Hi nmb
I am doing the scans but it is bedtime. I will post them tomorrow.
Many, many thanks for your help, which is much appreciated.
Regards
qim
malwarebytes antimalware and superantispyware, are these two or three programmes?
I have Malwarebytes but could you give me a link for the others as I don’t want to get a rogue programme?
Thanks
qim
Two programs, that is the full name for MalwareBytes (AntiMalware, a.k.a. MBAM).
SUPERantispyware On-Demand only in free version.
Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them, though. See http://en.wikipedia.org/wiki/HTTP_cookie.
Thanks
Here goes first scan report:
Malwarebytes’ Anti-Malware 1.41
Database version: 2910
Windows 5.1.2600 Service Pack 3
05/10/2009 23:13:56
mbam-log-2009-10-05 (23-13-56).txt
Scan type: Full Scan (C:|)
Objects scanned: 202400
Time elapsed: 55 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Sorry that I couldn’t reply yesterday; it was already late for me (2 A.M.) and I had to sleep. Get Malwarebytes from malwarebytes.org/mbam.php; you will be redirected to cnet.com, and from there you can download it. I see that you have already scanned using MBAM. Nothing has been found. Do a scan using SUPERAntiSpyware, which will remove the cookies and others.
Welcome to the forums.
Ok, here goes the other one. It looks clean but I still think there is something stopping U95.exe from working (I haven’t used it since talking to you yesterday). Did you see my amended post #36?
Also, when I tried to load the prog I got a repeated error in Event Viewer/Application Event 8 related to Crypt 32 and with a reference in the explanation about www.download.windowsupdate.com/msdownload/update/v3/static/trusted/en/authrootseq.txt. The message is in Portuguese but if you like I can try and translate the rest.
Thank you very much
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/06/2009 at 10:50 AM
Application Version : 4.29.1002
Core Rules Database Version : 4147
Trace Rules Database Version: 2077
Scan type : Complete Scan
Total Scan Time : 03:31:53
Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 6647
Registry threats detected : 0
File items scanned : 25579
File threats detected : 2
Adware.Tracking Cookie
C:\Documents and Settings\Qimi\Cookies\qimi@mediafire[1].txt
C:\Documents and Settings\Qimi\Cookies\qimi@ads.sapo[2].txt
Forget about u95. Remove that program. Use what Sir Polonus told you. You have nothing to worry about.
Now, see if your computer is vulnerable. Get Secunia PSI: http://secunia.com/vulnerability_scanning/personal/ and scan your system, and fix everything it shows as vulnerable. That’s more than enough.
nmb
Slowly, slowly…
Ok, I now got to the DEP (Data Execution Prevention), but can’t find the Avast file/folder that I am supposed to add.
Does this address the blue screen? The three files that I sent you, were they all related to Avast?
Thanks
qim
The default avast installation is c:\program files\alwil software\. Get inside the avast4 folder and the specified file. It is explained clearly in Sir Bob’s post. Read it slowly.
Minidumps are files which are created by the OS when BSODs occur. I saw the minidumps and two were caused by ashserv.exe, and the other I don’t remember, maybe ntoskernel.exe. Don’t worry about that. Just add to DEP. And have you updated to the 1356 version?
Nothing else to worry about.
Thanks nmb
Yes, I have updated Avast and all other progs as per Secunia.
Please, forgive me for insisting, but I am still puzzled over U95.exe. When you watch football online, some sites will suspend the transmission to force you to register and pay. A way round that is u95.exe, which apparently blocks or hides or changes the IP address, so that the site does not know if you are on or not (I suppose).
Suddenly the U95.exe stopped working. As soon as I load it I am unable to connect to the internet. In my ignorance, I guess that it could be another programme (malicious) that needs the IP where it should be. I can’t work out why it does not work anymore, despite the fact that I accept and will follow your advice not to use it any more. What concerns me is there could be something in the system still.
I have done a number of other checks and was very surprised to see under 32 Autorun, a Word document in my pen drive. How can a Word document be in Autorun? Have a look at the OTL.txt below. Incidentally, is there a site that explains how to read and understand OTL?
The message is too long, so I’ll attach the file.
qim
I don’t know how to read the OTL log, and I don’t know about u95 as I have never come across it.
Find the hidden files in your flash drive. Do this:
The file is there. I just can’t fathom why autorun…
O volume na unidade G é Intuix key
O número de série do volume é 3B52-47C7
Directório de G:\
11/06/2009 07:09 14,233 Fam Trip.eml
19/04/2007 13:29 71,327 PersAppForm_EUSTD_web.pdf
19/04/2007 13:34 106,915 application_form.pdf
19/04/2007 13:36 283,866 deposit-application-pack-for-individuals.pdf
13/02/2006 20:09 921,600 LaunchU3.exe
01/08/2008 16:47 Oxford
20/04/2007 10:47 25,600 Accounts.doc
25/04/2007 23:37 80,384 Final Draft.doc
21/12/2003 19:31 21 pass.txt
30/04/2007 17:34 22,528 NatWest.doc
19/09/2008 09:05 22,528 Rua do sado.doc
04/05/2007 09:21 25,600 Accounts2.doc
05/10/2008 18:46 56,320 I am fully aware of the story of.doc
09/06/2005 11:10 1,000 Address Book.lnk
19/01/2008 13:32 AA308
13/10/2008 20:19 Politics 2008
02/10/2009 13:28 52,002,544 Birthday.dbx
27/01/2008 14:56 159,232 Alliance270108.doc
22/09/2008 14:48 Flights Natal 2008
14/05/2007 12:31 355,460 http___www.jstor.org_cgi-bin_jstor_printpage_00376752_ap010089_01a00080_0.pdf_backcontext=page&dowhat=Acrobat&config=jstor&userID=a301e91a@ox.ac.uk_01cce4406413c461128a5a0e12&0.pdf
20/12/2008 16:54 BBC SWB
16/05/2007 17:22 28,160 Eric.doc
17/05/2007 08:38 22,016 NatWest2.doc
17/05/2007 08:19 26,624 Visa back to Malta.doc
17/05/2007 18:43 20,992 My client is a national.doc
11/12/2008 22:05 Oxford December
29/05/2007 14:02 31,744 IR.doc
02/01/2009 19:12 Jan 2009
02/06/2007 19:22 38,400 Essay 3 - Socialist realism.doc
13/02/2008 16:44 160,768 Alliance130208.doc
04/06/2007 11:54 Summer Trip
02/01/2009 22:06 369,152 Flights Log.doc
13/02/2008 18:14 24,064 Alliance130208b.doc
06/06/2007 10:44 22,528 Nationwide 070607.doc
25/03/2009 17:33 Corruption
15/06/2007 15:25 164,864 France.doc
06/06/2007 20:28 James
26/02/2009 01:14 35,840 Khrushchev.doc
02/03/2007 10:19 IR
07/05/2009 11:59 830,358 Documentación.eml
14/05/2009 07:56 222,153 O INFORMATION.eml
02/10/2009 13:32 184,360,076 La Massana.dbx
09/06/2009 13:04 249,703 RE_ .eml
09/06/2007 10:42 94,208 Exams Sorted.doc
25/07/2007 15:57 28,160 HMRC.doc
12/06/2009 11:58 81,251 Fw_ BOOKING CONFIRMATION - Travel Agent.eml
12/06/2009 12:56 34,217 Re_ Cama desplegable.eml
10/06/2009 16:55 276,715 RESPONSE FROM NIG.eml
18/02/2008 14:34 24,064 Alliance170208b.doc
17/07/2009 10:03 Documents
22/03/2007 09:35 Final Essays
09/06/2009 17:35 18,050 RV_ Ka.eml
02/05/2009 09:26 6,430 Confirmation de votre réservation.eml
21/04/2009 14:25 31,270 R_ GENOVA OVEST RESERVATION.eml
17/07/2009 09:56 35,480 Andorra.eml
01/08/2008 16:45 Misc
18/04/2007 16:31 Everything
08/04/2009 11:51 30,616 Re_ Re_ Mudança de Lisboa para A ndor ra.eml
08/07/2009 20:45 1,118,664 Re_ grandioso dia.eml
31/07/2009 12:01 34,304 Lista mudança.doc
29/08/2007 09:20 7,050 Re_ hotel sporting.eml
27/07/2009 12:26 23,040 AutorizacionDeDespachoIndividual.QUEIROZ.doc
15/08/2009 12:55 22,528 Proposta.doc
15/08/2009 17:28 1,015,972 Scan 19.JPG
10/04/2008 12:32 22,528 NatWest100408.doc
15/08/2009 17:28 2,986,591 Scan 18.JPG
22/06/2008 10:33 Bed
15/08/2009 17:28 2,640,699 Scan 17.JPG
12/11/2007 21:51 1-Thesis
20/09/2009 16:54 25,088 NRock200909.doc
28/09/2009 08:33 41,984 Eca - Draft.doc
09/03/2007 08:27 338 .Mac - iDisk.url
23/10/2007 18:48 39,039 Re_ Mobilia para Oxford.eml
14/12/2007 20:38 57,344 eTMA1.D820.doc
04/11/2007 13:55 Despesas
04/11/2007 13:54 98,304 Backup of Despesas.wbk
13/12/2007 10:44 41,472 eTMA1draft.doc
19/12/2007 08:44 Oxana
25/12/2007 19:29 3,660 Fw_ Account opened.eml
28/09/2009 15:42 58,880 Eca - Final.doc
04/07/2008 11:30 25,600 Alliance030708.doc
09/07/2008 10:18 24,576 AngloIrish090708.doc
12/07/2008 21:26 Katia
21/07/2008 12:22 39,365 easyJet booking reference_ EDNDFTN.eml
21/07/2008 11:52 1,606 Member registration.eml
65 ficheiro(s) 249,745,693 bytes
20 Dir(s) 209,928,192 bytes livres
Hit “dir /ah”, not “dir”, then hit enter.
O volume na unidade G é Intuix key
O número de série do volume é 3B52-47C7
Directório de G:\
22/05/2006 03:17 System
06/06/2007 20:25 296 WMPInfo.xml
06/06/2007 20:28 172 DRMv1PM.lic
2 ficheiro(s) 468 bytes
1 Dir(s) 209,911,808 bytes livres
Oki, paste the contents of autorun. Are you sure it’s your flash drive, g:?
Autorun: Where do I find that?
Yes, that is the flash drive, and in the earlier message with all the files you can see the one in the OTL.txt:
27/07/2009 12:26 23,040 AutorizacionDeDespachoIndividual.QUEIROZ.doc
I see that there is no autorun.inf in your previous post #53? It should be there on flash drives. :-\
When you hit dir /ah it should show hidden files, including autorun.inf.
Right, I got it. The problem is my flash drive is actually two drives! At the moment F: and G:
I have the autorun.inf in F: which I can see with the command dir but not with dir /ah
Next problem: when I try to send the contents to a file the access is negated! I can copy and send it.
When in cmd,
“f:” hit enter
“edit autorun.inf” hit enter and post the contents of it here.
Also type “dir /ah” while in the f drive, because the previous one was of the g: drive.
I tried to send a screen shot but cannot send it. What next?
The dir shows apart from date and time
145 autorun.inf
2,998,778 LaunchPad.zip
921,600 LaunchU3.exe
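
An added example, not part of any poster's message: once the text of autorun.inf has been copied out as requested above, a short Python script can list which programs the file tells Windows to start and whether each one appears in the plain `dir` listing. The sample file contents and all function names are constructed for illustration; only the three file names in `F_LISTING` come from the thread.

```python
import re

# Keys in the [autorun] section that make Windows start something from the drive.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def launch_targets(text):
    """List (key, file) pairs for every directive that runs a program."""
    found = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if LAUNCH_KEYS.match(key):
            # First token is the file (quoted or not); the rest are arguments.
            m = re.match(r'"([^"]+)"|(\S+)', value)
            found.append((key, (m.group(1) or m.group(2)) if m else ""))
    return found

def review(text, visible_files):
    """Mark each launch target as shown (True) or not shown (False) by plain dir."""
    visible = {name.lower() for name in visible_files}
    return [(key, target, target.lower() in visible)
            for key, target in launch_targets(text)]

# Constructed sample, not the poster's actual 145-byte file.
SAMPLE = """[autorun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
shell\\explore\\command=hidden\\setup.exe
"""

# File names as shown by dir on F: in the thread.
F_LISTING = ["autorun.inf", "LaunchPad.zip", "LaunchU3.exe"]

if __name__ == "__main__":
    for key, target, shown in review(SAMPLE, F_LISTING):
        print(f"{key:24} -> {target:18} {'listed' if shown else 'NOT in dir listing'}")
```

A target that is launched but not shown by plain `dir` is the case worth following up with `dir /ah` and a scan of that file.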