Posts posted by FrankenBox

  1. Results from Virustotal:

    File UD6DD1.EXE received on 08.04.2008 10:40:49 (CET)

    Current status: finished


    Result: 1/36 (2.78%)


    Antivirus Version Last Update Result

    AhnLab-V3 2008.7.29.1 2008.08.04 -

    AntiVir 2008.08.04 -

    Authentium 2008.08.03 -

    Avast 4.8.1195.0 2008.08.03 -

    AVG 2008.08.03 -

    BitDefender 7.2 2008.08.04 -

    CAT-QuickHeal 9.50 2008.08.02 -

    ClamAV 0.93.1 2008.08.04 -

    DrWeb 2008.08.04 -

    eSafe 2008.08.03 -

    eTrust-Vet 31.6.6002 2008.08.02 -

    Ewido 4.0 2008.08.03 -

    F-Prot 2008.08.03 -

    F-Secure 7.60.13501.0 2008.08.04 Suspicious:W32/Dzan!Gemini

    Fortinet 2008.08.04 -

    GData 2.0.7306.1023 2008.08.04 -

    Ikarus T3. 2008.08.04 -

    K7AntiVirus 7.10.402 2008.08.02 -

    Kaspersky 2008.08.04 -

    McAfee 5352 2008.08.01 -

    Microsoft 1.3807 2008.08.04 -

    NOD32v2 3323 2008.08.04 -

    Norman 5.80.02 2008.08.01 -

    Panda 2008.08.03 -

    PCTools 2008.08.03 -

    Prevx1 V2 2008.08.04 -

    Rising 2008.08.04 -

    Sophos 4.31.0 2008.08.04 -

    Sunbelt 3.1.1537.1 2008.08.01 -

    Symantec 10 2008.08.04 -

    TheHacker 2008.08.04 -

    TrendMicro 8.700.0.1004 2008.08.04 -

    VBA32 2008.08.04 -

    ViRobot 2008.8.1.1321 2008.08.01 -

    VirusBuster 2008.08.03 -

    Webwasher-Gateway 6.6.2 2008.08.04 -

    Additional information

    File size: 296224 bytes

    MD5...: b8bee3b4802f23fcc809082dfb5a663b

    SHA1..: aaf3bec0920d83e09b24988d9d4baeebaa7c92e5

    SHA256: b4a6cc1c2881f12ac55ea18dcb4d469c2bd39205db6103ff2450ac5b8ba4ba65

    SHA512: 6b3a963734a87b8197dca6b106b9b2bfaa47a152cd26d3f0dbcc94cad96ad5e8


    PEiD..: -

    PEInfo: PE Structure information


    ( base data )

    entrypointaddress.: 0x41db09

    timedatestamp.....: 0x48243050 (Fri May 09 11:06:56 2008)

    machinetype.......: 0x14c (I386)


    ( 4 sections )

    name viradd virsiz rawdsiz ntrpy md5

    .text 0x1000 0x350bb 0x36000 6.61 d7f9a3888ef873e8a66a5ef75280ec7a

    .rdata 0x37000 0xb763 0xc000 5.01 781cee8b4262394da3ccceb73a8c24fe

    .data 0x43000 0xb760 0x3000 3.16 2b669b77dbae0570d425d6dfcbaf70da

    .rsrc 0x4f000 0xaf8 0x1000 4.42 853b1f5de5376361b0ca12f4a6354f1e


    ( 7 imports )

    > WS2_32.dll: -, -, -

    > ADVAPI32.dll: SetSecurityDescriptorDacl, InitializeSecurityDescriptor, StartServiceA, QueryServiceStatus, CloseServiceHandle, OpenServiceA, OpenSCManagerA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, QueryServiceConfigA, RegNotifyChangeKeyValue

    > KERNEL32.dll: GlobalAlloc, GlobalFree, lstrcmpA, TlsGetValue, GlobalReAlloc, GlobalHandle, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, InterlockedDecrement, InterlockedIncrement, GlobalGetAtomNameA, GetThreadLocale, ResumeThread, GlobalFlags, lstrcmpW, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GetLocaleInfoA, GetCPInfo, GetOEMCP, SetFilePointer, FlushFileBuffers, GlobalLock, CreateFileA, GetFileAttributesA, RaiseException, RtlUnwind, ExitThread, CreateThread, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, HeapReAlloc, GetCommandLineA, GetProcessHeap, GetStartupInfoA, HeapSize, ExitProcess, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GlobalUnlock, FormatMessageA, SetLastError, GetCurrentProcess, LoadLibraryW, CreateFileW, WaitNamedPipeW, SetNamedPipeHandleState, WriteFile, SetWaitableTimer, GetOverlappedResult, ReadFile, GetCurrentThreadId, CreateEventW, CreateNamedPipeW, DisconnectNamedPipe, ConnectNamedPipe, lstrlenA, CompareStringA, MultiByteToWideChar, InterlockedExchange, WaitForMultipleObjects, LocalAlloc, LocalFree, CreateProcessA, GetModuleFileNameA, GetTickCount, CopyFileA, TerminateProcess, MoveFileExA, GetVersion, VirtualAlloc, DeleteFileA, Sleep, ResetEvent, SetEvent, TerminateThread, DeleteCriticalSection, CreateEventA, InitializeCriticalSection, GetCurrentDirectoryA, GetComputerNameA, GetTempPathA, GetTempFileNameA, GetSystemDirectoryA, FindFirstFileA, FindNextFileA, FindClose, lstrcmpiA, OpenFile, WideCharToMultiByte, GetVersionExA, GetLastError, EnterCriticalSection, _lclose, LeaveCriticalSection, GetPrivateProfileIntA, FindResourceA, FreeLibrary, LoadResource, LockResource, SizeofResource, CreateMutexA, GetModuleHandleA, WaitForSingleObject, GetExitCodeThread, lstrcpyA, GetCurrentProcessId, OpenProcess, CloseHandle, ReadProcessMemory, WriteProcessMemory, GetProcAddress, LoadLibraryA, InterlockedCompareExchange

    > USER32.dll: DestroyMenu, PostQuitMessage, RegisterWindowMessageA, LoadIconA, WinHelpA, GetCapture, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, GetClientRect, GetMenu, PostMessageA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, DefWindowProcA, CallWindowProcA, SystemParametersInfoA, IsIconic, GetWindowPlacement, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem, CheckMenuItem, SetWindowPos, SetWindowLongA, IsWindow, GetDlgItem, GetFocus, ClientToScreen, GetWindow, GetDlgCtrlID, GetWindowRect, GetClassNameA, PtInRect, SetWindowTextA, UnregisterClassA, SetWindowsHookExA, CallNextHookEx, GrayStringA, DrawTextExA, DispatchMessageA, PeekMessageA, ValidateRect, GetWindowTextA, LoadCursorA, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, UnhookWindowsHookEx, GetWindowThreadProcessId, SendMessageA, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxA, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, wsprintfA, DrawTextA, TabbedTextOutA, GetKeyState

    > GDI32.dll: TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, RectVisible, DeleteDC, GetStockObject, PtVisible, DeleteObject, GetDeviceCaps, SetMapMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, CreateBitmap

    > WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter

    > OLEAUT32.dll: -, -, -


    ( 61 exports )



    ThreatExpert info: http://www.threatexpert.com/report.aspx?md...809082dfb5a663b


    The other service reports nothing.
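    An added triage helper, not part of the original post, that parses the VirusTotal text report format pasted above (vendor verdict rows, the PE section table and the import lines) and reports the detection ratio, sections that look packed or inflated, and imports from a small watchlist. The embedded sample is a trimmed copy of the report above; the watchlist and the thresholds are my own assumptions, and a hit is a prompt for analysis, not a verdict.

```python
import re

# Constructed sample: a trimmed copy of the VirusTotal text report pasted above
# (vendor rows, the PE section table and a few import lines), not a new scan.
REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.08.04 -
AntiVir 2008.08.04 -
F-Secure 7.60.13501.0 2008.08.04 Suspicious:W32/Dzan!Gemini
Symantec 10 2008.08.04 -
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x350bb 0x36000 6.61 d7f9a3888ef873e8a66a5ef75280ec7a
.rdata 0x37000 0xb763 0xc000 5.01 781cee8b4262394da3ccceb73a8c24fe
.data 0x43000 0xb760 0x3000 3.16 2b669b77dbae0570d425d6dfcbaf70da
.rsrc 0x4f000 0xaf8 0x1000 4.42 853b1f5de5376361b0ca12f4a6354f1e
> ADVAPI32.dll: StartServiceA, OpenSCManagerA, RegSetValueExA
> KERNEL32.dll: CreateProcessA, WriteProcessMemory, ReadProcessMemory, IsDebuggerPresent
> USER32.dll: SetWindowsHookExA, CallNextHookEx, MessageBoxA
"""

# One vendor row: name, optional engine version, signature date, verdict ('-' = clean).
VENDOR_RE = re.compile(r"^(\S+)\s+(?:(\S+)\s+)?(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# One PE section row: name, virtual address, virtual size, raw size, entropy, md5.
SECTION_RE = re.compile(r"^(\.\w+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([\d.]+)\s+([0-9a-f]{32})$")
IMPORT_RE = re.compile(r"^>\s*(\S+):\s*(.*)$")

# Assumed watchlist of APIs worth a second look; legitimate security agents and
# debuggers use them too, so a hit means "analyse further", not "malicious".
WATCHLIST = {"WriteProcessMemory", "ReadProcessMemory", "CreateRemoteThread",
             "VirtualAllocEx", "SetWindowsHookExA", "IsDebuggerPresent",
             "OpenSCManagerA", "StartServiceA"}

def parse_report(text):
    """Split the pasted report into vendor rows, section rows and an import map."""
    vendors, sections, imports = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if (m := VENDOR_RE.match(line)):
            vendors.append({"vendor": m[1], "version": m[2], "date": m[3], "result": m[4]})
        elif (m := SECTION_RE.match(line)):
            sections.append({"name": m[1], "virsiz": int(m[3], 16),
                             "rawdsiz": int(m[4], 16), "entropy": float(m[5])})
        elif (m := IMPORT_RE.match(line)):
            imports[m[1]] = [f.strip() for f in m[2].split(",") if f.strip() not in ("", "-")]
    return vendors, sections, imports

def triage(text, entropy_threshold=7.0):
    """Summarise the report into the few facts an analyst wants first."""
    vendors, sections, imports = parse_report(text)
    hits = [(v["vendor"], v["result"]) for v in vendors if v["result"] != "-"]
    packed = [s["name"] for s in sections if s["entropy"] >= entropy_threshold]
    # A section much larger in memory than on disk is often filled at run time
    # (unpacker stub or self-decrypting code); plain .bss-style .data is usually under 4x.
    inflated = [s["name"] for s in sections if s["rawdsiz"] and s["virsiz"] > 4 * s["rawdsiz"]]
    flagged = sorted({f for funcs in imports.values() for f in funcs if f in WATCHLIST})
    return {"ratio": f"{len(hits)}/{len(vendors)}", "hits": hits,
            "high_entropy_sections": packed, "inflated_sections": inflated,
            "watchlist_imports": flagged}

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```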

  2. Might not be as simple as that... I lost ME7244.exe when I switched back to normal startup to see if it would start because the file search couldn't locate it. I did not find it starting up again, but got another bogus looking one... LNAFE2.exe. Similarly there does not seem to be a listing for it.


    Right now it is sitting open on my taskmanager but the file search is not able to locate it.


    Unless it is a network file (in which case H*($S*#* we have big problems here), I think it might be an alias name for another process.


    I keep seeing symantec find the same trojan threats over and over again even though I have removed them from the current and system registries.... there is a file here somewhere that I am not finding.


    Edit: Collapsing Following post...

    FOUND IT! It's getting created in a temp file whenever I restart.... I will upload LNAFE2.exe and scan per processes above now...

  3. I'm helping to clean up a work machine that is very very sick while our IT guy is away. Found a number of trojans so far, a few nasty malware pranks, and some rogue .exe files that I can't seem to place.


    Mostly clean now, but I have two processes running that are suspicious.


    msiexec.exe is automatically loading when Windows boots, although there are no residual installation processes that are due to complete.



    ME7244.exe is running and I am not sure what that is... further, there is no google info on it. I am considering it a very likely candidate to be a trouble maker.


    Does anyone know what this process is?

  4. Could be that your system preferences are set so that all new dialogs and processes are forced to open in a new window. I have seen it floating around somewhere before, but can't remember exactly where. It's a system setting - check your control panel.


    Or perhaps someone knows exactly where this option is.

  5. Have you disabled the onboard video controller in your BIOS? If not, you will effectively be running a dual monitor machine, and the onboard controller will try to be the primary - you won't see anything unless you plug into the onboard jack.


    If not that, try what dickster says - it's most likely just a power issue.

  6. My recommendation for a fix would be to address the warning logic about system restore size.


    I think the average size of drives may be higher than stated, however if this is not the case, try benchmarking against a relative percentage of drive space.


    I have my system restore set almost to minimum (1%) and due to my drive size this is still almost 6000 MB- Would I like to have this space back? Sure, but unless I take the time to look up the setting in my registry my choice is 200MB (two or three points), or 6000MB.


    I can't say I love the new layout, but after playing a little bit, it does provide more information than before.


    It's a good start but could definitely benefit from continued tuning.


    edit: system resort/system restore, with Windows it's about the same thing.

  7. AH! Graphics card issue most likely.


    reference here.


    It seems the problem is that a WinXP SP1 install will not support PCI-E graphics cards. (I was wondering why I had similar problems with mine when I set it up - finally took it to a shop to configure the RAID and install for me).


    Since this is a laptop (?) you may have the option in BIOS to select a basic (onboard) graphics option and go through the install, upgrade and then reintegrate your upgraded graphics controller.


    Incidentally - SP1 will not support USB2 either, which may or may not be an issue for you.

  8. Depends on how bad you need what is in the upgrade. I had no problems installing it, but since I run a machine that depends on a lot of legacy apps from older windows OS' and some old DOS code I ran into problems with the new service pack rendering those useless.


    You may find certain changes to settings and the way things are laid out that you may not like. It's more a question of do you really want it rather than do you really need it.

  9. If the disk is clean and scratch free, the next thing I'm wondering about is the possibility of a memory problem. Sounds like there is not enough functional memory for XP to load.


    Even with a scratched disk, I have never had problems with BSOD right from the start.


    If the memory is not bad you can try the following: Boot down, disconnect all power cords or batteries, depress the power button for a few seconds to drain any residual charge from the board.


    What I am suspecting is the possibility of a hung thread. Your memory is not clearing it during a normal power up cycle, and so there is not enough room for windows to load.


    Once the memory is cleared you should definitely be able to load XP. If you have enough memory to run Vista, then XP will easily fit.

  10. Windows and MSN Messenger have a tab under the Tools menu for Privacy. You can place this person on the list to block them from having contact. Your daughter will likely be able to figure out how to undo this if she wants to contact this person.


    You will need to speak with her and explain why this is not a good relationship for her to have at this point in her life, and set up the blocks together. She can delete the contact from her friends list, and you and she can add them to the block list. This is usually under Tools => Options => Privacy.


    I don't know of an administrative way to do this so she CANNOT contact this person again, you will need her cooperation, hence will need to discuss this with her. She does not need to "say goodbye" or explain herself. Just delete the contact and block them.

  11. Try the Vista tweaks first, if you still are not satisfied open up your bios on start up (one of the F# keys will be indicated on the splash screen) and ensure that boot from CD is the first boot option. If you have an XP disc that can be installed, there is no reason that I can think of that it should not be able to replace a Vista installation. The basic installation does not require an internet connection, hence no way for the machine to know whether the copy of XP you have is already in use or not - incidentally, that doesn't really matter as long as you are not running the same XP on several machines simultaneously.


    Every XP installation process I know of allows you to clear and format your drives before proceeding.


    If Vista has some sort of protection against this, you should at least be able to create a boot disk with one of the Vista utilities to let you boot into a rudimentary command prompt at which point you would be able to manually format.


    That said, if you cannot tweak Vista to your liking the manual method is an option we can walk you through. We should see a Tech Express post however, so that we know what we are dealing with.

  12. Erm........... sorry for being a bit thick about this but can someone explain exactly how I can stop this person communicating with my daughter. I am not very PC literate so step by step would be good. She is using Firefox as her browser by the way.


    Since this is a third party connection there is no direct connection between your (daughter's) computer and that of this individual. The website hosts a central meeting area (server) that other computers connect into.


    Since you are at this point merely concerned about the individual, the best action is to speak with your daughter about it. If there is nothing unseemly about the nature of their conversations then all you really can do is forbid her to interact with this person, and suggest she use caution in the future.


    If she is unable or unwilling to do this, you need to block this site, and using the firewall settings will do this. Each program is different, and if you can tell us which one you use, there will be someone that can walk you through that process.


    If she is being contacted through her instant messaging program (different than the website chat area) then there is a bit of a problem, and you can set the IM program to block that... again, if you can tell us what program you (she) is using we can walk you through that too.

  13. When you started to install the older OS, did you use the basic (express) mode, or the advanced mode?


    If the disc was not bios locked as Mouse suggests, then you may want to use the advanced mode so that you can format the partition and clear out the Vista installation.


    CAUTION: You will lose the data on that partition, so ensure that you have backed up all documents and media you wish to save. You will also have to reinstall all software regardless of whether you have saved data and settings from it. You may know that already, but fair warning.


    In the installation you will have the option to clear and reformat the drive. Do so and the XP installation should go along smoothly enough, sans whatever OEM drivers are required.

  14. A decent firewall program should have the ability to maintain an exclusion list. Additionally, if you believe that this person is purposely mis-representing their age you should report their I.P. to the site administrators with their concerns.

  15. Generally just pulling them out is perfectly safe no matter what state things are in. If you are transferring simple media such as documents, pictures, or music the worst that will happen is that you get a broken file in the destination location if you remove it in the middle of a transfer. If you have a running program that is pulling data from the flash drive then you can get a broken thread, generate file fragmentation on your HDD, and possibly create an error in your registry (depending upon the operation) but we all know how to correct those problems don't we? ;)

  16. That problem is often related to registry errors. It's always good to have a utility on hand to keep your drive and registry in clean, properly ordered condition. This will not only help prevent software errors, but improve performance noticeably.


    You can manually delete the files via your command prompt, and then run a registry cleanup for those stubborn corrupted install files.

  17. No worries, I guess I just didn't make it clear.

    The cd-drive is on an IDE cable I'm guessing, but the hard drive is attached to a separate SATA cable as you said. The pc was originally equipped with this setup, but the drive crashed, was taken out and replaced with an IDE hard drive, I got a new SATA hard drive and that was put back.


    In that case it's a matter of reconfiguring your SATA controller. Unfortunately that is not my area of expertise as I just recently upgraded to this hardware configuration and haven't had enough play time yet.


    I do know that you will have to make sure that your computer is not trying to boot or read from the location with the IDE drives (probably a BIOS setting); you can leave it connected, just set the BIOS to boot from the SATA first. If that gets you going, great, but likely there is a bit more to it and you may need your Windows or HDD setup CD to complete the rest.

  18. er.... do you have a SATA cable or IDE cable then? I had assumed IDE based on the comment that the HDD and DVD were on the same cable. SATA is an entirely separate cable for each drive, so you wouldn't be able to run both drives off it anyway.


    Sorry if that sounds like a basic response, but that's how I'm reading your issue. I have never heard of a line with both SATA and IDE connections, so something is not making sense about your hardware setup.


    One of the errors might be the way the machine is reading the hardware. SATA/RAID setups can be tricky to implement.

  19. Set both drives to "cable select", then make sure that the HDD is on the first plug (this is actually the second one in... you have two on one end of the cable and one on the other... the single plug of course is what goes into the MOBO, the first plug up from that is the cable select master, the second (the end plug) is the slave if you use the CSS jumper setting).


    That said, you may still need to go through an install process even if your drive has transferred. If this is the case do not format, select repair install instead and go from there.


    Good luck - reconfiguring a system can be irritating at best.
