

Something is hidden in this computer

3 replies to this topic

#1 bcordone


  • Members
  • 48 posts
  • Location:East coast USA
  • Local time:10:13 PM

Posted 15 January 2010 - 11:49 AM

Hi! I am going to try to shorten this long story and give as much specific info as I can. My mother changed from McAfee Internet Security to AVG Internet Security in September 2009. A couple of days ago my mom tried to scan with her Malwarebytes and a message that the file could not be found came on. So I decided to make sure all of it was uninstalled and reinstall it. There was one file "mbamext.dll" that just could not be removed so I just went ahead and reinstalled Malwarebytes. That file (mbamext.dll) is still on the computer. In checking her AVG scan logs I see that (12) win32/fakexpa and (2) malware.gen have been put in her virus vault on Jan 4th & Jan 05th. Two days ago I put her computer into safe mode and I ran a full Malwarebytes scan, a full Superantivirus Professional scan and a full AVG scan that can only be done in safe mode and all came up clean. That night while she was on the computer she was interrupted by a big ad saying her computer was infected and she needed to scan immediately with whatever they suggested. She x'd everything out. That was the only mishap. While she was on the computer last night she rec'd a message from AVG stating it had blocked "exploit rogue scanner (type 996)" program name "c:\program files\internet exployer\:explove.exe process id: 1964"
I am convinced there is something well hidden in her computer and have told her not to do anything on her computer such as banking, or important passwords etc. Is there something more thorough to scan with?



#2 roadclosed


  • Members
  • 138 posts
  • Local time:10:13 PM

Posted 15 January 2010 - 02:10 PM

Can you please clarify; you say you scanned with 'Superantivirus'.

Do you mean Superantivirus Professional or Superantispyware?

Malwarebytes scans are best run in Normal Mode. Can you please fully update Malwarebytes, reboot and run a full deep computer scan in Normal Mode with it?

Assuming you do need Superantispyware it can be found here

  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when it's finished
    it will list all the infections it has found.
  • Make sure that they all have a check next to them and press
  • Click finish and you will be taken back to the main
  • Click Preferences and then click the statistics/logs
    tab. Click the dated log and press view log and a text file will
  • Copy and paste the log onto the forum.
Let's see what both those up-to-date fresh scans say, so please post both results for checking. They may take several hours to complete so please be patient.

#3 bcordone

  • Topic Starter

  • Members
  • 48 posts
  • Location:East coast USA
  • Local time:10:13 PM

Posted 02 February 2010 - 10:35 AM

Right after I posted my original post we had a death in the family and I have been off computer till now. I am going over to my mom's right now to follow your directions. Here are answers to your questions. Last year I had put the free version of Superantispyware on her computer and she liked it so much she paid for the Superantivirus Professional version. I also put the free version of Malwarebytes' Anti-Malware on her computer. I had put them on my computer and my kids' computer through advice from this forum a couple of years ago and thought they were really good programs. The reason I am convinced there is something hiding on her computer is that her AVG scan is coming up with a slew of locked files that it had never shown before. Locked files?? What the hell are those? Is that normal? It never picked up those in her prior scans. So I'll follow your direction at my mom's in the next half hour. Thank you for helping me.

#4 bcordone

  • Topic Starter

  • Members
  • 48 posts
  • Location:East coast USA
  • Local time:10:13 PM

Posted 03 February 2010 - 12:41 PM

Here are the results of the SUPERAntiSpyware:
SUPERAntiSpyware Scan Log

Generated 02/03/2010 at 10:51 AM

Application Version : 4.33.1000

Core Rules Database Version : 4549
Trace Rules Database Version: 2361

Scan type : Complete Scan
Total Scan Time : 00:19:10

Memory items scanned : 497
Memory threats detected : 0
Registry items scanned : 5665
Registry threats detected : 0
File items scanned : 16677
File threats detected : 25

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bridgetrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.wsod[2].txt
C:\Documents and Settings\Owner\Cookies\owner@kontera[1].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
C:\Documents and Settings\Owner\Cookies\owner@smartmoney.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@eb.adbureau[1].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.bridgetrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[3].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@invitemedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@a1.interclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.adtechus[1].txt
C:\Documents and Settings\Owner\Cookies\owner@richmedia.yahoo[1].txt

Here are the results of the Malwarebytes Anti-Malware
Malwarebytes' Anti-Malware 1.44
Database version: 3684
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/3/2010 11:56:46 AM
mbam-log-2010-02-03 (11-56-46).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 187583
Time elapsed: 41 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the AVG Heuristic scan which found the locked files:

AVG 9.0 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 9.0.712, engine 9.0.729
Virus Database: Version 270.14.139/2620 2010-01-14

C:\Documents and Settings\All Users\Application Data\avg9\Log\f2a6230e-91ee-4808-a189-67fe13f4e681 Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Owner\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Owner\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\CatRoot2\edb.log Locked file. Not tested.
C:\WINDOWS\system32\CatRoot2\tmp.edb Locked file. Not tested.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

Objects scanned : 208486
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0

Also Microsoft Office 2003 Service Pack is not able to be installed or Adobe 9. The updates for both of these keep trying to update every day but will not. Tell me what you think. Thank you.
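
As an added example that is not part of the original thread: a small Python triage of "Locked file. Not tested." lines like those in the AVG log above, separating files that a running Windows XP system holds open by design (registry hives, the paging file, the System Restore store, the catalog database) from anything else worth a closer look. The pattern table, the function name and the last sample line are constructed for illustration, and treating the AVG log file as locked by the scanner itself is an assumption.

```python
import re

# Paths a running Windows XP system keeps open exclusively, so a scanner
# running inside Windows reports them as locked rather than scanning them.
EXPECTED_LOCKS = [
    (r"\\(ntuser\.dat|usrclass\.dat)(\.log)?$", "per-user registry hive"),
    (r"\\windows\\system32\\config\\(default|sam|security|software|system)(\.log)?$",
     "system registry hive"),
    (r"^[a-z]:\\pagefile\.sys$", "paging file"),
    (r"^[a-z]:\\system volume information\\?$", "System Restore store"),
    (r"\\windows\\system32\\catroot2\\[^\\]+\.(edb|log)$",
     "Cryptographic Services catalog database"),
    # Assumption: the scanner holds its own log file open during the scan.
    (r"\\application data\\avg9\\log\\[^\\]+$", "AVG's own log file"),
]
LOCKED_LINE = re.compile(r"^(?P<path>.+?)\s+Locked file\. Not tested\.\s*$")

def triage_locked_files(log_text):
    """Return (expected, unexpected): expected is a list of (path, reason)."""
    expected, unexpected = [], []
    for line in log_text.splitlines():
        m = LOCKED_LINE.match(line.strip())
        if not m:
            continue  # header, blank or summary line
        path = m.group("path")
        for pattern, reason in EXPECTED_LOCKS:
            if re.search(pattern, path.lower()):
                expected.append((path, reason))
                break
        else:
            unexpected.append(path)  # not a known in-use system file
    return expected, unexpected

# Lines copied from the log above, plus one constructed line (the last path).
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\NTUSER.DAT Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\CatRoot2\edb.log Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\Temp\constructed-example.tmp Locked file. Not tested.
Objects scanned : 208486
"""

if __name__ == "__main__":
    ok, review = triage_locked_files(SAMPLE_LOG)
    for path, reason in ok:
        print(f"expected   {path}  ({reason})")
    for path in review:
        print(f"REVIEW     {path}")
```
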
