KVT

Avenger.txt reloads and grows in size after each startup recommended by MAM so as to rid of captured malware


1. Is the error in opening MS SE related to the earlier fixes or to the installation of Avast? here is a print screen of the error message when trying to update MS SE.

 

I'm very curious as to why it does not open. I could keep it disabled in the background and still use Avast as the main AV. What could I do?

 

I have attempted to show you the error message here, 'The specified service does not exist as an installed service', ERROR CODE: 0x80070424, via a print screen, but this facility here does not allow copying images.

 

2. Can we scan the external drive please? with which tool?

 

That is all that is left.

 

Thank you


From what i can gather from posts like this

http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_update/security-essentials-error-code-0x80070424/ae1f980e-5f7b-e011-9b4b-68b599b31bf5?page=1

 

when i de-installed the other AV program (Ad-Aware) i suspect some remains were left behind and possibly clash with MS SE.

 

Either i search for the Ad-aware, similarly to what this MS help answer suggests (To remove it completely) and then try to fix it based on these instructions OR i delete completely the MS SE and at some later point try to update it (seems to be free).

 

OR...i can follow this suggestion from 

 

http://www.askvg.com/fix-error-message-0x80070424-in-windows-update-or-microsoft-security-essentials-mse/

 

 METHOD 2: Register the required system files

1. Run following commands in RUN or Start Menu search box one by one:

regsvr32 Qmgr.dll /s

regsvr32 Qmgrprxy.dll /s


Or perhaps this? you will be able to tell if this is clean or not...?

http://windowsdiscussions.com/getting-error-code-0x80070424-microsoft-essentials-windows-xp-6671.html

Re: Getting error code 0x80070424 for Microsoft Essentials in Windows XP
 
Originally Posted by Unregistered:
I recently installed Microsoft Essentials and the download did not complete the process. The website has encountered a problem and cannot display the page you are trying to view. The error I got is 0x80070424. I have tried many options and still have the same error code 0x80070424. Any help is greatly appreciated. Awaiting for your replies friends. Thanks in Advance !!!
Dear Friend,
>While installing Windows update,Error 0x80070424 comes because of some of dll Registration Problem.
>Now to solve Error 0x80070424 in microsoft update you should follow as showing Below steps :
~Click Start>Run
Copy and Paste Command as showing below :
%SYSTEMROOT%\SYSTEM32\REGSVR32.EXE %SYSTEMROOT%\SYSTEM32\WUAUENG.DLL
~Above line is used for Registering WUAUENG.DLL in window.
>Now,Run Windows Update again.
Your problem may fix.
Regards,
Dharmesh


Here is another piece of advice from

 

 http://www.uninstallapp.com/article/How-to-uninstall-Adaware.html

 

....in the event that Ad-aware has left some remains files when it was de-installed today and hence possibly causing a conflict with MS SE update;

 

From the scan of Farbar, could you see if such remains existed in the registry and / or folders? I won't do anything till I hear from you.

good evening. KVT.

 

'Please know that both of Windows Add/ Remove Programs and its build-in uninstaller can only uninstall the main executable files of the program, but not all program files and components. Some invalid files may be left in system registry and folders. To completely remove Adaware, you need to get rid of those remnants, otherwise, it will slow down your PC and block you installing other incompatible programs.

To thoroughly delete its files, please follow the steps:

Run Registry Editor

Find and delete all registry entries of the program in HKEY_CURRENT_USER\Software, HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\eg ui

Find and delete all files of the program in system folders C:\Program Files\, C:\Document and Settings\All Users\Application Data\ and C:\Documents and Settings\%USER%\Application Data\.'


Dear TWE,

Just to let you know that I connected the external drive to the new computer and scanned its content via McAfee. 28,000 plus items were scanned, but the scan got hung at 98% and it has been there for more than one hour now, scanning a rootkit (not sure what that is). It has reported 0 viruses and 1 potential unwanted file.

 

I tried to open various files and folders, and all of them opened OK (nothing encrypted), except for a 6 GB folder called 'Camera' which, at the time of the other PC infection on Tuesday, I moved from the PC to the external drive to make space on the infected PC. Windows cannot open these images; it does not recognise the format (yet they are all in jpg format).

 

Perhaps the E drive can be scanned with another scanning program like farbar?

 

Have a good night.  


OK....The Mcafee scan got finally completed after it hung and it reported a 'Crack-Adobe' potential hazardous program. Before it showed that i chatted with Mcafee on web chat and they took control of viewing the laptop and they saw a ''rootkit'' infection in a folder; they said they had a patch they could apply but i would need to call the AV service support team on the phone. They also showed me this page with info; http://www.mcafee.com/uk/downloads/free-tools/how-to-use-rootkitremover.aspx where one can download the fix. 

 

I called, but they were very busy, so i am going to bed finally...what a hellish week!!

 

Perhaps you have another patch for the rootkit virus (I do not know in which folder the virus is) that we can apply? Thank you...


About Microsoft Security Essentials, go and run this tool:
 
http://www.bleepingcomputer.com/download/microsoft-security-essentials-removal-tool/
 
 
About your External drive, delete everything that you do not recognize or that is flagged as malware manually. Let's scan your External drive:
 
 
 
Please download MCShield from one of the following links:
 
MCShield -Official download link

  • Double click on MCShield-Setup to install the application.
    Next => I Agree => Next => Install ... per installation click on Run! button.
  • Wait a few seconds for MCShield to finish the initial HDD scan...
  • Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
  • When all scanning is done, you need to post a logreport that MCShield has created.

Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report will be located on your Desktop.
 
=> Post AllScans.txt here
 
 
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


Gdmorning (or rather afternoon?) TWE,

 

I will follow your instructions and report. I guess the link from bleepingcomputer is to uninstall MS SE completely, right? That was not my intention, but if you suggest that, I will do so.

 

Ref the E drive, before i apply the MC Shield, should i make a copy of the E drive to another external drive? just in case that something goes wrong? i would guess not, as at this stage, all you seek is a scan, right? 


I have struggled with this a lot TWE.

 

1. First, ref the E drive: I could not disconnect it using the Windows 'safely remove hardware' icon on the tool bar, as the McAfee Total Protection AV which is installed on this new computer (shared with the owner) was still running... since this am, when I ordered a full scan. It hung at 99% (scanning a rootkit file) and it had not identified any viruses (unlike very early in the am / last night, when a folder was quarantined). I was trying to stop it with no success. To stop McAfee Total Protection running is not intuitive; they make it difficult. Anyhow, I finally stopped it by logging in as the administrator-owner (with her password) and disabled it for an hour. The 'safely remove tool' still did not recognise that the AV was not running... in the end I just disconnected the E drive and turned it off.

 

Then I downloaded the MCShield setup exe file with my profile, but then I was told that admin rights were needed for the setup to progress. So I entered the administrator-owner's password and agreed for changes to the computer to take place. It took a while to master this, as by the time I was on to this, McAfee Total Protection came on and I guess it was clashing with MCShield... or else I cannot explain why a full run was not taking place (or it was... but it was extremely quick?). When right-clicking on the MCShield icon and selecting 'Run', I was given a message that MCShield is already running. In the same right-click menu it was confusing to see, in some places in this list, the exact same icons as with McAfee T.P. Then it clicked to me that most possibly this is the same co and this is why these red icons were there, along with the blue icon.

 

I attempted another download of MCShield. It replaced the older files, I progressed again to agree to admin permission, the setup took place, and the PC shut down and restarted. I then went to the MCShield icon and ran it again. The C and computer drives were scanned extremely fast, offering a blue pop-up message on the right of the screen indicating no viruses. Then I connected the E drive and a similar pop-up message appeared indicating no viruses. I was much surprised at how fast that was, especially given how long it took for McAfee TP to do scans before. I read the logs, which I provide below, showing that obviously I performed various scans (I was not even aware I had done so many), and all the scans show the E drive clean, correct?

 

If so, i suspect that the scan of last night /early am to which i agreed a quarantine of the suspected folder cleaned the E drive? in fact after that, this am I observed a change (addition of two recycled folders) in the folders, to which i will offer details with the next message.

 

REGARDS.   

 

>>> MCShield AllScans.txt <<<
 
-----------------------------
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 3.0.5.28 / DB: 2014.8.9.1 / Windows 8.1 <<<
 
 
10/08/2014 15:10:18 > Drive C: - scan started (TI3126230PB ~920 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 3.0.5.28 / DB: 2014.8.9.1 / Windows 8.1 <<<
 
 
10/08/2014 15:19:00 > Drive E: - scan started (no label ~298 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 3.0.5.28 / DB: 2014.8.9.1 / Windows 8.1 <<<
 
 
10/08/2014 15:25:08 > Drive E: - scan started (no label ~298 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 3.0.5.28 / DB: 2014.8.9.1 / Windows 8.1 <<<
 
 
10/08/2014 15:25:30 > Drive E: - scan started (no label ~298 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 3.0.5.28 / DB: 2014.8.9.1 / Windows 8.1 <<<
 
 
10/08/2014 15:42:59 > Drive E: - scan started (no label ~298 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 3.0.5.28 / DB: 2014.8.9.1 / Windows 8.1 <<<
 
 
10/08/2014 15:53:14 > Drive C: - scan started (TI3126230PB ~920 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
10/08/2014 15:53:19 > Drive E: - scan started (no label ~298 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 3.0.5.28 / DB: 2014.8.9.1 / Windows 8.1 <<<
 
 
10/08/2014 16:18:01 > Drive C: - scan started (TI3126230PB ~920 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 3.0.5.28 / DB: 2014.8.9.1 / Windows 8.1 <<<
 
 
10/08/2014 16:22:42 > Drive C: - scan started (TI3126230PB ~920 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
10/08/2014 16:22:42 > Drive E: - scan started (no label ~298 GB, NTFS HDD )...
 
 
 
=> The drive is clean.


These 3 folders added AUTOMATICALLY to the E DRIVE ARE:

 

1. $RECYCLE.BIN

   -   Recycle Bin

   - S-1-5-21--860850531-701977215-3731542288-1001

   - S- 1-5-21- 1898394649-84795726-1392945531-1000

 

When attempting to access the above files, access is denied.

 

2. e67da71529d38d1117be45ac1d4b08

 

  - sp3qfe a folder file modified on 05.08.14. 

  - UPDATE a folder file same modification date 

  - an REQ file titled $shtdwn$.req - same modification date 

  - spmsg.dll (modified last 30.11.2007)

  - spunist.exe (modified 30.11.2007) 

 

When i tried to access the above files, folders, i was asked admin rights, i entered admin password and still i was asked to proceed to 'security settings'. I did not.

 

It is the first time I see this file like this. Is it possible that it is part of the 'Crack-Adobe' folder that was placed in quarantine by McAfee TP last night? What do I do with it? I do not need the 'crack-adobe' files and if so, can I delete them, or do I need to go to the security link and then....?

 

I also notice that under the Adobe 9 Pro folder, the folder 'PATCH' is now empty. 

 

3. RECYCLER 

- S-1-5-21- 73586283-152049171-1708537758-1000

- S-1-5-21-1004336348-1563985344-1343024091-1001

- S-1-5-21-2064934842-1280075813-924725345-1028

 

Access to the above files is denied. 

 

4. System Volume Information

 

Also access denied. 

 

If i need to DELETE the above folders and their files, how will i be able to if access is denied? 


Now, reference to the hard drive of the infected laptop (Dell):

 

1. I downloaded and run the MS SE removal tool and it is removed. Btw, i received a note from Avast recommending to delete the RealPlay Networks plug in on I.E (internet explorer) as a security precaution. Should I do? is not that useful to play videos? mind you i do not use IE unless i have to, i use Chrome. 

 

2. In looking at the files and folders now, I found 'Decrypt_instruction' icon, HTML and text files under the 'Administrator' folder in Documents and Settings. The 'date modified' is August 1, I guess when I first had the first infection. Should I delete these files w/out opening them?

 

3. Following the fixlog file i sent you yesterday (post no 125 above) can we run a 'clean remains and fix files' file to clean all (as done with the first infection?). Please send me the appropriate file to run.

 

4. 


Thank you. Ref the Zippyshare, the 'Enable Show Hidden...' file, is warning me that registry files will be altered. I agree and i continue?


Ok, i proceed now.  

Ref the cleaning of the remains and used tools, i was referring to the 'Delfix' file (your post no 104) that we used to clean the tools used yesterday am before i was infected with the second virus , right after. We proceeded to clean this second infection, but not clean the log files and tools used. 


1. Ref my post 141 i run and agreed to the 'Enable Show Hidden...' request. I can still see in the E drive these 4 folders i described earlier most of which i do not have access into? were they created after Mcafee T.P. placed in quarantine the suspicious folder. 

 

2. Ok, i will delete the whole Crack Adobe folder. 


Correction on my post 144 above:these three files under the folder no 2 i listed earlier (of E drive) do not appear anymore. 

 

 an REQ file titled $shtdwn$.req - same modification date 

  - spmsg.dll (modified last 30.11.2007)

  - spunist.exe (modified 30.11.2007) 

 Sorry I meant this (which is to cover hidden files, called Enable Hidden) 


 which I applied to the E drive files and which did hide one of them (the rest were hidden after I called a McAfee technician, who showed me how to hide system files from the 'view'). The temp folder with the long name of letters and numbers, I deleted. So, the E drive issue is over.

 

OR this

 


http://www58.zippysh...68485/file.html which is to apply a DOS command (.dat file) to the registry of the infected (yet fixed) pc to fix what (?) exactly?


 


Anyhow, I believe you are referring to the latter, so after manually deleting these encrypted HTML and text notes, I did download the Fix.bat file again and again it flushed through a DOS command window, which closed very fast.


 


Should i now run Delfix ? 


 


Or do I go manually and delete the FRST folder and the text files and logs of the scans and fixes? Will deleting them manually be enough, or do the file addresses in the background need to be deleted as well?


 


We are almost there, I think! what a marathon week! have hardly slept or eaten and w/out you i would have collapsed  :(


 



One more thing:

There is a folder in the E drive now that i transferred (when infection took place) earlier in the week, from the desktop of the pc. It is around 8 GB and contains mostly pictures and some mp video files. While all the other picture folders in the E drive can be opened and viewed ok, this folder which came from the desk top, cannot be viewed (the pictures). There is a message when MS Office Manager tries to open them, which says there is an incompatible form. Yet they are .jpg files!

 

Could it be that during the infection, some relevant program files, did not update ok, BUT i cannot open these images even from the new laptop (which is all fine) and again i can open the other picture files. Strange....but not the end of the world :huh:   

This topic is now closed to further replies.
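A read-only way to triage the .jpg files described in the last post that will not open: check whether each file still begins with the JPEG signature, and if not, whether its content looks random (consistent with encryption) or zeroed/truncated. This is an added example, not part of the original thread; the folder path, sample size and entropy threshold are assumptions.

```python
import math
import os
from collections import Counter

# Leading bytes of common image formats (well-known file signatures).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
SAMPLE_BYTES = 64 * 1024   # assumption: the first 64 KiB is enough to judge
ENTROPY_THRESHOLD = 7.5    # assumption: bits/byte above this looks random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(data: bytes) -> str:
    """Classify the head of a file that carries a .jpg extension."""
    if not data:
        return "empty"
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return "ok-jpeg" if fmt == "jpeg" else "mislabelled-" + fmt
    # No known image header. JPEG payloads are high-entropy too, so entropy
    # only separates "random-looking" from "zeroed/truncated" at this point.
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "no-header-high-entropy"   # consistent with encrypted content
    return "no-header-low-entropy"        # e.g. zero-filled or partial copy


def triage_folder(root: str) -> dict:
    """Read-only walk: map each .jpg/.jpeg path under root to a verdict."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        results[path] = classify(fh.read(SAMPLE_BYTES))
                except OSError as exc:      # e.g. access denied
                    results[path] = "unreadable: " + exc.__class__.__name__
    return results


if __name__ == "__main__":
    # Hypothetical location of the folder that was moved to the E drive.
    for path, verdict in sorted(triage_folder(r"E:\Camera").items()):
        print(verdict, path, sep="\t")
```

A verdict of `ok-jpeg` only confirms the header; it does not prove the rest of the file is intact.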
