-up my computer freezes and I'm left with an egg-timer (loading) icon. Microsoft Essentials icon on the taskbar is RED at this point. I had to press the restart button on the front of my computer and just hope for the best.
What worries me most is the fact that I lost my job recently and so can't afford computer repairs or a new computer, moreover I need the computer to look for a job. Where are you ?


----------



## Robert the Bruce (Aug 16, 2006)

After switching on my computer both yesterday and to-day I found that my computer screen, once started up, tends to freeze. I'm left with the loading egg-timer icon. My Microsoft Essentials icon on the taskbar is red at this point. I'm forced to press the restart button at the front of my computer in order to re-start and then hope for the best.
This new problem only started after, see thread here http://forums.techguy.org/virus-other-malware-removal/1051715-cant-get-rid-adware-4.html#post8345263.
I lost my job recently and so cannot afford repairs or a new computer. Moreover, I need my computer to look for a job. One problem has led straight into another. What happened ?


----------



## Drabdr (Nov 26, 2007)

Robert the Bruce,

I have merged the information from the thread you just started into one thread. Please do not start duplicate threads on the same subject.

Please be patient with the helpers.


----------



## LauraMJ (Mar 18, 2004)

> I'm now starting to feel a little disconcerted. Lack of replies to my last post is leaving me with a feeling of helplessness.


Did you happen to notice the size of the logs and information you are giving your helper? EACH AND EVERY single line of those logs has to be researched and analyzed in order to give YOU the highest quality help and instructions and to provide YOU with as much protection and care for YOUR computer as possible. ALL OF THIS is done without asking for any pay or even really any thanks.

It would be just a bit nice if you would show just a small amount of gratitude and patience for someone's extreme attention to detail and hard work.......all for YOUR benefit.....and wait until they have had time to analyze and research YOUR problems.


----------



## Robert the Bruce (Aug 16, 2006)

All I know is my computer could be on the verge of breaking down entirely, and me with it through no fault of my own. I'm well aware those guys do a good job and if I knew as much about computers as they do I also would be helping other folk. I'm sure you understand that as far as I knew my computer was almost fixed, and now this. Thing is, now my computer has another problem and that was AFTER following instructions. I just can't understand why I wasn't told this might happen and what to do if it did. I just hope they haven't given up on me. I'll try to be patient but I hope you can understand my desperation.


----------



## Cookiegal (Aug 27, 2003)

I believe a false positive detection by MalwareBytes (and subsequent file quarantine) is responsible for the problems you're currently experiencing. MalwareBytes is an excellent program and false detections do occur with EVERY security program at times. That is why we always recommend that default action be set to quarantine rather than remove or delete so that things can be restored, if necessary. Unfortunately, false detections are impossible for any malware removal specialist to foresee. 

I am in the process of verifying this with the developers of MalwareBytes. If I'm correct then we can restore the file. Please bear with us and do not attempt to restore the file until we hear back from them. They may need something from you in order to verify the integrity of this particular file and/or why it was detected and we would appreciate your patience and cooperation in that regard.


----------



## LauraMJ (Mar 18, 2004)

Robert the Bruce said:


> All I know is my computer could be on the verge of breaking down entirely, and me with it through no fault of my own. I'm well aware those guys do a good job and if I knew as much about computers as they do I also would be helping other folk. I'm sure you understand that as far as I knew my computer was almost fixed, and now this. Thing is, now my computer has another problem and that was AFTER following instructions. I just can't understand why I wasn't told this might happen and what to do if it did. I just hope they haven't given up on me. I'll try to be patient but I hope you can understand my desperation.


Desperation is one thing (and pretty normal here, I might add), rudeness, impatience, cursing at helpers (like wtf in an earlier post) is quite another and is really not acceptable. While you may realize it because of your desperation, some of your posts have not been very polite, or even nice. So as far as your comment to "back off" is concerned--It's my job here as Administrator to bring that to a poster's attention and insist on civility and politeness with helpers. We all understand your desperation and confusion....the vast majority of posters here are in the same boat as you. You are not the first, nor will you be the last to be worried and concerned about your computer. However, from here on out, I suggest you take a deep breath and try to create posts that ask questions in a polite and patient manner.


> I'm sure you understand that as far as I knew my computer was almost fixed, and now this.


I'm not sure why you thought that, as Glaswegian seemed rather clear that you had multiple problems yet to be fixed.  At any rate, it would probably be helpful if you ask your helper that sort of thing as they can give you a clearer estimation of how close to being fixed it is.


----------



## Robert the Bruce (Aug 16, 2006)

OK, points taken.


----------



## Cookiegal (Aug 27, 2003)

It has been confirmed to me that it was indeed a false positive and will be fixed in the next update. The developers are very quick to address such things, I might add. As I'm not sure when the next update comes out and you seem to have downloaded the trial version of MalwareBytes rather than the free version, should a detection pop up again on this same file do not allow MBAM to quarantine it (tell it to ignore).

So please open the MalwareBytes program and click on the Quarantine tab. There should be two items in there but ONLY one is a false positive so please highlight ONLY the following entry:

*C:\WINDOWS\system32\Tools\ChPrio.exe*

Then go down to the right and click on the button that says "Restore" then exit the program. If you're unsure of the process, I'm including a link that has a video showing how to do it:

http://helpdesk.malwarebytes.org/entries/20849911-how-to-restore-items-from-quarantine

Then reboot the machine and hopefully this will improve the performance although there are still some issues with malware that can have some effect. Please wait now for Glaswegian to continue this with you.


----------



## Robert the Bruce (Aug 16, 2006)

OK I've done that. I'll reboot my computer now but I have a horrible feeling about this. Are you saying that my computer wasn't starting properly and getting stuck on the egg-timer/loading icon because of that false positive ?


----------



## Cookiegal (Aug 27, 2003)

Yes, because the file was related to a reboot program tied to the motherboard.


----------



## Robert the Bruce (Aug 16, 2006)

OK, here goes.


----------



## Robert the Bruce (Aug 16, 2006)

It didn't work. This is the 6th attempt at getting back here. Computer will start-up with Microsoft Essentials in the red or the Microsoft Essentials icon (on the taskbar) not there at all. As soon as I attempt to do anything the screen freezes or I'm left with the egg-timer/loading icon. Please tell me what is going on ? Why was I told this would fix the start-up problem when clearly it DIDN'T ? Please understand, I didn't have this particular problem BEFORE coming on here. I feel I'm going backwards. HELP PLEASE.


----------



## Cookiegal (Aug 27, 2003)

Can you verify that this file now exists in this location?

C:\WINDOWS\system32\Tools\ChPrio.exe


----------



## Cookiegal (Aug 27, 2003)

Are you having difficulty with locating the file?


----------



## Robert the Bruce (Aug 16, 2006)

I got as far as 'Tools' and a MalwareBytes Window popped up which said 'Malware Anti-Malware has detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below: Ignore
Disable Protection
Quarantine.'
Now, I couldn't do anything more unless I chose an option so I chose 'Ignore.' MalwareBytes named the file you mentioned within the window and yes, the file was there. Strange though, if I was a TSG volunteer helper I'd like to think that I would have foreseen that this might happen and issued instructions beforehand. As it turned out I had to choose an option which may have been the wrong one. Also, I get the feeling that this file is supposed to be there and if that's the case then what's wrong, why did Malware do what it did ? I hope I'm wrong but it's yet another step backwards it seems. Don't give up please.


----------



## Cookiegal (Aug 27, 2003)

It's hard not to give up with your condescending tone but I'm trying.

Yes, I should have told you to update MalwareBytes but because I wasn't sure if the update had been issued yet, I DID tell you to choose ignore if that file was flagged again.

So update MalwareBytes now. Then open it up and see if that file is still shown in quarantine. If so, restore it again. Then verify that it exists in its proper location and let me know.


----------



## Cookiegal (Aug 27, 2003)

Also, disable MBAM's real-time protection before doing the above (if it's not too late). I have to look for the instructions so please wait and I'll post back.


----------



## Robert the Bruce (Aug 16, 2006)

I'm sorry. But I'm getting exasperated. I feel I may lose the use of my computer and that would be disastrous with regards to searching for a job and as I said before, I simply can't afford a new computer or repair costs. I'll get back to you soon. It's meal-time here.


----------



## Cookiegal (Aug 27, 2003)

OK. Thank you. I understand your frustration but we will get there. Here are the instructions to disable MalwareBytes' real-time protection and also change the setting so it doesn't start when you reboot the machine (so it doesn't interfere again). Do this before restoring the file and checking that it was restored to its proper location.

Right-click the MBAM icon in your system tray and uncheck Enable Protection. After confirming, right-click the icon again and uncheck Start with Windows so it doesn't load when you reboot the computer.


----------



## Cookiegal (Aug 27, 2003)

I'm taking the dog for a walk and then have to do some yard work so I'll check back later on.


----------



## Robert the Bruce (Aug 16, 2006)

OK I've done that but before I go any further, I'm still seeing within MalwareBytes window a green Protection box which says 'enabled' and with no access to the box to uncheck it. Although I have done the right-click thing you asked me to do. OK to proceed ?


----------



## Robert the Bruce (Aug 16, 2006)

What about the 3 other boxes?

1 - Start File Execution Blocking When Protection Module Starts
2 - Start Malicious Website Blocking When Protection Module Starts
3 - Show Tooltip Balloon When Malicious Website Is Blocked (which seems to be every website there is.)

The file is not there (i.e. in quarantine), just the 'Pup.MyWebSear....' but the file IS in Windows/System32/Tools.


----------



## Robert the Bruce (Aug 16, 2006)

Also, what kind of program offers protection by preventing your computer from starting up ? I don't get it, why would it do that ? Also, all of this because of an Adware file ?


----------



## Cookiegal (Aug 27, 2003)

As long as you've unchecked "Start with Windows" the program shouldn't start when you reboot the computer. If the file in question is no longer in quarantine but IS in its proper place then it shouldn't be blocked by MBAM when you reboot.


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> Also, what kind of program offers protection by preventing your computer from starting up ? I don't get it, why would it do that ? Also, all of this because of an Adware file ?


I'm not sure what you mean by this. I explained to you that it's a false detection and that this occurs from time to time. How it affects the computer depends on the file and what purpose it serves.


----------



## Robert the Bruce (Aug 16, 2006)

Right, so what now ?


----------



## Glaswegian (Dec 5, 2004)

Hi again

Malware removal is not an exact science - all computer systems are different, and all have different programmes installed. Yes, sometimes things happen which one cannot predict - often the malware can react when we try to remove it, or removal of one piece can reveal further malware which had been previously hidden. All I can ask is that you follow my instructions and we *will* clean your system.

You should also know that I have a family and a job - I cannot spend 24 hours a day online doing this - I had a greenhouse to construct today...

Before I ask you to run another scan I would like you to go back to Virustotal (please *enable* cookies this time) and scan that kernel32 file again. Please follow these instructions carefully.

Please go to: *VirusTotal*


Make sure the 'Upload a file' tab is selected.
To the right of the page you'll find a "*Choose File*" button.


Click the "Choose File" button and browse to this file in *RED*:

*c:\windows\system32\kernel32.dll*

Then click the blue "*Scan it!*" button in the middle of the VirusTotal page.
 If you receive a message saying the File has already been analyzed click *Reanalyze file now.*
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.


----------



## Cookiegal (Aug 27, 2003)

I will leave you with Glaswegian now but will be following along. Please follow his instructions carefully.


----------



## Robert the Bruce (Aug 16, 2006)

Hello again. Thanks Cheeseball.
Yes I understand what you mean. Hope your Greenhouse went up OK. First of all, how and where do I enable cookies ?


----------



## Glaswegian (Dec 5, 2004)

Well, the frame is all done - just the glass left now, but I think I'll be leaving that for a few days.

For IE, go to Tools > Internet Options > Privacy tab and move the slider to Low or Accept all Cookies. Click OK. Once you have completed the scan you can reverse these instructions to put the setting back again.


----------



## Robert the Bruce (Aug 16, 2006)

× Cookies are disabled! This site requires cookies to be enabled to work properly 

Analysis completed. 
SHA256: d3b69a8b59e07e775f99871c4ad107a4f72f392325695e7f261f6aa6e590d4e6 
SHA1: c88d57cc99f75cd928b47b6e444231f26670138f 
MD5: b921fb870c9ac0d509b2ccabbbbe95f3 
File size: 966.5 KB ( 989696 bytes ) 
File name: C:\WINDOWS\system32\kernel32.dll 
File type: Win32 DLL 
Detection ratio: 0 / 42 
Analysis date: 2012-05-06 19:38:13 UTC ( 0 minutes ago )

Antivirus Result Update 
AhnLab-V3 - 20120506 
AntiVir - 20120506 
Antiy-AVL - 20120506 
Avast - 20120506 
AVG - 20120506 
BitDefender - 20120506 
ByteHero - 20120505 
CAT-QuickHeal - 20120505 
ClamAV - 20120506 
Commtouch - 20120506 
Comodo - 20120506 
DrWeb - 20120506 
Emsisoft - 20120506 
eSafe - 20120506 
eTrust-Vet - 20120504 
F-Prot - 20120506 
F-Secure - 20120506 
Fortinet - 20120506 
GData - 20120506 
Ikarus - 20120506 
Jiangmin - 20120506 
K7AntiVirus - 20120505 
Kaspersky - 20120506 
McAfee - 20120506 
McAfee-GW-Edition - 20120506 
Microsoft - 20120506 
NOD32 - 20120506 
Norman - 20120506 
nProtect - 20120506 
Panda - 20120506 
PCTools - 20120506 
Rising - 20120504 
Sophos - 20120506 
SUPERAntiSpyware - 20120411 
Symantec - 20120506 
TheHacker - 20120505 
TrendMicro - 20120506 
TrendMicro-HouseCall - 20120506 
VBA32 - 20120504 
VIPRE - 20120506 
ViRobot - 20120506 
VirusBuster - 20120506


I changed the settings to 'Allow All Cookies' but that's not what it says at the top of the page. Hope that's not what it means in this case. Also, I left this page running during the scan, is that OK ?


----------



## Glaswegian (Dec 5, 2004)

Hi again

That looks fine thanks.

Looking at the last ComboFix log I'm not sure the script worked correctly.

To make it easier for you I have attached a CFScript file to this post. Simply download the file to your desktop. Once you have used the file I shall remove it - we don't want anyone else to use it.



Referring to the picture above, drag *CFScript* onto *ComboFix.exe.*

*If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.*

When finished, it will produce a log for you at *"C:\ComboFix.txt"*

*Do not mouseclick combofix's window whilst it's running. This may cause it to stall.*

*CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!*

Please post the log *C:\ComboFix.txt * for further review.


----------



## Robert the Bruce (Aug 16, 2006)

Here we go again, sorry. I really don't know what you want me to do here. I'm dragging the script into the cat's mouth but nothing's happening. Do you mean I've to drag the text using the little black window/box I see here?


----------



## Glaswegian (Dec 5, 2004)

Hi

Did you download the attachment to your desktop? Is the file *CFScript.txt *now sitting on your desktop?


----------



## Robert the Bruce (Aug 16, 2006)

ComboFix 12-05-06.03 - Rowe 06/05/2012 21:07:13.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1341 [GMT 1:00]
Running from: c:\documents and settings\Rowe\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Rowe\My Documents\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\bhjavovc.sys"
"c:\windows\system32\drivers\enrdtbrw.sys"
"c:\windows\system32\drivers\fctzjrqs.sys"
"c:\windows\system32\drivers\fejhjcvg.sys"
"c:\windows\system32\drivers\jmusqmwj.sys"
"c:\windows\system32\drivers\nxkrioic.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rowe\Application Data\vso_ts_preview.xml
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_bhjavovc
-------\Service_enrdtbrw
-------\Service_fctzjrqs
-------\Service_fejhjcvg
-------\Service_jmusqmwj
-------\Service_nxkrioic
.
.
((((((((((((((((((((((((( Files Created from 2012-04-06 to 2012-05-06 )))))))))))))))))))))))))))))))
.
.
2012-05-06 20:16 . 2012-05-06 20:16	29904	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{68F8EE81-E804-4DD5-A6F3-64433F07302C}\MpKsl89c10b19.sys
2012-05-05 18:04 . 2012-04-12 23:36	6734704	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{68F8EE81-E804-4DD5-A6F3-64433F07302C}\mpengine.dll
2012-05-05 16:32 . 2012-05-05 16:32	--------	d-----w-	c:\documents and settings\Rowe\Application Data\Malwarebytes
2012-05-05 16:32 . 2012-05-05 16:32	--------	dc----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-05 16:32 . 2012-04-04 14:56	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-05-05 16:32 . 2012-05-05 16:32	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2012-05-05 16:23 . 2012-04-12 23:36	6734704	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-02 14:39 . 2012-01-31 12:44	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-05-02 14:37 . 2012-05-02 14:38	--------	d-----w-	c:\program files\Microsoft Security Client
2012-05-02 14:26 . 2012-05-02 14:26	10288512	----a-w-	c:\program files\mseinstall.exe
2012-05-02 14:17 . 2012-05-02 14:17	--------	dc----w-	c:\documents and settings\All Users\Uniblue
2012-04-26 18:50 . 2012-04-26 18:50	--------	d-----w-	c:\documents and settings\Rowe\Application Data\ElevatedDiagnostics
2012-04-16 18:18 . 2012-04-18 06:35	--------	d-----w-	c:\documents and settings\Rowe\Local Settings\Application Data\LogMeIn Rescue Applet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 19:47 . 2012-04-03 09:44	419488	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-05-04 19:47 . 2011-05-18 16:34	70304	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-02 20:47 . 2012-04-02 20:47	25685128	----a-w-	c:\program files\wordview_en-us.exe
2012-03-20 19:44 . 2012-03-20 19:44	171064	----a-w-	c:\windows\system32\drivers\MpFilter.sys
2012-03-02 17:33 . 2012-03-02 17:33	73728	----a-w-	c:\windows\system32\javacpl.cpl
2012-03-02 17:33 . 2010-06-05 09:57	472808	----a-w-	c:\windows\system32\deployJava1.dll
2012-03-01 11:01 . 2004-08-04 12:00	916992	----a-w-	c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00	43520	----a-w-	c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-02-29 23:58 . 2011-09-29 16:45	881984	----a-w-	c:\windows\system32\nvgenco32.dll
2012-02-29 23:58 . 2011-09-29 16:45	1000256	----a-w-	c:\windows\system32\nvdispco32.dll
2012-02-29 23:58 . 2010-06-03 16:07	65536	----a-w-	c:\windows\system32\OpenCL.dll
2012-02-29 23:58 . 2010-06-03 16:07	2522944	----a-w-	c:\windows\system32\nvcuvid.dll
2012-02-29 23:58 . 2010-06-03 16:07	2437440	----a-w-	c:\windows\system32\nvcuvenc.dll
2012-02-29 23:58 . 2010-06-03 16:07	5918720	----a-w-	c:\windows\system32\nvcuda.dll
2012-02-29 23:58 . 2010-06-03 16:07	17534976	----a-w-	c:\windows\system32\nvcompiler.dll
2012-02-29 23:58 . 2006-10-29 15:16	18624512	----a-w-	c:\windows\system32\nvoglnt.dll
2012-02-29 23:58 . 2006-10-29 15:16	2291712	----a-w-	c:\windows\system32\nvapi.dll
2012-02-29 23:58 . 2006-10-29 15:16	13417632	----a-w-	c:\windows\system32\drivers\nv4_mini.sys
2012-02-29 23:58 . 2006-10-29 15:16	4309760	----a-w-	c:\windows\system32\nv4_disp.dll
2012-02-29 20:30 . 2010-04-03 18:22	54272	----a-w-	c:\windows\system32\nvwddi.dll
2012-02-29 20:30 . 2010-04-03 18:23	15494464	----a-w-	c:\windows\system32\nvcpl.dll
2012-02-29 20:30 . 2010-04-03 18:23	143680	----a-w-	c:\windows\system32\nvcolor.exe
2012-02-29 20:30 . 2010-04-03 18:23	164160	----a-w-	c:\windows\system32\nvsvc32.exe
2012-02-29 20:30 . 2010-04-03 18:23	108352	----a-w-	c:\windows\system32\nvmctray.dll
2012-02-29 14:10 . 2004-08-04 12:00	177664	----a-w-	c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 12:00	148480	----a-w-	c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 12:00	385024	----a-w-	c:\windows\system32\html.iec
2003-08-27 13:19 . 2010-06-02 20:34	36963	----a-r-	c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((( [email protected]_13.39.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-06 20:15 . 2012-05-06 20:15	16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
+ 2012-05-06 20:16 . 2012-05-06 20:16	16384 c:\windows\Temp\Perflib_Perfdata_1bc.dat
- 2010-06-03 15:06 . 2009-11-16 13:09	89088 c:\windows\system32\Tools\ChPrio.exe
+ 2012-05-06 14:39 . 2012-05-06 14:39	89088 c:\windows\system32\Tools\ChPrio.exe
+ 2004-08-04 12:00 . 2012-05-06 15:39	67862 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-05-05 12:39	67862 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2012-05-06 15:39	433098 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-05-05 12:39	433098 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-15 39408]
"Akamai NetSession Interface"="c:\documents and settings\Rowe\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-03-13 3331872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R800"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE" [2005-01-13 98304]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-04 273528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VideoCam Suite.lnk - c:\program files\Common Files\Panasonic\VideoCam Suite AutoStart\VideoCamSuiteAutoStart.exe [2011-8-12 349584]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reboot.exe]
backup=c:\windows\pss\Reboot.exeCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-07-31 10:45	139264	----a-w-	c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12	15360	----a-w-	c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	----a-w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	----a-w-	c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 13:20	94208	----a-r-	c:\windows\SM1bg.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Rowe\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1062:TCP"= 1062:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 MpKsl89c10b19;MpKsl89c10b19;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{68F8EE81-E804-4DD5-A6F3-64433F07302C}\MpKsl89c10b19.sys [06/05/2012 21:16 29904]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 13:00 14336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [05/05/2012 17:32 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [21/02/2012 21:15 2348352]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [02/06/2010 13:12 372480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [05/05/2012 17:32 22344]
S2 bwcdrv;bwcdrv;c:\windows\system32\drivers\BWCDRV.SYS [21/12/2003 09:21 19840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/06/2010 23:20 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 10:44 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [03/06/2010 16:12 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [08/06/2010 23:20 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL89C10B19
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 19:47]
.
2012-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 22:20]
.
2012-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 22:20]
.
2012-05-06 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]
.
2012-05-06 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]
.
2012-05-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 13:40]
.
2012-05-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 13:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-06 21:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\00\1c\0b4;?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2344)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Drivers\bwcsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RunDLL32.exe
.
**************************************************************************
.
Completion time: 2012-05-06 21:20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-06 20:20
ComboFix2.txt 2012-05-05 16:10
ComboFix3.txt 2012-05-05 13:41
.
Pre-Run: 52,021,178,368 bytes free
Post-Run: 52,167,962,624 bytes free
.
- - End Of File - - B21F297F41E5CB6475FA74A3A149F5AF
You may want me to run the scan again because I forgot I'm supposed to turn off Microsoft Essentials-Real Time Protection etc before running the scan.


----------



## Glaswegian (Dec 5, 2004)

Excellent - nicely done.

I'll be back soon with further instructions once I review this log. I've deleted the attachment.


----------



## Glaswegian (Dec 5, 2004)

Hi again

That looks much better. How is your system running now?

Download *Security Check* by screen317 from  *here* or  *here*.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called *checkup.txt*; please post the contents of that document.


----------



## Robert the Bruce (Aug 16, 2006)

Results of screen317's Security Check version 0.99.32 
Windows XP Service Pack 3 x86 
Internet Explorer 8 
*`````````````````````````````` 
Antivirus/Firewall Check:* 
Windows Firewall Enabled! 
Microsoft Security Essentials 
*``````````````````````````````` 
Anti-malware/Other Utilities Check:* 
Java(TM) 6 Update 31 
*```````````````````````````````` 
Process Check: 
objlist.exe by Laurent* 
Windows Defender MSMpEng.exe 
Malwarebytes' Anti-Malware mbamservice.exe 
Microsoft Security Essentials msseces.exe 
*``````````End of Log````````````*


----------



## Glaswegian (Dec 5, 2004)

Hi

How is your system running now?

Let's run an online scan.

Go *here* to run an online scanner from ESET.
*Note:* You will need to use *Internet Explorer* for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the activex control to install
Click *Start*
Make sure that the option *Remove found threats* is unticked and the *Scan Archives* option is ticked.
Click on Advanced Settings, ensure the options *Scan for potentially unwanted applications*, *Scan for potentially unsafe applications*, and *Enable Anti-Stealth Technology* are ticked.
Click *Scan*
Wait for the scan to finish
Use *notepad* to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.


----------



## Robert the Bruce (Aug 16, 2006)

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=47131eb03b253a4fa971e9575a68ca9e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-06 10:26:55
# local_time=2012-05-06 11:26:55 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776869 42 92 4876 4071986 0 0
# compatibility_mode=8192 67108863 100 0 176 176 0 0
# scanned=82485
# found=5
# cleaned=0
# scan_time=2177
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll	a variant of Win32/Adware.Yontoo.B application (unable to clean)	00000000000000000000000000000000	I
C:\Documents and Settings\Rowe\Application Data\OpenCandy\OpenCandy_9653938C1AA04D238617BAFDC795A49C\RegistryReviverSetup-ppi_.exe	a variant of Win32/RegistryReviver application (unable to clean)	00000000000000000000000000000000	I
C:\System Volume Information\_restore{E6891B1E-116B-4450-98F8-5C4F424E14B4}\RP649\A0297775.exe	Win32/Adware.1ClickDownload application (unable to clean)	00000000000000000000000000000000	I
C:\System Volume Information\_restore{E6891B1E-116B-4450-98F8-5C4F424E14B4}\RP649\A0297776.dll	a variant of Win32/Adware.Yontoo.A application (unable to clean)	00000000000000000000000000000000	I
C:\System Volume Information\_restore{E6891B1E-116B-4450-98F8-5C4F424E14B4}\RP681\A0304807.exe	Win32/OpenCandy application (unable to clean)	00000000000000000000000000000000	I

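As an added example (not the scanner's, the forum's or any participant's own code), this Python parses an ESET Online Scanner log.txt in the format posted above and sorts its detections into files that are live on disk and files that are only held inside System Restore snapshots, which is the split a helper acts on. The sample log is constructed to mirror the posted one; the all-zero GUID and shortened paths are placeholders, not values from this machine.

```python
"""Triage an ESET Online Scanner log.txt (added example, not the scanner's code).

The log is a short '# key=value' header followed by one tab-separated line
per detection: path, verdict, a 32-hex-digit field and a one-letter flag.
Detections under 'System Volume Information\\_restore' are copies kept in old
System Restore points, not running code, so they are reported separately
from files that are live on the disk.
"""
import re
from dataclasses import dataclass, field

# Restore-point copies live under _restore{GUID}\RPnnn\A.......<ext>.
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    verdict: str
    cleaned: bool            # False when the verdict says "(unable to clean)"
    in_restore_point: bool


@dataclass
class ScanSummary:
    header: dict = field(default_factory=dict)
    live: list = field(default_factory=list)
    restore_point: list = field(default_factory=list)

    @property
    def found(self):
        return len(self.live) + len(self.restore_point)

    def header_consistent(self):
        """True when the '# found=' count agrees with the detection lines parsed."""
        return int(self.header.get("found", -1)) == self.found


def parse_eset_log(text):
    """Parse header keys and detection lines; banner lines without tabs are skipped."""
    summary = ScanSummary()
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("# "):
            key, sep, value = line[2:].partition("=")
            if sep:
                # Repeated keys (e.g. compatibility_mode) keep the last value;
                # quoted values such as country="United Kingdom" lose the quotes.
                summary.header[key.strip()] = value.strip().strip('"')
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # e.g. 'OnlineScanner.ocx - registred OK'
        path, verdict = fields[0].strip(), fields[1].strip()
        det = Detection(path=path, verdict=verdict,
                        cleaned="unable to clean" not in verdict,
                        in_restore_point=bool(RESTORE_POINT_RE.match(path)))
        (summary.restore_point if det.in_restore_point else summary.live).append(det)
    return summary


def triage_report(summary):
    """Human-readable triage: live files first, restore-point copies after."""
    lines = [f"scanned={summary.header.get('scanned', '?')} found={summary.found} "
             f"header_consistent={summary.header_consistent()}",
             "Live files (remove or quarantine first):"]
    lines += [f"  {d.verdict}  {d.path}" for d in summary.live] or ["  none"]
    lines.append("Held in System Restore points (go away when old restore points are flushed):")
    lines += [f"  {d.verdict}  {d.path}" for d in summary.restore_point] or ["  none"]
    return "\n".join(lines)


ZEROS = "0" * 32
RP = "C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP649\\"

# Constructed sample modelled on the log posted above (placeholder GUID and paths).
SAMPLE_LOG = "\n".join([
    "OnlineScanner.ocx - registred OK",
    "# version=7",
    "# end=finished",
    "# remove_checked=false",
    '# country="United Kingdom"',
    "# scanned=82485",
    "# found=5",
    "# cleaned=0",
    "C:\\Documents and Settings\\All Users\\Application Data\\Tarma Installer\\_Setupx.dll"
    "\ta variant of Win32/Adware.Yontoo.B application (unable to clean)\t" + ZEROS + "\tI",
    "C:\\Documents and Settings\\User\\Application Data\\OpenCandy\\RegistryReviverSetup-ppi_.exe"
    "\ta variant of Win32/RegistryReviver application (unable to clean)\t" + ZEROS + "\tI",
    RP + "A0297775.exe\tWin32/Adware.1ClickDownload application (unable to clean)\t" + ZEROS + "\tI",
    RP + "A0297776.dll\ta variant of Win32/Adware.Yontoo.A application (unable to clean)\t" + ZEROS + "\tI",
    RP + "A0304807.exe\tWin32/OpenCandy application (unable to clean)\t" + ZEROS + "\tI",
])

if __name__ == "__main__":
    print(triage_report(parse_eset_log(SAMPLE_LOG)))
```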

----------



## Robert the Bruce (Aug 16, 2006)

Well I guess I'll have to take the chance and close down now. I just hope I don't have the same hassle I've been having lately when starting up. I'll find out tomorrow. BTW, the MalwareBytes Icon has disappeared from my Taskbar ??? Was that supposed to happen ?


----------



## Glaswegian (Dec 5, 2004)

Hi again

Eset found a couple of things to deal with - the others are being held in the System Restore points - we will deal with them later.

If you closed MBAM then its icon will not appear in the Task Bar - is that what you mean?

I'll wait to hear from you regarding your system before we decide the next steps.


----------



## Robert the Bruce (Aug 16, 2006)

I may have closed MBAM I don't remember. Anyhow, my computer had no problems starting up this morning and appears to be running OK. My computer always was running OK (apart from the problem with McAfee https://community.mcafee.com/thread/40646?start=0&tstart=0) it was just that Adware:Win32/OpenCandy thingy which brought me here. I'd uninstalled McAfee and installed Microsoft Essentials as a replacement and after the first scan I noticed OpenCandy. You may already know of all this anyway. Also, can I draw your attention to post#41 as I'm getting those window messages again. Thanks.


----------



## Glaswegian (Dec 5, 2004)

Hi again

Those messages are fairly common - you just need to adjust your Internet Explorer settings.

http://answers.yahoo.com/question/index?qid=20080302043516AAXmFdz
http://answers.microsoft.com/en-us/...site-and/a94d649f-56d9-4739-b4ff-7e7ad45cda90

We can use ComboFix to remove those entries, since it's already on your system.

*Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.*

Close any open browsers.

As before, Ive created the CFScript file for you. Download it from this post to your desktop and drag and drop the file onto ComboFix.



Referring to the picture above, drag *CFScript* onto *ComboFix.exe.*

*If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.*

When finished, it will produce a log for you at *"C:\ComboFix.txt"*

*Do not mouseclick combofix's window whilst it's running. This may cause it to stall.*

*CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!*

Please post the log *C:\ComboFix.txt * for further review.


----------



## Robert the Bruce (Aug 16, 2006)

Do I turn off Microsoft Essentials Real-Time Protection and/or Windows Firewall ?


----------



## Robert the Bruce (Aug 16, 2006)

I went ahead anyway and turned off Microsoft Essentials - Real-Time Protection but left Windows Firewall turned on. Hope that's OK. Please tell. Also I turned my Privacy Settings back to Medium with regards to Cookies AFTER this latest ComboFix. Hope that's also OK.
ComboFix 12-05-07.02 - Rowe 07/05/2012 19:08:02.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1476 [GMT 1:00]
Running from: c:\documents and settings\Rowe\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Rowe\My Documents\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll"
"c:\documents and settings\Rowe\Application Data\OpenCandy\OpenCandy_9653938C1AA04D238617BAFDC795A49C\RegistryReviverSetup-ppi_.exe:"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
c:\documents and settings\Rowe\Application Data\vso_ts_preview.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-04-07 to 2012-05-07 )))))))))))))))))))))))))))))))
.
.
2012-05-06 22:46 . 2012-04-12 23:36	6734704	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FCEE28D4-A500-4AD7-B045-8A9EB2C752FE}\mpengine.dll
2012-05-06 21:47 . 2012-05-06 21:47	--------	d-----w-	c:\program files\ESET
2012-05-05 18:04 . 2012-04-12 23:36	6734704	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-05 16:32 . 2012-05-05 16:32	--------	d-----w-	c:\documents and settings\Rowe\Application Data\Malwarebytes
2012-05-05 16:32 . 2012-05-05 16:32	--------	dc----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-05 16:32 . 2012-04-04 14:56	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-05-05 16:32 . 2012-05-05 16:32	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2012-05-02 14:39 . 2012-01-31 12:44	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-05-02 14:37 . 2012-05-02 14:38	--------	d-----w-	c:\program files\Microsoft Security Client
2012-05-02 14:26 . 2012-05-02 14:26	10288512	----a-w-	c:\program files\mseinstall.exe
2012-05-02 14:17 . 2012-05-02 14:17	--------	dc----w-	c:\documents and settings\All Users\Uniblue
2012-04-26 18:50 . 2012-04-26 18:50	--------	d-----w-	c:\documents and settings\Rowe\Application Data\ElevatedDiagnostics
2012-04-16 18:18 . 2012-04-18 06:35	--------	d-----w-	c:\documents and settings\Rowe\Local Settings\Application Data\LogMeIn Rescue Applet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 19:47 . 2012-04-03 09:44	419488	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-05-04 19:47 . 2011-05-18 16:34	70304	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-02 20:47 . 2012-04-02 20:47	25685128	----a-w-	c:\program files\wordview_en-us.exe
2012-03-20 19:44 . 2012-03-20 19:44	171064	----a-w-	c:\windows\system32\drivers\MpFilter.sys
2012-03-02 17:33 . 2012-03-02 17:33	73728	----a-w-	c:\windows\system32\javacpl.cpl
2012-03-02 17:33 . 2010-06-05 09:57	472808	----a-w-	c:\windows\system32\deployJava1.dll
2012-03-01 11:01 . 2004-08-04 12:00	916992	----a-w-	c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00	43520	----a-w-	c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-02-29 23:58 . 2011-09-29 16:45	881984	----a-w-	c:\windows\system32\nvgenco32.dll
2012-02-29 23:58 . 2011-09-29 16:45	1000256	----a-w-	c:\windows\system32\nvdispco32.dll
2012-02-29 23:58 . 2010-06-03 16:07	65536	----a-w-	c:\windows\system32\OpenCL.dll
2012-02-29 23:58 . 2010-06-03 16:07	2522944	----a-w-	c:\windows\system32\nvcuvid.dll
2012-02-29 23:58 . 2010-06-03 16:07	2437440	----a-w-	c:\windows\system32\nvcuvenc.dll
2012-02-29 23:58 . 2010-06-03 16:07	5918720	----a-w-	c:\windows\system32\nvcuda.dll
2012-02-29 23:58 . 2010-06-03 16:07	17534976	----a-w-	c:\windows\system32\nvcompiler.dll
2012-02-29 23:58 . 2006-10-29 15:16	18624512	----a-w-	c:\windows\system32\nvoglnt.dll
2012-02-29 23:58 . 2006-10-29 15:16	2291712	----a-w-	c:\windows\system32\nvapi.dll
2012-02-29 23:58 . 2006-10-29 15:16	13417632	----a-w-	c:\windows\system32\drivers\nv4_mini.sys
2012-02-29 23:58 . 2006-10-29 15:16	4309760	----a-w-	c:\windows\system32\nv4_disp.dll
2012-02-29 20:30 . 2010-04-03 18:22	54272	----a-w-	c:\windows\system32\nvwddi.dll
2012-02-29 20:30 . 2010-04-03 18:23	15494464	----a-w-	c:\windows\system32\nvcpl.dll
2012-02-29 20:30 . 2010-04-03 18:23	143680	----a-w-	c:\windows\system32\nvcolor.exe
2012-02-29 20:30 . 2010-04-03 18:23	164160	----a-w-	c:\windows\system32\nvsvc32.exe
2012-02-29 20:30 . 2010-04-03 18:23	108352	----a-w-	c:\windows\system32\nvmctray.dll
2012-02-29 14:10 . 2004-08-04 12:00	177664	----a-w-	c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 12:00	148480	----a-w-	c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 12:00	385024	----a-w-	c:\windows\system32\html.iec
2003-08-27 13:19 . 2010-06-02 20:34	36963	----a-r-	c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((( [email protected]_13.39.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-07 11:32 . 2012-05-07 11:32	16384 c:\windows\Temp\Perflib_Perfdata_5cc.dat
+ 2012-05-07 11:32 . 2012-05-07 11:32	16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
- 2010-06-03 15:06 . 2009-11-16 13:09	89088 c:\windows\system32\Tools\ChPrio.exe
+ 2012-05-06 14:39 . 2012-05-06 14:39	89088 c:\windows\system32\Tools\ChPrio.exe
+ 2004-08-04 12:00 . 2012-05-07 11:36	67862 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-05-05 12:39	67862 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2012-05-07 11:36	433098 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-05-05 12:39	433098 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-15 39408]
"Akamai NetSession Interface"="c:\documents and settings\Rowe\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-03-13 3331872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R800"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE" [2005-01-13 98304]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-04 273528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VideoCam Suite.lnk - c:\program files\Common Files\Panasonic\VideoCam Suite AutoStart\VideoCamSuiteAutoStart.exe [2011-8-12 349584]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reboot.exe]
backup=c:\windows\pss\Reboot.exeCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-07-31 10:45	139264	----a-w-	c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12	15360	----a-w-	c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	----a-w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	----a-w-	c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 13:20	94208	----a-r-	c:\windows\SM1bg.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Rowe\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 13:00 14336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [05/05/2012 17:32 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [21/02/2012 21:15 2348352]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [02/06/2010 13:12 372480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [05/05/2012 17:32 22344]
S2 bwcdrv;bwcdrv;c:\windows\system32\drivers\BWCDRV.SYS [21/12/2003 09:21 19840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/06/2010 23:20 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 10:44 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [03/06/2010 16:12 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [08/06/2010 23:20 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 19:47]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 22:20]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 22:20]
.
2012-05-07 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]
.
2012-05-07 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]
.
2012-05-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 13:40]
.
2012-05-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 13:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-07 19:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\00\1c\0b4;?"
.
Completion time: 2012-05-07 19:15:23
ComboFix-quarantined-files.txt 2012-05-07 18:15
ComboFix2.txt 2012-05-06 20:20
ComboFix3.txt 2012-05-05 16:10
ComboFix4.txt 2012-05-05 13:41
.
Pre-Run: 49,503,711,232 bytes free
Post-Run: 49,691,222,016 bytes free
.
- - End Of File - - 6815611785E6CDC995471A3D1AC00BA0


----------



## Glaswegian (Dec 5, 2004)

Hi

Turning off the Real Time protection is the key - looks like you're really getting the hang of this. 

All looks good - nothing appearing in the logs. How are things running now? Is MSE still reporting OpenCandy?


----------



## Robert the Bruce (Aug 16, 2006)

No, and it hasn't been for some time. But it's now showing a quarantined 'severe' threat called Exploit:JS/Blacole.DG. What now ?


----------



## Glaswegian (Dec 5, 2004)

Can you tell me the actual file name that MSE has quarantined?


----------



## Robert the Bruce (Aug 16, 2006)

This is the bit I don't understand. All I see is what I've written above. I don't know what you mean by or where to find what you call a filename, although I'm sure it's simple when you know how.  So, how do I find out what the file name is ?


----------



## Glaswegian (Dec 5, 2004)

Open MSE.

Then click the 'History' tab and ensure the 'Quarantined Items' radio button is selected. You should now see 2 panels - the top one will contain a list of threats quarantined. Click *once* on *Exploit:JS/Blacole.DG*. In the lower panel scroll down and look at the information - you should see a heading 'Items' and the file name and file path should be shown. You can just copy and paste the details back here. Then close MSE.


----------



## Robert the Bruce (Aug 16, 2006)

Could this be it ? C:/Documents and Settings/Rowe/Local Settings/Temporary Internet Files/Content.IE5/R9SOYRMC/main(1).htm


----------



## Robert the Bruce (Aug 16, 2006)

It wouldn't allow me to Copy & Paste though.


----------



## Glaswegian (Dec 5, 2004)

That's fine - thanks. We just need to clear out your Internet Explorer temporary files.

In IE click *Tools > Internet Options > General Tab*.

In the *Temporary Internet Files* section, click the *Delete Files* button. This will delete all the files that are currently stored in your cache.


----------



## Robert the Bruce (Aug 16, 2006)

OK done that. Should I go to settings then view files and delete all of those as well ?


----------



## Glaswegian (Dec 5, 2004)

You can if you have no need to keep the files (which I'm sure you won't).


----------



## Robert the Bruce (Aug 16, 2006)

OK, so what now ? Although I may not be able to get back to you tonight, that is to say, assuming you get back to me first. If you know what I mean.


----------



## Glaswegian (Dec 5, 2004)

Actually, I'm off to bed now (back to work tomorrow) so we'll finish up tomorrow. There's not much left but I will provide you with general security suggestions etc.

You can also let me know if you have any issues with your system.


----------



## Robert the Bruce (Aug 16, 2006)

OK, cheers. See ya the morra.


----------



## Glaswegian (Dec 5, 2004)

Hi again

Can you let me know how your system is running now? I'm hoping you've booted up OK. Are you receiving any warning messages? Any other issues?


----------



## Robert the Bruce (Aug 16, 2006)

Computer seems to be working OK if a wee bit slow but we all experience that from time to time. I would welcome some advice on how to prevent this kind of thing in the future and how to tell the difference between what threats can be removed and what threats to keep quarantined.
Also, what should I do with ComboFix, Security Check, all those logs and anything else I downloaded while you (and Cheeseball) were helping me ? 
And anything else you can think of.


----------



## Robert the Bruce (Aug 16, 2006)

With regards to post#43. Can I re-hide my Hidden System Files ? Can I change my System Files and Folders back to 'invisible.' ? Can I now check my Hide Protected Operating System Files ?
In other words, can I put those things back the way they were ?


----------



## Glaswegian (Dec 5, 2004)

Hi again

This post will contain Security suggestions as well as links to additional reading. Please ask if there is anything you are unsure about.

All your logs are clean. If there are no more problems we'll just tidy up and I'll let you go, along with my recommendations for staying safe and secure.

*Reset Hidden/System Files*
To reset your hidden and system files:

Click *Start.*
Open *My Computer.*
Select the *Tools menu* and click *Folder Options.*
Select the *View* tab.
_Deselect_ the *Show hidden files and folders* option.
_Select_ the *Hide file extensions for known types* option.
_Select_ the *Hide protected operating system files* option.
Click *Yes* to confirm.
Click *OK.*

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below

Click *Start > Run* and copy/paste, or type the following bold text into the Run box and click *OK*:

*ComboFix /Uninstall*

You can simply delete *DDS* but I would keep Malwarebytes - it's a great on-demand scanner.

Now that you are clean, to help protect your computer in the future I recommend that you get the following *free* programs:

*General Protection*
Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.

*MVPS Hosts File*
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. *Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.*

*Alternate Browsers*
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Chrome
Maxthon
Safari

*Firewalls*
A good firewall will monitor incoming *and* outgoing traffic. *NOTE:* Microsoft's Firewall for XP *does not* monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm

*Other Protection*
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

*Web of Trust*
WOT warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

Green to go 
Yellow for caution 
Red to stop
WOT has an addon available for both Firefox and IE.

*Do Not Track +*
DNT+ protects your online privacy and prevents advertising companies and social networks from collecting personal information. This means they cannot serve you adverts nor follow you throughout the web. Every time you go online you are being watched and your habits recorded. DNT+ allows you to control your personal details. How DNT+ works.

*ERUNT & NTREGOPT*
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.

*Additional Reading*
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.
Think Prevention!

Have a look here if your PC is still running a bit slow
Is your PC running slow...?

Keep *clean* and *safe* and enjoy your computing!

*Please respond to this thread one more time so we can mark this thread as resolved.*


----------



## Robert the Bruce (Aug 16, 2006)

OK, I'll go through all of this with a fine-tooth comb tomorrow. Can't right now, something else on. Thanks again for all your help and sorry about being a wee bit crabitt before. Maybe you can tell the others what 'crabitt' means


----------



## Glaswegian (Dec 5, 2004)

Hehe - I sometimes think I spend half my online life explaining Glaswegian slang to other users. 

Take your time - there is quite a bit to read and digest - then post back with any questions.


----------



## Robert the Bruce (Aug 16, 2006)

OK, will do. BTW, what's wrong with I.E.8 ? Oh, and excuse my ignorance but I don't even know what my 'registry' is or what it does ?? Or 'Hosts file' for that matter.


----------



## Robert the Bruce (Aug 16, 2006)

Exploit:JS/Blacole.DG is still showing up in Microsoft Essentials and is under quarantine. Should I delete/remove it from there and also its location ?


----------



## Robert the Bruce (Aug 16, 2006)

Could you please have a look at post#101. I can't get past 'Rowe' - I don't see 'Local Settings' anywhere.


----------



## Robert the Bruce (Aug 16, 2006)

Sorry to keep doing this but there seems to be a lot of loose ends I'd forgotten about. What about that Pup.MyWebsear.... (registry key) should I delete/remove that from MalwareBytes quarantine and as for MalwareBytes itself, if I download the free version won't it interfere with my computer on start-up, the way it did before ?


----------



## Robert the Bruce (Aug 16, 2006)

Does Microsoft essentials run smoothly with Chrome or Firefox and if I download any of the Firewalls you suggest do I make sure my Windows Firewall is turned off so that I don't have two Firewalls running at the same time ?
And if I download ANY of the above do I turn off real-time protection whilst doing so ?
Can I remove ESET and 1click downloader from my Add & Remove Programs ?
Also, I can't find DDS and GMER ???
Also, if I download Chrome or Firefox will any of those two automatically overwrite Internet Explorer ? Reason I ask, I can't locate I.E. in order to remove it.
Also, Java - do I NEED it ?
Hopefully this is the last time I need to bother you............but don't bank on it


----------



## Glaswegian (Dec 5, 2004)

Hi

Let's try and take one thing at a time.

Anything held in quarantine is safe and cannot harm your system. Each programme will have an option to delete items from quarantine - you can use that or just leave them. Either way they will not interfere with your system.

If you prefer IE8 then continue to use that - I was simply offering you some options that you may not have been aware of in the past.

You are trying to view Hidden/System files - you would need to unhide them first.

Go to *My Computer > Tools > Folder Options > View* tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the *Hide protected operating system files* option.

You can rehide them using the instructions in Post # 112.

MBAM is an 'on-demand' scanner - it only scans when you tell it to do so. The free version does not have any real time protection and will not interfere with anything on your system. I run it once a week with no problems. I also checked at Malwarebytes forum and the file that caused your problems will be removed from the next database update.

If you download a third party firewall you'll likely find that during the installation Windows firewall will be turned off anyway.

MSE works well with any browser - I've been using it since it first appeared.

DDS and Gmer should be on your desktop - you can always use the Search feature (Start > Search) to find them.

You cannot remove IE - please do not try. I had a user a while back that tried to do that - ended up having to reinstall Windows. I use Firefox - I just don't open IE.

Your Hosts file is explained in detail in the article to which I provided a link (saves me typing out all that info again...).

You don't need Java - that is up to you, although lack of Java may affect the way some websites appear on your screen.

Hope that helps - let me know if you have any further queries.


----------



## Robert the Bruce (Aug 16, 2006)

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
I think the above is actually the opposite of what I want. I'd rather, for example, hidden files/folders remain hidden and System Files/Folders are invisible.............I think. Which is the way they were to begin with...........I think.


----------



## Glaswegian (Dec 5, 2004)

They are usually hidden - I thought you wanted them unhidden - apologies if I misunderstood.

Anything else?


----------



## Robert the Bruce (Aug 16, 2006)

No, hidden. I don't like to see those hidden files and folders all over the place if I don't have to. 
What about this 1click downloader ? Can I uninstall it or should I keep it, what's it for ?


----------



## Robert the Bruce (Aug 16, 2006)

OK, can you recommend I download and install the following: Spyware Blaster
Spyware Guard
Spybot Search & Destroy
Chrome or Firefox
Comodo Personal Firewall or Zone Alarm
DNT+
ERUNT & NTREGOPT
..........and if I download Chrome or Firefox will IE 8 be automatically uninstalled/deleted/removed ?


----------



## Glaswegian (Dec 5, 2004)

Robert the Bruce said:


> What about this 1click downloader ? Can I uninstall it or should I keep it, what's it for ?


Sorry - you've lost me there. To what are you referring? I don't think I mentioned this anywhere.


----------



## Robert the Bruce (Aug 16, 2006)

That's odd. It's there when I go to Add & Remove Programs. It's 0.2MB in size.


----------



## Robert the Bruce (Aug 16, 2006)

Glaswegian said:


> Hi
> 
> Let's try and take one thing at a time.
> 
> ...


----------



## Robert the Bruce (Aug 16, 2006)

Sorry, that wasn't meant to happen - the previous post. I tried to add the following to that post: Searched for DDS and Gmer, can't find either of them. Although there is a 'Security Check' icon on my Desktop, is that one of them and if so where is the other ?
Also, I've read the info on MVPS Hosts File and I'm sorry but I simply don't understand any of it.


----------



## Glaswegian (Dec 5, 2004)

Hi again

You can simply delete Security Check. DDS and Gmer should also be on your desktop - perhaps check the Recycle Bin?

You don't have to use the Hosts file although it is very useful. Not sure how I can help with that - the instructions for installation should be clear.


----------



## Robert the Bruce (Aug 16, 2006)

Nope, can't see/find DDS or Gmer anywhere. Disnae matter, maybe I'd already deleted them. It's not the installation of Hosts that's the worry, it's what it's for that I don't understand. And also the big black warning that I shouldn't download it if I have.............whatever it was, can't remember.
So, anyway, do you think I should download the ones I mentioned on post #124 ?
And what about this 1click download ?


----------



## Glaswegian (Dec 5, 2004)

Remove the 1clickdownload via Add/Remove Programs.

Have a look at this article I wrote and see if it explains the Hosts file more clearly.


----------



## Robert the Bruce (Aug 16, 2006)

Just got back to the computer just now. Thanks, I'll read the piece you wrote and get back to you.


----------



## Robert the Bruce (Aug 16, 2006)

OK, I've just read your piece on Hosts File. I realise it's in layman's terms and I think I'm starting to understand it a wee bit. One thing though, you said earlier, 'Note - That if you use a company provided Hosts File you should not use MVPS Hosts File.' Does that mean (don't use MVPS) if you/me use a computer in the workplace or your work/employer has provided a computer to use ? If you get my meaning.
Also, I asked earlier, won't MalwareBytes interfere with my computer (if I download and install it) on start-up, the way it did before and if NOT then what would be different this time ?
Also, could you please look at posts 117, 118 and 124. I would be much obliged if you could answer those questions (if you haven't already and maybe I missed it) and then maybe we could put this one to bed, finally.


----------



## Glaswegian (Dec 5, 2004)

Hi

What were you trying to do in Post #117?

I would install Spybot, Spywareguard, Firefox, ZoneAlarm and DNT+. I use ERUNT and NTREGOPT but they are not essential.

For the Hosts file I meant that if your machine is regularly connected to a company network then the MVPS Hosts file would not be appropriate. Most companies have their own security set up and a custom Hosts file would likely interfere with that. If the machine actually belongs to a company then you would probably not have permission to install anything anyway.

The best analogy I could think of was that the Hosts file is like a telephone directory - that's really all it is. A directory that your browser checks to find a website. If the site is not in your Hosts file then your browser talks to a server to get the address.

I think I did mention earlier that any file held in quarantine, no matter which quarantine, is safe and cannot harm your system. Programmes that provide a quarantine also provide a method for clearing that quarantine if you so wish.

See Post #120.
MBAM should not damage your system. Cookiegal reported the False Positive to Malwarebytes and they have acknowledged this and confirmed it will be excluded from future database updates. This means that the file in question will not be removed next time you scan. I also mentioned IE in that post and why you cannot 'remove' it - just ignore it.

Let me know if I missed anything.
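
The "telephone directory" description above (and the earlier MVPS Hosts file note that blocked ad sites are pointed at 127.0.0.1) can be shown concretely. The following is an added example, not code from the thread, from the MVPS project or from any of the tools mentioned: a small Python script that reads a hosts file the way the resolver does (hosts first, then DNS), lists which names are sinkholed to the local machine, and flags any entry that sends a name to a routable address, which is the kind of entry worth reviewing, since an ad-blocking hosts file only ever points at 127.0.0.1 or 0.0.0.0, while a company-provided file may legitimately contain internal addresses. The sample file content is constructed for the example.

```python
"""Parse a Windows HOSTS file and classify its entries.

Added example for illustration; the sample content below is constructed
and is far shorter than a real MVPS file.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Addresses an ad-blocking hosts file uses to sinkhole a name on the local machine.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a default Microsoft-style header, two MVPS-style block
# entries, one entry that redirects a real-looking site elsewhere, and one
# malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed ad-blocking entries in the MVPS style
0.0.0.0  ads.example-adnetwork.test
0.0.0.0  tracker.example-adnetwork.test   # trailing comment
# constructed entry of the kind a hijacker might add
203.0.113.7  www.example-bank.test
not-an-ip    junk.test
"""


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return one entry per (address, hostname) pair, ignoring comments and blank lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # first field must be an IP address
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for name in parts[1:]:  # one address may be followed by several names
            entries.append(HostsEntry(parts[0], name.lower(), line_no))
    return entries


def lookup(entries: List[HostsEntry], hostname: str) -> Optional[str]:
    """Mimic the resolver's first step: consult HOSTS before asking DNS.

    Returns the address from the hosts file, or None when DNS must be queried.
    """
    hostname = hostname.lower().rstrip(".")
    for entry in entries:
        if entry.hostname == hostname:
            return entry.address  # first match wins, as in the real resolver
    return None


def sinkholed_names(entries: List[HostsEntry]) -> List[str]:
    """Names the hosts file prevents the browser from ever reaching (the ad-blocking case)."""
    return [e.hostname for e in entries
            if e.address in SINKHOLE_ADDRS and e.hostname != "localhost"]


def redirect_entries(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that send a name to a routable address rather than the local machine.

    These are not automatically bad (a company hosts file may map internal
    servers this way) but each one deserves a look: a real site pointed at an
    address you do not recognise is the classic hosts-file hijack.
    """
    return [e for e in entries if e.address not in SINKHOLE_ADDRS]


def has_localhost(entries: List[HostsEntry]) -> bool:
    """A replacement hosts file must keep the standard localhost line."""
    return lookup(entries, "localhost") == "127.0.0.1"


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print("sinkholed:", sinkholed_names(parsed))
    for entry in redirect_entries(parsed):
        print(f"review line {entry.line_no}: {entry.hostname} -> {entry.address}")
    print("ads.example-adnetwork.test ->", lookup(parsed, "ads.example-adnetwork.test"))
    print("www.google.com ->", lookup(parsed, "www.google.com"), "(not in HOSTS, ask DNS)")
```

To check a real machine, read the file at the path Windows uses (`%SystemRoot%\system32\drivers\etc\hosts`) instead of `SAMPLE_HOSTS`; the functions do not change. Running it after installing the MVPS file is a quick way to confirm the localhost line survived and that nothing in the file points a familiar name at an unfamiliar address.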


----------



## Robert the Bruce (Aug 16, 2006)

Robert the Bruce said:


> Could this be it ? C:/Documents and Settings/Rowe/Local Settings/Temporary Internet Files/Content.IE5/R9SOYRMC/main(1).htm


Re post#117 - was a reference to post 101. I was pointing out the fact that I couldn't locate (on my computer) what had been found on Microsoft Essentials - I couldn't find anything past 'Rowe' i.e. Local Settings. Hope that makes sense.


----------



## Robert the Bruce (Aug 16, 2006)

OK, I'll go ahead and install those programs and maybe one or two others you mention. Internet Explorer is in my Program Files and is 4.32MB in size. Seems odd that I can't (or shouldn't) remove it if I'm not going to use it, by using Firefox (for example) instead or are you saying that IE is an integral part of browsing and therefore shouldn't be touched ?


----------



## Glaswegian (Dec 5, 2004)

IE is an integral part of *Windows* - if you try to remove it you will most likely have to reinstall Windows. As I said earlier, just ignore it - that's what I've been doing for years now.


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> Re post#117 - was a reference to post 101. I was pointing out the fact that I couldn't locate (on my computer) what had been found on Microsoft Essentials - I couldn't find anything past 'Rowe' i.e. Local Settings. Hope that makes sense.


If I may interject just for clarification. When you mentioned this, Glaswegian told you to unhide files and you replied that you wanted to hide them, not unhide them and then the thread moved in another direction. I think it's a bit like "who's on first?" with so many questions and references back to older posts so it's difficult to keep track of things. 

In effect, you have to unhide files to be able to see the Local Settings folder in order to navigate to that file to delete it.


----------



## Glaswegian (Dec 5, 2004)

Thanks Cookiegal - I was having trouble tracking back to "who said what first"!


----------



## Cookiegal (Aug 27, 2003)

Glaswegian said:


> Thanks Cookiegal - I was having trouble tracking back to "who said what first"!


No problem at all.


----------



## Robert the Bruce (Aug 16, 2006)

A-ha. So if I unhide files I can locate Local Settings and then delete the nasty which appeared in Microsoft Essentials or presumably just remove it from History in Microsoft Essentials. Have I got that right ? BTW two new 'severe' warnings after a scan with Micro Essentials, Exploit:Java/CVE-2012-0507.BB and Exploit/Java/CVE-2012-0507-BC. What is it with Java, or is it to do with a particular site I visit often ?


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> A-ha. So if I unhide files I can locate Local Settings and then delete the nasty which appeared in Microsoft Essentials or presumably just remove it from History in Microsoft Essentials. Have I got that right ? BTW two new 'severe' warnings after a scan with Micro Essentials, Exploit:Java/CVE-2012-0507.BB and Exploit/Java/CVE-2012-0507-BC. What is it with Java, or is it to do with a particular site I visit often ?


If you unhide files/folders you will be able to see the Local Settings folder which will enable you to get to that file to delete it. Whether or not you delete it from the MSE quarantine is inconsequential.

As for the new detections, again, we need to know the file names and the entire paths to them.


----------



## Robert the Bruce (Aug 16, 2006)

containerfile:C:/Documents and Settings/Rowe/Application Data/Sun/Java/Deployment/cache/6.0/51/781e43b3-141b0a81
and
file:C:/Documents and Settings/Rowe/Application Data/Sun/JavaDeployment/cache/6.0/51/781e43b3-141b0a81->a/a2.class
Why do these things keep turning up like a bad smell ? Is it Java's fault or is it caused by browsing particular sites ?


----------



## Robert the Bruce (Aug 16, 2006)

Robert the Bruce said:


> containerfile:C:/Documents and Settings/Rowe/Application Data/Sun/Java/Deployment/cache/6.0/51/781e43b3-141b0a81
> and
> file:C:/Documents and Settings/Rowe/Application Data/Sun/JavaDeployment/cache/6.0/51/781e43b3-141b0a81->a/a2.class
> Why do these things keep turning up like a bad smell ? Is it Java's fault or is it caused by browsing particular sites ?


This time I tried searching for it myself but got as far as Application Data. Upon opening that folder I expected to see Sun then Java but instead I saw Microsoft folder which then led to Media Player and Windows Media. Also, when I go to Tools-Internet Options-Advanced and then scroll down I see Java (Sun) Use JRE 1.6._31 for <applets> (requires restart) - the box is checked/ticked. Is this information of any use ?


----------



## Glaswegian (Dec 5, 2004)

Hi

Those entries are in your Java cache - no need to search for them, just do this

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

On the General tab, under Temporary Internet Files, click the *Settings* button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - *Leave BOTH Checked*

*Applications and Applets*
*Trace and Log Files*

Click OK on Delete Temporary Files Window
*Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.*
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.
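The two detection lines posted above use MSE's `containerfile:` / `file:...->member` notation, and the reason clearing the Java cache gets rid of them is that both paths sit under the Java deployment cache. The following is an added example (not code from the thread, from MSE or from Java) that reads that notation off the posted lines and flags cache entries; the sample detections are constructed from the thread's paths (with the `Sun/Java/Deployment` spelling of the first line), and the archive-member and cache-folder conventions are assumptions drawn only from those lines.

```python
"""Interpret Microsoft Security Essentials detection paths of the form
'containerfile:<path>' and 'file:<path>-><member>' and say whether the
detected file lives in the Java deployment cache. Added example; the notation
is read off the two lines posted in the thread, not taken from MSE docs."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, modelled on the two detection lines in the thread.
SAMPLE_DETECTIONS = [
    "containerfile:C:/Documents and Settings/Rowe/Application Data/Sun/Java/"
    "Deployment/cache/6.0/51/781e43b3-141b0a81",
    "file:C:/Documents and Settings/Rowe/Application Data/Sun/Java/"
    "Deployment/cache/6.0/51/781e43b3-141b0a81->a/a2.class",
]

# Java 6 deployment cache location on Windows XP (Application Data/Sun/Java/Deployment/cache).
_JAVA_CACHE = re.compile(r"/application data/sun/java/deployment/cache/", re.I)


@dataclass
class Detection:
    kind: str               # "containerfile" (an archive) or "file" (a plain file or archive member)
    path: str               # on-disk path MSE scanned, normalised to forward slashes
    member: Optional[str]   # entry inside the archive (text after "->"), if any
    in_java_cache: bool     # True when the path is under the Java deployment cache


def parse_detection(line: str) -> Detection:
    """Split one MSE detection line into its kind, path and archive member."""
    kind, sep, rest = line.partition(":")
    if not sep or kind not in ("containerfile", "file") or not rest:
        raise ValueError(f"unrecognised detection line: {line!r}")
    # "->" separates the archive on disk from the entry inside it (assumed from the posted line).
    path, _, member = rest.partition("->")
    path = path.replace("\\", "/")
    return Detection(kind, path, member or None, bool(_JAVA_CACHE.search(path)))


def remediation(d: Detection) -> str:
    """Defender's reading of the detection: a cached applet is cleared with the
    Java Control Panel steps above; anything else needs its full path reported."""
    if d.in_java_cache:
        return "cached Java applet/JAR: clear the Java cache via the Java Control Panel"
    return "not a Java cache entry: report the full file name and path to the helpers"


def summarise(lines: List[str]) -> List[str]:
    """One human-readable line per detection."""
    out = []
    for line in lines:
        d = parse_detection(line)
        where = f"{d.path}" + (f" (member {d.member})" if d.member else "")
        out.append(f"{d.kind}: {where} -> {remediation(d)}")
    return out


if __name__ == "__main__":
    for s in summarise(SAMPLE_DETECTIONS):
        print(s)
```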


----------



## Robert the Bruce (Aug 16, 2006)

There is no Java icon in my control panel. There are 10 other options (Security Centre, Add or Remove Programs, Appearance Themes, Network & Internet Connections, Sounds, Speech & Audio Devices, Performance & Maintenance, Printers & Other Hardware, User Accounts, Date, Time, Language and Regional Options and Accessibility Options) but no Java.


----------



## Glaswegian (Dec 5, 2004)

Hmmm...you do have it installed. Did you check in each of those CP options? Try Add/Remove Programs.


----------



## Robert the Bruce (Aug 16, 2006)

Yes, it's in Add & Remove Programs.


----------



## Glaswegian (Dec 5, 2004)

Phew!


----------



## Robert the Bruce (Aug 16, 2006)

Yes, but I can't do as suggested in post 145. In Add or Remove Programs all I can do is...........add or remove ???


----------



## Glaswegian (Dec 5, 2004)

Strange...

Let's update Java and then you can uninstall any older versions.


Visit this site *Java*
Click the *'Free Java Download'* button.
The site will advise if you need an updated version
Follow the instructions.


----------



## Robert the Bruce (Aug 16, 2006)

OK I downloaded and installed Java but site did not advise me if I needed an updated version or not. Downloaded it anyway. Don't know how to check for updates though (I'll assume it's done automatically) as I don't see a Java icon on my Taskbar or Desktop. Only place I see Java is Add & Remove Programs and Program Files Folder and I can't access updates from there. I presume it's all updated anyway as part of the download. OK, what now ?


----------



## Cookiegal (Aug 27, 2003)

Robert the Bruce said:


> There is no Java icon in my control panel. There are 10 other options (Security Centre, Add or Remove Programs, Appearance Themes, Network & Internet Connections, Sounds, Speech & Audio Devices, Performance & Maintenance, Printers & Other Hardware, User Accounts, Date, Time, Language and Regional Options and Accessibility Options) but no Java.


This is because you're in Category View. If you look on the left side, you can switch to Classic View and then you will see the Java icon and many other things there.


----------



## LauraMJ (Mar 18, 2004)

And if you want to stay in Category View, click on "other control panel options" on the left and you'll see Java there.


----------



## Cookiegal (Aug 27, 2003)

LauraMJ said:


> And if you want to stay in Category View, click on "other control panel options" on the left and you'll see Java there.


Yes but you might have to expand "See Also" first. 

Either way will work. I find it just as easy to toggle back and forth.


----------



## Robert the Bruce (Aug 16, 2006)

Well, well, well. You learn something new every day. I see Java now and it's fully updated.


----------



## Robert the Bruce (Aug 16, 2006)

Well whaddaya know. Dreaded Blue Error all over again. The blue screen error came on, my computer screen/monitor went black, but my computer wouldn't switch off. I pressed the restart button on the front of my computer and pressed the on/off switch but nothing would turn off the computer. I was forced to pull the plug from the socket. When the computer came back on a Windows message was there telling me it was probably a RAM problem and that I should download Windows Diagnostics Tool (I think I've got that right) and save it to a bootable CD or floppy disc. I saved it (I think) to a floppy disc and then............nothing. I removed the floppy disc and then put it back in, still nothing. I don't know how to run this diagnostic and the user guide is too complicated for me, as usual.
At the time of the error I had just burned a movie to a DVD using ConvertX to DVD and utorrent was running at the same time. I was in the process of closing down ConvertX when the blue screen took over. I know you're not supposed to offer advice on such subjects but I tell you this just to offer the information in case it helps.


----------



## Robert the Bruce (Aug 16, 2006)

After the last crash (blue screen error) I decided to run a scan using Microsoft Essentials. I came back into the room about 50 minutes later and my computer had crashed again. I had to pull the plug yet again. What this time ?


----------



## Robert the Bruce (Aug 16, 2006)

Computer keeps crashing now at random. Last time I was in the middle of trying to reply to a Facebook message via e-mail.
After that it crashed even before it started up then again after losing internet connection. Just before it shut down I managed to read a message which said something about a problem with Winsock or something. Computer/Windows gave me 25 seconds warning before shutting down stating that this particular restart should solve the loss of internet connection in this instance. It did, but not before I had to unplug the computer again during the restart, that is to say, the restart failed. I realise that this must be one huge pain in the arse for you guys but please help. I'd just love to get to the bottom of this and get it solved once and for all.


----------



## Squashman (Apr 4, 2003)

Robert the Bruce said:


> At the time of the error I had just burned a movie to a DVD using ConvertX to DVD and utorrent was running at the same time. I was in the process of closing down ConvertX when the blue screen took over. I know you're not supposed to offer advice on such subjects but I tell you this just to offer the information in case it helps.


Did you know that a very large percentage of files sitting out on BitTorrent sites are malware. I read an article not too long ago that said roughly 40% of all files downloaded on bittorrent contain some type of malware, virus or trojan. I can't find the link to the article but did find another study that was done back in 2008 which found that 20% of all files on bittorrent were infected.
http://www.divms.uiowa.edu/~adberns/UICS-08-05.pdf

So here we are 4 years later and I am pretty sure that 40% may be pretty accurate considering the boom of High Speed Internet.


----------



## Robert the Bruce (Aug 16, 2006)

Thanks for the info but it doesn't really address my problem though.


----------



## Robert the Bruce (Aug 16, 2006)

I'm in the process of downloading and installing some of the programs you recommended. However, I've hit a snag. After ZoneAlarm asked me to restart my computer and once the computer came back on I was 'hit' with two windows........so to speak. One was from ZoneAlarm which said 'New Network Found - Select a security zone for the Network at IP address: (I won't type out the address here) - Name this network (optional) Below that there is a small window where I'm given the option to name this new network. Below that is 'The Public Zone keeps your computer hidden from others on the network. The Trusted Zone lets you share resources with other computers.'
So do I name this 'new network' and if so what do I name it and more to the point, what IS this 'new network?' Also what do I choose - Public or Trusted ?
The other window is from Spybot which says 'Spybot has detected an important registry entry that has been changed - Category - User specific browser toolbar - Change - value added. Below that there is 'Entry' with a whole load of letters and numbers and 'New data' - with also a whole load of letters and numbers.
PLEASE help because I can't go any further for fear of clicking the wrong buttons/choosing the wrong options.
DNT+ icon is now on my Google toolbar, maybe that's what ZoneAlarm is referring to, I don't know. HELP.
Aw, I don't BELIEVE this. ZoneAlarm is telling me that its AntiVirus is conflicting with 'another' AntiVirus program namely Microsoft Essentials and is advising me to uninstall the latter. What do I do ?


----------



## Robert the Bruce (Aug 16, 2006)

OK, I've downloaded and installed Spybot Search & Destroy
Spyware Guard
Spyware Blaster
DNT+
Zone Alarm
Win Patrol
Wot
Malwarebytes
Have I overdone things or should I keep all of the above installed ?
Re Spybot - I decided to click 'Allow Change' and all subsequent times also.
Re Zone Alarm - I decided to click/choose 'Public Zone' and also uninstalled Microsoft Essentials.
PLEASE tell me if I've done the right thing, I just couldn't wait any longer. Obviously you are busy doing other things. If you have the time can you please address this post and my previous ones. Thank you very much in advance.


----------



## Squashman (Apr 4, 2003)

Robert the Bruce said:


> Thanks for the info but it doesn't really address my problem though.


Au contraire mon frere! It is the root of your problem and the reason why you were infected in the first place. You even said in a previous post this was not your fault this happened and you also said you needed your computer to look for a job. So maybe you should have spent more time looking for a job than downloading movies on BitTorrent.

You know some of us older people actually got our jobs by responding to classified ads in real newspapers and pounding the pavement.

And when personal computers started coming out in the late 70's our public library was probably one of the only places that had computers to use. Plus they usually have the local newspaper to look thru the classifieds.

All of us who help here on TechGuy have a passion for computers and we enjoy helping others understand them. 
If we are going to continue to help you the first thing you need to do is shutdown the BitTORRENT software and uninstall it. Otherwise we are fighting a losing battle. Basically taking one step forward and 10 steps back every time you download another torrent.


----------



## Glaswegian (Dec 5, 2004)

Hi 

Sounds like you have downloaded ZoneAlarm's complete security suite rather than just the firewall. Having 2 AVs on-board is a bad idea. Both will be trying to compete for resources and you are likely to experience some crashes. You need to remove one of them. If it's ZA then you should only install the Firewall. If you want to keep the ZA suite then remove MSE.

Did the crashes start after or before you installed ZA?


----------



## Robert the Bruce (Aug 16, 2006)

I've decided to keep ZA and have uninstalled Microsoft Essentials although I may change that round again.
First crash happened just as I was closing down ConvertX to DVD and had utorrent running at the same time. More crashes happened after that but my computer has been on all day and so far so good. As the previous guy said, it's probably my own fault although I do NOT spend ALL my time downloading movies rather than looking for a job. Eejit.


----------



## Robert the Bruce (Aug 16, 2006)

WILL THIS EVER END ?
Yet another Blue Screen Crash. This time just as I had finished downloading and installing Chrome. I clicked on the internet access/Google button and that's when my computer crashed. Now after restarting I can't open Chrome, I can't uninstall Chrome, I can't do anything with Chrome. It's on my computer doing nothing seemingly locked and frozen. Besides, what I did see of Chrome I didn't like. No toolbars, no favourites list, no nothing really. I'm not sure about the terminology regarding the button I clicked because I can't access Chrome to remind me what it was. Please reply.


----------



## Glaswegian (Dec 5, 2004)

There is a manual workaround for removing Chrome - you can find it here. It's not too involved - just take each step carefully.

What make & model is your hard disc? Perhaps there are some errors there that might need attention.


----------



## buffoon (Jul 16, 2008)

Robert the Bruce said:


> Thanks for the info but it doesn't really address my problem though.


It addresses it very much. And pertinently.

And what is turning into a real problem is that you are binding down numerous advisors by showing a propensity for disregarding any information offered that does not appear to suit your needs or desires.

So if you wish the patience that they all have admirably shown to be maintained, I suggest you change your attitude of ignoring anything that points out the imprudence of working with torrenting and pirated software.

Preferably by confirming that you've followed the previous advice given (not just in this thread), to rid yourself of all that rubbish. Which may give those trying to help and being at least equally needed elsewhere some incentive to overcome the frustration you appear to be hell bent on sowing.

Thank you


----------



## Robert the Bruce (Aug 16, 2006)

It's OK, I downloaded and installed Chrome a second time which, I presume, overwrote the first version, and then I uninstalled it.
Make and Model of Hard Drive is a Seagate Barracuda SATA....I think.


----------



## Glaswegian (Dec 5, 2004)

Hi

Go here, choose your operating system and download the Windows version of SeaTools. On the same page you will also find a pdf with information but all you need to run is a Short Drive Self Test - should only take a couple of minutes. You may get an option to 'Repair' if problems are found - please do so. The test itself is data safe.


----------



## Robert the Bruce (Aug 16, 2006)

Just after I came out of TSG I went to Google then was about to go to Favourites (and then to Facebook) when Error Reports windows started to appear one by one. Eventually blue screen appeared and my computer shut down and I was unable to switch it off except by pulling the plug. So I've come back on to tell of this latest problem.


----------



## Glaswegian (Dec 5, 2004)

Do you know what the reports said? Was there any message on the BSOD?


----------



## Robert the Bruce (Aug 16, 2006)

It seemed to be mostly Local Settings - Temp...I think. What is BSOD ?
After last crash/shut down I went to Start-My Computer-Local Disk-Tools-Error Checking-Check Now but machine/windows whatever couldn't do the check before restarting so I restarted and left the computer to do what it was supposed to do. After a while I came back into the room and yes, you've guessed it, the computer had shut down/crashed again. So I pulled the plug, restarted and came on to type this out. Should I give up ? Or is this thing fixable ?


----------



## LauraMJ (Mar 18, 2004)

BSOD = Blue Screen of Death.

Sounds like it may be a hardware failure......possibly the hard drive or a memory stick. We could narrow it down pretty closely if you could give us one of the error messages you see on the blue screen when it crashes. Maybe take a photo of the screen and attach it here?


----------



## Squashman (Apr 4, 2003)

Going to need to see the mini dump file.


----------



## DoubleHelix (Dec 10, 2004)

It's entirely possible that one of the files or programs you illegally downloaded included a corrupt file or damaged a system file.

I suggest you format and reinstall Windows and then only install *legal* software and pick a single security application.

There's really no point in having a dozen security applications installed when you've already allowed potentially nefarious software to be downloaded and installed. It's like adding a dozen locks, deadbolts, and alarms to your front door *after* you've invited the robber into your home for tea and crumpets.


----------



## Squashman (Apr 4, 2003)

DoubleHelix said:


> It's entirely possible that one of the files or programs you illegally downloaded included a corrupt file or damaged a system file.


After this many days of working on the problem I would agree. Would have been quicker to just wipe the drive and reinstall Windows.


----------



## Robert the Bruce (Aug 16, 2006)

Wipe the drive and reinstall Windows ? And who pays for that ? I can't afford it.
Anyway, Glaswegian. Here's what happened. I tried to download and install Seagate but there was a 'fatal error' during installation. I was told that I need something called .net v4.0. So I tried to download .net v4.0. but first Zone Alarm checked the file but couldn't verify it straight away. I clicked the advanced button and only then did it verify that the file was OK. I then proceeded to download .net v4.0. This also failed. I was told to go to Microsoft to update. After Microsoft checked for updates a message appeared which said something like 'Microsoft cannot display this page.' I went back and tried again with .net v4.0, this time Zone Alarm detected something 'fishy' about the file i.e. red. I tried again and this time Zone Alarm verified that the file was OK after an advanced check. I then tried .net v4.0 once more. This time it fully installed. When I closed all the pages I noticed that the Seagate installation window was there. So I clicked install and Seagate seemed to install OK.
I ran Seagate and a window with the message 'SCSI - Scanning for support drives. Please wait.......' appeared. I waited for over two hours and there was no change. I clicked on my Taskbar (after 2 hours and 10 minutes) and then task manager and the window was empty. It looked as though nothing was running. It seemed that Seagate had frozen or was locked or something. I clicked Start - Turn off Computer and was about to click restart when I noticed that Microsoft wanted to install updates and that if I clicked 'Turn off Computer' the updates would install before shutting down my computer. So I clicked on 'Turn off Computer' and the updates began to install. After 10 minutes I turned my computer on and after start-up I was met with a 'This Computer Has Recovered From A Serious Error' message.
Anyway, did I allow Seagate enough time or not ?


----------



## Robert the Bruce (Aug 16, 2006)

I uninstalled SeaTools, restarted my computer and re-installed SeaTools. I ran/opened the program at 5.25p.m, it's now 6 minutes past 8 and still it says 'SCSI:Scanning for supported drives. Please wait......'
Why do I get the feeling that this program isn't working properly ? Or is it ? Please help.


----------



## Glaswegian (Dec 5, 2004)

I'm not a Hardware expert I'm afraid but it does sound as though SeaTools was doing a full scan rather than the *Short Drive Self Test*. The full scan will likely take several hours but it will tell us if there are any problems with the drive. Is there any indicator of how much of the scan has been completed? I don't have any Seagate drives but these programmes often have some kind of visual indicator that should tell you how far they have gone or how much is left to do.

I have to agree with other opinions here - it does sound hardware (drive or memory) related.


----------



## Robert the Bruce (Aug 16, 2006)

No indication of how long it would take. I will leave it running for as long as I can tomorrow.


----------



## Robert the Bruce (Aug 16, 2006)

Cheeseball81 said:


> I think it's best we dig deeper then.
> 
> Please download *DDS* by sUBs to your desktop from one of the following locations:
> 
> ...


Just looking back here. Maybe I should do all this again because of the reasons following: I did not disable Script Blocker because I don't know what a Script Blocker is, don't know if I have one and wouldn't know how to disable it if I have. Please advise.
Also, I do not know what a CD Emulation program is, don't know if I have one and wouldn't know how to uninstall it if I have. Please advise.
Also, I can't remember if I followed the instructions to the letter i.e. the part about what to do if the tool warns of rootkit activity and the part about how to post the results i.e. 1 as an attachment and 2 using copy & paste. I just don't remember.
I would like to do this methodically and correct if I didn't before. But I can understand if you and Glaswegian just want out of this one. Please let me know.


----------



## Robert the Bruce (Aug 16, 2006)

DoubleHelix said:


> It's entirely possible that one of the files or programs you illegally downloaded included a corrupt file or damaged a system file.
> 
> I suggest you format and reinstall Windows and then only install *legal* software and pick a single security application.
> 
> There's really no point in having a dozen security applications installed when you've already allowed potentially nefarious software to be downloaded and installed. It's like adding a dozen locks, deadbolts, and alarms to your front door *after* you've invited the robber into your home for tea and crumpets.


I'm well aware of that. It's just that I thought my computer HAD been cleaned.


----------



## Glaswegian (Dec 5, 2004)

Hi

There was no evidence of any rootkit (ComboFix did not spot anything) but we can always double check.

Please download *TDSSKiller.zip* and extract TDSSKiller.exe to your *desktop*.

Execute TDSSKiller.exe by doubleclicking on it. Press *Start Scan*.

If Malicious objects are found, ensure *Cure* is selected (it should be by default)

Click *Continue* then click *Reboot now*

Once complete, a log will be produced at the root drive which is typically C:\

For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt.

Please attach that log.


----------



## dvk01 (Dec 14, 2002)

In view of some of your remarks here before we go any further

Please run the MGA Diagnostic Tool and post back the report it creates:
Download *MGADiag* to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.


----------



## Robert the Bruce (Aug 16, 2006)

Glaswegian said:


> Hi
> 
> There was no evidence of any rootkit (ComboFix did not spot anything) but we can always double check.
> 
> ...


----------



## Robert the Bruce (Aug 16, 2006)

Perhaps I should point out that there was no cure button. Only Skip, Quarantine and Delete. I chose quarantine. Although Akamai is supposed to be OK, is it not ?


----------



## Robert the Bruce (Aug 16, 2006)

dvk01 said:


> In view of some of your remarks here before we go any further
> 
> Please run the MGA Diagnostic Tool and post back the report it creates:
> Download *MGADiag* to your desktop.
> ...


I clicked 'Copy' and nothing happened after that.


----------



## Robert the Bruce (Aug 16, 2006)

Robert the Bruce said:


> I clicked 'Copy' and nothing happened after that.


I've tried it many times now. After clicking 'Copy' nothing happens. I can't copy and paste anything from it either.


----------



## dvk01 (Dec 14, 2002)

nothing will appear to happen but it should be copying it
either open a notepad file & paste it to notepad, then attach the notepad file here or just come back here & paste the information that has been saved to your clipboard.
It doesn't do anything that you can see. It doesn't pop up a text file or anything


----------



## Robert the Bruce (Aug 16, 2006)

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-VCVBM-KBG6D-C38RW
Windows Product Key Hash: nnGxeWz7BLSaBm6u+pC7HMoh9Nw=
Windows Product ID: 76477-OEM-2169037-58091
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {9B466E13-9F11-404B-AFFA-A42D46E3D332}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{9B466E13-9F11-404B-AFFA-A42D46E3D332}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-C38RW</PKey><PID>76477-OEM-2169037-58091</PID><PIDType>3</PIDType><SID>S-1-5-21-1409082233-861567501-725345543</SID><SYSTEM><Manufacturer>ECS</Manufacturer><Model>GeForce6100PM-M2</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>080015 </Version><SMBIOSVersion major="2" minor="6"/><Date>20091009000000.000000+000</Date></BIOS><HWID>F4683B5701848074</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1B367:Elitegroup Computer Systems Co Ltd
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A


----------



## Robert the Bruce (Aug 16, 2006)

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.15.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Rowe :: ROWE-B1115B646A [administrator]

Protection: Disabled

15/05/2012 14:19:19
mbam-log-2012-05-15 (14-19-19).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 294267
Time elapsed: 44 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Could someone please have a look at this. This is the log of a MBAM scan completed at 3p.m. today. It says 'Protection Disabled.' Could someone explain that and also the 'Scan Options Disabled - P2P.' I mean, I didn't disable it so what is the meaning of this ? Please help.


----------



## valis (Sep 24, 2004)

let's wait for dvk01 to get back to you regarding the results of the MGA file first, before anything else gets posted......

thanks, 

v


----------



## dvk01 (Dec 14, 2002)

MGA result looks OK 

MBAM is OK 

All it means is that you have the free version & the disabled parts are only available in the Pro ( paid for ) version


----------



## Robert the Bruce (Aug 16, 2006)

I see, OK. Umm, so what now. Computer seems to be working OK................at the moment.


----------



## dvk01 (Dec 14, 2002)

If everything is OK then mark it as solved after you thank Glaswegian for all the hard work & effort he has put in to helping you


----------



## Robert the Bruce (Aug 16, 2006)

dvk01 said:


> If everything is OK then mark it as solved after you thank Glaswegian for all the hard work & effort he has put in to helping you


OK, I'll mark it as solved although I'm not sure that it is. There are many many unanswered questions, just follow the thread and you'll see. Of course I thank Glaswegian (and anyone else who helped me) for all his work and I truly appreciate that. But listen, I don't need you to TELL me to thank anyone. I can do that on my own. Cheers. And thanks again.


----------



## Glaswegian (Dec 5, 2004)

Hi

The file quarantined is legit but not vital. You can see some potential uses for it here

http://www.werockyourweb.com/forums/what-is-akamai-netsession-client-netsession-win-exe

Other than that no signs of any rootkit.

If you have not done so already, then you should back up all important files, either to a CD/DVD or external drive or whatever suits. I still think you may have some hard drive problems that could return in the future. Best to be prepared.

If there are no more questions I'll let you go. Good luck with the job hunting - it cannot be easy at this time.


----------



## Robert the Bruce (Aug 16, 2006)

No it certainly isn't. I guess I'll just have to wait on future computer problems cropping up at some point. Don't understand though, why it can't be fixed. I guess it's just an old computer.


----------



## LauraMJ (Mar 18, 2004)

Robert the Bruce said:


> Computer seems to be working OK..





Robert the Bruce said:


> Don't understand though, why it can't be fixed.


----------



## Robert the Bruce (Aug 16, 2006)

LauraMJ said:


>


The problem seemed to be fixed and then it returned. Things were fine for a day or two. Couldn't you have worked that one out ?
Glaswegian, strange thing happened. Just after I finished typing out and posting my previous message I visited a Wallpaper site via My Favourites. Instantly after clicking the web-link in My Favourites the BSOD appeared. It was only there for a second and so I couldn't read anything before the screen went blank except something like BALL POOL, I know it wasn't exactly that but it was something like it.
Also, when the computer came back on it went straight into a Check-Verification-Recovery thingy. I may even have got that bit wrong.
While it was doing its thing I managed to write down some info which I hope can shed some light on this problem, if not then so be it.
'Deleting Index Entry Twitte01-pngIN Index$I30 0 file 8149 Index verification completed CHKDSK is recovering lost files.
Recovering Orphaned File TWITTE-1.Png 11649 into Directory File 8149.'

Now, there may be one or two errors in there but I was in a hurry to write it all down before the computer rebooted.
Also, when it rebooted there was the usual Error Report - 'C:/Docume~1/Rowe/Locals~1/Temp/WEROc25.dir00/miniOS1612-01-dmp.'
And;
'C:/Docume~1/Rowe/Locals~1/Temp/WEROc25.dir00/Sysdata.xml'
If you could please have a look at this and tell me what you make of it.


----------



## LauraMJ (Mar 18, 2004)

Robert the Bruce said:


> The problem seemed to be fixed and then it returned. Things were fine for a day or two. Couldn't you have worked that one out ?


Please point out where, between post 196 and post 200, which is where those two quotes _of yours_ were taken from, you explain that a problem has returned.

And I suggest you do so in a much more polite manner than what I've just quoted from your most recent post.


----------



## Robert the Bruce (Aug 16, 2006)

LauraMJ said:


> Please point out where, between post 196 and post 200, which is where those two quotes _of yours_ were taken from, you explain that a problem has returned.
> 
> And I suggest you do so in a much more polite manner than what I've just quoted from your most recent post.


Just read the posts and you'll see.


----------



## LauraMJ (Mar 18, 2004)

Robert the Bruce said:


> Just read the posts and you'll see.


Just for your own reference, here are all those posts (196 - 200). Please show me where in these posts below that you explain there is another problem. 


Robert the Bruce said:


> I see, OK. Umm, so what now. Computer seems to be working OK................at the moment.





dvk01 said:


> If everything is OK then mark it as solved after you thank Glaswegian for all the hard work & effort he has put in to helping you





Robert the Bruce said:


> OK, I'll mark it as solved although I'm not sure that it is. There are many many unanswered questions, just follow the thread and you'll see. Of course I thank Glaswegian (and anyone else who helped me) for all his work and I truly appreciate that. But listen, I don't need you to TELL me to thank anyone. I can do that on my own. Cheers. And thanks again.





Glaswegian said:


> Hi
> 
> The file quarantined is legit but not vital. You can see some potential uses for it here
> 
> ...





Robert the Bruce said:


> No it certainly isn't. I guess I'll just have to wait on future computer problems cropping up at some point. Don't understand though, why it can't be fixed. I guess it's just an old computer.


----------



## Robert the Bruce (Aug 16, 2006)

Read post #198.


----------



## LauraMJ (Mar 18, 2004)

Since you haven't specified, I'm going to assume you are referring to this?


> here are many many unanswered questions


If so, this in no way discusses a returning problem. This indicates that you have past questions, which could be about anything at all in this thread. You've asked questions about programs you already had on your computer, programs you've been asked to download, you've asked about how malware affects your computer, you've asked about MANY things. None of us here have any idea what "questions" you are currently referring to. Regardless......nothing about that sentence indicates you have a specific problem that has returned during the time between those posts of yours that I originally referenced. You merely say you have "some unanswered questions." You say you are not sure that it is solved, even though you had just said it was working okay......and you give no reason why you feel it is not solved.

You point out a new problem ONLY AFTER I questioned those posts.

So your snide insinuation that I was too stupid to have figured it out on my own is highly inappropriate and your continued refusal to give clarification or apologize for your rudeness when I expressed confusion to _your own statements_ leads me to believe you are simply enjoying the attention you are getting from our malware experts and you just don't want to let go of that attention. In light of the fact that I cannot get you to answer me in an appropriate manner, this thread is now closed.

If you do indeed have a NEW problem regarding a BSOD, you may post that in the forum that matches your operating system. Be aware, however, that you have brought attention on yourself by your disrespect and rudeness in this thread, so I suggest you take your time and make any future posts in a civil and polite manner.


----------

