Avast WEBforum

Other => Viruses and worms => Topic started by: ahullsb on August 23, 2008, 01:49:07 AM

Title: My mom's computer is infected. Help please?
Post by: ahullsb on August 23, 2008, 01:49:07 AM
She pulled a no-no and clicked on spyware that appeared on her desktop....:( Now it has hijacked the desktop. Avast found a few viruses, one or two of which it could not move or delete, so I was forced to ignore them. Here is what I found from Kaspersky's scan. Can anyone advise me on what I should do? Thank you in advance. I can post a HijackThis log as well if it will help.

Friday, August 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 18:44:27
Records in database: 1124860
Scan settings
Scan using the following database    extended
Scan archives    yes
Scan mail databases    yes
Scan area    My Computer
C:\
D:\
E:\
Scan statistics
Files scanned    84642
Threat name    2
Infected objects    3
Suspicious objects    0
Duration of the scan    01:24:29

File name    Threat name    Threats count
C:\Program Files\AOL Toolbar\temp.000   Infected: not-a-virus:AdWare.Win32.SearchIt.t   1   
C:\Program Files\AOL Toolbar\~GLH0004.TMP   Infected: not-a-virus:AdWare.Win32.SearchIt.t   1   
C:\Program Files\Magentic\bin\magentic_install.exe   Infected: not-a-virus:Downloader.Win32.ImLoader.f   1   
The selected area was scanned.
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on August 23, 2008, 01:57:36 AM
Well as much as I dislike AOHell I would doubt that their toolbar would be considered adware, but it is unlikely that it had anything to do with the previous avast detection.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

What was the reason it couldn't be moved, e.g. what error message was displayed (commonly this file is in use)?

If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php (http://www.digitalred.com/avast-boot-time.php).
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 23, 2008, 02:19:41 AM
Haha, I hate aol too. I can't convince her that it sucks. Should I try harder? I did run a boot scan when I initially installed it. It caught two things, two others it could not move or delete. I will see if I can find them now. All I see in the logs are the following: error log and warning log. The computer froze last night about 75 percent through. I am running the scan again.

Here is the error log

10/3/2006 12:18:26 AM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005. 
10/3/2006 4:18:33 AM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005. 
10/3/2006 8:18:36 AM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005. 
10/3/2006 12:18:39 PM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005. 
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 23, 2008, 02:21:58 AM
Here is the warning log. I should have written them down I know, but by the time I realized it wasn't going to fix them I had hit ignore and the scan moved on...Any other programs I should try and download or run online?

10/3/2006 12:18:26 AM   SYSTEM   1952   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\EntApi.dll (C:\WINDOWS\system32\EntApi.dll) returning error, 00000005.  
10/3/2006 12:50:41 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/3/2006 12:50:41 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/3/2006 4:18:33 AM   SYSTEM   1952   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\EntApi.dll (C:\WINDOWS\system32\EntApi.dll) returning error, 00000005.  
10/3/2006 4:56:44 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/3/2006 4:56:44 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/3/2006 8:18:36 AM   SYSTEM   1952   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\EntApi.dll (C:\WINDOWS\system32\EntApi.dll) returning error, 00000005.  
10/3/2006 9:02:48 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/3/2006 9:02:48 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/3/2006 12:18:39 PM   SYSTEM   1952   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\EntApi.dll (C:\WINDOWS\system32\EntApi.dll) returning error, 00000005.  
10/3/2006 1:08:51 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/3/2006 1:08:51 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/3/2006 5:14:54 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/3/2006 5:14:54 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/3/2006 9:20:58 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/3/2006 9:20:58 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/4/2006 1:27:02 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/4/2006 1:27:02 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/4/2006 5:33:05 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/4/2006 5:33:05 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/4/2006 9:39:08 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/4/2006 9:39:08 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/4/2006 1:45:11 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/4/2006 1:45:11 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/4/2006 5:51:15 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/4/2006 5:51:15 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/4/2006 9:57:18 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/4/2006 9:57:18 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/5/2006 2:03:21 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/5/2006 2:03:21 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/5/2006 6:09:24 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/5/2006 6:09:24 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/5/2006 10:15:27 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/5/2006 10:15:27 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/5/2006 2:21:31 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/5/2006 2:21:31 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/5/2006 6:27:34 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/5/2006 6:27:34 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/5/2006 10:34:19 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/5/2006 10:34:19 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/6/2006 2:40:22 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/6/2006 2:40:22 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/6/2006 6:46:25 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/6/2006 6:46:25 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/6/2006 10:52:29 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/6/2006 10:52:29 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/6/2006 2:58:32 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/6/2006 2:58:32 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/6/2006 7:04:35 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/6/2006 7:04:35 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/6/2006 11:10:38 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/6/2006 11:10:38 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/7/2006 3:16:41 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/7/2006 3:16:41 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/7/2006 7:22:46 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/7/2006 7:22:46 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/7/2006 11:28:49 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/7/2006 11:28:49 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/7/2006 3:34:52 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/7/2006 3:34:52 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/7/2006 7:40:55 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/7/2006 7:40:55 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/7/2006 11:46:58 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
 
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 23, 2008, 02:22:44 AM
(continued)

10/7/2006 11:46:58 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/8/2006 3:53:01 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/8/2006 3:53:01 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/8/2006 7:59:05 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/8/2006 7:59:05 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/8/2006 12:05:10 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/8/2006 12:05:10 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/8/2006 4:11:13 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/8/2006 4:11:13 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/8/2006 8:17:03 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/8/2006 8:17:03 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/9/2006 12:23:07 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/9/2006 12:23:07 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/9/2006 4:29:10 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/9/2006 4:29:10 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/9/2006 8:35:14 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/9/2006 8:35:14 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/9/2006 12:41:17 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/9/2006 12:41:17 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
10/9/2006 4:47:20 PM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000. 
10/9/2006 4:47:20 PM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs. 
8/21/2008 9:03:21 PM   SYSTEM   1088   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\lphcp46j0ele5.exe" file. 
8/21/2008 10:33:36 PM   Vicki Hull   2596   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP151\A0027691.exe" file.
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 23, 2008, 03:02:19 AM
Yes, our British friends may be in bed.
If they are lurking they may chime in.

first download and run Malwarebytes' Anti-Malware (free) and RogueRemover
post the logs

then let's fix your AV

- In windows\system32, or anywhere else, see if you have the file entapi.dll.  When you find it, right-click on it and click on Properties.  Review the information there. Is the file from or for McAfee?

If you ever have had McAfee on this machine remove with add remove programs then the McAfee removal tool
see here
http://www.pchell.com/virus/uninstallmcafee.shtml
then go to the bottom of the page and uninstall any other AV you have ever had
then go here
http://www.pchell.com/virus/uninstallantivir.shtml
start in the middle of the page
here
What if Windows Security Center Shows AntiVir or other multiple Antivirus products installed

One quirk with AV causes it to still show up in the Windows Security Center even when it's been uninstalled properly. If this is the case, please refer to this article to resolve it.

http://www.pchell.com/support/multiple_antivirus_in_security_center.shtml

THEN
run the Antivir registry cleaner
follow the instructions
when reinstalling avast schedule a boot time scan and report the results
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on August 23, 2008, 03:13:38 AM
Besides, these initial errors are very old, dating to 2006, and really not worth chasing as there have been many updates since then.

Well the 00000005 (windows file system error 5) is access denied and this can be for legitimate reasons as well as malware being protected. So when you see those errors google the file name that the error is for, this should give you a good idea what application the file is associated with and if the access denied is reasonable.

Also when you get these errors you could schedule a boot-time scan (as mentioned previously) where it is less likely that access would be denied as windows won't be running, this should allow avast to scan the file.

The EntApi.dll file would appear to be a part of McAfee Virus Scan so a) it would be reasonable that it is protected, b) however this shows that there is another AV installed or remnants on your Mom's system and this can cause conflicts.

Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable. However, as I said these errors are dated 2006 so may no longer be an issue if McAfee has been removed as there have been no further errors relating to this since 2006.

So I don't know if this is the cause of many of these errors, certainly the 'Function setifaceUpdatePackages() has failed' errors.

Ensure that McAfee has been uninstalled and also run the uninstall tool, I have supplied more information as I have no idea what version she might have had.
McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe (http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe)
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe (http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe)
Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525 (http://ts.mcafeehelp.com/faq3.asp?docid=71525)

####
8/21/2008 9:03:21 PM   SYSTEM   1088   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\lphcp46j0ele5.exe" file.
8/21/2008 10:33:36 PM   Vicki Hull   2596   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP151\A0027691.exe" file.

These seem valid detections and the only recent ones 21/8/2008, but the main thing is what action did your Mom choose on the detection, Move to chest, Delete, etc. ?

Just about to go to bed ;D
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 23, 2008, 09:03:42 PM
I am heading to her house now and will follow all the steps you two suggested. I know she had McAfee a long time ago, I didn't realize there was still stuff left over. I will post the logs as soon as I get them. To answer the last question, she and I have both followed Avast's suggestions to move the files to the vault. Two of them could not be moved or deleted in the boot scan and were forced to be ignored. She still has some fake windows security alert message that is locked on her desktop. I will post as soon as I get some logs.

On another note, my own computer runs Vista and I just came across a thread stating that to install and uninstall applications properly I would have to right click the .exe file and select "run as administrator?" Does anyone have more info about whether this really is necessary or not? I have never done that once in the year and a half that I've used Vista.
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 23, 2008, 10:22:40 PM
I'm running the anti malware right now. Rogue remover found nothing. Maybe I'm missing something but I don't see a log anywhere to post for rogue remover. Is there one?
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 23, 2008, 11:21:58 PM
Here is my mom's mbam log. Should I remove selected or wait for further instruction?

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

2:21:01 PM 8/23/2008
mbam-log-08-23-2008 (14-20-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 137109
Time elapsed: 59 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelNE.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelQC.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelqx.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSlnchr.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelUpdate.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\WiseInstallUtility.dll (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> No action taken.
C:\WINDOWS\SYSTEM32\blphcp46j0ele5.scr (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\SYSTEM32\phcp46j0ele5.bmp (Trojan.FakeAlert) -> No action taken.
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 23, 2008, 11:24:06 PM
- In windows\system32, or anywhere else, see if you have the file entapi.dll.  When you find it, right-click on it and click on Properties.  Review the information there. Is the file from or for McAfee?

This file was nowhere to be found. I searched for it as well. I will use the removal tool as you suggested.
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 23, 2008, 11:44:25 PM
Hi
yes REMOVE with MBAM it will create a backup/quarantine
That RR did not find anything is good
That old McAfee hit was somewhere in your error log or ???
anyway McAfee, even when old, can cause major interference so do the whole 9 yards removal thing
If the Antivir reg tool finds anything the McAfee removal tool missed let me know

Do not worry about files in Chest or Quarantine
as you noticed Kaspersky does not remove anything but does tell where to look:)

Is that fake message still there?
if it's gone run CCleaner
Defrag
set a new restore point
If not gone
Or if you wish to double check run a different online scan and Super Anti Spyware first


On your vista question- I'd post separately in the Avast 4 forum
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 24, 2008, 12:29:01 AM
Well my mom had leftovers of all kinds of AVs. Specifically, Norton, McAfee and AVG...Norton is the only one whose removal tool worked so far. McAfee's seemed to freeze. I restarted, and tried to run the program again, and it tells me it is still running. ??? I followed the steps for AVG, erased all of the program files etc. To be sure I followed the steps in the link to download the latest version of AVG, and that there would be an option to uninstall. I don't see that option anywhere. I felt like I had made it to the last step and was about to install it. Which I do not want to do. Any advice? I am about to uninstall Avast in the hopes that I will be ready for a clean install soon. Is there any sort of log I could post for someone to tell whether all the other AVs are still lurking somewhere?
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 24, 2008, 12:34:50 AM
Ya the McAfee cleanup tool is a POS. I've restarted the computer like three times. When I try and run it, I get: Clean up failed. Clean up is already running. It's been over an hour, I'm doubting it could take that long to run...

The good news is that malwarebytes got the hijack desktop stuff off successfully. Once I figure out the proper way to clean up her antivirus stuff I think she will be back in business!
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on August 24, 2008, 12:43:44 AM
Don't know which McAfee tool you used as I gave lots of options before:

The last one I gave previously (see below) might be more relevant if your Mom had the Internet Security Suite.

Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525 (http://ts.mcafeehelp.com/faq3.asp?docid=71525)

For AVG Remover, download tool from here, http://www.grisoft.com/ww.download-tools (http://www.grisoft.com/ww.download-tools) there is a 32bit and 64 bit windows version, ensure you use the correct one.
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 24, 2008, 12:49:38 AM
NORTON MCAFEE AND AVG  lucky her computer could connect or ran at all !
Thanks DavidR you beat me to it !!!

Really glad you got MBAM to work
You can always try the McAfee tool(s) in safe mode
Do Run the AVG tool that DavidR linked to
Do run the Antivir registry cleaner and let me know what it finds that the removal tools missed :)

After you get her back up
CCleaner
Defrag
New Restore Point

I'd suggest Spyware Blaster by Javacool
a Hosts file
and either Windows Defender or SpywareTerminator (without the toolbar) for some free real-time protection for mom
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 24, 2008, 12:52:36 AM
Thank you for the link. I am trying it now. I was using pchell's site and used the mcafee tool they listed there. It seems to have locked or frozen on the system and claims to be running...indefinitely. But PCHell also said there was no AVG removal tool, so go figure. I am running avg's now. So hopefully the only one left to remove is McAfee.
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 24, 2008, 12:58:15 AM
NORTON MCAFEE AND AVG  lucky her computer could connect or ran at all !
Thanks DavidR you beat me to it !!!

Really glad you got MBAM to work
You can always try the McAfee tool(s) in safe mode
Do Run the AVG tool that DavidR linked to
Do run the Antivir registry cleaner and let me know what it finds that the removal tools missed :)

After you get her back up
CCleaner
Defrag
New Restore Point

Sorry I posted before I saw this. I did run the AVG tool. By McAfee tool in safe mode you mean to boot the computer in safe mode? I have not run the antivirus reg cleaner yet but I will do it now. I was hoping the McAfee removal tool was going to work first

I'd suggest Spyware Blaster by Javacool
a Hosts file
and either Windows Defender or SpywareTerminator (without the toolbar) for some free real-time protection for mom
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 24, 2008, 01:03:08 AM
Is the AntiVir reg cleaner for Avira? As far as I know she never ran that. Is that why I am running the removal tool or will it fix the rest of my registry problems? And sorry about my above post. The question is in there somewhere...
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on August 24, 2008, 02:06:12 AM
It also looks for other AVs registry entries.
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 24, 2008, 03:36:33 AM
The Major Geeks piece was written before the AVG tool was released in July this year
David is correct about the AntiVir tool- it's safer than a general registry cleaner and is tweaked for AV
As David says there are several McAfee tools
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 24, 2008, 04:06:01 AM
Okay I just ran the program and followed the steps. About 10 items appeared and I checked all and tried to delete/remove them but got a red X error in German...:) I have no idea what it said but it wouldn't do anything.
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 24, 2008, 04:50:27 AM
no idea without going to the Antivir forum  -not a bad idea with 10 of them
maybe they will be removed upon reboot or something like that
do save the locations and you can go in and remove them by hand
10- who'd a thought :)  whose entries were there (in other words whose tool does not work)

you might go to the MCAFEE site and see if there are other tools there

Add to the to do list
run Secunia software inspector and update all of mom's apps
then run ccleaner again
then do the defrag and a new restore point

other people are asking about that Vista administrator question- did you get an answer yet?

After you get Avast installed, updated and a scan post back and we can talk prevention

you did re-run MBAM quick scan and REMOVED what it found- did I miss that?- not to worry- it will make a backup

when you are all done you could read the sticky about HijackThis and post a scan
DO NOT FIX ANYTHING
we might get some of those old AV entries that way


Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 26, 2008, 02:31:35 AM
These seem valid detections and the only recent ones 21/8/2008, but the main thing is what action did your Mom choose on the detection, Move to chest, Delete, etc. ?

We selected "move to chest on all of them." Are they considered okay or "qt" in the vault or do we need to perform additional steps?

Also what log should I post to determine whether there are leftover remnants of old AV programs? I tried all the removal tools, some worked, some did not. I am a little wary of making manual changes to the registry since I am a novice user. Should I not be as concerned about that as I am?

Once I know her old programs are gone I am ready to uninstall/ reinstall avast, along with the rest of her spyware/malware programs. Thanks in advance!
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 26, 2008, 02:38:09 AM
I tried using the antivir removal tool and got that message in German. Here is the reply I got from Avira's support forum:

Hello,

The Avira Registry cleaner isn't used for this purpose, it's to correct uninstallation problems. The message you got was "Error when deleting one or more keys".

AntiVir Personal - Free doesn't have spyware protection, so in this case I suggest running a dedicated AntiSpyware product such as SuperAntiSpyware or Malware Bytes AntiMalware (both freeware).

Cheers,

Steve
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 26, 2008, 03:09:43 AM
Upon further inspection I noticed that the only entries that the AntiVir reg cleaner found were Avast entries, which is currently installed on the machine. Can anyone advise me on how to proceed? I suppose I need to know for sure whether the old AVs are gone, uninstall and reinstall Avast, and then an array of anti spyware/malware programs, correct?
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 26, 2008, 06:09:56 AM
I would think that if the only entries were avast entries and there were no others then you are good to go

so let's recap

Did you update avast and run a boot-time scan? Anything to send to the chest?
anything currently in the chest (not counting 3 system backup files?)
what are they? can you post a log?
leave them in the chest for now

back on track


Add to the to do list
run Secunia Software Inspector and update all of mom's apps
then run ccleaner again
then do the defrag and a new restore point

other people are asking about that Vista administrator question- did you get an answer yet?

After you get Avast installed, updated and a scan post back and we can talk prevention

you did re-run the MBAM quick scan and REMOVED what it found? Did I miss that? Not to worry, it will make a backup

when you are all done you could read the sticky about Hijack This and post a scan
DO NOT FIX ANYTHING
we might get some of those old AV entries that way



Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 26, 2008, 09:41:06 PM
Okay. Nothing showed up this time in the boot scan. When we ran avast it seemed to pick up a lot of things. Here is the warning log. It also left a window open showing 700 lines that could not be scanned. They are supposed to be archived files that are password protected. Is this normal? I know my mom would not intentionally password protect anything. I'm not sure what archived files are actually.

8/25/2008 8:45:11 PM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\ccu_suite\4.3.38.1\ccu_suite_4.3.38.1\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/25/2008 9:06:28 PM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4172\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 12:14:43 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4227\comps\acs\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 12:15:33 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.1\comps\acs\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 12:50:43 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1009\A0235832.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 12:59:13 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1053\A0248685.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:04:53 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1078\A0258348.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:07:29 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1082\A0258783.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:07:56 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032797.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:07:58 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032798.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:08:03 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032799.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:08:07 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032800.exe\$R1\$PLUGINSDIR\utility.dll" file. 
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on August 26, 2008, 10:12:21 PM
See this topic (http://forum.avast.com/index.php?topic=35347.msg297170#msg297170) for more information on why files can't be scanned.

From your log:
I suspect this may be a false positive on the utility.dll file, which is inside this file "C:\Documents and Settings\All Users\Application Data\AOL Downloads\ccu_suite\4.3.38.1\ccu_suite_4.3.38.1\ecuinst.exe"

Don't worry about those in the C:\System Volume Information\_restore points for the time being; these have previously been removed from system folders and System Restore has saved them in a restore point.

"C:\Documents and Settings\All Users\Application Data\AOL Downloads\ccu_suite\4.3.38.1\ccu_suite_4.3.38.1\ecuinst.exe"

Check the offending/suspect file above, at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

What is this CCU_Suite from AOHell that is causing this issue ?
When I see or hear Suite I think security and that means anti-virus, etc. which could mean virus signature files which could be detected by other AVs.
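The triage DavidR does by eye above (the hit is on utility.dll packed inside the ecuinst.exe installers, so ecuinst.exe is the file to check; the copies under System Volume Information are restore-point remnants) can be done mechanically over the Warning log. This is an added example, not code from the thread or from avast: it parses lines in the layout shown above from a constructed sample (generic user name; the final plain-file path is illustrative and not from this thread), and treats the first `$`-prefixed path component as the start of an NSIS installer member, an assumption tailored to the `$R1\$PLUGINSDIR` paths in this log.

```python
"""Triage avast Warning-log lines: which on-disk file actually carries the hit?

Added example for this thread, not code from the forum posts or from avast.
The sample is constructed in the layout of the Warning section quoted above
(date, user, PID, Sign of ... has been found in ... file.); the user name is
generic and the last line, a plain non-archive hit, is not from the thread.
"""
import re

SAMPLE_LOG = (
    '8/25/2008 8:45:11 PM\tuser\t3496\tSign of "Win32:Trojan-gen {Other}" has been found in '
    '"C:\\Documents and Settings\\All Users\\Application Data\\AOL Downloads'
    '\\ccu_suite\\4.3.38.1\\ccu_suite_4.3.38.1\\ecuinst.exe\\$R1\\$PLUGINSDIR\\utility.dll" file.\n'
    '8/26/2008 12:14:43 AM\tuser\t3496\tSign of "Win32:Trojan-gen {Other}" has been found in '
    '"C:\\Documents and Settings\\All Users\\Application Data\\AOL Downloads'
    '\\SUD4227\\comps\\acs\\ecuinst.exe\\$R1\\$PLUGINSDIR\\utility.dll" file.\n'
    '8/26/2008 12:50:43 AM\tuser\t3496\tSign of "Win32:Trojan-gen {Other}" has been found in '
    '"C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}'
    '\\RP1009\\A0235832.exe\\$R1\\$PLUGINSDIR\\utility.dll" file.\n'
    '8/26/2008 1:07:56 AM\tuser\t3496\tSign of "Win32:Trojan-gen {Other}" has been found in '
    '"C:\\System Volume Information\\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}'
    '\\RP158\\A0032797.exe\\$R1\\$PLUGINSDIR\\utility.dll" file.\n'
    # Constructed plain-file hit (not from the thread) to exercise the no-container branch.
    '8/26/2008 1:30:00 AM\tuser\t3496\tSign of "Win32:Trojan-gen {Other}" has been found in '
    '"C:\\Example\\sample.dll" file.\n'
)

# One Warning-section line: date/time, user, PID, signature name, full path.
LINE_RE = re.compile(
    r'^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\t(?P<user>[^\t]*)\t(?P<pid>\d+)\t'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)
# System Restore keeps deleted/changed files under _restore{GUID}\RPnnn\.
RESTORE_RE = re.compile(
    r'^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\'
)


def split_container(path):
    """Split <container on disk>\\$...\\<member> into its two halves.

    Assumption: avast appends archive members after the archive name, and the
    NSIS installers here name their members $R1, $PLUGINSDIR, ... so the first
    component starting with '$' marks where the on-disk file ends.
    """
    parts = path.split('\\')
    for i, part in enumerate(parts):
        if part.startswith('$'):
            return '\\'.join(parts[:i]), '\\'.join(parts[i:])
    return path, None


def parse_line(line):
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['container'], rec['member'] = split_container(rec['path'])
    rec['in_restore_point'] = RESTORE_RE.match(rec['path']) is not None
    return rec


def triage(log_text):
    """Group hits: on-disk containers to check on VirusTotal vs restore-point copies."""
    on_disk, restore_point, signatures = {}, [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        signatures.add(rec['sig'])
        if rec['in_restore_point']:
            restore_point.append(rec['container'])
        else:
            on_disk.setdefault(rec['container'], set()).add(rec['member'] or '<file itself>')
    return {'on_disk': on_disk, 'restore_point': restore_point, 'signatures': signatures}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print('Signatures:', ', '.join(sorted(result['signatures'])))
    print('On-disk containers to check (one VirusTotal upload each):')
    for container, members in sorted(result['on_disk'].items()):
        print('  ' + container)
        for member in sorted(members):
            print('      -> ' + member)
    print('Restore-point copies (leave for now, clear via System Restore later):',
          len(result['restore_point']))
```

Each distinct on-disk container is one upload; the four ecuinst.exe copies in the real log collapse to the same installer under different AOL download folders, and the eight restore-point hits need no action until the cleanup is done and old restore points are purged.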
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 27, 2008, 12:39:29 AM
This is what it came up with. Is this what you were looking for?

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.8.21.0   2008.08.26   -
AntiVir   7.8.1.23   2008.08.26   -
Authentium   5.1.0.4   2008.08.26   -
Avast   4.8.1195.0   2008.08.26   -
AVG   8.0.0.161   2008.08.26   -
BitDefender   7.2   2008.08.26   -
CAT-QuickHeal   9.50   2008.08.26   -
ClamAV   0.93.1   2008.08.26   -
DrWeb   4.44.0.09170   2008.08.26   -
eSafe   7.0.17.0   2008.08.26   -
eTrust-Vet   31.6.6050   2008.08.26   -
Ewido   4.0   2008.08.26   -
F-Prot   4.4.4.56   2008.08.26   -
F-Secure   7.60.13501.0   2008.08.26   -
Fortinet   3.14.0.0   2008.08.26   -
GData   19   2008.08.27   -
Ikarus   T3.1.1.34.0   2008.08.26   -
K7AntiVirus   7.10.428   2008.08.25   -
Kaspersky   7.0.0.125   2008.08.27   -
McAfee   5370   2008.08.26   -
Microsoft   1.3807   2008.08.25   -
NOD32v2   3390   2008.08.26   -
Norman   5.80.02   2008.08.26   -
Panda   9.0.0.4   2008.08.26   -
PCTools   4.4.2.0   2008.08.26   -
Prevx1   V2   2008.08.27   -
Rising   20.59.11.00   2008.08.26   -
Sophos   4.32.0   2008.08.26   -
Sunbelt   3.1.1582.1   2008.08.26   -
Symantec   10   2008.08.27   -
TheHacker   6.3.0.6.060   2008.08.23   -
TrendMicro   8.700.0.1004   2008.08.26   -
ViRobot   2008.8.26.1350   2008.08.26   -
VirusBuster   4.5.11.0   2008.08.26   -
Webwasher-Gateway   6.6.2   2008.08.26   -
Additional information
File size: 260040 bytes
MD5...: 05302706faf24ca3ca8d7dbb492da107
SHA1..: 1105c3d6153a6cb126df4889a73279039d7ba1bb
SHA256: 7f0ba876bd18196e3c8e97cf4650d77cfc4e59327df33368a768bb45d3bb4701
SHA512: 0abcdebfa9a554c86c3a0782701cdcca87f7544ffbf91d54cc04c43e1a3b3794
00acb5cf55588c98140b900bf50614a75761b82042fa54cdc795b44b64266876
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403aea
timedatestamp.....: 0x42836681 (Thu May 12 14:21:53 2005)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x648a 0x6600 6.40 95a08a351a308601606d05c5e0caf3be
.rdata 0x8000 0x1c72 0x1e00 5.27 ad3480bbd2b89b35a1007f68da4f66ed
.data 0xa000 0x1c494 0x200 1.29 ac97ebca38d2d8318dca1994bee4b5de
.ndata 0x27000 0xb000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x32000 0x1000 0xa00 3.12 dce22a93b82b0940b758a282e4a50021

( 8 imports )
> COMCTL32.dll: -, ImageList_AddMasked, ImageList_Destroy, ImageList_Create
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
> KERNEL32.dll: FormatMessageA, GetLastError, GetModuleHandleA, SetErrorMode, GetExitCodeProcess, WaitForSingleObject, ExpandEnvironmentStringsA, GetEnvironmentVariableA, lstrcmpiA, CloseHandle, SetFileTime, GetFileAttributesA, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, lstrcatA, SetCurrentDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, LoadLibraryA, CreateDirectoryA, ExitProcess, GetCurrentProcess, CopyFileA, lstrcpynA, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, GetUserDefaultLangID, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, GlobalAlloc, CreateThread, CreateProcessA, GetTempFileNameA, lstrcpyA, lstrlenA, SetEndOfFile, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, GetSystemDirectoryA, RemoveDirectoryA, MulDiv, DeleteFileA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GlobalFree, GetPrivateProfileStringA, WriteFile, ReadFile, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, GetModuleFileNameA
> USER32.dll: PostQuitMessage, SetWindowTextA, SetTimer, DestroyWindow, CreateDialogParamA, ExitWindowsEx, CharNextA, GetSysColor, GetWindowLongA, LoadCursorA, SetCursor, CheckDlgButton, GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcA, IsWindowVisible, LoadBitmapA, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuA, CreatePopupMenu, GetSystemMetrics, EndDialog, SetClassLongA, IsWindowEnabled, SetWindowPos, DialogBoxParamA, GetClassInfoA, CreateWindowExA, SystemParametersInfoA, RegisterClassA, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, wvsprintfA, SetForegroundWindow, ShowWindow, CharPrevA, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, PeekMessageA, DispatchMessageA, InvalidateRect, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SendMessageA
> GDI32.dll: GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SetBkColor, SelectObject
> ADVAPI32.dll: RegDeleteKeyA, RegEnumKeyA, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegCloseKey
> SHELL32.dll: ShellExecuteA, SHBrowseForFolderA, SHGetMalloc, SHGetSpecialFolderLocation, SHFileOperationA, SHGetPathFromIDListA
> ole32.dll: OleUninitialize, OleInitialize, CoCreateInstance

( 0 exports )
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 27, 2008, 01:25:28 AM
great news
system should be running better
as DavidR suggested that was most likely a false positive and now we know it was (unless it was so new that you are the first victim)
so ignore all of those hits
Please  zip and upload the file to virus@avast.com
put a link to your virus total results in the text
If avast will not let you do it then disable avast standard scanner for a moment
then turn it back on

What is this CCU_Suite from AOHell that is causing this issue ?
best search for this and Nuke it

Let's re-run Kaspersky to make sure the hits it found are gone
you could also run a scan with SuperAntiSpyware (quarantine, do not remove/delete)
run the Secunia Software Inspector and get Mom up to date
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on August 27, 2008, 02:20:52 AM
Yes most certainly a false positive.

Since you have the sample in the suspect folder, avast will let you zip and password protect it.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Periodically check it (scan it in the chest, as you can't scan it in an excluded location), there should still be a copy in the chest even if you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 27, 2008, 04:06:27 AM
Thank you very much for the help everyone! I have run secunia and all of her software should be up to date. I also finally got her to agree to join the 21st century and stop using aol. I will run another online scan tomorrow and post the results. I will try and remove every bit of aol software that I can find. And lastly I will send the file in question to avast the first chance I get!
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 27, 2008, 04:48:15 AM
go TEAM
I'll be looking for the Kaspersky and SuperAntiSpyware results
new version out today- good timing
then we'll talk some about prevention for mom
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on August 27, 2008, 02:59:00 PM
You're welcome, glad I could help.
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 28, 2008, 04:25:02 AM
Here is my mom's Kaspersky report

Wednesday, August 27, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 27, 2008 19:57:46
Records in database: 1151889
Scan settings
Scan using the following database    extended
Scan archives    yes
Scan mail databases    yes
Scan area    My Computer
C:\
D:\
E:\
Scan statistics
Files scanned    77567
Threat name    1
Infected objects    1
Suspicious objects    0
Duration of the scan    01:12:53

File name    Threat name    Threats count
C:\Program Files\Magentic\bin\magentic_install.exe   Infected: not-a-virus:Downloader.Win32.ImLoader.f   1   
The selected area was scanned.
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 28, 2008, 04:47:11 AM
can you go online to virustotal and upload that file
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on August 28, 2008, 02:55:06 PM
I think the key points here are a) Kaspersky pre-fixes the name with not-a-virus b) did you install Magentic whatever that might be ?
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 28, 2008, 08:14:29 PM
However, the not-a-virus thing can also mean that since we (Kaspersky) are an anti-virus company, do not expect us to fix this for you :)
so let's check it out
as DavidR says, is that file from a trusted source?
Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on August 31, 2008, 11:10:04 PM
I don't know. It appears to be some sort of wallpaper program so it's probably anything but trusted. It is not available in add/remove programs. I was just going to delete the folder but I will wait for advice first. Here is the log from virustotal. I hope it isn't too long. There was a lot of information on it.

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.8.29.0   2008.08.29   -
AntiVir   7.8.1.23   2008.08.31   SPR/Dldr.ImLoader.F.1
Authentium   5.1.0.4   2008.08.30   -
Avast   4.8.1195.0   2008.08.31   -
AVG   8.0.0.161   2008.08.31   -
BitDefender   7.2   2008.08.31   -
CAT-QuickHeal   9.50   2008.08.29   Downloader.ImLoader.f (Not a Virus)
ClamAV   0.93.1   2008.08.31   -
DrWeb   4.44.0.09170   2008.08.31   -
eSafe   7.0.17.0   2008.08.28   Downloader.Win32.ImL
eTrust-Vet   31.6.6057   2008.08.29   -
Ewido   4.0   2008.08.31   Not-A-Virus.Downloader.Win32.ImLoader.f
F-Prot   4.4.4.56   2008.08.30   -
F-Secure   7.60.13501.0   2008.08.31   Downloader.Win32.ImLoader.f
Fortinet   3.14.0.0   2008.08.31   -
GData   19   2008.08.31   -
Ikarus   T3.1.1.34.0   2008.08.31   not-a-virus:Downloader.Win32.ImLoader.f
K7AntiVirus   7.10.433   2008.08.30   not-a-virus:Downloader.Win32.ImLoader.f
Kaspersky   7.0.0.125   2008.08.31   not-a-virus:Downloader.Win32.ImLoader.f
McAfee   5373   2008.08.29   -
Microsoft   1.3807   2008.08.25   -
NOD32v2   3401   2008.08.30   -
Norman   5.80.02   2008.08.29   W32/DLoader.FSLC
Panda   9.0.0.4   2008.08.31   Adware/KeenValue
PCTools   4.4.2.0   2008.08.31   -
Prevx1   V2   2008.08.31   Malicious Software
Rising   20.59.61.00   2008.08.31   -
Sophos   4.33.0   2008.08.31   -
Sunbelt   3.1.1592.1   2008.08.30   -
Symantec   10   2008.08.31   -
TheHacker   6.3.0.6.068   2008.08.30   Aplicacion/ImLoader.f
TrendMicro   8.700.0.1004   2008.08.31   -
ViRobot   2008.8.30.1357   2008.08.30   -
VirusBuster   4.5.11.0   2008.08.31   -
Webwasher-Gateway   6.6.2   2008.08.31   Riskware.Dldr.ImLoader.F.1
Additional information
File size: 484928 bytes
MD5...: dcda3fe4e38b44b7c4f9c560afd6b459
SHA1..: c79bed56fb09875434ff1b9be3a14874d08b3f89
SHA256: 311c03a96fa0645f4f09248df267aeabe8f995bd128f6b7c793e9f91b66828fe
SHA512: 31b043397dc6a5327d06fd8bfed2769e2990da8a93b3a409dbe1c07cb2872967
9ef63f8813eeca7cbf3fd5895c2d584ff98012384a520c4090da177c4b97553f
PEiD..: Armadillo v1.71
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x43899b
timedatestamp.....: 0x45e2dbc5 (Mon Feb 26 13:08:21 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x430a4 0x44000 6.53 6de93ca20a01840fdedcbf3992ffb68d
.rdata 0x45000 0x7d34 0x8000 4.90 abbf0b94d52edebb44c3adc2395d349d
.data 0x4d000 0xa684 0x7000 4.88 e46b00c9fd1c474c60f600319d9b3104
.rsrc 0x58000 0x20550 0x21000 6.20 900e44b2ffbf9b550c83f3e26e6aedee

( 12 imports )
> urlmon.dll: URLDownloadToCacheFileA
> WININET.dll: InternetSetOptionA, InternetCloseHandle, InternetOpenUrlA, DeleteUrlCacheEntry, HttpQueryInfoA, InternetReadFile, HttpSendRequestA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetConnectA, InternetAutodial, InternetGetConnectedState, InternetGetCookieA, InternetOpenA
> VERSION.dll: GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
> SHELL32.dll: ShellExecuteExA, SHGetSpecialFolderLocation, SHGetMalloc, SHGetPathFromIDListA
> COMCTL32.dll: ImageList_Draw, ImageList_Destroy, ImageList_Create, ImageList_Add, InitCommonControlsEx, ImageList_AddMasked
> KERNEL32.dll: CloseHandle, CreateFileA, CreateDirectoryA, SetFileAttributesA, SetFileTime, DosDateTimeToFileTime, WideCharToMultiByte, FindNextFileA, FindClose, FindFirstFileA, MultiByteToWideChar, lstrlenA, lstrlenW, GetShortPathNameA, GetModuleHandleA, GetModuleFileNameA, SetEvent, InterlockedDecrement, WaitForSingleObject, CreateThread, CreateEventA, QueueUserAPC, ReleaseMutex, Sleep, lstrcmpiA, GetCurrentThreadId, GetCommandLineA, GetLastError, CreateMutexA, InitializeCriticalSection, HeapDestroy, DeleteCriticalSection, FreeLibrary, GetProcAddress, LoadLibraryA, lstrcpyA, lstrcatA, InterlockedIncrement, LeaveCriticalSection, EnterCriticalSection, TlsSetValue, OutputDebugStringA, WriteFile, TlsGetValue, GetLocalTime, SetUnhandledExceptionFilter, GetCurrentProcess, GetSystemDefaultLangID, GetSystemDirectoryA, SetCurrentDirectoryA, SetThreadPriority, WaitForMultipleObjects, GetExitCodeThread, ReadFile, GetFileSize, GetExitCodeProcess, GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount, DeleteFileA, RemoveDirectoryA, GetVersionExA, GetTempPathA, GetEnvironmentVariableA, SleepEx, SetFilePointer, LocalFree, FormatMessageA, CopyFileA, GlobalFree, TerminateProcess, lstrcmpA, FlushInstructionCache, LocalLock, LoadLibraryExA, GetPrivateProfileStringA, GetPrivateProfileIntA, GetPrivateProfileSectionNamesA, TlsAlloc, TlsFree, RtlUnwind, GetFileType, HeapFree, HeapAlloc, InterlockedExchange, GetVersion, ExitProcess, LCMapStringA, LCMapStringW, GetCPInfo, CompareStringA, CompareStringW, HeapSize, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, SetStdHandle, GetStartupInfoA, SetEndOfFile, SetHandleCount, GetStdHandle, GetFileAttributesA, ExitThread, HeapReAlloc, RaiseException, SetLastError, FlushFileBuffers, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, GetStringTypeA, GetStringTypeW, GetACP, GetOEMCP, 
IsBadReadPtr, IsBadCodePtr, SetEnvironmentVariableA, GetCurrentThread, GetLocaleInfoW
> USER32.dll: CallWindowProcA, UnregisterClassA, DrawFocusRect, CopyRect, EnableWindow, GetNextDlgTabItem, GetFocus, GetKeyState, CharLowerA, CreateDialogParamA, wsprintfA, IsChild, FillRect, GetDesktopWindow, CreateAcceleratorTableA, ReleaseCapture, SetCapture, InvalidateRgn, GetWindowPlacement, InflateRect, EndPaint, ScreenToClient, MoveWindow, LoadImageA, LoadBitmapA, ExitWindowsEx, DialogBoxParamA, RedrawWindow, InvalidateRect, DestroyIcon, SetRectEmpty, GetParent, GetWindow, GetWindowRect, GetClassInfoExA, MapWindowPoints, GetDC, GetWindowTextLengthA, GetDlgItem, GetWindowLongA, SetWindowLongA, GetClientRect, LoadIconA, ReleaseDC, SetWindowPos, GetSystemMetrics, EndDialog, GetActiveWindow, PeekMessageA, CreateWindowExA, GetMessageA, DispatchMessageA, IsWindow, DestroyWindow, RegisterClassExA, FindWindowA, GetWindowThreadProcessId, EnumThreadWindows, PostMessageA, IsWindowVisible, GetClassNameA, IsIconic, ShowWindow, SetForegroundWindow, PostQuitMessage, GetSysColor, GetForegroundWindow, WaitForInputIdle, MsgWaitForMultipleObjectsEx, DrawTextA, GetSystemMenu, RemoveMenu, LoadCursorA, SetCursor, SetRect, SendDlgItemMessageA, GetWindowTextA, SetWindowTextA, RegisterWindowMessageA, DefWindowProcA, CharNextA, PostThreadMessageA, LoadStringA, SendMessageA, SetDlgItemTextA, SetFocus, BeginPaint, SystemParametersInfoA, DrawIcon, TranslateMessage
> GDI32.dll: SetBkColor, CreateCompatibleDC, SelectObject, StretchBlt, GetObjectA, DeleteObject, SetBkMode, GetStockObject, CreateSolidBrush, CreateCompatibleBitmap, SetTextColor, BitBlt, CreateFontIndirectA, DeleteDC, ExtTextOutA, GetDeviceCaps, GetTextExtentPoint32A
> ADVAPI32.dll: RegCloseKey, RegDeleteKeyA, RegEnumKeyExA, RegNotifyChangeKeyValue, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA, RegQueryValueExA, RegCreateKeyExA
> ole32.dll: CoTaskMemAlloc, OleLockRunning, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, CoRegisterClassObject, CoRevokeClassObject, CoDisconnectObject, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoTaskMemFree, ProgIDFromCLSID, CLSIDFromProgID, CLSIDFromString
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathFindFileNameA, UrlUnescapeA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=A8C89B3A40FAC9026602072FC2B06200E179546B
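Reading the two VirusTotal tables in this thread comes down to two counts: how many engines flag the file at all, and how many of those use a not-a-virus / riskware / adware style name rather than a malware family name. The ecuinst.exe report is 0 for 35, which is why it is called a false positive; the magentic_install.exe report is 13 for 35 with most labels in the not-a-virus family, which is why the question becomes "did you install it" rather than "is it malware". This is an added example, not code from the thread or from VirusTotal: the rows are excerpts of the two reports posted above (the full reports list 35 engines each), the column regex and the list of PUA prefixes are assumptions made for this example, and the hash helper is included because the MD5/SHA-1/SHA-256 lines in a report are how you confirm the local file is the one that was analysed (as a sanity check, the MD5 of zero bytes is the d41d8cd9... value the first report shows for its empty .ndata section).

```python
"""Summarise VirusTotal result rows the way the thread reads them.

Added example for this thread, not code from the forum posts or from
VirusTotal. The rows are excerpted from the two reports posted above.
"""
import hashlib
import re

# Excerpt of the ecuinst.exe report: every engine returned "-".
ECUINST_ROWS = """\
Avast   4.8.1195.0   2008.08.26   -
Kaspersky   7.0.0.125   2008.08.27   -
McAfee   5370   2008.08.26   -
Microsoft   1.3807   2008.08.25   -
Symantec   10   2008.08.27   -
"""

# Excerpt of the magentic_install.exe report.
MAGENTIC_ROWS = """\
AntiVir   7.8.1.23   2008.08.31   SPR/Dldr.ImLoader.F.1
Avast   4.8.1195.0   2008.08.31   -
CAT-QuickHeal   9.50   2008.08.29   Downloader.ImLoader.f (Not a Virus)
Kaspersky   7.0.0.125   2008.08.31   not-a-virus:Downloader.Win32.ImLoader.f
McAfee   5373   2008.08.29   -
Norman   5.80.02   2008.08.29   W32/DLoader.FSLC
Panda   9.0.0.4   2008.08.31   Adware/KeenValue
Prevx1   V2   2008.08.31   Malicious Software
Symantec   10   2008.08.31   -
Webwasher-Gateway   6.6.2   2008.08.31   Riskware.Dldr.ImLoader.F.1
"""

# Engine, version, signature date, result; columns separated by 2+ spaces (assumed layout).
ROW_RE = re.compile(
    r'^(?P<engine>\S+)\s{2,}(?P<version>\S+)\s{2,}(?P<updated>\d{4}\.\d{2}\.\d{2})\s{2,}(?P<result>.+)$'
)
# Vendor prefixes that mean "potentially unwanted", not a malware family (assumed list).
PUA_RE = re.compile(r'not-a-virus|not a virus|riskware|adware|^SPR/|^Aplicacion/', re.I)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarise(text):
    """Detection ratio, split of PUA-style vs family-style labels, and a verdict."""
    rows = parse_rows(text)
    detected = [r for r in rows if r['result'] != '-']
    pua = [r for r in detected if PUA_RE.search(r['result'])]
    summary = {
        'engines': len(rows),
        'detections': len(detected),
        'pua_labelled': len(pua),
        'family_labelled': len(detected) - len(pua),
        'labels': {r['engine']: r['result'] for r in detected},
    }
    if not detected:
        summary['verdict'] = ('no engine flags it: treat the original alert as a probable '
                              'false positive and send the sample to the vendor')
    elif len(pua) >= len(detected) / 2:
        summary['verdict'] = ('mostly PUA/not-a-virus labels: bundled or unwanted software, '
                              'decide by whether it was knowingly installed')
    else:
        summary['verdict'] = 'malware family names from several engines: treat as malicious'
    return summary


def hashes(data):
    """MD5/SHA-1/SHA-256 of a file's bytes, to match against the report header."""
    return {
        'md5': hashlib.md5(data).hexdigest(),
        'sha1': hashlib.sha1(data).hexdigest(),
        'sha256': hashlib.sha256(data).hexdigest(),
    }


if __name__ == '__main__':
    for name, rows in (('ecuinst.exe', ECUINST_ROWS), ('magentic_install.exe', MAGENTIC_ROWS)):
        s = summarise(rows)
        print(name + ': ' + str(s['detections']) + '/' + str(s['engines']) + ' engines, '
              + str(s['pua_labelled']) + ' PUA-style, ' + str(s['family_labelled']) + ' family-named')
        print('   ' + s['verdict'])
```

To use it on a real report, paste the result table into a string and call summarise(); to compare hashes, call hashes(open(path, 'rb').read()) on the local copy before uploading, so a later "not detected" from the vendor can be tied to exactly this file.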
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on August 31, 2008, 11:54:38 PM
Bingo
What's incredimail?
do you have a paid for version of IncrediMail XE and Gold Membership?

If it's nothing you need
search for incredimail and remove anything you recognise. Did you google?


examples from another post- yours will be different

C:\Program Files\Magentic\bin\magentic_install.exe
D:\IM Stuff\incredimail_install.exe                                        do you have this folder???
D:\PROGZ Group\  >>>do you have this folder??  who is PROGZ Group? if there  Could be on any drive
D:\PROGZ Group\IncrediMail\Build 2154 Info\incredimail_2154_install.exe
D:\PROGZ Group\IncrediMail\Build 2180\incredimail_instal_2180.exe
D:\PROGZ Group\IncrediMail\incredimail_install_Build 1888.exe

you might upload the file to--- virus at avast.com  with a link to your VT results

Title: Re: My mom's computer is infected. Help please?
Post by: ahullsb on September 01, 2008, 01:31:24 AM
She isn't sure exactly what Incredimail is, and the same for Magentic. Neither of the programs is available in Add/Remove Programs. I do see folders for each in Program Files. Should I just delete the program files for each or should I be running some other tool?
Title: Re: My mom's computer is infected. Help please?
Post by: DavidR on September 01, 2008, 02:25:10 AM
Incredimail is an email program that makes use of lots of eye candy, smilie icons, etc. and IMHO more style than substance and we see lots of topics in the forums about problems with it.
Title: Re: My mom's computer is infected. Help please?
Post by: wyrmrider on September 01, 2008, 03:41:38 AM
First, try Start > Programs and see if there is a listing with an uninstall
second, check the folders for an uninstaller
anything in "Program Files"?
Actually this might be one where genuine Lavasoft Ad-Aware would work :)
I'm not going back to look, but did you scan with Spybot Search & Destroy?
It might also get this one and is a good scanner to have around in any case

if no luck with those two, or if you just want to do it by hand, use search on all possible combinations and zap
then search the registry with regedit search function
if any questions post back
this may be adware but it does come up as a problem child
and once you click the EULA who knows who their "affiliates" and "partners" are