~e5.001 problem - VERY IRRITATING

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BBR, Jan 20, 2007.

  1. BBR

    BBR Private E-2

    Hello, I have a problem that I believe is some kind of malware, but I cannot get rid of it. I have a game called Rome: Total War, that I bought about a month ago, and recently I downloaded a modpack with various utilities in it. I believe one of these utilities put something bad on my computer, because whenever I try to start the game now, it just stops like nothing even happened. In Task Manager, I notice a process named ~e5.0001 that takes up about 95% of processing and seriously slows down my computer if I don't close it. I have read about it on various sites, and apparently it is "copyright protection", but it was never there before and I don't appreciate that it won't allow me to run the game. I read various procedures about removing it, but none worked. So I uninstalled the game, followed all the steps on this site about malware removal, reinstalled and it was still there. I uninstalled again, followed all the steps again, and now I'm here wondering if you guys can give me a hand. :) All the scan logs are attached below.
    I have:
    Windows XP Home w/SP 2
    512 MB RAM
    AMD Sempron Processor 3300+
    ATI Radeon 9550 Graphic card

    I appreciate any assistance you can lend me.
     

    Attached Files:

  2. BBR

    BBR Private E-2

    Here are the other three logs, including HJT.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have more than one anti-virus program running?

    You need to stop this process or uninstall the program:
    "dvpapi.exe is a process belonging to Authentium Antivirus"

    Please delete the following folder:

    C:\PROGRA~1\McAfee\MPS\mps.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Please attach a new HJT log.

    Please tell us how things are running.
     
  4. BBR

    BBR Private E-2

    No, McAfee is the only anti-virus program on my computer, although I have about five (other than the ones I installed for the READ AND RUN thing) spyware/adware programs on my computer normally.

    I stopped the dvpapi process, although I do not know what Authentium Antivirus is.

    Problem is, it will not let me delete the MPS folder manually, and when I try to fix that entry in HJT (yes, I closed all browsers), it comes up again in the next scan. I am reinstalling the game again to see if it will run.

    Here is the log anyway.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is part of the McAfee privacy service and is a false reading in the HJT scan.

    How are things running?
     
  6. BBR

    BBR Private E-2

    Same as before, the game won't start. The ~e5.0001 process also starts when I load the game, like before. dvpapi.exe is not running, however. Think that's about it. Any advice? :confused:
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs appear clean ...would suggest that you post in the games section.

    You can now uninstall any programs that we had you install for the diagnostics.
     
  8. BBR

    BBR Private E-2

    Okay, thanks, I'll try posting in the Games section. Hope this clears up soon. :major:
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Before you go off:
    Download
    - Pocket Killbox

    Using Add or Remove Programs in the Control Panel; uninstall the following: Quote:
    Adobe Reader 7.0.5 Language Support
    Adobe Reader 7.0.9
    Authentium AntiVirus SDK - 2
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    Mozilla Firefox (1.5)

    Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Install the current version of FireFox from: Mozilla Firefox

    Install Java Runtime Environment (JRE) 6 available from Sun Microsystems.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*). Quote:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "MSConfig"=-

    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to DvpApi ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    DvpApi

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines: Quote:
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): Quote:
      C:\Documents and Settings\Owner\Application Data\HHZUYQIL.inf
      C:\Documents and Settings\Owner\Application Data\HHZUYQIL.log
      C:\WINDOWS\system32\rhttpaa.dll
      C:\WINDOWS\system32\affv208325p1now.sys
      C:\WINDOWS\Temp\TFRE7.tmp
      C:\Documents and Settings\Owner\Local Settings\Temp\124.tmp
      C:\Documents and Settings\Owner\Local Settings\Temp\127.tmp
      C:\Documents and Settings\Owner\Local Settings\Temp\128.tmp
      C:\Documents and Settings\Owner\Local Settings\Temp\fb_2956.lck
      C:\Documents and Settings\Owner\Local Settings\Temp\TFR6B.tmp
      C:\Documents and Settings\Owner\Local Settings\Temp\wmplog00.sqm
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following (some of these may have already been deleted by Pocket Killbox): Quote:
    C:\Program Files\Common Files\Authentium
    C:\WINDOWS\Temp\sqlite_ZaU0JKcFyXRRkv1
    C:\WINDOWS\Temp\sqlite_2LjcVdQulUfhcOS
    C:\WINDOWS\Temp\sqlite_DgXCysDAdN7JS8J
    C:\WINDOWS\Temp\sqlite_UCvb5S5D6sHxRmX

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And click OK.

    REBOOT to Normal Mode.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
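
    As an added example that is not from the thread or its tools: the two registry and service steps above (removing the MSConfig Run value that FixReg.reg targets, then stopping and disabling the DvpApi service) done as a batch script with reg.exe and sc.exe, which ship with Windows XP. It assumes the service name dvpapi shown in the O23 line, an administrator account, and that a backup copy of the Run key on the Desktop is acceptable.

```batch
@echo off
REM Added example (not from the thread): does the FixReg.reg and Services
REM console steps with reg.exe and sc.exe. Run from an administrator account.

set RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
set BACKUP=%USERPROFILE%\Desktop\Run-backup.reg

REM 1. Export the whole Run key first so the change can be undone by
REM    double-clicking the backup .reg file.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%RUNKEY%" "%BACKUP%"
if errorlevel 1 (
    echo Could not export %RUNKEY% - not making any changes.
    exit /b 1
)

REM 2. Show what is currently in the Run key. The "MSConfig" value only
REM    exists while msconfig's "Selective Startup" is in effect.
reg query "%RUNKEY%"

REM 3. Same effect as the "MSConfig"=- line in FixReg.reg: delete only
REM    that one value, and leave the rest of the Run key alone.
reg query "%RUNKEY%" /v MSConfig >nul 2>&1
if errorlevel 1 (
    echo MSConfig value not present - nothing to remove.
) else (
    reg delete "%RUNKEY%" /v MSConfig /f
)

REM 4. Stop the DvpApi service if it is running, then set its startup
REM    type to Disabled (the space after "start=" is required by sc.exe).
sc query dvpapi | find "RUNNING" >nul && sc stop dvpapi
sc config dvpapi start= disabled

REM 5. Show the final state so it can be compared with the next HJT log.
sc query dvpapi
reg query "%RUNKEY%"
```

    Save it as a .cmd file and run it from an administrator account; the printed Run key and service state are what a fresh HJT scan should then agree with.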
     
  10. BBR

    BBR Private E-2

    All right, I'll do all that! :cool:
     
  11. BBR

    BBR Private E-2

    When I make the FixReg.reg, it shows up as a registry entry on the desktop, but it does not ask me to merge with the registry, it just opens it with Notepad. :eek: I'll stop in the procedure because if this is crucial to success, I don't want to mess it up.
     
    Last edited: Jan 20, 2007
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Dang copy and paste ...

    Try that.....
     
    Last edited by a moderator: Jan 20, 2007
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I just edited the registry patch. Try it again.
     
  14. BBR

    BBR Private E-2

    It didn't work. I apologize for my stagnation :)

    Edited: which is strange, because I've made a few .reg files before, and it looks right to me.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to msconfig and return it to normal startup ... reboot and then do the rest without the reg fix.
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Tim beat me to it.
     
  17. BBR

    BBR Private E-2

    Okay, here are those three logs :)
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any problems at this point.

    You may uninstall the programs that we asked you to download for the analysis.

    Then run CCleaner (both the cleaner and the issues - make the backup when prompted).

    And tell us how your system is running.
     
  19. BBR

    BBR Private E-2

    It's unthinkable... but the game doesn't start. It starts up on my laptop, so it's not the disk... any other possibilities? :(
     
  20. BBR

    BBR Private E-2

    I just noticed something. When the game fails to run on my computer, I open Task Manager and ~e5.0001 takes up a LOT of memory usage (about 95 under CPU), while RomeTW.exe (the file for the game) uses very little memory and is about 02 under CPU. However, I just installed Rome Total War on my old laptop and tried the same thing. Right after starting the game up (which actually runs on there), I open the Task Manager, and now it's the other way around, with RomeTW.exe being the main process and ~e5.0001 is a small process taking up almost no memory at all. Could the ~e5.0001 process have been corrupted somehow, or whatever? :confused:
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Best way to tell would be to uninstall and reinstall.
     
