are two "O17" the norm in hijackthis log + having difficulty l


This topic is locked

#31 1972vet (Trusted Helper, Malware Removal, 99 posts)

Hello 1972Vet:

...I was able to run the ESET Online Scanner...I disabled the Microsoft Firewall and then tried to run the ESET. It ran through to 100% and found 2 items with the log below.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=36882
esets_scanner_update returned -1 esets_gle=36882
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=92262bcc64c0584ca6d53f93bbac8b4b
# engine=13859
# end=finished
# remove_checked=false
...
sh=0F83E64227E3280DC06D90014E70AB5034AB2D86 ft=1 fh=ba85a6898d827777 vn="a variant of Win32/Bundled.Toolbar.Ask.C application" ac=I fn="C:\Documents and Settings\Admin\My Documents\Downloads\CutePDFWriter.exe"
sh=B595414285D7C921EB34662B13D6C8BC3A75379B ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.C application" ac=I fn="C:\Documents and Settings\Admin\My Documents\Downloads\CuteWriter.zip"


You...or someone...must have tweaked Windows Firewall because I use the same Windows on board Firewall and ESET has always run fine on my system with no wrestling around necessary. Does anyone else have access to that system?

But now I still have the firewall disabled. I see the items it found are related to the print to pdf program I utilize. If this is an issue - which it seems to be - any other software recommendations? I also followed your direction and pasted the RogueKiller log below too. As for the AOL Proxy I do use AOL Dialup, but accordingly the settings should be automatic. I will look to hear your next steps. At least this looks like progress. Thank You.

While the firewall is disabled, please allow ESET to remove the two items it found. As to any substitute, I would have to have you clarify exactly what the software does. It seems from your brief description that you use it to convert PDF files for printing purposes? Is this correct? If that's all you use it for, then try IrfanView. I use it for graphics manipulation but it has a multitude of purposes, surely you'll find some usefulness with it.

=========================================================

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 05/18/2013 15:47:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD400BB-75DEA0 +++++
--- User ---
[MBR] 3a4b055ac942a9f30e2a459eabdf1f76
[BSP] d8530313a4a7d15b2a7fcbe346dffeff : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_S_05182013_02d1547.txt >>

As to your RogueKiller log above, it clearly shows that there are no issues relating to any proxy, as none are presented in that log. Further, this log shows NO issues of any kind relating to any serious issues commonly caused by today's most troublesome rogue applications. That looks like a clean machine to me!
#32 nirsmar (Topic Starter, Member, 67 posts)

Hello 1972Vet:

Through some trial and error I was able to run the ESET Online Scanner - How? - I disabled the Microsoft Firewall and then tried to run the ESET. It ran through to 100% and found 2 items with the log below. But now I still have the firewall disabled. I see the items it found are related to the print to pdf program I utilize. If this is an issue - which it seems to be - any other software recommendations? I also followed your direction and pasted the RogueKiller log below too. As for the AOL Proxy I do use AOL Dialup, but accordingly the settings should be automatic. I will look to hear your next steps. At least this looks like progress. Thank You.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=36882
esets_scanner_update returned -1 esets_gle=36882
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=92262bcc64c0584ca6d53f93bbac8b4b
# engine=13859
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-05-18 07:11:12
# local_time=2013-05-18 03:11:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=47099
# found=2
# cleaned=0
# scan_time=6278
sh=0F83E64227E3280DC06D90014E70AB5034AB2D86 ft=1 fh=ba85a6898d827777 vn="a variant of Win32/Bundled.Toolbar.Ask.C application" ac=I fn="C:\Documents and Settings\Admin\My Documents\Downloads\CutePDFWriter.exe"
sh=B595414285D7C921EB34662B13D6C8BC3A75379B ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.C application" ac=I fn="C:\Documents and Settings\Admin\My Documents\Downloads\CuteWriter.zip"


=========================================================

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 05/18/2013 15:47:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD400BB-75DEA0 +++++
--- User ---
[MBR] 3a4b055ac942a9f30e2a459eabdf1f76
[BSP] d8530313a4a7d15b2a7fcbe346dffeff : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_S_05182013_02d1547.txt >>



Hello 1972Vet:

...I was able to run the ESET Online Scanner...I disabled the Microsoft Firewall and then tried to run the ESET. It ran through to 100% and found 2 items with the log below.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=36882
esets_scanner_update returned -1 esets_gle=36882
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=92262bcc64c0584ca6d53f93bbac8b4b
# engine=13859
# end=finished
# remove_checked=false
...
sh=0F83E64227E3280DC06D90014E70AB5034AB2D86 ft=1 fh=ba85a6898d827777 vn="a variant of Win32/Bundled.Toolbar.Ask.C application" ac=I fn="C:\Documents and Settings\Admin\My Documents\Downloads\CutePDFWriter.exe"
sh=B595414285D7C921EB34662B13D6C8BC3A75379B ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.C application" ac=I fn="C:\Documents and Settings\Admin\My Documents\Downloads\CuteWriter.zip"


You...or someone...must have tweaked Windows Firewall because I use the same Windows on board Firewall and ESET has always run fine on my system with no wrestling around necessary. Does anyone else have access to that system?

No changes or tweaks to the firewall were made. Maybe by some sort of program or something - but not knowingly. In fact - as an example - maybe you or someone within the forums can speak to this - when I selected to download the ESET online scanner - it does not even list ESET on the list to allow or deny access under the firewall - nor did any type of pop-up show up to allow/deny access. (I speak of this before I disabled the firewall of course.)

But now I still have the firewall disabled. I see the items it found are related to the print to pdf program I utilize. If this is an issue - which it seems to be - any other software recommendations?


I also followed your direction and pasted the RogueKiller log below too. As for the AOL Proxy I do use AOL Dialup, but accordingly the settings should be automatic. I will look to hear your next steps. While the firewall is disabled, please allow ESET to remove the two items it found. As to any substitute, I would have to have you clarify exactly what the software does. It seems from your brief description that you use it to convert PDF files for printing purposes? Is this correct? If that's all you use it for, then try IrfanView. I use it for graphics manipulation but it has a multitude of purposes, surely you'll find some usefulness with it.

I will run ESET again while firewall is disabled - I would recommend doing a quick search for the CutePDF Writer - it is installed as a "printer" and enables the user to print a document directly to a .pdf file without the need to physically print it out. It gets saved as a .pdf file. Not sure if IrfanView is something that would work for me. I am not familiar with it - but I will review the link you posted.

At least this looks like progress. Thank You.


=========================================================

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 05/18/2013 15:47:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD400BB-75DEA0 +++++
--- User ---
[MBR] 3a4b055ac942a9f30e2a459eabdf1f76
[BSP] d8530313a4a7d15b2a7fcbe346dffeff : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_S_05182013_02d1547.txt >>

As to your RogueKiller log above, it clearly shows that there are no issues relating to any proxy, as none are presented in that log. Further, this log shows NO issues of any kind relating to any serious issues commonly caused by today's most troublesome rogue applications. That looks like a clean machine to me!


A clean machine is good - except for the above mentioned. Where do we go from here with the links to the other antivirus protection links you were going to post? What other items should be run or installed to keep the system buttoned up?

Thank You.

(please note that my responses to your queries today are posted in orange. I hope I posted in the correct sequence.)

Edited by nirsmar, 19 May 2013 - 12:30 PM.


#33 1972vet (Trusted Helper, Malware Removal, 99 posts)

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled (Microsoft Security Essentials users can disregard the Windows Defender disable instruction since while MSE is installed, Windows Defender is disabled already by default).

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running...that may cause the scan to stall.


#34 nirsmar (Topic Starter, Member, 67 posts)

Hello 1972Vet:

I ran through your directions for the ESET Online Scanner as mentioned in your earlier posting - but ESET did not remove the two items it had found. How should I proceed with removal of the two items it has found? Secondly - I will run your most recent directions and post back with the reports. Just so we are on the same page - I just want to let you know that I currently do not have the active anti-virus software as you mention in your posted direction to disable it. I was waiting for the links to the alternatives to MSE you were going to post and download either of them.

Thank You for your help.

#35 1972vet (Trusted Helper, Malware Removal, 99 posts)

Just to confirm, you used the instructions in my post #21 for running ESET:

...When prompted, install the needed software to perform the scan. When it finishes with the install, make sure to check the box titled Scan archives (the Remove found threats box should already be checked by default so PLEASE remove the check from this box).

Next, click the "Advanced Settings" link. Please make sure all boxes are checked except for "Use custom proxy settings". then click the Start button.

When it completes, use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt...

...and, before you attempted to allow ESET to remove anything, you, of course, returned to the "settings" feature mentioned above, and placed the check back into the appropriate box to allow removal of items that ESET finds.

If this is an accurate accounting of the steps you took and the results you detailed, then I'd have to say you should indeed contact ESET to notify them of this...as it would be a flaw that they would need to address.

If that is NOT what happened, then please be sure to place the check back into the appropriate box which allows ESET to remove items that it finds and determines to be a threat.

As to the instructions for combofix and the disabling of security software, I should point out that your system would still have the Windows Defender running its real-time protective feature on startup. I'll post the links for the Anti-Virus programs when we complete this troubleshooting endeavor.

When you started this thread, you weren't running ANY antivirus program on board, only the on-demand scanner "Stinger"...which, by the way, isn't recommended for use for anything other than removing specific viruses. Its database is a mere 6 plus thousand signatures when in today's world, there are actually millions of virus threats. In spite of this, you seem to have gotten along fine so, although I personally recommend against this type of behavior, you are unable to get along well with the Microsoft Security Essentials antivirus program which WAS recommended.

That said, since we've already established the expectations we both have regarding this help session, then I'd say it's indeed safe for you to continue as of now, without any other security software installed until we complete our analysis of log findings from the utilities we are recommending.
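As an added example (not from the thread, from ESET or from the helper), here is a small parser for the ESET Online Scanner log format pasted in post #32, with a check that explains the outcome discussed in posts #34 and #35: a scan run with the "Remove found threats" box unchecked logs `remove_checked=false` and `cleaned=0`, so the detections are reported but left on disk. The sample log is copied from the thread; the field meanings in the comments are my reading of the format.

```python
"""Parse the ESET Online Scanner log format seen in this thread and explain
why a scan that found items removed none of them (added example, not ESET code)."""
import re
from dataclasses import dataclass

# A detection line is a run of key=value pairs; values are either "quoted" or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Detection:
    sha1: str       # sh=  SHA-1 of the flagged file
    file_type: int  # ft=  file-type code
    file_hash: str  # fh=  ESET's own file hash (all zeros for the archive entry)
    threat: str     # vn=  detection name
    action: str     # ac=  action code; "I" in this thread, nothing was changed
    path: str       # fn=  full path of the flagged file


def parse_eset_log(text):
    """Return (settings, detections): the '# key=value' header and the sh= lines."""
    settings, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            settings[key.strip()] = value.strip().strip('"')
        elif line.startswith("sh="):
            fields = {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}
            detections.append(Detection(
                sha1=fields.get("sh", ""),
                file_type=int(fields.get("ft", "0")),
                file_hash=fields.get("fh", ""),
                threat=fields.get("vn", ""),
                action=fields.get("ac", ""),
                path=fields.get("fn", ""),
            ))
    return settings, detections


def explain_result(settings, detections):
    """Summarise the scan and say why found items may still be on disk."""
    found = int(settings.get("found", len(detections)))
    cleaned = int(settings.get("cleaned", "0"))
    remove_enabled = settings.get("remove_checked", "false").lower() == "true"
    notes = []
    if found and cleaned == 0 and not remove_enabled:
        notes.append("remove_checked=false: 'Remove found threats' was unchecked, "
                     "so the items were reported but not removed")
    for d in detections:
        # ESET's "application" suffix marks a potentially unwanted application
        # (here a bundled Ask toolbar installer), not a trojan or virus.
        if d.threat.endswith("application"):
            notes.append(f"{d.path}: potentially unwanted application ({d.threat})")
    return {"found": found, "cleaned": cleaned,
            "remove_enabled": remove_enabled, "notes": notes}


# Sample input copied from the log posted in this thread.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# OnlineScanner.ocx=1.0.0.6920
# utc_time=2013-05-18 07:11:12
# country="United States"
# remove_checked=false
# scanned=47099
# found=2
# cleaned=0
sh=0F83E64227E3280DC06D90014E70AB5034AB2D86 ft=1 fh=ba85a6898d827777 vn="a variant of Win32/Bundled.Toolbar.Ask.C application" ac=I fn="C:\Documents and Settings\Admin\My Documents\Downloads\CutePDFWriter.exe"
sh=B595414285D7C921EB34662B13D6C8BC3A75379B ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.C application" ac=I fn="C:\Documents and Settings\Admin\My Documents\Downloads\CuteWriter.zip"
"""

if __name__ == "__main__":
    settings, detections = parse_eset_log(SAMPLE_LOG)
    for note in explain_result(settings, detections)["notes"]:
        print(note)
```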

#36 nirsmar (Topic Starter, Member, 67 posts)

Hello 1972Vet:

Here is the update info with ESET Online Scanner. I allowed the program to run fully and it found and quarantined the following item.

C:\Documents and Settings\Admin\My Documents\Downloads\CutePDFWriter.exe - a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined

I am concerned because I use this CutePDFWriter program. Any alternatives?

I will continue with the steps you provided.

I may be missing something through the directions regarding Windows Defender, but I cannot seem to locate it through the directions in the link.

Thank You.

Edited by nirsmar, 24 May 2013 - 12:54 PM.


#37 1972vet (Trusted Helper, Malware Removal, 99 posts)

Hello 1972Vet:

... ESET Online Scanner...quarantined the following item.

C:\Documents and Settings\Admin\My Documents\Downloads\CutePDFWriter.exe - a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined

I am concerned because I use this CutePDFWriter program. Any alternatives?

I may be missing something through the directions regarding Windows Defender, but I cannot seem to locate it through the directions in the link.

Thank You.

Click start--->type "Windows Defender" in the Search programs and files box. As to the alternative to CutePDF writer, tell us, do you use this to actually write PDF files? If not, what do you use it for?

#38 nirsmar (Topic Starter, Member, 67 posts)

Hi 1972Vet:

I conducted a search through the -search results- by START>SEARCH>ALL FILES AND FOLDERS and nothing came back with the term "Windows Defender".

The CutePDFWriter (freeware version) installs itself as a "printer subsystem" and it is used to create .pdf files from any printable document. For example, I could use the program to print out these directions by clicking on FILE>PRINT in IE and then select the Cutepdfwriter (freeware version) and it would convert it to a .pdf file. If a forum member can recommend an alternative that would be fine. You may learn more about the program to get a better idea at http://cutepdf.com/P...PDF/writer.asp.


I ran the ComboFix program. But as it was running a window popped up with the following:

pev.3XE has encountered a problem and needs to close. We are sorry for the inconvenience.

AppName: pev.3xe AppVer: 0.0.0.0 ModName: ntdll.dll
ModVer: 5.1.2600.6055 Offset: 00014013


I closed the window and the ComboFix seemed to continue to run. The log as requested is pasted below.

======================

ComboFix 13-05-24.01 - Admin 05/24/2013 19:54:11.1.1 - x86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2013-04-25 to 2013-05-25 )))))))))))))))))))))))))))))))
.
.
2013-05-22 23:36 . 2013-05-22 23:36 -------- d-----w- c:\program files\7-ZipPortable
2013-05-22 22:21 . 2003-01-10 21:13 33588 ----a-r- c:\windows\system32\drivers\wanatw4.sys
2013-05-17 14:07 . 2013-05-17 14:07 -------- d-----w- c:\program files\ESET
2013-05-17 12:19 . 2013-05-17 12:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2013-05-14 20:39 . 2013-05-14 20:39 -------- d-----w- C:\found.005
2013-05-11 18:59 . 2013-05-12 20:05 448 ----a-w- C:\FixitRegBackup.reg
2013-05-05 18:07 . 2013-05-05 18:07 -------- d-----w- C:\found.004
2013-04-28 23:36 . 2012-10-04 23:50 88688 ----a-w- c:\windows\system32\cpwmon2k.dll
2013-04-28 23:17 . 2013-04-28 23:17 -------- d-----w- c:\program files\gs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-14 20:20 . 2013-02-20 23:59 14664 ----a-w- c:\windows\stinger.sys
2013-03-07 14:31 . 2013-04-22 22:05 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^GBPVRTray.exe.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\GBPVRTray.exe.lnk
backup=c:\windows\pss\GBPVRTray.exe.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-03-08 07:27 41800 ----a-w- c:\program files\Common Files\AOL\1364077436\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-02-24 11:32 5537792 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-02-24 11:32 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-02-24 11:32 1495040 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-10-30 20:16 19456 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GB-PVR Recording Service"=2 (0x2)
"wuauserv"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Turtle Beach\\Santa Cruz\\Control Panel\\SantaCruzCpl.exe"=
"c:\\Program Files\\Turtle Beach\\Santa Cruz\\Control Panel\\SCSChk.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\AOL\\1364077436\\ee\\aolsoftware.exe"=
.
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\DRIVERS\nvtunep.sys [x]
R3 NUVision;Studio PCTV USB/Radio (NTSC);c:\windows\system32\DRIVERS\NUVision.sys [x]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [x]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
TCP: Interfaces\{5A5C8D1A-CB5B-4532-97F0-35F0BDA3C853}: NameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\xzk36lty.default-1362958483423\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
SafeBoot-91081020.sys
MSConfigStartUp-AOL Fast Start - c:\program files\AOL Desktop 9.6\AOL.EXE
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-24 20:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1993962763-1708537768-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(472)
c:\windows\system32\NavLogon.dll
.
- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-05-24 21:07:13
ComboFix-quarantined-files.txt 2013-05-25 01:06
.
Pre-Run: 12,975,996,928 bytes free
Post-Run: 12,917,436,416 bytes free
.
- - End Of File - - 3139FFCA10B2DFDBDB3045639373AAAC


Thank You for your assistance.

#39 1972vet (Trusted Helper, Malware Removal, 99 posts)

There is information missing from the combofix log...can you re-post the log and include all the data without editing please? Thanks!

#40 nirsmar (Topic Starter, Member, 67 posts)

Hello 1972Vet:

No editing has been done. This was the entire log. Maybe the issue with the pev.3XE had to do with it. I will re-run the program and post the results again.

Thank you for your assistance.
#41 nirsmar (Topic Starter, Member, 67 posts)

Hello 1972Vet:

No editing has been done. This was the entire log. Maybe the issue with the pev.3XE had to do with it. I will re-run the program and post the results again.

Thank you for your assistance.


Here is the ComboFix results log I re-ran. Looks to be very similar.

ComboFix 13-05-24.01 - Admin 05/26/2013 18:00:51.2.1 - x86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-04-26 to 2013-05-26 )))))))))))))))))))))))))))))))
.
.
2013-05-22 23:36 . 2013-05-22 23:36 -------- d-----w- c:\program files\7-ZipPortable
2013-05-22 22:21 . 2003-01-10 21:13 33588 ----a-r- c:\windows\system32\drivers\wanatw4.sys
2013-05-17 14:07 . 2013-05-17 14:07 -------- d-----w- c:\program files\ESET
2013-05-17 12:19 . 2013-05-17 12:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2013-05-14 20:39 . 2013-05-14 20:39 -------- d-----w- C:\found.005
2013-05-11 18:59 . 2013-05-12 20:05 448 ----a-w- C:\FixitRegBackup.reg
2013-05-05 18:07 . 2013-05-05 18:07 -------- d-----w- C:\found.004
2013-04-28 23:36 . 2012-10-04 23:50 88688 ----a-w- c:\windows\system32\cpwmon2k.dll
2013-04-28 23:17 . 2013-04-28 23:17 -------- d-----w- c:\program files\gs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-14 20:20 . 2013-02-20 23:59 14664 ----a-w- c:\windows\stinger.sys
2013-03-07 14:31 . 2013-04-22 22:05 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^GBPVRTray.exe.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\GBPVRTray.exe.lnk
backup=c:\windows\pss\GBPVRTray.exe.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-03-08 07:27 41800 ----a-w- c:\program files\Common Files\AOL\1364077436\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-02-24 11:32 5537792 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-02-24 11:32 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-02-24 11:32 1495040 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-10-30 20:16 19456 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GB-PVR Recording Service"=2 (0x2)
"wuauserv"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Turtle Beach\\Santa Cruz\\Control Panel\\SantaCruzCpl.exe"=
"c:\\Program Files\\Turtle Beach\\Santa Cruz\\Control Panel\\SCSChk.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\AOL\\1364077436\\ee\\aolsoftware.exe"=
.
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\DRIVERS\nvtunep.sys [x]
R3 NUVision;Studio PCTV USB/Radio (NTSC);c:\windows\system32\DRIVERS\NUVision.sys [x]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [x]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [x]
.
.
.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
TCP: Interfaces\{5A5C8D1A-CB5B-4532-97F0-35F0BDA3C853}: NameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\xzk36lty.default-1362958483423\
.
.
------- File Associations -------
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-26 19:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1993962763-1708537768-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\NavLogon.dll
.
- - - - - - - > 'explorer.exe'(2648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-05-26 19:30:07
ComboFix-quarantined-files.txt 2013-05-26 23:29
ComboFix2.txt 2013-05-25 01:07
.
Pre-Run: 12,733,120,512 bytes free
Post-Run: 12,637,253,632 bytes free
.
- - End Of File - - 2C888BF56D4B04C5C6A471EAF290BAAF


Thank You for your assistance.

#42 1972vet (Trusted Helper, Malware Removal, 99 posts)

Hello 1972Vet:

No editing has been done. This was the entire log.

Below I've constructed an example of what the log header should look like when combofix completes a scan:

ComboFix 13-05-24.01 - UserNameGoesHere 05/24/2013 11:12:48.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5924.3320 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

...it's the part of the text above in Bold that is missing from your log. Please take another look.
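An added example (not from the thread or from ComboFix's author) that turns the header check 1972vet describes into code: it reports which of the three expected header lines is absent from a ComboFix log, and it also reads the Windows Firewall policy keys ComboFix lists under "Reg Loading Points", which in the logs above show `"EnableFirewall"= 0` and an AuthorizedApplications list with no ESET entry. The sample excerpt is assembled from the logs posted in this thread; the header regexes are my assumptions about the format.

```python
"""Check a ComboFix log for the header lines described in the thread and pull
the Windows Firewall state out of its 'Reg Loading Points' section
(added example; not ComboFix code)."""
import re

# The three header lines a complete log starts with, per post #42:
# tool/version line, OS line ending in "[GMT -5:00]" style, then "Running from:".
_TOOL_RE = re.compile(r"^ComboFix \d{2}-\d{2}-\d{2}\.\d{2} - ")
_OS_RE = re.compile(r"^Microsoft Windows .*\[GMT [+-]?\d{1,2}:\d{2}\]$")
_RUN_RE = re.compile(r"^Running from: ")
EXPECTED_HEADER = [("tool/version line", _TOOL_RE),
                   ("OS line", _OS_RE),
                   ("Running from line", _RUN_RE)]


def check_header(log_text):
    """Return the labels of expected header lines absent from the first three lines."""
    head = [line.strip() for line in log_text.strip().splitlines()[:3]]
    return [label for label, pattern in EXPECTED_HEADER
            if not any(pattern.search(line) for line in head)]


def firewall_state(log_text):
    """Return (enabled, authorized_paths) from the standardprofile firewall keys.

    enabled is None when the log carries no EnableFirewall value at all."""
    enabled, authorized, section = None, [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key.endswith(r"firewallpolicy\standardprofile"):
                section = "policy"
            elif key.endswith(r"firewallpolicy\standardprofile\authorizedapplications\list"):
                section = "allowed"
            else:
                section = None
        elif section == "policy":
            m = re.match(r'"EnableFirewall"\s*=\s*(\d+)', line)
            if m:
                enabled = m.group(1) != "0"
        elif section == "allowed" and line.startswith('"'):
            # ComboFix prints registry strings with doubled backslashes; undo that.
            authorized.append(line.split('"')[1].replace("\\\\", "\\"))
    return enabled, authorized


def is_authorized(authorized, exe_name):
    """True if some allow-list entry ends with the given executable name."""
    return any(p.lower().endswith("\\" + exe_name.lower()) for p in authorized)


def summarize(log_text):
    enabled, authorized = firewall_state(log_text)
    return {"missing_header": check_header(log_text),
            "firewall_enabled": enabled,
            "authorized_count": len(authorized)}


# Excerpt assembled from the ComboFix logs posted in this thread (OS line absent,
# firewall disabled, allow-list trimmed to four of its entries).
SAMPLE_LOG = r"""ComboFix 13-05-24.01 - Admin 05/26/2013 18:00:51.2.1 - x86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Turtle Beach\\Santa Cruz\\Control Panel\\SantaCruzCpl.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\waol.exe"=
.
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\DRIVERS\nvtunep.sys [x]
"""

# The complete header 1972vet constructed in post #42, for comparison.
COMPLETE_HEADER = r"""ComboFix 13-05-24.01 - UserNameGoesHere 05/24/2013 11:12:48.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5924.3320 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    _, allowed = firewall_state(SAMPLE_LOG)
    print("ESET allowed through firewall:", is_authorized(allowed, "OnlineScannerApp.exe"))
```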

#43 nirsmar (Topic Starter, Member, 67 posts)

Hello 1972Vet:

I double checked the two logs that were produced by combofix as per your inquiry, and my previous postings are the only information from the combofix logs.

Thank you for your assistance.

#44 1972vet (Trusted Helper, Malware Removal, 99 posts)

K...then yours is the only one on the planet with this type of behavior. Interesting. Are you having any other issues at this time?

#45 nirsmar (Topic Starter, Member, 67 posts)

Hello 1972Vet:

Really. The only one that has the report results this way. Interesting? That does not sound so good. I would say that the items which we have been discussing are the primary issues? Thank You for your assistance.

Edited by nirsmar, 01 June 2013 - 01:26 PM.
