
Help!! i cant find the intruder...


  • This topic is locked
119 replies to this topic

#61 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 23 August 2010 - 01:43 PM

No problem. ;)

First of all, the pop-ups at bleepingcomputer: were you logged on to the site (in that case you shouldn't see ads) or were you just browsing it as a guest? In that case you can see ads. If it was a real pop-up, I would appreciate it if you could tell me what ad it was so I can see if I can find out anything about it (it will be disabled if it proves malicious).

The rest of your problems start to sound more and more like hardware. First of all, your battery. Please let it charge, then unplug the power outlet, turn on the computer and leave it on until the battery is empty. Do this three times or so. This way you "train" the battery.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#62 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 23 August 2010 - 02:39 PM

I was a guest on Bleeping Computer. It was, however, there, in the middle of the page. It was not there when I first visited and read, but it was there when I returned (clicked the other open browser on the bottom of the screen). Nothing else. I then scrolled over the page to see if anything else would pop up, but nothing. It really didn't look like it belonged there. I was towards the middle of the topic, halfway down the page; it showed up by itself covering one of the posts. I was not about to click anything (plus I had read it already), so I closed the whole browser. "Intel, get a free laptop", something like that. Sorry, I don't remember exactly what it said.

The other was on one of the 3 I had open, and it was too fast to read, but I did see HP. I'll also add that while logged into this site, I search for a topic and get errors. I'll do it again an hour or 2 later and find it.

My computer just locked up 2 times while attempting to post this. Fully charged battery (still plugged in).

2 manual reboots. The way I got it to work was not giving it time: as soon as the desktop opens I click the Moz browser and open it. There is a red X on my int logo right now... still.

The other 2 times it locked when trying to open a browser.

Sorry again, I hope I don't sound crazy....

OK, make that 3 manual reboots, I hope this one works....

#63 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 23 August 2010 - 03:44 PM

Yes, that pop-up thing can be normal: some ads may pop up like that and although it can be annoying, it isn't malicious.

As for your other problems, this sounds like a hardware problem. Does the laptop get hot?
regards, Elise



#64 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 24 August 2010 - 12:28 PM

Hello Elise,
The computer getting hot is an understatement..... I've been getting creative by finding ways to suspend it in the air so the fans underneath get fresh air. I even run a normal house fan pointed under it to help cool it down sometimes. ;)

Since you've helped me clear out all these culprits, it's running MUCH smoother/quieter/not as hot..., but crashes. I am leaning on the hardware as well at this point.

Looks like I have a new paperweight..... :)

Do you think it could be from the infections?

Again, thank you sooooo much for all your help!!!!! :)

#65 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 24 August 2010 - 12:55 PM

I just watched MBAM block this IP, so I decided to check the protection logs from yesterday.

Is something trying to get in again?? Not that it really matters at this point, just curious.

Thanks

08:05:03 BedigandMary MESSAGE Protection started successfully
08:05:07 BedigandMary MESSAGE IP Protection started successfully
10:49:59 BedigandMary IP-BLOCK 208.87.149.250
10:50:07 BedigandMary IP-BLOCK 208.87.149.250
10:50:07 BedigandMary IP-BLOCK 208.87.149.250
10:51:25 BedigandMary MESSAGE IP Protection stopped
10:51:26 BedigandMary MESSAGE IP Protection started successfully

#66 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 24 August 2010 - 01:36 PM

Hi, this looks indeed like a small problem. Let's try to reset your Vista firewall and see if that fixes the problem.

The overheating problem is definitely hardware and not related to malware. I'm not a hardware expert, however I have heard it might be a good idea sometimes to blow the laptop through with compressed air in order to dust it.

Click on Start button.
Type Cmd in the Start Search text box.
Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
Type netsh firewall reset in the Command Prompt shell, and then press the Enter key.
Restart the computer.
Let me know if the reset command was successful and monitor for IP blocks afterwards.
regards, Elise



#67 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 24 August 2010 - 03:04 PM

I reset the firewall as instructed. This is so weird: when I clicked Start and put in 'Cmd', the comp froze before I could finish/execute.... Manually rebooted, finished the task (per your instructions), then restarted. I believe it was successful; it did say "OK" after I typed in 'netsh firewall reset' and hit Enter on the black screen.

I will monitor for IPs.

Question: since I back up all pics, docs, music etc. to an external hard drive, is it also infected (probably, I assume)? If so, are there any tests/scans that you recommend? I have NOT plugged it into anything since this all started a few weeks back.

Thx again ;)

#68 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 24 August 2010 - 03:36 PM

You can plug them in and scan them with MBAM (run a full scan, that will give you the option to choose the drive).
regards, Elise



#69 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 25 August 2010 - 01:30 PM

Hello!
With only a few hours to poke around with this computer since yesterday, I have found a few suspicious occurrences.

- Yesterday while online I opened my email and clicked on a particular email with a link to a reg form (it's a registration form for an event). This process has given me problems before (a few weeks back when this all started), so I thought it would be a good test. I opened it, clicked forms (my default program to open this type of file is 'Word'); as usual, Word is there as my default. I close and reopen it 3 or 4 times from the link in my email. On the last attempt, I ended up with a new default startup program..... WINWORD.EXE .... I've never seen this on my computer before (but I'm not a pro)... although I can positively say, if it was, I NEVER had it set as my default, especially when I didn't do anything different, just opened the form, the comp asked what program to use (default or ) but I didn't continue, just closed out and did it again.

- Computer froze a few times, one of which was this morning. After a manual reboot, I was prompted with a screen I haven't seen before, then was asked to do a system restore. I did NOT set a restore point but proceeded with the Windows "launch start up repair" (recommended).. the other choice was start normally.

Attached File  restart_pic_from_BB2.jpg   9.59KB   4 downloads

Attached File  restart_pic_from_BB1.jpg   4.52KB   5 downloads

Still running fine since the manual reboot about an hour ago. Ran MBAM, didn't have any IP blocks, but I have a feeling by tomorrow I might...

Also, why isn't my MBAM updating itself? Before I ran the test I checked if the current version was installed but it wasn't. I updated and ran the check. I've been updating it manually.

09:30:22 BedigandMary MESSAGE Protection started successfully
09:30:26 BedigandMary MESSAGE IP Protection started successfully
09:38:48 BedigandMary MESSAGE IP Protection stopped
09:38:52 BedigandMary MESSAGE Database updated successfully
09:38:53 BedigandMary MESSAGE IP Protection started successfully
09:39:02 BedigandMary MESSAGE IP Protection stopped
09:39:03 BedigandMary MESSAGE IP Protection started successfully
09:39:07 BedigandMary MESSAGE IP Protection stopped
09:39:08 BedigandMary MESSAGE IP Protection started successfully

I'm still getting the "failure-security options" dialog box, almost every time it's gonna crash, or when I try to enter Task Manager.

Attached File  restart_pic_from_BB3_security_warning.jpg   3.59KB   3 downloads

I took these pics with my BlackBerry, emailed them to myself, and attached them. :)

Thx again!
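The two MBAM protection logs pasted above (posts #65 and #69) are short enough to read by eye, but the same questions come up with longer logs: which addresses were blocked, whether the blocks came in a burst (one process retrying a connection) or spread over the day, and how long IP protection was actually off during its stop/start cycles. The parser below is an added example written for this thread, not part of the original posts or of Malwarebytes' software. Its sample lines are assembled from the two logs in the thread; the hostname "BedigandMary" comes from those logs, and the 60-second burst window is an assumption chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed samples: the format matches the MBAM protection-log lines quoted
# in this thread (HH:MM:SS  hostname  TYPE  detail). Day 1 is the log from
# post #65, day 2 the log from post #69 (taken from the thread, not invented).
SAMPLE_LOG_DAY1 = """\
08:05:03 BedigandMary MESSAGE Protection started successfully
08:05:07 BedigandMary MESSAGE IP Protection started successfully
10:49:59 BedigandMary IP-BLOCK 208.87.149.250
10:50:07 BedigandMary IP-BLOCK 208.87.149.250
10:50:07 BedigandMary IP-BLOCK 208.87.149.250
10:51:25 BedigandMary MESSAGE IP Protection stopped
10:51:26 BedigandMary MESSAGE IP Protection started successfully
"""

SAMPLE_LOG_DAY2 = """\
09:30:22 BedigandMary MESSAGE Protection started successfully
09:30:26 BedigandMary MESSAGE IP Protection started successfully
09:38:48 BedigandMary MESSAGE IP Protection stopped
09:38:52 BedigandMary MESSAGE Database updated successfully
09:38:53 BedigandMary MESSAGE IP Protection started successfully
09:39:02 BedigandMary MESSAGE IP Protection stopped
09:39:03 BedigandMary MESSAGE IP Protection started successfully
09:39:07 BedigandMary MESSAGE IP Protection stopped
09:39:08 BedigandMary MESSAGE IP Protection started successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(MESSAGE|IP-BLOCK)\s+(.*)$")


def parse_log(text):
    """Return a list of (time, host, kind, detail) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        events.append((t, m.group(2), m.group(3), m.group(4).strip()))
    return events


def blocked_ips(events):
    """Count IP-BLOCK events per remote address."""
    return Counter(detail for _, _, kind, detail in events if kind == "IP-BLOCK")


def block_bursts(events, window_seconds=60):
    """Group IP-BLOCK events for one address that fall within window_seconds of the
    burst's first block. Returns (ip, burst start, count) tuples. Several blocks of the
    same address within seconds usually mean a single local process retrying a
    connection, so the next question is which process, not only which address."""
    bursts = []
    open_bursts = {}  # ip -> (burst_start, count)
    for t, _, kind, ip in events:
        if kind != "IP-BLOCK":
            continue
        start, count = open_bursts.get(ip, (None, 0))
        if start is not None and t - start <= timedelta(seconds=window_seconds):
            open_bursts[ip] = (start, count + 1)
        else:
            if start is not None:
                bursts.append((ip, start.strftime("%H:%M:%S"), count))
            open_bursts[ip] = (t, 1)
    for ip, (start, count) in open_bursts.items():
        bursts.append((ip, start.strftime("%H:%M:%S"), count))
    return bursts


def protection_gaps(events):
    """Return, in seconds, each interval from 'IP Protection stopped' to the next
    'IP Protection started successfully'. One-second gaps, and gaps that contain a
    'Database updated' line, are the normal update cycle; a long gap with no update
    is the kind that merits a closer look."""
    gaps = []
    stopped_at = None
    for t, _, kind, detail in events:
        if kind != "MESSAGE":
            continue
        if detail == "IP Protection stopped":
            stopped_at = t
        elif detail == "IP Protection started successfully" and stopped_at is not None:
            gaps.append(int((t - stopped_at).total_seconds()))
            stopped_at = None
    return gaps


def summarize(text):
    """One-call triage summary for a pasted protection log."""
    events = parse_log(text)
    return {
        "blocked_ips": dict(blocked_ips(events)),
        "bursts": block_bursts(events),
        "protection_gaps_seconds": protection_gaps(events),
    }


if __name__ == "__main__":
    for label, log in (("day 1", SAMPLE_LOG_DAY1), ("day 2", SAMPLE_LOG_DAY2)):
        print(label, summarize(log))
```

Run as-is, it reports that on day 1 a single address was blocked three times within eight seconds (one burst) and protection was off for one second, while on day 2 nothing was blocked and the three stop/start cycles lasted five, one and one seconds, the five-second one wrapping a database update. That matches the thread's reading of the logs: the stop/start lines are the updater, and the repeated block is the thing to follow up on.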

#70 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 25 August 2010 - 01:34 PM

MBAM auto updates only at certain intervals. This means that there might be a newer update available that is not yet downloaded.

Are you absolutely sure the registration form is in fact clean and not infected? To test, try and upload it to www.virustotal.com
regards, Elise



#71 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 25 August 2010 - 05:12 PM

Browsed and found 2 of the same Word files (same name); looked over the properties for both: one is from the original sender (has her name, etc.), the other had Microsoft or Windows info? (I don't know if that's normal).. I checked the 1st with VirusTotal, came back clean.

Went back to VirusTotal, clicked browse, the next Word file I wanted to scan disappeared..

Then I open the same email link, 'Word' is my default again.

I did some snooping around through my C drive, found a 'Chest' folder under Alwil service - avast5 - chest. The chest folder, when I click the desktop icon, has nothing in it, but when accessed through C, ProgramData, Alwil, etc., I did find one.

Among other files that I can not explain... I don't know if they belong there or not...


AhnLab-V3 2010.08.25.01 2010.08.25 -
AntiVir 8.2.4.38 2010.08.25 -
Antiy-AVL 2.0.3.7 2010.08.23 -
Authentium 5.2.0.5 2010.08.25 -
Avast 4.8.1351.0 2010.08.25 -
Avast5 5.0.594.0 2010.08.25 -
AVG 9.0.0.851 2010.08.25 -
BitDefender 7.2 2010.08.25 -
CAT-QuickHeal 11.00 2010.08.24 -
ClamAV 0.96.2.0-git 2010.08.25 -
Comodo 5854 2010.08.25 -
DrWeb 5.0.2.03300 2010.08.25 -
Emsisoft 5.0.0.37 2010.08.25 -
eSafe 7.0.17.0 2010.08.25 -
eTrust-Vet 36.1.7815 2010.08.25 -
F-Prot 4.6.1.107 2010.08.25 -
F-Secure 9.0.15370.0 2010.08.25 -
Fortinet 4.1.143.0 2010.08.25 -
GData 21 2010.08.25 -
Ikarus T3.1.1.88.0 2010.08.25 -
Jiangmin 13.0.900 2010.08.25 -
Kaspersky 7.0.0.125 2010.08.25 -
McAfee 5.400.0.1158 2010.08.25 -
Microsoft 1.6103 2010.08.25 -
NOD32 5397 2010.08.25 -
Norman 6.05.11 2010.08.25 -
nProtect 2010-08-25.02 2010.08.25 -
Panda 10.0.2.7 2010.08.25 -
PCTools 7.0.3.5 2010.08.25 -
Prevx 3.0 2010.08.25 -
Rising 22.62.02.04 2010.08.25 -
Sophos 4.56.0 2010.08.25 -
Sunbelt 6791 2010.08.25 -
SUPERAntiSpyware 4.40.0.1006 2010.08.25 -
Symantec 20101.1.1.7 2010.08.25 -
TheHacker 6.5.2.1.355 2010.08.25 -
TrendMicro 9.120.0.1004 2010.08.25 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.25 -
VBA32 3.12.14.0 2010.08.25 -
ViRobot 2010.8.25.4007 2010.08.25 -
VirusBuster 5.0.27.0 2010.08.25 -
Additional information
Show all
MD5 : 126df7d8c73e233ac338a92d821a5a89
SHA1 : 8458764f39605ae63c588519d1aaca105d481b17
SHA256: ca459f1a7b0de3204a9de5c32228a44f7e4e67edb61570851695ee6f6c53116c
ssdeep: 768:1+pMlQQ/xPRH8YV1JtzeszTztR/IaaCxgJto5l5yFFZ7b:1JrPRvxDbtR/IaaCxgJto5HuFZ7b
File size : 83456 bytes
First seen: 2010-08-25 19:26:49
Last seen : 2010-08-25 19:26:49
TrID:
Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#72 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 26 August 2010 - 01:09 AM

Avast's chest is protected; you will not see anything in it normally. Quarantined files are stored there. You can only manage these quarantined files by opening Avast.

This leaves us with the security alert. Can you please tell me what's in the title bar of this message and when it appears? I can't read the title bar from this picture unfortunately.
regards, Elise



#73 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 26 August 2010 - 11:54 AM

Sure,

Logon process has failed to create the security options dialog


'red X' Failure - Security Options


'OK' box

It's the same security warning I've been telling you about. Usually happens when I try to access Task Manager or when it's about to freeze.

Thank you for the Avast info.

I haven't been able to remove Adobe 8.2.3 for the updated version. When snooping around, I came across this as well...... adobe-Replicate-Security-nothing. ?? There's more, but this type of info goes right over my head. I just know when it does not look right but I can't really explain myself correctly. My apologies Elise!

I woke up today, touched the mouse, the computer froze when I tried to open Moz... as usual. It seemed to have locked up overnight, since my gadget was reading dark, cloudy, and definitely not 60 degrees outside. I manually rebooted.

Checked protection logs, no IP blocks, but IP protection stopped and started a number of times.

#74 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 26 August 2010 - 12:53 PM

I've done a bit of research on this problem and it seems you're not the only one who encounters it. Good news is, it seems not related to malware.

Since you mentioned using the weather gadget for the sidebar, that might be the culprit, so let's try to disable the sidebar and see what happens.

Go to the control panel, double-click 'Windows Sidebar...'
and uncheck 'Start Sidebar when Windows starts'.

Now please let me know if you still have problems.
regards, Elise



#75 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 26 August 2010 - 12:59 PM

I hit refresh on this page and got this error message...


tab: 500 internal error log


Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@malwarebytes.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log


It was about 10:25am PST; I hit refresh to see if you had responded yet...

When it was not loading, I hit stop, refresh (a few times). Hit stop, tried Hotmail, worked. All other sites worked but this one. I closed the browser, opened another, same issue. Rather than use my bookmark, I typed in www.forums.mawarebytes.org. It took a minute to load but worked. I don't know if this pertains to anything, but thought you should know.

It took about 10 minutes for this to post....

Again, thx :)

#76 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 26 August 2010 - 01:12 PM

OK, done.

Maybe worth telling you the gadgets and info...
  • Clock: version 1.0.0.0, Author: Microsoft Corp
  • CPU meter: version 1.0.0.0, Author: Microsoft Corp
  • Shutdown gadget: version 1.0, Author: M.M
  • Weather: version 1.1.0.0, Author: Microsoft Corp
  • Wireless Network meter: version 4.0, Author: AddGadget

#77 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 26 August 2010 - 01:25 PM

The forum seemed to have a problem earlier. I had great difficulty posting my earlier post.

As for your gadgets, disable them all and see if the problem is gone; if so, turn them on one by one in order to see which one might be causing the problem.
regards, Elise



#78 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 28 August 2010 - 12:25 PM

Hello Elise,
I did what you asked but it's still acting up. The gadgets have been disabled for a few days. The computer freezes constantly (NOTE: usually when I wake it from hibernation or when I try to access Task Manager).

I'm finding files that I can't access, prompts that tell me 'program is in use' and 'I can not access', or 'I'm not allowed' (something along those lines).

I attempted removal of Adobe Reader, but it's still on my computer. I deleted the shortcut, used Add/Remove Programs, emptied the Recycle Bin, but it's still there. I had a good friend over yesterday who is MUCH better with computers than I am; he just shook his head and giggled... told me to get a new computer or remove and reinstall new hardware (but also added it still may be inside hiding).

I have come across files that disappear from one day to the next. I wanted to show my friend the Avast Chest under programs (not through the icon), but it is gone. No Chest file anymore. Also found multiple identical programs, some with huge files, some with none.

In the C drive I found a long 'fhgnssi223nva;lddkgodsshdo3345jg' (just made that up) file. Then another different long number/letter combo (within 20 minutes), then a few hours later when I access the C drive and look for it, ..gone...

These are only 2 examples of many.

Any ideas? Thx again Elise! :P

#79 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 28 August 2010 - 12:37 PM

Folders like the one you mention, from random letters/numbers, often get created by updates (windows updates, hardware installations and so on).

However, from what you describe this indeed may point to faulty hardware.

I can tell you with absolute certainty there is no more malware hiding there.

Did you still get the security error (as in your screenshot)?

I've seen some references that this error might be caused by security programs that are not fully 64 bit compatible. You can try to uninstall Avast and see if that changes anything.
regards, Elise



#80 Petesnewjob

    Regular Member

  • Honorary Members
  • 78 posts

Posted 29 August 2010 - 12:06 PM

Thank you Elise, I will remove Avast now. Should I download a different antivirus or Avast again? Avira maybe?

BTW, I have not done any downloads or updates (not manually anyway). But I did find this... is it normal??

Thanks again!!! You're the best :P

----------------------------------------------------------------------------------
Command: c:\609bd44e100682acb0\MPSigStub.exe WD /q
Start time: 8/23/2010 9:29 AM (version 2.1.1112.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

Microsoft Windows Defender (Vista):
Status: Active
Product: 1.1.1600.0
Engine: 1.1.6004.0
Signatures: 1.87.2231.0

================================ PackageDiscovery ================================

AS BDE:
Engine: ?.?.?.?
AS base VDM: ?.?.?.?
AV base VDM: Not included
AS delta VDM: 1.89.175.0
AV delta VDM: Not included

================================ PatchApplication ================================

Patched mpengine.dll to 1.1.6103.0
Patched mpasbase.vdm to 1.89.0.0

================================= MpUpdateEngine =================================

Updated from c:\609bd44e100682acb0 (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (Vista) using the AS BDE package.

Original: Updated to:
Engine: 1.1.6004.0 1.1.6103.0
AS base VDM: 1.87.0.0 1.89.0.0
AS delta VDM: 1.87.2231.0 1.89.175.0

Set DeltaUpdateFailure to 0
Deleted c:\609bd44e100682acb0\mpengine.dll._p
Deleted c:\609bd44e100682acb0\mpasbase.vdm._p
Deleted c:\609bd44e100682acb0\mpasbase.vdm
Deleted c:\609bd44e100682acb0\mpasdlta.vdm
Deleted c:\609bd44e100682acb0\mpengine.dll
End time: 8/23/2010 9:29 AM
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
Command: MpSigStub.exe /program c:\c44c639e117908b339442e22fe\MpMiniSigStub.exe WD /q
Start time: 8/24/2010 8:09 AM (version 2.1.1112.0)

=================================== ProductSearch ==================================

Microsoft Windows Defender (Vista):
Status: Active
Product: 1.1.1600.0
Engine: 1.1.6103.0
Signatures: 1.89.175.0

================================ PackageDiscovery ================================

AS BDD:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.89.207.0
AV delta VDM: Not included

================================ PatchApplication ================================

Patched mpasdlta.vdm to 1.89.207.0

================================= MpUpdateEngine =================================

Updated from c:\c44c639e117908b339442e22fe (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (Vista) using the AS BDD package.

Original: Updated to:
AS delta VDM: 1.89.175.0 1.89.207.0

Set BddUpdateFailure to 0
Deleted c:\c44c639e117908b339442e22fe\1.89.175.0_to_1.89.207.0_mpasdlta.vdm._p
Deleted c:\c44c639e117908b339442e22fe\mpasdlta.vdm
End time: 8/24/2010 8:09 AM
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
Command: MpSigStub.exe /program c:\79ac2c0f551556c5b60c\MpMiniSigStub.exe WD /q
Start time: 8/27/2010 10:01 AM (version 2.1.1112.0)

=================================== ProductSearch ==================================

Microsoft Windows Defender (Vista):
Status: Active
Product: 1.1.1600.0
Engine: 1.1.6103.0
Signatures: 1.89.207.0

================================ PackageDiscovery ================================

AS BDD:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.89.471.0
AV delta VDM: Not included

================================ PatchApplication ================================

Patched mpasdlta.vdm to 1.89.471.0

================================= MpUpdateEngine =================================

Updated from c:\79ac2c0f551556c5b60c (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (Vista) using the AS BDD package.

Original: Updated to:
AS delta VDM: 1.89.207.0 1.89.471.0

Set BddUpdateFailure to 0
Deleted c:\79ac2c0f551556c5b60c\1.89.207.0_to_1.89.471.0_mpasdlta.vdm._p
Deleted c:\79ac2c0f551556c5b60c\mpasdlta.vdm
End time: 8/27/2010 10:01 AM
----------------------------------------------------------------------------------



