Can't delete items found by WD

 
 
Jeff Bue
      30th Jun 2007
WD identified some spyware/adware on my machine the other day and when I tell
it to "Remove" or "Quarantine" I get an error message that says:

"Windows encountered an error: 0 x 80501001. One or more actions could be
completed successfully. Do you want details of this error?"

When I click "yes", the "history" window opens, showing multiple
instances of the offending programs, specifically:
Software Bundler:Win32/KaZaA
TrojanDownloader:Win32/WebP2PInstaller

It has the date and a message in the right hand column that states an error
was encountered. I've gone to the bottom of the "frame" for more details,
clicked on the links that tell you what to do, followed those instructions
and still can't get rid of these messages. Problem this is creating is that
I ALWAYS have an "!" (exclamation point) on my WD icon in the system tray,
which basically makes using WD useless. Any ideas or suggestions would be
greatly appreciated.

Sincerely,

Jeff Bue
Newark, Texas


 
 
 
 
 
Engel
      30th Jun 2007
Hello Jeff,

This error will occur if a threat is detected inside of a container such
as a ZIP file, RAR archive, etc.

The "remove" action cannot (in most cases) be applied to an object inside of
such containers, without deleting the entire container.

The issue is that you may have a ZIP file with tons of non-malicious files
in it, but one or more "bad" files as well that are detected.

For now you can check if the ZIP file has anything else inside of it that
you want to keep. If not, just delete the ZIP file yourself and you will have
removed the threat.

If you really want to keep the ZIP file around but do not want to see this
error again, you can disable scanning inside archives. Clear the checkbox for
"Scan inside archives" in the Tools section under the Options menu.
Generally, threats inside archives, while good to know about, are not
"active", meaning they can't do anything bad to your system while inside the
archive.

Open Disk Cleanup via Start, Programs, Accessories, System Tools.
It will scan the system first. Click the More Options tab.
Now click the Clean up button under System Restore.
This will remove all but the most recent restore point.

For the benefit of the community reading this post, please rate the post.

I hope this post is helpful.

Let us know how it works out.

Еиçеl
--



LAW
Men do not make laws. They do but discover them. -----Calvin Coolidge


 
Engel
      30th Jun 2007
Hi Jeff,

FYI

Known issues

Windows Defender might prompt you to remove some peer-to-peer (P2P)
file-sharing programs. If you choose to remove such a program, Windows
Defender deletes all the contents of the Program Files folder associated with
the P2P program. Because some P2P programs store downloaded files in a
default folder under Program Files, this might remove all files you have
downloaded through the file-sharing program. For example, KaZaA stores .exe
and .dll files at C:\Program Files\Kazaa. Downloaded files are stored at
C:\Program Files\Kazaa\My Shared Folder. If you use Windows Defender to
remove KaZaA, all files and folders under C:\Program Files\Kazaa are removed.
If you have installed any P2P file-sharing programs, it is a good idea to
back up your downloaded files before you run Windows Defender.

http://www.microsoft.com/athome/secu...easenotes.mspx
-- --

What is Adware?

Adware is software designed to track your usage patterns and display
targeted ads while you are using a free software package or while browsing
the web with a helper application you installed. The ads may appear inside
the application or may pop-up in separate windows. Either way, these ads are
based on information that has been gathered from your usage patterns and sent
to a server for storage and analysis. Typical applications include a program
like Kazaa that many users download and install without really reading the
license agreement (EULA) -- see, for example, Kazaa's Ad Support statement.


Watch what you download!

Many freeware programs, and P2P programs like Grokster, Imesh, LimeWire,
Bearshare, Grokster, KaZaA, and WinMX, Emule, eDonkey, etc. and others are
amongst the most notorious, come with an enormous amount of bundled spyware
that will eat system resources, slow down your system, clash with other
installed software, or just plain crash your browser or even Windows itself.
If you insist on using a P2P program, please read This Article written by
Mike Healan of Spywareinfo.com fame.

http://www.spywareinfo.com/articles/p2p/

It is an updated and comprehensive article that gives in-depth detail about
which P2P programs are "safe" to use.

File-Swapping - Another common security breach is the practice of P2P file
swapping. Basically, people could connect to a special network and swap
files with each other.
Music files in the popular mp3 format are the most commonly traded, but any
file can be swapped, such as movies and pirated commercial software.

You should know that if you are file-swapping, your computer's security is
breached. File-swapping programs create a "Shared Folder" on your hard drive
where you put the files you wish to make available to others. If you enable
file sharing of one folder, your entire hard drive is open to the world. If
you use your computer for business or have important personal information on
it, those files are potentially compromised, along with all your passwords.
Additionally, you take the chance of downloading some sort of malware with
your mp3's. Trojan horses and viruses have already been found in the KaZaA
and LimeWire programs. If you decide to participate in file-swapping, be
aware of the risks. You are basically bringing a file into your computer and
you have no idea whether the computer it came from is clean (virus-free),
whether the file-swapper you got it from is malicious or not. The best thing,
aside from refraining from file-swapping, is to use a separate dedicated
computer containing no important data. A separate hard drive is not a good
solution, because it is vulnerable to infection from the main drive. There
are now many legitimate places to download music, such as iTunes, Real's
Rhapsody, and even Napster which has reinvented itself as a legal download
service.
-- --

Please check Windows Defender's quarantine area to see whether the songs
have been quarantined.

If they have, you can restore them from the quarantine. Tools, quarantined
items.
--


Tools, spyware scan, manage spyware quarantine.

If this reads "there are currently no spyware threats in your spyware"

you are probably out of luck.

If it shows what you want, check off the items, and choose to unquarantine.

There are several processes here which may take a long time--perhaps hours:
One is the appearance of the list of items in the quarantine management
screen. If this screen is completely blank, leave it up there--go away, do
something fun--and check back on it later--maybe even overnight.

If the stuff appears, I'm unclear how long the unquarantine process takes,
once checked and initiated.

Once you've unquarantined the music, I STRONGLY recommend moving it to a
non-standard location--maybe under My Music, for example. We haven't seen
these reports for awhile, but there have been regular reports in the past of
loss of the files after the next reboot, in this kind of situation. So move
it before rebooting.

There have definitely been reports of success in removing large volumes of
music from quarantine, and quarantine is now the default action for these
files--so I believe you have a good chance. Folks who have interrupted the
process of moving the files INTO quarantine, and thus preventing creation of
the index for these files, have had no success.

The files are in a quarantine subfolder of \program files\microsoft
antispyware, and are renamed--i.e. if you name them back xxx.mp3, they will
play. However, although in theory there are command line apps to extract
the titles from the files, and allow you to use that info to rename the
files, I've not heard from anyone who succeeded in going that route.

Good luck

Watch what you download! and from where.
--


LAW
Man became free when he recognized that he was subject to law. -----Will
Durant







 
Pedro
      5th Jul 2007
Hi Engel,
I have the same problem as Jeff. I tried all the items you listed but it
keeps coming back. I do not have a file or used Kaza or have any peer to peer
software. I also do not have any zipped files; I deleted them all.
The only way I can get the WD icon out of my system tray is to tell WD to
ignore the items. But then they come back on the next boot up. This is
driving me nuts.

Pedro, Canada.


 
Engel
      5th Jul 2007
Hi Pedro,

It seems possible that your Windows installation has been deliberately
damaged by the trojan so as to prevent you removing the trojan.

Your first priority must be to cleanse your PC of all malware, as it is
being subverted by malware.
--

Update both Windows Defender and your anti virus application.
--

In safe mode, some of the protective services which these programs use to
ensure that they aren't removed, are not running, so they are easier to
remove.

Getting into Windows Safe Mode.

http://www.computerhope.com/issues/chsafe.htm

Shut down the computer and turn off the power.

Wait for at least 30 seconds, and then restart the computer in Safe mode or
VGA mode.
--

Enable Hidden Files and folders.

To enable hidden files and folders Go to task bar, click Start > My Computer.
On the Tools menu, click Folder Options.
On the View tab, uncheck Hide file extensions for known file types.
Make sure that 'Show hidden files and folders' is enabled.
'Display the contents of system folders' is checked & 'Hide extensions for
known file types' is not checked then press apply.

You can set this back later by opening the same page and pressing 'restore
defaults' then pressing apply.

HOW TO Enable Hidden Files:
http://service1.symantec.com/SUPPORT...02092715262339
--

In Safe Mode
You can clear prefetch files by going to Start menu and Run and typing

prefetch

and then click OK.

Remove the content of the folder Prefetch

The problem is that many spyware/malware/virus/Trojan (you get the idea)
writers use it to cause their programs to get respawned the moment you launch
the app whose prefetch data is linked to the code placed there by the
infection.
--

Open an Internet window and go to Internet Options, Delete Cookies and Temp
Files, and include all offline content.

Then also go to Start menu and Run and type (with %)

%temp%

and clear the files in that folder. Also go to Start menu and Run and type:

%windir%\temp

and clear the files in that folder.
--

Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders; and
c:\Documents and Settings\username\local settings\Temporary Internet
Files\Content.IE5 and delete all the files in those directories and
subdirectories).
http://www.mvps.org/winhelp2002/delcache.htm
--

After the cleaning, run Windows Defender and your anti virus application,
also any other anti spyware program like Ad-Aware http://www.lavasoftusa.com
, Spybot Search & Destroy http://www.safer-networking.org/ , etc. etc.
--

CCleaner - http://www.ccleaner.com
Note, uncheck Yahoo's toolbar during install.

The first time you run CCleaner's Issues scanner you'll have to keep
running it back-to-back until it finds nothing. One scenario is a registry
key may only be a reference pointing to a completely different location in
the registry and when it's removed then that reference link is also noticed
as being invalid on a subsequent scan. It's generally a good idea to keep
running the Issues scan until nothing is listed.
--
Reboot
--

Go to Ewido
http://www.ewido.net/en
run an online scanner
--

Good luck Pedro.
--


DAY
The first hour of the morning is the rudder of the day. -----H. W. Beecher



 
Pedro
      5th Jul 2007
Thanks Engel,
Do I do all this in safe mode??

 
Engel
      5th Jul 2007
Hi Pedro,

YES, The cleaning is better in safe mode.

DANGER
In great straits and when hope is small, the boldest counsels are the safest.
-----Livy
--

 
rocky
      6th Jul 2007
I had a similar problem. See below. My question is, should I remove the
various files listed under "resources"?

Error encountered:
Code 0x80508017. Some actions couldn't be applied to potentially harmful
items. The items might be stored in a read-only location. Delete the files or
folders that contains the items or, for information on removing read-only
permissions from files and folders, see Help and Support.

Category:
Trojan

Description:
This program has potentially unwanted behavior.

Advice:
Remove this software immediately.

Resources:
file:
C:\WINDOWS\system32\oqdijyfu.exe->(Upack)->[RSRCEmb]

file:
C:\WINDOWS\system32\hvgovmit.exe->(Upack)->[RSRCEmb]

file:
C:\WINDOWS\system32\qedvuhqu.exe->(Upack)->[RSRCEmb]

file:
C:\WINDOWS\system32\ktvocbly.exe->(Upack)->[RSRCEmb]

file:
C:\WINDOWS\system32\qqmpvcsw.exe->(Upack)->[RSRCEmb]

containerfile:
C:\WINDOWS\system32\qqmpvcsw.exe

containerfile:
C:\WINDOWS\system32\qedvuhqu.exe

containerfile:
C:\WINDOWS\system32\oqdijyfu.exe

containerfile:
C:\WINDOWS\system32\ktvocbly.exe

containerfile:
C:\WINDOWS\system32\hvgovmit.exe

--
rocky
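
The "Resources" listing in the post above has ten entries but refers to fewer files on disk. The following is an added example, not part of the thread and not Windows Defender's own code, that parses the listing and groups entries by on-disk file; reading `->` as "nested inside" and the function names are assumptions made for illustration.

```python
import re

# Constructed from the "Resources:" text quoted in the post above.
SAMPLE = r"""
file:
C:\WINDOWS\system32\oqdijyfu.exe->(Upack)->[RSRCEmb]

file:
C:\WINDOWS\system32\hvgovmit.exe->(Upack)->[RSRCEmb]

file:
C:\WINDOWS\system32\qedvuhqu.exe->(Upack)->[RSRCEmb]

file:
C:\WINDOWS\system32\ktvocbly.exe->(Upack)->[RSRCEmb]

file:
C:\WINDOWS\system32\qqmpvcsw.exe->(Upack)->[RSRCEmb]

containerfile:
C:\WINDOWS\system32\qqmpvcsw.exe

containerfile:
C:\WINDOWS\system32\qedvuhqu.exe

containerfile:
C:\WINDOWS\system32\oqdijyfu.exe

containerfile:
C:\WINDOWS\system32\ktvocbly.exe

containerfile:
C:\WINDOWS\system32\hvgovmit.exe
"""

# A scheme label is lowercase and at least two letters long, so a drive
# prefix such as "C:" is never mistaken for one.
SCHEME_RE = re.compile(r"^([a-z]{2,}):\s*(.*)$")


def parse_resources(text):
    """Return a list of (scheme, disk_path, layers) tuples.

    Accepts both layouts: label and value on one line, or the label on
    its own line with the value on the next (as pasted in the post).
    """
    records = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCHEME_RE.match(line)
        if m:
            pending, value = m.group(1), m.group(2)
            if not value:
                continue  # the value follows on the next line
        else:
            if pending is None:
                continue  # stray text before any label
            value = line
        # Assumption: "a->b->c" means c is nested inside b inside file a.
        parts = [p.strip() for p in value.split("->")]
        records.append((pending, parts[0], tuple(parts[1:])))
        pending = None
    return records


def group_by_disk_file(records):
    """Map each on-disk file (compared case-insensitively) to its entries."""
    grouped = {}
    for scheme, path, layers in records:
        entry = grouped.setdefault(
            path.lower(), {"path": path, "schemes": set(), "nested": set()}
        )
        entry["schemes"].add(scheme)
        if layers:
            entry["nested"].add(layers)
    return grouped


def files_to_review(grouped):
    """On-disk files whose detection sits in a nested layer, sorted."""
    return sorted(e["path"] for e in grouped.values() if e["nested"])


if __name__ == "__main__":
    grouped = group_by_disk_file(parse_resources(SAMPLE))
    for path in files_to_review(grouped):
        chains = [" -> ".join(c) for c in grouped[path.lower()]["nested"]]
        print(f"{path}  nested: {', '.join(chains)}")
```
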


 
Pedro
      7th Jul 2007
Hi Engel,
It did not help; WD still finds the same items.
I give up, everything works fine and Spybot-Search & Destroy, SpywareBlaster
& Norton AntiVirus do not find any problems. I also tried PC Doctor for
Windows and it could not find anything.

Thanks for the help, much appreciated.
Pedro.

"Engel" wrote:

> Hi Pedro,
>
> YES, The cleaning is better in safe mode.
>
> DANGER
> In great straits and when hope is small, the boldest counsels are the safes.
> -----Livy
> --
>
> "Pedro" wrote:
>
> > Thanks Engel,
> > Do i do all this in safe mode??
> >
> > "Engel" wrote:
> >
> > > Hi Pedro,
> > >
> > > It seems possible that your Windows installation has been deliberately
> > > damaged by the trojan so as to prevent you removing the trojan.
> > >
> > > Your first priority must be to cleanse your PC of all malware. as it is
> > > being subverted by malware.
> > > --
> > >
> > > Update both Windows Defender and your anti virus applicªtion.
> > > --
> > >
> > > In safe mode, some of the protective services which these programs use to
> > > ensure that they aren't removed, are not running, so they are easier to
> > > remºve.
> > >
> > > Getting into Windows Safe Mode.
> > >
> > > http://www.computerhope.com/issues/chsafe.htm
> > >
> > > Shut down the computer and turn off the power.
> > >
> > > Wait for at least 30 seconds, and then restart the computer in Safe mode or
> > > VGA mºde.
> > > --
> > >
> > > Enable Hidden Files and folders.
> > >
> > > To enable hidden files and folders Go to task bar, click Start > My Computer.
> > > On the Tools menu, click Folder Options.
> > > On the View tab, uncheck Hide file extensions for known file types.
> > > Make sure that 'Show hidden files and folders' is enabled.
> > > 'Display the contents of system folders' is checked & 'Hide extensions for
> > > known file types' is not checked then press apply.
> > >
> > > You can set this back later by opening the same page and pressing 'restore
> > > defaults' then pressing apply,
> > >
> > > HOW TO Enable Hidden Files:
> > > http://service1.symantec.com/SUPPORT...02092715262339
> > > --
> > >
> > > In Safe Mode
> > > You can clear prefetch files by going to Start menu and Run and typing
> > >
> > > prefetch
> > >
> > > and then click OK.
> > >
> > > Remove the content of the folder Prefetch
> > >
> > > The problem is that many spyware/malware/virus/Trojan (you get the idea)
> > > writers use it to cause their programs to get respawned the moment you launch
> > > the app whose prefetch data is linked to the code placed there by the
> > > infection.
> > > --
> > >
> > > Open an Internet window and go to Internet Options, Delete Cookies and Temp
> > > Files, and include all offline content.
> > >
> > > Then also go to Start menu and Run and type (with %)
> > >
> > > %temp%
> > >
> > > and clear the files in that folder. Also go to Start menu and Run and type:
> > >
> > > %windir%\temp
> > >
> > > and clear the files in that folder.
> > > --
> > >
> > > Empty your IE cache and your other temporary file folders, eg: c:\temp,
> > > c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
> > > path to your temp folder will change depending on your name) - sometimes
> > > programmes can be hidden in there - watch out for mysterious *.exe files or
> > > *.dll files in those folders; and
> > > c:\Documents and Settings\username\local settings\Temporary Internet
> > > Files\Content.IE5 and delete all the files in those directories and
> > > subdirectories).
> > > http://www.mvps.org/winhelp2002/delcache.htm
> > > --
> > >
> > > After the cleaning, run Windows Defender and your anti virus application,
> > > also any other anti spyware program like Ad-Aware http://www.lavasoftusa.com
> > > , Spybot Search & Destroy http://www.safer-networking.org/ , etc. etc.
> > > --
> > >
> > > CCleaner - http://www.ccleaner.com
> > > Note, uncheck Yahoo's toolbar during install.
> > >
> > > The first time you run CCleaner's Issues scanner you'll have to keep
> > > running it back-to-back until it finds nothing. One scenario is a registry
> > > key may only be a reference pointing to a completely different location in
> > > the registry and when it's removed then that reference link is also noticed
> > > as being invalid on a subsequent scan. It's generally a good idea to keep
> > > running the Issues scan until nothing is listed.
> > > --
> > > Reboot
> > > --
> > >
> > > Go to Ewido
> > > http://www.ewido.net/en
> > > run an online scanner
> > > --
> > >
> > > Good luck Pedro.

> >

 
 
Engel
Guest
7th Jul 2007
Hi Pedro,

Windows Defender records, in the System event log, at the time of the scan,
the precise path and filename of each detection.

So--right click My Computer, choose Manage.
Click on the plus sign in front of Event Viewer.
Click on the System events log, in the left column.
Click on View (top menu), filter.
Click the down-arrow at the right of Event Source, and choose "WinDefend."
Click apply, click OK.

Now--in the right window, scroll back to the time of the original detection,
and look for yellow-triangle marked records for those original detections.
Double-click a record in the right window to open it and see the full
detail. You can cut and paste, via a button--back to this thread.
--
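
A command-line equivalent of the Event Viewer filter in the post above, as an added example that is not part of Engel's post. It assumes Windows PowerShell 2.0 or later and that this Windows Defender version logs to the System log under the source "WinDefend", as the post states; the function name, parameters and output path are hypothetical.

```powershell
# Added example: pulls the same records the Event Viewer filter shows.
# Get-EventLog ships with Windows PowerShell 2.0-5.1 (not PowerShell 7+).
# Function name, parameters and output file are hypothetical.
function Get-DefenderDetectionRecord {
    param(
        [datetime]$After = (Get-Date).AddDays(-14),
        [string]$OutFile = "$env:USERPROFILE\Desktop\windefend-detections.txt"
    )

    try {
        # System log and source "WinDefend" are the ones named in the post.
        # Warning entries are the yellow-triangle records in Event Viewer.
        $records = Get-EventLog -LogName System -Source WinDefend `
                                -EntryType Warning -After $After -ErrorAction Stop
    }
    catch {
        # Get-EventLog raises an error when nothing matches the filter.
        Write-Warning "No WinDefend warning records since $After : $($_.Exception.Message)"
        return
    }

    # Oldest first, so the original detection is at the top.
    $records = $records | Sort-Object TimeGenerated

    # Write the full, untruncated message of each record to a text file
    # that can be pasted back into the thread.
    $records | ForEach-Object {
        "==== {0:u}  EventID {1} ====" -f $_.TimeGenerated, $_.EventID
        $_.Message
        ""
    } | Out-File -FilePath $OutFile -Encoding UTF8

    # Per-event-ID summary: how often each kind of record was logged and when.
    $records | Group-Object EventID |
        Select-Object @{n='EventID';e={$_.Name}}, Count,
                      @{n='First';e={($_.Group | Select-Object -First 1).TimeGenerated}},
                      @{n='Last'; e={($_.Group | Select-Object -Last 1).TimeGenerated}}
}

# Look back two weeks from today; adjust to cover the original detection date.
Get-DefenderDetectionRecord -After (Get-Date).AddDays(-14)
```

The message text of each record carries the path and filename the post refers to, which shows whether the detection sits inside an archive or a temp folder before anything is deleted.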



 