Katusha.A, BackDoor.Generic14.ANAA and Rootkit.0Access


cmlion

Recommended Posts

a) No, that Dell Wireless WLAN 1501 Half Mini-Card driver is not good for me. The answer was "no compatible hardware found...."

On the Dell site there are 8 links, but which one do I have to use?? Yours is wrong. I have in a directory here the drivers I used at installation time: for wireless it was R223648_wireless_qmi_module_not_exist, for ethernet R223644-ethernet, but I found now one which maybe is what you want for me: R181542_Dell Wireless 360 Module with Bluetooth 2.1 + EDR_sitedell.exe (65M). I don't remember now why so many drivers at that time.

b) Unfortunately chkdsk does not have a log, and I was asleep last night during its run. What did it do in fact? Only repairing. Maybe its log was the one on its last screen, which I did not see, as I told you.

c) You got C:\MYDRIVERS.TXT, but after reboot:

Generic Host Process for win32 services encountered a problem:

C:\DOCUME~1\m\LOCALS~1\Temp\WER8608.dir00\svchost.exe.mdmp

C:\DOCUME~1\m\LOCALS~1\Temp\WER8608.dir00\appcompat.txt

d) Please respond to the 4 questions I addressed in my last post.

MYDRIVERS.TXT

attach.txt

dds.txt


  • Root Admin

Okay let me try to answer your questions.

  1. Q: Why must attach.txt be zipped before sending it to you?
    A: In some cases the file size is too large to post and can cause the post to lock if you try to post directly
  2. Q: I want to reinstall AVG. Is it ok?
    A: Not right now as you have a mix of Anti-Virus installed that needs to be cleaned up first
  3. Q: What do you mean by "I'm guessing that the only time you're getting an IP block is when Skype is running."
    A: Unfortunately some IP ranges in certain European Countries allow hosting of malicious material. In general it is rare to see someone connected to a site in Romania is all. Since you live there (I'm guessing) it is normal to be on that range
  4. Q: In case I want to connect to the net by UTP (wire), do I have to install in addition the Realtek RTL811DL Ethernet controller?
    A: I'm trying to see if installing the network driver package for your system might put back the NetBT service which DHCP appears to need. You can manually set the IP to connect but obtaining an IP address automatically via DHCP is the normal process. If you were to travel with the laptop and cannot use DHCP then you may not be able to connect to other networks
  5. Q: No, that Dell Wireless WLAN 1501 Half Mini-Card driver is not good for me
    A: As long as you know which driver you actually need that's okay. I would need to run a more in-depth hardware scanner to determine what you actually have
  6. Q: Unfortunately chkdsk does not have a log, and I was asleep last night during its run. What did it do in fact?
    A: It does actually log what it finds or does; if you look, the entries are written to the Application Log with a "Source" name of WINLOGON. Using Event Viewer you can review the entries
  7. Q: You got C:\MYDRIVERS.TXT, but after reboot
    A: Thank you - all looks okay except the missing NetBT service
  8. Q: Generic Host Process for win32 services encountered a problem:
    A: Can you zip up those files and post them back
  9. Q: Please respond to the 4 questions I addressed in my last post
    A: This reply should answer all those questions

NOTE:

The CHKDSK did not appear to help according to the Event Logs

11/8/2011 8:26:54 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.

STEP 01

I'm assuming that you re-installed one of the network driver packages you already had, if not please do.

Then please set the network card to DHCP and reboot the computer.

Then run the batch file from the GetNetworkInfo2.zip again and post back the new text file. Please make sure it is new and not the old one, delete the old text file if it's still there.

STEP 02

The logs show that you either have the following Anti-Virus installed or at least some components of it left over. Thus it is not wise to install AVG over the top of them.

Please look in your Control Panel, Add/Remove for the following products and if found remove them.

AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Outpost Security Suite *Enabled*

STEP 03

Please see the following site for help with removing Outpost Security Suite if needed.

STEP 04

Please download the following tool and run it to manually remove any old left over elements of AVG that were not removed before.

STEP 05

Please download the following tool and run it to manually remove any old left over elements of Kaspersky Anti-Virus that were not removed before.

STEP 06

Make sure to restart your computer now

STEP 07

Click on START - RUN and type in CMD and click OK. Then in the DOS console type the following and press the Enter key.

netsh int ip reset c:\resetlog.txt

netsh winsock reset catalog

Now RESTART THE COMPUTER Again.

STEP 08

Let's run this again as well - you don't need to download it again if you still have it.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


* Q: I want to reinstall AVG. It's ok?

A: Not right now as you have mix of Anti-Virus installed that needs to be cleaned up first

I have something regarding Kaspersky, but nothing in Program Files. Must I use CCleaner to remove all of it from the registry? Or maybe a good remover from somewhere?

* Q: What do you mean by "I'm guessing that the only time you're getting an IP block is when Skype is running."

A: Unfortunately some IP ranges in certain European Countries allow hosting of malicious material.

Is the problem in connection with Skype? Where is the point in the log where you observed such a thing, what IP?

In general it is rare to see someone connected to a site in Romania is all.

Let me translate: are we talking about a site in Romania or the Skype site?? Hard English here ("is all").

* Q: In case I want to connect to the net by UTP (wire), do I have to install in addition the Realtek RTL811DL Ethernet controller?

A: I'm trying to see if installing the network driver package for your system might put back the NetBT service which DHCP appears to need.

You can manually set the IP to connect but obtaining an IP address automatically via DHCP is the normal process.

If you were to travel with the laptop and cannot use DHCP then you may not be able to connect to other networks

Yes, but I refer to finding a driver which covers both wireless and UTP connections. It's clear, I want to resolve my DHCP issue, but BTW the UTP network connection also depends on DHCP.

* Q: No, that Dell Wireless WLAN 1501 Half Mini-Card driver is not good for me

A: As long as you know which driver you actually need that's okay. I would need to run a more in-depth hardware scanner to determine what you actually have

How do you use that scanner? First of all we need to find the right driver (wireless and UTP), and at this point we don't know which is the appropriate one.

* Q: Unfortunately chkdsk does not have a log, and I was asleep last night during its run. What did it do in fact?

A: It does actually log what it finds or does; if you look, the entries are written to the Application Log with a "Source" name of WINLOGON. Using Event Viewer you can review the entries

Thanks for that info. The result is:

* Q: You got C:\MYDRIVERS.TXT but after reboot

A: Thank you - all looks okay except the missing NetBT service

* Q: Generic Host Process for win32 services encountered a problem:

A: Can you zip up those files and post them back

Here it is a little complicated.

* Q: please respond my 4 questions I addressed to my last post

A: This reply should answer all those questions

No!! The most important is that:

All these logs I send to you may indeed help the person who made the backdoor to control my PC.

Isn't it dangerous for my laptop to send you these logs? I see a lot of downloads. Can I send you a PM? I saw your colleague (whom I thank very, very much, because he gave me the opportunity of knowing such a great pro as you are)

forbade me to use it (just because I told him it's rude to say to someone "stop PM-ing me"). I don't PM someone just because I don't have to. Unfortunately, I'm very sorry we cannot use email somehow.

Now I see step one. As I told you before, at this very moment I do not know what wireless (and UTP) driver to use. I do not yet have the DHCP service in use.

Step 2: I do not have those entries in the CP

Steps 3, 4, 5 are very good for me now

Steps 6, 7 tonight, but I think before that it's good to (re)establish the DHCP service. How?

Thank you a lot, Ron, you are a very good guy


  • Root Admin

Q: I have something regarding Kaspersky, but nothing in Program Files. Must I use CCleaner to remove all of it from the registry? Or maybe a good remover from somewhere?

A: I already provided you with a link to remove the Kaspersky AV; please use that

Q: Is the problem in connection with Skype? Where is the point in the log where you observed such a thing, what IP?

A: It was in many logs and our own product MBAM blocked it.

Q: Let me translate: are we talking about a site in Romania or the Skype site?? Hard English here ("is all")

A: We are talking about Skype and how they use random IP on peer 2 peer sites to facilitate using their product

Q: Yes, but I refer to finding a driver which covers both wireless and UTP connections. It's clear, I want to resolve my DHCP issue, but BTW the UTP network connection also depends on DHCP

A: I'm hoping that installing the driver for either one again might fix it for both.

Q: How do you use that scanner? First of all we need to find the right driver (wireless and UTP), and at this point we don't know which is the appropriate one.

A: You said you had the drivers already, I thought. You can install the network driver you have or download one, and if it is not the right driver it will not install or simply won't do anything.

Q: No!! The most important is that:

All these logs I send to you may indeed help the person who made the backdoor to control my PC.

A: No not really - no one is targeting you specifically. If you notice there are thousands of these types of infections and they are generic to allow them to run on every computer

Please go ahead and follow the directions as best as possible in the steps provided in my other most recent post #52

Thank you.


A: It was in many logs and our own product MBAM blocked it.

Give me an example.

A: We are talking about Skype and how they use random IP on peer 2 peer sites to facilitate using their product

Yes, but are those their IPs (Skype's IPs) and not Romanian ones (which, for example, MBAM blocked)? Here I don't understand you.

A: I'm hoping that installing the driver for either one again might fix it for both.

Yes, all day I was searching for that driver; now it is on my computer (I'm sending this info to you through that driver right now), it is a new one, but still I cannot start the DHCP service.

So, at this moment, even though I found the driver, the same behaviour.

A: No not really - no one is targeting you specfically. If you notice there are thousands of these types of infections and they are generic to allow them to run on every computer

"If you notice" or "you can notice" or maybe "if you notice, there are thousands of ...."

For my bad English, here are 3 examples, but in my opinion I understand only the last 2 forms, not yours (the first one).

So, you want to tell me that the Katiusha threat, and that backdoor (which maybe now are no more on my computer), do not affect my computer? So it's not obligatory to format my C partition?

Please go ahead and follow the directions as best as possible in the steps provided in my other most recent post #52

Ok I'll do that now!


In Event Viewer, from the Winlogon source, I see:

Checking file system on C:

The type of the file system is NTFS.

A disk check has been scheduled.

Windows will now check the disk.

Cleaning up minor inconsistencies on the drive.

Cleaning up 1658 unused index entries from index $SII of file 0x9.

Cleaning up 1658 unused index entries from index $SDH of file 0x9.

Cleaning up 1658 unused security descriptors.

CHKDSK is verifying Usn Journal...

Usn Journal verification completed.

CHKDSK is verifying file data (stage 4 of 5)...

File data verification completed.

CHKDSK is verifying free space (stage 5 of 5)...

Free space verification is complete.

107523013 KB total disk space.

13886104 KB in 57340 files.

19320 KB in 9619 indexes.

0 KB in bad sectors.

196949 KB in use by the system.

65536 KB occupied by the log file.

93420640 KB available on disk.

4096 bytes in each allocation unit.

26880753 total allocation units on disk.

23355160 allocation units available on disk.

Is my hard disk ill?

===============

Also the errors in EV are:

Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

===========

I passed steps 1 (even though I have the same static IP), 2, 3, 4, 5, 6, 7.

After step 7 I did not have internet, as in the past, but when I used the static IP the internet is OK.

NetworkDetails2.txt

NetworkDetails2.txt

resetlog.txt

SystemLook.txt

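The post above pastes the chkdsk summary from the Winlogon event and asks whether the disk is ill. As an added example (not code from the thread or from Malwarebytes), here is a small Python parser for that summary with the consistency checks a responder might apply before answering: the allocation-unit arithmetic, the partition sum, and the bad-sector line. The sample text is the poster's own output copied as given; the partition-sum check assumes that the "occupied by the log file" figure is a sub-item of "in use by the system" (it is not added twice), and a zero bad-sector line only says the file system has marked no clusters bad, not that the drive is physically healthy.

```python
"""Parse the chkdsk summary that Windows XP logs to the Application log (source
Winlogon) and run consistency checks on it. Added example, not code from the
thread. The sample text is the poster's own chkdsk output, copied as given."""
import re

CHKDSK_LOG = """\
Checking file system on C:
The type of the file system is NTFS.
A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 1658 unused index entries from index $SII of file 0x9.
Cleaning up 1658 unused index entries from index $SDH of file 0x9.
Cleaning up 1658 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
 107523013 KB total disk space.
  13886104 KB in 57340 files.
     19320 KB in 9619 indexes.
         0 KB in bad sectors.
    196949 KB in use by the system.
     65536 KB occupied by the log file.
  93420640 KB available on disk.
      4096 bytes in each allocation unit.
  26880753 total allocation units on disk.
  23355160 allocation units available on disk.
"""

# One regex per summary line; group 1 is the number we keep.
FIELDS = {
    "total_kb":    r"(\d+) KB total disk space",
    "files_kb":    r"(\d+) KB in \d+ files",
    "file_count":  r"\d+ KB in (\d+) files",
    "indexes_kb":  r"(\d+) KB in \d+ indexes",
    "bad_kb":      r"(\d+) KB in bad sectors",
    "system_kb":   r"(\d+) KB in use by the system",
    "log_kb":      r"(\d+) KB occupied by the log file",
    "free_kb":     r"(\d+) KB available on disk",
    "unit_bytes":  r"(\d+) bytes in each allocation unit",
    "units_total": r"(\d+) total allocation units on disk",
    "units_free":  r"(\d+) allocation units available on disk",
}


def parse_chkdsk(text):
    """Return the summary figures as ints, plus the list of 'Cleaning up N' counts."""
    stats = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m:
            stats[name] = int(m.group(1))
    stats["cleanups"] = [int(n) for n in re.findall(r"Cleaning up (\d+) unused", text)]
    return stats


def consistency_checks(stats):
    """Return a list of (check name, passed) pairs."""
    unit_kb = stats["unit_bytes"] / 1024
    # chkdsk rounds the KB figures, so allow one allocation unit of slack.
    total_ok = abs(stats["units_total"] * unit_kb - stats["total_kb"]) <= unit_kb
    free_ok = abs(stats["units_free"] * unit_kb - stats["free_kb"]) <= unit_kb
    # Assumption of this check: the "log file" figure is a sub-item of
    # "in use by the system", so it is not added again here.
    used = stats["files_kb"] + stats["indexes_kb"] + stats["bad_kb"] + stats["system_kb"]
    partition_ok = used + stats["free_kb"] == stats["total_kb"]
    return [
        ("total size matches allocation units", total_ok),
        ("free space matches allocation units", free_ok),
        ("files + indexes + bad + system + free == total", partition_ok),
        ("no clusters marked bad by the file system", stats["bad_kb"] == 0),
    ]


def summarize(stats):
    """One-line reading of the log: what chkdsk changed and whether it recorded
    bad clusters. A zero here says nothing about SMART or physical health."""
    fixes = sum(stats["cleanups"])
    if stats["bad_kb"] > 0:
        return "bad clusters recorded: %d KB" % stats["bad_kb"]
    return "no bad clusters recorded; %d stale metadata entries cleaned" % fixes


if __name__ == "__main__":
    s = parse_chkdsk(CHKDSK_LOG)
    for name, ok in consistency_checks(s):
        print("%-50s %s" % (name, "OK" if ok else "MISMATCH"))
    print(summarize(s))
```

On the posted figures every check passes and the only work chkdsk did was to drop 3 × 1658 stale security-descriptor index entries, which is file-system housekeeping rather than a sign of media failure; the ATAPI timeout event quoted earlier in the thread is a separate signal that this parser does not look at.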

  • Root Admin

Please try the following.

  1. Open Network Connections from your control panel
  2. Right-click the network adapter for which you want to disable NetBIOS and click Properties.
  3. Select Internet Protocol (TCP/IP) and click Properties
  4. From the TCP/IP Properties page click Advanced
  5. Select the WINS tab
  6. Below, in the NetBIOS Settings, select the "Disable NetBIOS over TCP/IP" radio button and click OK
  7. Set the connection to use DHCP
  8. Restart the computer

Then run STEP 01 for the GetNetworkInfo2.zip file again and post that log.

First delete all of the NetworkDetails2.txt files you may have before running it again.


  • Root Admin

Okay let's just remove the dependency for NetBT from the DHCP service since DNS now handles name resolutions.

STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from here
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02

Download the attached file and open it and double-click the Remove_NetBT_from_DHCP.reg registry file and allow it to merge into the registry.

Then set DHCP back to Automatic and restart the computer again.

Then let me know if DHCP is working now.

remove_netbt.zip


STEP 02

Download the attached file and open it and double-click the Working_NetBT_Service.reg registry file and allow it to merge into the registry.

Then set DHCP back to Automatic and restart the computer again.

When I tried to download remove_netbt.zip, look at the result:

An Error Occurred

Sorry, an error occurred. If you are unsure on how to use a feature, or don't know why you got this error message, try looking through the help files for more information.

[#10170] We could not find the attachment you were attempting to view.


5) I have so many questions to ask you, for example: The virus altered this:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]

"Start"=dword:00000002

"DependOnService"=hex(7):54,63,70,69,70,00,41,66,64,00,00

How is it possible that even reinstallation of the wireless driver does not repair the destruction?

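The registry fragment quoted in the post above stores DependOnService as a hex(7) (REG_MULTI_SZ) byte list, which is hard to read by eye. As an added example, not code from the thread or from Malwarebytes, here is a Python decoder/encoder for that value type together with a check of which services a given service depends on. Both .reg inputs are constructed for the example: the "after" one is modelled on the fragment the poster quoted (its bytes use one byte per character, whereas regedit's own exports write hex(7) as UTF-16LE, so the decoder accepts both), and the "before" one assumes a DHCP dependency list of Tcpip, Afd and NetBT. The without_dependency() helper shows what a dependency-removing value line such as the one described for Remove_NetBT_from_DHCP.reg could look like; that file is not on the page, so this is an assumption about it.

```python
"""Decode/encode REG_MULTI_SZ ("hex(7)") values from a .reg export and check
which services a service depends on. Added example, not code from the thread.
The DependOnService value quoted in the thread is used as constructed input."""
import re

# Constructed .reg text modelled on the fragment quoted in the thread. Its
# hex(7) bytes use one byte per character; regedit's own exports use UTF-16LE
# (two bytes per character). decode_multi_sz() accepts both forms.
SAMPLE_REG_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
"DependOnService"=hex(7):54,63,70,69,70,00,41,66,64,00,00
"""

# Constructed "before" state (assumed dependency list Tcpip, Afd, NetBT) in
# regedit's UTF-16LE form, split across a continuation line as regedit does.
SAMPLE_REG_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,41,00,66,00,\
  64,00,00,00,4e,00,65,00,74,00,42,00,54,00,00,00,00,00
"""


def decode_multi_sz(hex_list):
    """Turn 'aa,bb,...' into the list of strings stored in a REG_MULTI_SZ."""
    data = bytes(int(h, 16) for h in hex_list.split(",") if h.strip())
    # Heuristic: ASCII text in UTF-16LE has a zero in every odd byte position.
    # (A one-byte-per-char list made only of single-letter names would look
    # the same; that ambiguity is inherent to the byte dump, not this decoder.)
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def encode_multi_sz(names):
    """Encode as regedit does: UTF-16LE, NUL after each string, extra NUL at end."""
    data = "".join(n + "\x00" for n in names).encode("utf-16-le") + b"\x00\x00"
    return ",".join("%02x" % b for b in data)


def parse_reg_values(reg_text):
    """Map each key path to {value name: raw value text}; joins continuation lines."""
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def service_dependencies(reg_text, service):
    """Return the decoded DependOnService list for a service, or [] if absent."""
    for path, values in parse_reg_values(reg_text).items():
        if path.lower().endswith("\\services\\" + service.lower()):
            raw = values.get("DependOnService", "")
            if raw.lower().startswith("hex(7):"):
                return decode_multi_sz(raw[len("hex(7):"):])
    return []


def depends_on(reg_text, service, dependency):
    """Case-insensitive membership test on the dependency list."""
    return dependency.lower() in (d.lower() for d in service_dependencies(reg_text, service))


def without_dependency(deps, name):
    """Value line that drops one dependency. Assumed shape of a fix such as the
    thread's Remove_NetBT_from_DHCP.reg, which is not on the page."""
    kept = [d for d in deps if d.lower() != name.lower()]
    return '"DependOnService"=hex(7):' + encode_multi_sz(kept)


if __name__ == "__main__":
    before = service_dependencies(SAMPLE_REG_BEFORE, "Dhcp")
    print("before:", before, "NetBT present:", depends_on(SAMPLE_REG_BEFORE, "Dhcp", "NetBT"))
    print("after: ", service_dependencies(SAMPLE_REG_AFTER, "Dhcp"))
    print(without_dependency(before, "NetBT"))
```

Run against the quoted fragment the decoder yields ["Tcpip", "Afd"], i.e. the exported Dhcp key no longer lists NetBT, which matches the admin's later explanation that the dependency was removed rather than altered by the malware; the same decoder is useful when reviewing any service's DependOnService for entries that should not be there.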

  • Root Admin

The virus did not alter that setting. It appears to have damaged the NetBT service entry, but we were not able to easily repair it, so I opted to modify DHCP to not depend on the NetBT service anymore, and that is what the registry file you downloaded was for.

Yes please go ahead and install AVG now and make sure you update it and do a full system scan.

As for the PM system I will enable it but please do not PM users that have requested that you not PM them.

Thank you again.


My last questions:

1) Is my hard disk ill? I don't know if the error you observed is good enough for the computer seller to accept replacing it during its guarantee period

2) Do I need to format C: after these threats?

3) You made DHCP independent of netbt.sys, but Microsoft designed it in its architecture to be dependent. Doesn't your resolution (we can say it resolves the effect, not the cause) interfere with something (I do know what) and so imply future breaches in security, stability or reliability of the system?

4) Regarding IP blocks, you said MBAM did it (in many logs); give me an example.

5) We are talking about Skype and how they use random IP on peer 2 peer sites to facilitate using their product

Yes, but are those their IPs (Skype's IPs) and not Romanian ones (as I understood, MBAM blocked them)? I don't understand

6) You said no one is targeting me specifically. And there are thousands of these types of infections and they are generic to allow them to run on every computer

Why would somebody make a virus and allow it to run from time to time, for example on my computer? Answer: for control over that computer. Running and stealing data from that computer. So why did you tell me (in other words) not to be afraid?

7) Can I PM you?


Hello again

I cannot run Word on my computer. "There is not enough memory or disk space to run Word" is the message. Adobe Reader is possible, Nero as well.

Looking in the EV/Application log, no more red alerts but one:

"Faulting application mbam.exe, version 1.51.0.1118, faulting module unknown, version 0.0.0.0, fault address 0x00030137." and one warning:

Windows saved user LAPTOP\m registry while an application or service was still using the registry during log off.

The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.


  • Root Admin

The error about the Registry is somewhat normal to see from time to time.

My last questions:

1) Is my hard disk ill? I don't know if the error you observed is good enough for the computer seller to accept replacing it during its guarantee period

No it is probably okay - we've not run any tool to verify any physical harm - most MFG would want to run their own tool for that

2) Do I need to format C: after these threats?

As I said before, FDISK, FORMAT would certainly be the most robust method of clean up and recovery but most users don't have the media and/or time/knowledge to do that type of work so we try to help clean and remove the infections so you don't have to.

3) You made DHCP independent of netbt.sys, but Microsoft designed it in its architecture to be dependent. Doesn't your resolution (we can say it resolves the effect, not the cause) interfere with something (I do know what) and so imply future breaches in security, stability or reliability of the system?

If you were on a work network then there might possibly be an issue, but for a computer at home there is no concern or issue that you should run into by removing this

4) Regarding IP blocks, you said MBAM did it (in many logs); give me an example.

I'm sorry but I really don't have time to go back and forth over this question. If you're not getting the IP block then that is good - nothing more on that to look at then

5) We are talking about Skype and how they use random IP on peer 2 peer sites to facilitate using their product

Yes, but are those their IPs (Skype's IPs) and not Romanian ones (as I understood, MBAM blocked them)? I don't understand

I'm not really sure what to tell you at this point. I've explained this now multiple times - perhaps maybe if you have a friend or associate that can translate to your language perhaps that would be best. I could attempt to translate into Romanian via Google language tools but I'm sure that would only make it worse.

6) You said no one is targeting me specifically. And there are thousands of these types of infections and they are generic to allow them to run on every computer

Why would somebody make a virus and allow it to run from time to time, for example on my computer? Answer: for control over that computer. Running and stealing data from that computer. So why did you tell me (in other words) not to be afraid?

Yes, people make viruses and malware to steal data and information and/or scare you into running their tools and possibly buying fake software with a credit card so they can take your money. Big business for it out on the Web

Yes you should be concerned about such an infection but that is why you're here now trying to get this all cleaned up, but it's not due to you as an individual, it happens to thousands of computers all the time

7) Can I PM you?

You can but not sure why you would want or need to. If it's for support issues I do not normally respond to PM for support issues unless I've requested private information

STEP 01

For x86 bit systems please download GrantPerms.zip and save it to your desktop.

For x64 bit systems please download GrantPerms64.zip and save it to your desktop.

Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe

Copy and paste the following in the edit box:

insert the full path to Microsoft Word from the shortcut link properties

also insert the full path to mbam.exe from the shortcut link properties

Click Unlock. When it is done click "OK".

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

STEP 02

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Hello and welcome back

Regarding points 4 and 5, the problem is not with my English (I understand it very well) but with what you mean by IP blocking.

When you talked about blocking IPs, I did not understand whether you meant Skype IPs (78.141.177.7) or my router's IP address (given to me by the ISP).

A week ago I uninstalled Office (using a fix for the uninstall operation from Microsoft), or at least I thought I uninstalled it, because the directory C:\Program Files\Microsoft Office\Office12 still exists, with POWERPNT.EXE, POWERPNT.EXE, EXCELL.EXE, WINWORD.EXE, but nothing in C:\Program Files\Microsoft Office\

I observed that I have one dir C:\Program Files\Malwarebytes' Anti-Malware and one (empty) dir in capitals: C:\Program Files\MALWAREBYTES' ANTI-MALWARE

You have the attachments

The problems with my computer are not only with Excel (now it is uninstalled, as I told you) but also with Mozilla, which is blocked from time to time, and I need to use Chrome instead.

Perms.txt

dds.txt

Perms.txt


  • Root Admin

Please make sure that AVG allows MBAM to run by doing the following.

Show Hidden Files and Folders in Windows XP:

  • Click Start and select My Computer
  • Click the Tools item from the menu at the top of the window (if you don't see Tools press the Alt key on your keyboard and it will appear)
  • Select Folder Options
  • Click the View tab and make sure Show hidden files and folders is selected under Hidden files and folders
  • Next, uncheck the box next to Hide protected operating system files (Recommended)
  • Then, uncheck the box next to Hide extensions for known filetypes
  • Click Apply then click OK

Set Exclusions for Malwarebytes' Anti-Malware in AVG Free 2011 on Windows XP:

  1. Open AVG and close the pop-up ad that shows up on the bottom of the screen then double-click on Resident Shield
  2. Click on Tools at the top and select Advanced settings...
  3. Click on Excluded Items under Resident Shield
  4. Click on the Add Path button on the right
  5. Click on the + next to My Computer in the Browse For Folder window
  6. Click on the + next to your system drive (usually C:)
  7. Click on the + next to Program Files
  8. Click once on the Malwarebytes' Anti-Malware folder so that it is highlighted and click on OK
  9. Click on the Add Path button on the right
  10. Click on the + next to My Computer in the Browse For Folder window
  11. Click on the + next to your system drive (usually C:)
  12. Click on the + next to Documents and Settings
  13. Click on the + next to Application Data
  14. Click once on the Malwarebytes folder so that it is highlighted and click on OK
  15. Click on the Add File button on the right and click on My Computer on the left
  16. Double-click on your system drive (usually C:)
  17. Double-click on Windows
  18. Scroll to the right until you find the System32 folder and double-click on it
  19. Double-click on the drivers folder
  20. Scroll to the right until you find mbam.sys and double-click on it
  21. Click on the Add File button on the right and scroll to the right until you find mbamswissarmy.sys and double-click on it
  22. Click on the Apply button at the bottom of the program window and then click on OK
  23. Close the AVG window

Then if needed run this removal tool (while AVG is disabled)

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or ask and we'll explain how to do it.

Then also run the following

Set Exclusions for AVG Free 2011 in Malwarebytes' Anti-Malware:

  • Open Malwarebytes' Anti-Malware and click on the Ignore List tab
  • Click on the Add button
  • In the small browse window that opens, navigate to C:\Program Files and click once on AVG and click OK
  • Close Malwarebytes' Anti-Malware

Then let me know if MBAM is working again or not or if there are any errors still.

I'm not sure I understand what you mean about MS Word. If you uninstalled it already then it shouldn't run or do you just mean you ran some other update for Office?


Hello

Please make sure that AVG allows MBAM to run by doing the following.

In the last 2 years I have run MBAM without problems from the AVG side. Every time MBAM showed a report with results. What do I have to understand, that MBAM did not show me the truth??

I will follow your indications, but at first view it seems you didn't use the new interface, in fact the new AVG 2012

Open AVG and close the pop-up ad that shows up on the bottom of the screen

I have the AVG user interface, no popup!!!! At the bottom there is a notification with AVG Security 2012

then double-click on Resident Shield

The new AVG has no Resident Shield in the Overview menu (as it was one month ago), but the Resident Shield is a checkmark in the Anti-virus menu

I underline that it is a checkmark for Resident Shield and I cannot double-click it as you pointed out to me

Click on Tools at the top and select Advanced settings...

Click on Excluded Items under Resident Shield

Here there is an Exceptions menu

Click on the Add Path button on the right

Click on the + next to My Computer in the Browse For Folder window

Click on the + next to your system drive (usually C:)

Click on the + next to Program Files

Click once on the Malwarebytes' Anti-Malware folder so that it is highlighted and click on OK

Click on the Add Path button on the right

Click on the + next to My Computer in the Browse For Folder window

Click on the + next to your system drive (usually C:)

Click on the + next to Documents and Settings

Click on the + next to Application Data

Click once on the Malwarebytes folder so that it is highlighted and click on OK

Click on the Add File button on the right and click on My Computer on the left

Double-click on your system drive (usually C:)

Double-click on Windows

Scroll to the right until you find the System32 folder and double-click on it

Double-click on the drivers folder

Scroll to the right until you find mbam.sys and double-click on it

Click on the Add File button on the right and scroll to the right until you find mbamswissarmy.sys and double-click on it

I do not have mbamswissarmy.sys there!!

Click on the Apply button at the bottom of the program window and then click on OK

Close the AVG window

Then if needed

How's that, "if needed"??? When? In the future? Or only this time????

run this removal tool (while AVG is disabled)

OK, I will run it, with AVG disabled (even as I did it before I made the exceptions you pointed me to set)

But it seems I have problems downloading mbam-clean.exe. It takes 1 minute for such a short file!!!

As I told you some programs not run very well in the last days. I did not have such problems before.

MS Word is Microsoft Word

I will do the rest remaining in the next reply


Set Exclusions for AVG Free 2011 in Malwarebytes' Anti-Malware:

Open Malwarebytes' Anti-Malware and click on the Ignore List tab

Click on the Add button

In the small browse window that opens, navigate to C:\Program Files and click once on AVG and click OK

Close Malwarebytes' Anti-Malware

I did it. I thought I told you I do not have the MBAM Pro version but the free one!!

Then let me know if MBAM is working again or not or if there are any errors still.

Here is my big question. I did not say anywhere that MBAM is not working, or doing that with errors!!!

How did you conclude I have such issues? I sent you MBAM logs in my earlier replies (the same action I do now, see the attachment), and as I understood from you, the problems were not with threats but with blocking some IPs.

I'm not sure I understand what you mean about MS Word. If you uninstalled it already then it shouldn't run or do you just mean you ran some other update for Office?

I mean that I uninstalled all of Microsoft Office, but that action did not remove the C:\Program Files\Microsoft Office\Office12 directory and others

There are all of EXCELL, WORD, etc., but double-clicking them does not obtain any result. Maybe I have to manually remove the directory C:\Program Files\Microsoft Office\

mbam-log-2011-11-21 (21-13-07).txt


During this topic or other topics, you and your colleagues instruct us to run programs such as dds, combofix.exe, securitycheck.exe, systemlook.exe, otl.exe, etc., and you gave us the corresponding links.

I ran AVG lately (on both my C and D drives) and it responded with a trojan in otl.exe, I mean Trojan Horse Agent3.AXVV. Is it a false alarm? Or are the links from where we downloaded not so safe!


  • Root Admin

We don't currently have the "exact" exclusion settings for AVG 2012 so you need to explore and review other settings to ensure it's excluded properly in 2012

Detection by Anti-Virus products of these tools we are using are False Positives because they could be used to cause damage if used improperly or by Malware writers.

To use the permissions tool you need to put in the path to the actual file you want to unlock or folder. But see below for taking ownership and resetting an entire folder manually.

C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

You said right here that you removed Office so how or why would you expect it to work if you uninstalled it?

A week ago I uninstalled Office (using a fix for the uninstall operation from Microsoft), or at least I thought I uninstalled it, because the directory C:\Program Files\Microsoft Office\Office12 still exists, with POWERPNT.EXE, POWERPNT.EXE, EXCELL.EXE, WINWORD.EXE, but nothing in C:\Program Files\Microsoft Office\

You said here that you observed something odd with MBAM - which from your description it would seem to be something wrong with the install thus the recommendation to do a clean removal and reinstall.

I observed that I have one dir C:\Program Files\Malwarebytes' Anti-Malware and one (empty) dir in capitals: C:\Program Files\MALWAREBYTES' ANTI-MALWARE

Not sure about removing the folder but you may be able to manually reset all the permissions to files and folders there and see if it works or not, if not then try to reinstall Office.

There are all of EXCELL, WORD, etc., but double-clicking them does not obtain any result. Maybe I have to manually remove the directory C:\Program Files\Microsoft Office\

Basically try resetting the ownership and permissions for any files or folders you have an issue with to see if it corrects it.

How to take ownership of a file or a folder in Windows XP

To reset the built-in firewall to defaults click on START RUN and type in the following and click OK

CMD /C NETSH FIREWALL RESET

Then restart the computer.

Then let me know what issues, if any, you continue to have.
