Petesnewjob

Help!! I can't find the intruder...

120 posts in this topic

Hi, you can uninstall ESET using Add/Remove Programs (it has a small applet installed).

MBRCheck and RKU are "new" tools, so to say, so I think that's why they are not yet added to OTL's cleaning routine. You can just delete them.

Why do you think your computer is not yet clean?

As for the infection, it's difficult to say; I asked MBRCheck's developer, who told me 64-bit machines rarely have MBR infections and that it is quite possible this was a glitch.


Good morning Elise!

In hopes of not being redundant: same as before, but a little better. OK, after proofreading, it's redundant, sorry... ;)

Here are my concerns...

During reboot, it seems that a program opens and blocks other programs (in a nutshell). Avast has a warning on it, my internet connection has a red X on it (basically not ready)... These would all make sense if it was not connected to the internet yet, but thanks to my gadgets, I know the weather outside, and I watch the activity meter jump from 4%, 100%, 40%, 15%, 100%, and so on. Working hard. Yesterday after one of my many reboots my physical memory was calmly (every reboot) at 37-40%. A few hours later I decided to check... I had nothing open, but my physical memory was at 68% and usage was 25 to 80ish%, averaging around 55. I rebooted and usage went back down.

I decided to run an MBAM scan. Before I did, I checked if it had been updated... my last update was on 8-13 (doesn't it update itself?) so I updated and ran the scan. Clean. Checked the protection log, 1 IP block.

Just in case you want to see it...

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4453

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

8/20/2010 4:25:13 PM

mbam-log-2010-08-20 (16-25-13).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 294528

Time elapsed: 1 hour(s), 4 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

08:14:27 BedigandMary MESSAGE Protection started successfully

08:14:31 BedigandMary MESSAGE IP Protection started successfully

10:48:54 BedigandMary MESSAGE Protection started successfully

10:48:58 BedigandMary MESSAGE IP Protection started successfully

14:29:23 BedigandMary MESSAGE Protection started successfully

14:29:26 BedigandMary MESSAGE IP Protection started successfully

14:39:00 BedigandMary MESSAGE Protection started successfully

14:39:04 BedigandMary MESSAGE IP Protection started successfully

15:19:49 BedigandMary MESSAGE IP Protection stopped

15:19:53 BedigandMary MESSAGE Database updated successfully

15:19:53 BedigandMary MESSAGE IP Protection started successfully

20:05:44 BedigandMary MESSAGE Protection started successfully

20:05:47 BedigandMary MESSAGE IP Protection started successfully

Ran Avast (my full complete custom scan), came back clean. I open the logs, Avast shows the same password-protected files as before, again (the ones I never had). I would post them but I cannot click anything but Close on the Avast log page.

SwSetup\SPFS\setup.exe|>slingplayer\library/us.spl|........(add one of many). png or tif or xml ...error: Archive is password protected(42056)

After both were done, I rebooted. Once on, I face the same issues. I could not open Task Manager, the computer froze. Rather than rebooting it then, I decided to leave it be. Woke up this morning, touched the mouse, the screen lights up and the arrow is still thinking... I give it a few minutes, manually reboot, the computer shuts off but turned on with a black screen that didn't go away. I gave it at least 5 minutes to allow it time, but was forced to manually reboot again. 2nd reboot everything turned on, quite fast actually. So fast that while I started this post, the internet logo has a red X ("WLAN turned on" usually follows Avast's vocal "system's secure") but I'm already typing to you and I know what the temp is outside. Avast has a warning on it and the internet supposedly is not connected yet. Avast tells me I'm secure, the internet logo tells me no internet, but I have internet running, typing, gadgets up and running even before I opened the Moz browser. 'After' I open a browser, WLAN pops up 'enabled', Avast 'you're secure', and sometimes, like today, I was typing for at least 5 minutes before the WLAN icon showed enabled and the red X went away.

If the WLAN is not enabled, how is it that options that use the internet are running? Or I open a page/browser? Obviously by now the computer shows normal (earth on the internet logo, Avast has no warning).

I will say it's running better though, Elise, and it's all thanks to you!!! Without your help and guidance, I could never have done any of this. You and this forum are such a HUGE, HUGE asset and help to us (regular guys & gals)... Thank you again and again!

Once this comp gets the official "Clean", I'm buying and installing Malwarebytes on my Acer netbook (next on the clean-up list).

Much appreciated Elise!


I don't see the IP block you are referring to. ;) Only the start/stop/update lines.

As for your problem, that sounds like a hardware problem, not software. I wouldn't be surprised if it's related to your network adapter. It's normal that it takes a bit for your connection to enable.

Also, the memory usage is quite normal. Many background tasks are scheduled to run when the system is idle (like updating/checking for updates for various applications).


Good morning Elise!

I will list my issues. Again, I'm sorry if redundant (maybe I'm not explaining myself correctly).

1. If the computer turns on and my gadget shows the temp and weather outside, isn't the internet working????

2. When I manually rebooted yesterday after a crash, the Adobe Reader icon showed up next to Avast (bottom right of screen); an "update is ready to be installed" dialog box popped up. I did not open it but did scroll over it (it did NOT say which update version). I open the internet, go to adobe.com, click update, it shows 9.3.4 as the new update, and I read somewhere 8.2.4 has vulnerabilities. HUGE mistake and completely my fault, I chose to install off my computer icon (assuming I'm safe). Well, 8.2.4 installed..., can't uninstall it, and can't install 9.3.4. When attempting removal I get an unusual question... "Are you sure you want to remove Adobe 8.2.4" with a check box for "don't ever ask me again". I ignore that but proceed with removal. About a minute into it I get a security warning box asking me to either 'Allow' or 'Cancel' this 'Unknown Publisher's' access: "An unidentified publisher wants access to your computer." I check the details of this Unknown Publisher. (Adobe can't be Unknown, right?)

Details:

Unknown Publisher

Update

8.2.4

Adobe Systems Incorporated

I cancel. How could Adobe have an 'Unknown Publisher'? I did research, and 8.2.4 has many vulnerabilities and I am not the only one going through this (did a search). A new version was released 8-19.

3. My system has locked up and needed a manual reboot 3 times since yesterday, yet I've barely used it.

4. I've had 4 security warnings since yesterday (with black screen, just like my other explanations).

5. Task Manager won't open without a crash or security warning (same as my other explanations). I think I opened it successfully a few times without any odd effects.

6. Network meter shows IP: 1x2.xxx.x.xxx (I put in the x's); under it, Ext IP: 70.xxx.xx.xxx (x's by me). Question: when first booted, before the Avast security warning goes away and my WLAN connects, Ext IP shows "checking (-1)". Once Avast and WLAN show running/etc., the numbers appear. What is "checking (-1)"??

7. How do my gadgets work if the WLAN is not connected?

8. How can I open a browser when the WLAN is not connected and Avast shows... (next, number 9)

9. How does Avast go from Mail Shield, Web Shield and Security Shield TURNED OFF to all systems secure?

I understand what you explained to me earlier, but it doesn't make sense (to me anyway)... How does it need time to connect to the internet, when it's already on? Why do I get the WLAN box open telling me I'm now connected, when I've been watching the network meter's activity and the weather? (Doesn't that mean it's on???) Not to mention sometimes I already have a browser open...

10. I never had password-protected files when running Avast (before this infection). They are all still there and I can't do anything about them. The only button that works on the log page is "Close". I've been using Avast for at least 6 months... one of my signs of infection is/was the random and unexpected password-protected files.

11. I removed all programs and logs from my desktop and uninstalled the tools we used. Cleared the Recycle Bin. Cleared the Downloads folder.

I will continue to research my Adobe Reader issue as I wait for your reply. I did successfully remove Adobe Flash 10 and installed 10.1.

Thanks for everything Elise! ;)


Hi, first of all, that Adobe issue is normal. Adobe Reader had a new update yesterday (got one myself as well ^_^). Adobe can fairly well be an unknown publisher. Many companies don't digitally sign their files.

What other security warnings did you get besides the one you quoted (which was from Adobe and could be allowed)?

As for Avast, during startup the program initializes, which means its services are starting up. Until that is finished, it will show as not protecting your system.

You mention your system locked up, can you give me a bit more details as to when?


The computer locked yesterday twice and once this morning. The computer has been running since yesterday's lock/manual reboot, so I just touch the mouse and give it a minute to boot up. Open Moz and the arrow started thinking. I gave it a minute and hit Ctrl+Alt+Del... black screen, arrow is thinking, a few minutes later a Windows security warning dialog box opens: "red X - security failure" (center of the dialog page). I exit by either clicking the red X on the top right, or Cancel/Exit (even tried hitting OK a few days ago, all with the same result). Then it goes back to my desktop, but no Task Manager opens, not even the blue page which gives me the option to choose, just back to the desktop, with the thinking wheel. I can leave it like that for a day, or 5 minutes, the end result is always the same: I have to manually reboot. It's done this 3 or 4 times since yesterday, and honestly, this is exactly what it was doing before. Won't let me open my Task Manager.

I erased all programs and logs to the Recycle Bin. One freeze happened right before I did this yesterday. All I did was try and move my Recycle Bin closer to the files (so I can drag and drop easier), but it froze as soon as I dragged it (it didn't even move, just started thinking); the screen went shadow white and I was forced to reboot manually.

Once rebooted, I tried it again. Worked. I moved the Recycle Bin and deleted all shortcuts. Went into Programs and deleted/uninstalled. Went to Downloads and deleted all. Restarted the computer. Seemed fine. Today I wake up, touch the mouse, the desktop opens. Click the Moz browser, arrow back to thinking, then black screen, Ctrl+Alt+Del didn't work, security warning again. Manual reboot again.

As for Avast, during startup the program initializes, which means its services are starting up. Until that is finished, it will show as not protecting your system.

Regarding Avast... I have it open right now... it's blank... telling me to install Adobe Flash... I did, yesterday. Just checked my programs and Flash is installed... and I did reboot a few times...

Again, where did the password-protected files come from????? Prior to this, I NEVER had password-protected files.

A few days back you had me do some sort of restore/cleanup; those are the only 2 startups I've had that did NOT show my Avast unprotected (the only 2 normal startups I've had...). I just don't understand how my internet is on, but Avast has not initialized. How can I open it, see my shields down, but NOT be able to do anything about it? How does it tell me (verbally through my speakers, and visually with a green dialog box) that my system is secure, when I see a warning on the icon and have the program open looking at the 'Fix all' button (which does NOTHING when pressed)?

I'm sure I'm being a bit too skeptical on some of these issues, but I feel as if I'm back at square one....

********I just had to restart again. I hit Preview Post, the comp locked (black screen). Task Manager didn't open. Waited a few minutes and had to manually reboot. I started sending this as Avast shows a warning and the WLAN hasn't opened, but the browser is open, I'm typing.?. Luckily now I copy my page before I do anything... just in case this happens...

I don't understand ^_^

It's never crashed so much....


Let's first check for a common bug:

UPLOAD A FILE

--------------------

We need to check a file. Please click this link: VirusTotal

When the page has finished loading, click the Choose file button, navigate to the following file and click Send file.

c:\windows\explorer.exe

If you get the message that the file has already been scanned before, please click Reanalyse file now.

Please post back the results of the scan in your next post.

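The VirusTotal report that follows lists three hashes, the file size and a PEInfo block (entry point, link timestamp, machine type, per-section entropy and MD5). Everything in that block can be computed locally from the file bytes, which lets you confirm that the file you are looking at is the one that was uploaded and lets you triage a binary without sending it anywhere. The script below is an added example and is not part of the thread or of any tool mentioned in it; the `VT_REPORT` values are copied from the report posted below for explorer.exe, and `build_sample_pe()` constructs a tiny fake PE so the parser can be exercised offline (it is not a real program and shares nothing with explorer.exe beyond the entry point and timestamp values).

```python
"""Local triage of a Windows executable, as an alternative to uploading it.

Added example (not from the thread): computes the hashes VirusTotal prints and
parses the PE header fields from its PEInfo block (entry point, link timestamp,
machine type, sections with entropy), then diffs them against a posted report.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Values copied from the VirusTotal report posted in this thread for c:\windows\explorer.exe.
VT_REPORT = {
    "md5": "d07d4c3038f3578ffce1c0237f2a1253",
    "sha1": "4b3bd605b63749ff255e048ca6f27aff95aec24a",
    "sha256": "135dd05678c8997b45982d77298dbdd98061c9d4fe43d77866846012eb061a04",
    "file_size": 2926592,
    "entry_point": 0x25E33,
    "timestamp": 0x49E01DA5,
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 hex digests, the three hashes a VT report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0); packed or encrypted sections sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10B = PE32, 0x20B = PE32+
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machine": machine,                      # 0x14C = I386, 0x8664 = x64
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry_point,
        "sections": sections,
    }


def compare_with_report(data: bytes, reported: dict = VT_REPORT) -> list:
    """Names of reported fields whose value differs from the file in hand (empty list = same file)."""
    pe = parse_pe(data)
    local = {**file_hashes(data), "file_size": len(data),
             "entry_point": pe["entry_point"], "timestamp": pe["timestamp"]}
    return sorted(k for k, v in reported.items() if local.get(k) != v)


def build_sample_pe() -> bytes:
    """Constructed minimal 32-bit PE (not a real program) so the parser runs offline.

    It borrows only the entry point and timestamp from VT_REPORT; everything else is
    made up: a high-entropy .text section and an all-zero .data section."""
    def section_header(name, vaddr, raw, ptr):
        return struct.pack("<8sIIII", name, len(raw), vaddr, len(raw), ptr) + b"\0" * 16

    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, VT_REPORT["timestamp"], 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", VT_REPORT["entry_point"])
    opt += b"\0" * (224 - len(opt))
    text_raw = bytes(range(256)) * 2       # every byte value equally often -> entropy 8.0
    data_raw = b"\0" * 256                 # a single byte value -> entropy 0.0
    headers = (dos + b"PE\0\0" + coff + opt
               + section_header(b".text", 0x1000, text_raw, 0x200)
               + section_header(b".data", 0x2000, data_raw, 0x400))
    return headers.ljust(0x200, b"\0") + text_raw + data_raw


def triage(path: str) -> dict:
    """Read a file from disk and return hashes, PE fields and the diff against the posted report."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"hashes": file_hashes(data), "pe": parse_pe(data), "mismatches": compare_with_report(data)}


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(triage(sys.argv[1]), indent=2))
    else:
        print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

Run it as `python triage.py c:\windows\explorer.exe`; an empty `mismatches` list means the local file is byte-for-byte the one VirusTotal reported on, which is all a hash match proves (0/40 detections says the engines did not flag it, not that the file is the vendor's original). Two caveats a practitioner would add: the report's `verified: Unsigned` line is the expected result for a detached scan of a Windows system binary, because those are normally signed through a security catalog rather than an embedded Authenticode signature, so only a tool that can consult the catalog store on the machine itself (Sysinternals sigcheck, for instance) can confirm the signature; and a link timestamp in the PE header is set by the linker and is trivially forgeable, so it is a consistency check against the report, not evidence of provenance.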

Didn't know if you needed the additional info, so I added it anyway.

Thanks again!

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

explorer.exe

Submission date:

2010-08-22 20:33:15 (UTC)

Current status:

finished

Result:

0/ 40 (0.0%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2010.08.22.00 2010.08.21 -

AntiVir 8.2.4.38 2010.08.20 -

Antiy-AVL 2.0.3.7 2010.08.16 -

Authentium 5.2.0.5 2010.08.22 -

Avast 4.8.1351.0 2010.08.22 -

Avast5 5.0.332.0 2010.08.22 -

AVG 9.0.0.851 2010.08.22 -

BitDefender 7.2 2010.08.22 -

CAT-QuickHeal 11.00 2010.08.21 -

ClamAV 0.96.2.0-git 2010.08.22 -

Comodo 5821 2010.08.22 -

DrWeb 5.0.2.03300 2010.08.22 -

Emsisoft 5.0.0.37 2010.08.22 -

eSafe 7.0.17.0 2010.08.22 -

eTrust-Vet 36.1.7804 2010.08.21 -

F-Prot 4.6.1.107 2010.08.22 -

F-Secure 9.0.15370.0 2010.08.22 -

GData 21 2010.08.22 -

Ikarus T3.1.1.88.0 2010.08.22 -

Jiangmin 13.0.900 2010.08.21 -

Kaspersky 7.0.0.125 2010.08.22 -

McAfee 5.400.0.1158 2010.08.22 -

Microsoft 1.6103 2010.08.22 -

NOD32 5386 2010.08.22 -

Norman 6.05.11 2010.08.22 -

nProtect 2010-08-22.01 2010.08.22 -

Panda 10.0.2.7 2010.08.22 -

PCTools 7.0.3.5 2010.08.22 -

Prevx 3.0 2010.08.22 -

Rising 22.61.06.04 2010.08.22 -

Sophos 4.56.0 2010.08.22 -

Sunbelt 6776 2010.08.22 -

SUPERAntiSpyware 4.40.0.1006 2010.08.22 -

Symantec 20101.1.1.7 2010.08.22 -

TheHacker 6.5.2.1.353 2010.08.22 -

TrendMicro 9.120.0.1004 2010.08.22 -

TrendMicro-HouseCall 9.120.0.1004 2010.08.22 -

VBA32 3.12.14.0 2010.08.20 -

ViRobot 2010.8.18.3995 2010.08.22 -

VirusBuster 5.0.27.0 2010.08.21 -

Additional information


MD5 : d07d4c3038f3578ffce1c0237f2a1253

SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a

SHA256: 135dd05678c8997b45982d77298dbdd98061c9d4fe43d77866846012eb061a04

ssdeep: 24576:5d8uxOc/QpDk5pGYCW5uXSA7jTeFadRsxFb/g/J/ulZl:TOcLC8A7/eFwY3l/

File size : 2926592 bytes

First seen: 2009-05-24 18:27:11

Last seen : 2010-08-22 20:33:15

TrID:

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft_ Windows_ Operating System

description..: Windows Explorer

original name: EXPLORER.EXE

internal name: explorer

file version.: 6.0.6002.18005 (lh_sp2rtm.090410-1830)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x25E33

timedatestamp....: 0x49E01DA5 (Sat Apr 11 04:33:41 2009)

machinetype......: 0x14c (I386)

[[ 4 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x6BD15, 0x6BE00, 6.42, 65eba3253a27a14fe8b3534030b7be61

.data, 0x6D000, 0x2164, 0x2000, 0.83, 8d2597b8ca27314e6e6987b53b153d90

.rsrc, 0x70000, 0x2566A0, 0x256800, 7.04, e9c988e2d7bc4683dcec8a4fcb4b5c6d

.reloc, 0x2C7000, 0x5A20, 0x5C00, 6.74, a3b567255330d05abe32eb8a34f61792

[[ 19 import(s) ]]

ADVAPI32.dll: RegCloseKey, RegCreateKeyW, RegGetValueW, RegOpenKeyExW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, EventWrite, EventEnabled, GetLengthSid, GetTokenInformation, OpenProcessToken, EventUnregister, EventRegister, GetUserNameW, RegDeleteValueW, RegEnumKeyExW, RegQueryInfoKeyW, TraceMessage, RegOpenKeyW, RegEnumKeyW, RegEnumValueW, CloseServiceHandle, OpenServiceW, OpenSCManagerW, QueryServiceStatus, CheckTokenMembership, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, ConvertSidToStringSidW, StartServiceW, CreateWellKnownSid

KERNEL32.dll: GetSystemTime, GetFileAttributesW, FindClose, FindNextFileW, FindFirstFileW, GetLocalTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, FlushInstructionCache, RaiseException, GetSystemWindowsDirectoryW, SetLastError, ReadFile, GetFileSize, CreateFileW, InterlockedCompareExchange, LoadLibraryA, SystemTimeToFileTime, ExpandEnvironmentStringsW, GlobalGetAtomNameW, MultiByteToWideChar, GetEnvironmentVariableW, GetCurrentProcessId, GetModuleHandleW, lstrlenW, OpenEventW, SetEvent, GetBinaryTypeW, EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, CompareFileTime, GlobalFree, GetTickCount, MulDiv, GetUserDefaultLangID, GetPrivateProfileIntW, GetCurrentThread, GetThreadPriority, GetCurrentThreadId, SetThreadPriority, CompareStringOrdinal, lstrcmpiW, HeapSetInformation, SetErrorMode, CreateMutexW, ReleaseMutex, GetTimeZoneInformation, SetFilePointer, SetProcessShutdownParameters, GetSystemDirectoryW, CreateEventW, SetTermsrvAppInstallMode, RegisterApplicationRestart, ExitProcess, GetModuleFileNameW, GetPrivateProfileStringW, HeapDestroy, InitializeCriticalSection, DeleteCriticalSection, GetCurrentProcess, GetProcessHeap, HeapAlloc, QueryPerformanceFrequency, GetFileAttributesExW, QueueUserWorkItem, GetLongPathNameW, GetProcessTimes, TerminateThread, GetProcessId, CreateIoCompletionPort, GetQueuedCompletionStatus, GetWindowsDirectoryW, FormatMessageW, QueryFullProcessImageNameW, GlobalAlloc, DuplicateHandle, GetCurrentDirectoryW, WideCharToMultiByte, WriteFile, DeactivateActCtx, ActivateActCtx, ReleaseActCtx, CreateActCtxW, FindResourceExW, LoadResource, LockResource, GetUserDefaultUILanguage, LoadLibraryW, GetProcAddress, FreeLibrary, WaitForSingleObject, CreateProcessW, GetCommandLineW, GetStartupInfoW, CreateThread, AssignProcessToJobObject, ResumeThread, Sleep, QueryInformationJobObject, LocalAlloc, LocalFree, CloseHandle, OpenProcess, SetPriorityClass, GetPriorityClass, CreateJobObjectW, SetInformationJobObject, GetLastError, 
InterlockedDecrement, InterlockedIncrement, HeapFree, UnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, InterlockedExchange, VirtualAlloc, VirtualFree, DelayLoadFailureHook

GDI32.dll: GetStockObject, CombineRgn, GetLayout, CreatePatternBrush, OffsetViewportOrgEx, GdiAlphaBlend, GetTextExtentPoint32W, ExtTextOutW, SetWindowOrgEx, GetPixel, PatBlt, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, GetBkColor, CreateCompatibleBitmap, OffsetWindowOrgEx, SetBkColor, GetTextExtentPointW, GetClipBox, CreateDIBSection, CreateRectRgnIndirect, SetTextColor, SetBkMode, GetTextMetricsW, CreateFontIndirectW, CreateSolidBrush, GetObjectW, DeleteObject, CreateCompatibleDC, SelectObject, BitBlt, DeleteDC, GetDeviceCaps

USER32.dll: GetDlgItem, LoadCursorW, RegisterClassW, IsChild, SetTimer, MonitorFromRect, SetWindowTextW, SetClassLongW, GetClassInfoW, GetClassLongW, KillTimer, GetClassInfoExW, IsWindowEnabled, GetShellWindow, GetIconInfo, SetScrollInfo, GetLastActivePopup, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, IsWindowVisible, IsWindow, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, SetFocus, SetForegroundWindow, LoadMenuW, SetMenuInfo, SetMenuDefaultItem, GetSubMenu, TrackPopupMenuEx, LoadImageW, InsertMenuItemW, DestroyIcon, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharUpperBuffW, PostQuitMessage, LoadStringW, ShutdownBlockReasonCreate, GetWindowLongA, SetWindowLongW, UnregisterDeviceNotification, RegisterDeviceNotificationW, RegisterWindowMessageW, SetWindowPos, RegisterClassExW, GetDesktopWindow, UpdateWindow, InvalidateRect, BeginPaint, LoadBitmapW, SetLayeredWindowAttributes, EndPaint, ShowWindow, DefWindowProcW, MoveWindow, DestroyWindow, UnregisterClassW, SetProcessDPIAware, PeekMessageW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, GetKeyboardLayout, ActivateKeyboardLayout, IsProcessDPIAware, PrintWindow, GetDCEx, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, GetDlgCtrlID, ChildWindowFromPointEx, GetCapture, GetGUIThreadInfo, SetWindowLongA, CharUpperW, GetWindowDC, RegisterClipboardFormatW, UnhookWinEvent, SetWinEventHook, ReleaseCapture, GetUserObjectInformationW, GetProcessWindowStation, FlashWindowEx, GetForegroundWindow, PostMessageW, CreatePopupMenu, GetWindowThreadProcessId, MsgWaitForMultipleObjectsEx, CharPrevW, CharNextW, DispatchMessageW, TranslateMessage, GetMessageW, EqualRect, UnionRect, MapWindowPoints, GetClientRect, EnumWindows, EndTask, SetThreadDesktop, GetThreadDesktop, GetMenuItemID, IsHungAppWindow, DrawTextW, GetSysColor, TrackPopupMenu, SendMessageCallbackW, DeregisterShellHookWindow, EndDialog, IsDlgButtonChecked, LoadIconW, GetSysColorBrush, 
CloseDesktop, OpenInputDesktop, SetActiveWindow, IsRectEmpty, GetAsyncKeyState, RegisterShellHookWindow, FillRect, GetCursorPos, SetPropW, CopyRect, LockSetForegroundWindow, MonitorFromPoint, InflateRect, GetClassNameW, SubtractRect, RedrawWindow, EnumDisplayMonitors, OffsetRect, IntersectRect, SetWindowRgn, GetMenuState, GhostWindowFromHungWindow, HungWindowFromGhostWindow, GetWindowPlacement, RemovePropW, SendMessageTimeoutW, UnregisterHotKey, RegisterHotKey, InsertMenuW, ModifyMenuW, ClientToScreen, ScreenToClient, GetMenuItemCount, GetFocus, GetScrollInfo, InternalGetWindowText, GetKeyState, ChangeDisplaySettingsW, GetWindowLongW, EnumChildWindows, SendMessageW, GetWindow, GetWindowRect, PtInRect, SetCursor, ChildWindowFromPoint, SetCursorPos, GetMessagePos, LoadAcceleratorsW, WaitMessage, TranslateAcceleratorW, GetWindowRgnBox, GetActiveWindow, MessageBeep, SetWindowPlacement, SetRect, SendNotifyMessageW, UpdateLayeredWindow, GetLastInputInfo, SendDlgItemMessageW, AllowSetForegroundWindow, RemoveMenu, SetParent, CallWindowProcW, EnableWindow, GetDlgItemInt, SetDlgItemInt, CheckDlgButton, CopyIcon, DrawFocusRect, NotifyWinEvent, ExitWindowsEx, DrawEdge, WindowFromPoint, GetDoubleClickTime, SetCapture, TrackMouseEvent, LockWorkStation, AppendMenuW, GetParent, SetScrollPos, SetRectEmpty, AdjustWindowRectEx, BringWindowToTop, CascadeWindows, GetSystemMetrics, SystemParametersInfoW, FindWindowW, ReleaseDC, GetDC, DestroyMenu, GetMenuDefaultItem, TileWindows, GetAncestor, SwitchToThisWindow, CheckMenuItem, ShowWindowAsync

msvcrt.dll: memset, _unlock, _ftol2_sse, _except_handler4_common, __set_app_type, memcpy, free, memmove, realloc, __dllonexit, _lock, _onexit, _terminate@@YAXXZ, _controlfp, _vsnwprintf, malloc, __wgetmainargs, _cexit, _exit, __p__fmode, _XcptFilter, exit, _wcmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, __p__commode

ntdll.dll: NtOpenThreadToken, NtOpenProcessToken, RtlGetProductInfo, NtQueryInformationToken, NtClose, NtQueryInformationProcess, NtSetInformationProcess, WinSqmAddToStream, NtSetSystemInformation

SHLWAPI.dll: PathGetDriveNumberW, -, -, PathRemoveFileSpecW, -, -, SHRegGetUSValueW, -, StrDupW, PathQuoteSpacesW, -, -, -, -, StrChrIW, -, -, -, SHRegOpenUSKeyW, SHRegQueryUSValueW, StrCmpW, AssocQueryStringW, -, -, -, -, -, AssocQueryKeyW, PathParseIconLocationW, PathIsPrefixW, -, PathRemoveExtensionW, SHOpenRegStream2W, PathFileExistsW, -, -, -, -, PathFindExtensionW, SHQueryInfoKeyW, -, -, -, -, -, -, -, -, SHDeleteKeyW, PathAppendW, SHDeleteValueW, -, -, -, PathRemoveArgsW, PathRemoveBlanksW, StrCmpNIW, PathFindFileNameW, -, SHSetValueW, SHGetValueW, SHCreateThreadRef, SHSetThreadRef, -, -, PathCombineW, SHRegGetValueW, StrToIntW, -, -, -, PathGetArgsW, StrChrW, -, -, -, -, SHStrDupW, -, -, -, -, -, StrRetToBufW, -, -, -, -, -, -, StrRetToStrW, -, -, StrStrIW, -, -, PathMatchSpecW, PathIsRootW, PathIsNetworkPathW, SHQueryValueExW, AssocCreate, StrCmpIW, -, -, -, StrCmpNW, -, -, StrPBrkW, -, -, -, PathStripToRootW, -, PathIsDirectoryW, -

SHELL32.dll: -, -, -, -, -, -, -, -, SHGetDesktopFolder, -, SHBindToFolderIDListParent, -, -, -, -, -, -, SHGetIDListFromObject, -, -, -, -, -, -, SHCreateShellItemArrayFromIDLists, -, -, SHCreateItemFromIDList, SHCreateShellItemArrayFromShellItem, -, -, SHBindToFolderIDListParentEx, SHChangeNotify, SHAddToRecentDocs, DuplicateIcon, -, -, -, ShellExecuteW, -, -, SHGetPathFromIDListA, SHUpdateRecycleBinIcon, SHGetKnownFolderIDList, SHGetFolderPathEx, SHFileOperationW, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -, -, -, -, -, -, -, ExtractIconExW, -, -, -, -, SHGetSpecialFolderLocation, -, -, SHBindToParent, Shell_NotifyIconW, SHGetFolderPathAndSubDirW, Shell_GetCachedImageIndexW, SHGetFolderPathW, -, SHEvaluateSystemCommandTemplate, -, -, -, -, -, -, -, -, -, -, -, SHBindToObject, -, ShellExecuteExW, -, -, SHGetSpecialFolderPathW, -, SHParseDisplayName, -, SHGetFolderLocation, -, -, -, -, -

ole32.dll: CoTaskMemFree, CoCreateInstance, CoRegisterClassObject, CoRevokeClassObject, CoGetClassObject, OleInitialize, OleUninitialize, CoGetObject, StringFromGUID2, CoUninitialize, CoInitialize, RevokeDragDrop, RegisterDragDrop, CoRegisterMessageFilter, CoMarshalInterThreadInterfaceInStream, CoGetInterfaceAndReleaseStream, CoTaskMemAlloc, CoCreateFreeThreadedMarshaler, DoDragDrop, CoInitializeEx, CreateBindCtx, CoFreeUnusedLibraries, PropVariantClear

OLEAUT32.dll: -, -, -, -, -, -

SHDOCVW.dll: -, -

UxTheme.dll: IsCompositionActive, IsAppThemed, GetThemeMargins, GetThemeRect, IsThemePartDefined, GetThemeBackgroundRegion, DrawThemeTextEx, GetThemeFont, GetThemeColor, GetThemeBool, GetThemeInt, SetWindowTheme, DrawThemeText, GetThemeTextExtent, DrawThemeBackground, CloseThemeData, OpenThemeData, DrawThemeParentBackground, GetThemePartSize, GetThemeMetric, GetThemeBackgroundContentRect

POWRPROF.dll: GetPwrCapabilities

dwmapi.dll: DwmIsCompositionEnabled, -, DwmSetWindowAttribute, DwmEnableBlurBehindWindow, DwmQueryThumbnailSourceSize, DwmGetColorizationColor, DwmUpdateThumbnailProperties, DwmRegisterThumbnail, DwmUnregisterThumbnail

gdiplus.dll: GdiplusShutdown, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdiplusStartup, GdipCreateFromHDC, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipGetImageHeight, GdipGetImageWidth, GdipDisposeImage, GdipLoadImageFromFileICM, GdipLoadImageFromFile, GdipDeleteGraphics, GdipFree, GdipAlloc, GdipSetCompositingMode

slc.dll: SLGetWindowsInformationDWORD

RPCRT4.dll: RpcBindingFree, RpcStringFreeW, RpcBindingFromStringBindingW, NdrClientCall2, RpcStringBindingComposeW, I_RpcExceptionFilter, RpcBindingSetAuthInfoExW

PROPSYS.dll: PSGetPropertyKeyFromName, PSPropertyKeyFromString, PSGetPropertyDescription, PSGetNameFromPropertyKey, VariantToBooleanWithDefault, VariantToInt32WithDefault, VariantToStringWithDefault, PSCreateMemoryPropertyStore, VariantToStringAlloc, PropVariantToStringAlloc

BROWSEUI.dll: -, -


Can you please reboot in Safe Mode with Networking and see if things lock up there as well?


Sure, I'll do it now.

By the way, I used this laptop yesterday for a few hours. First, I googled "running programs"... and found BleepingComputer's web page. Also looked at auto parts (first time in a few weeks), also on Google. 2 browsers open: one had the car page and this site (my post), the other had the BleepingComputer info.

After an hour or so, I click on my 2nd browser and see a pop-up on BleepingComputer's website, "Intel advertisement". I checked the page to see if I had scrolled over a word that activated it, but no. I did not touch it, just closed the browser. Now the 1st browser, which had an HP pop-up for a split second (disappeared so fast all I saw was HP). Anyway, closed that as well (both tabs, quit without saving/remembering).

Everything is fine, windows closed with no problems.

I decide to click Adobe Reader before I walk away from the computer..... FROZE! Arrow started thinking....

OK, so I manually reboot (again).... but it went to standby?..?... I held down the power button, as I have become very good at it, but it went to standby. I turn it on again, hold down the power button, and it turned off.

I restarted, then shut down, just in case. Just turned it on this morning to check if you responded. Turned on OK, but my blue "I" on the computer that shows the wireless card turned orange (off) halfway through this post, but I'm still online...

I will do what you asked now.

**************

Started in Safe Mode with Networking. The internet did not connect. When I attempted to connect I was prompted for my password (for the internet). I did not enter it.

Opened some programs, etc., seemed fine.

Rebooted to normal mode, entered the password, the desktop shows for about 2 seconds, then the computer shut down on its own. No freeze, just off.

Restart, enter pw, desktop shows. I wait and observe and watched my power indicator go from 40% charge to battery instantly dead... computer shut off again... all within a second or 2 (by the way, this is the 1st time my computer was unplugged during use). Now the battery is at 30% (I plugged it in) and it's been 10 minutes. And my orange "I" came back about halfway through typing this 2nd post. The computer was unplugged from the power cord for maybe 30 minutes. I know my battery life isn't good, but I know it has never done that before. And it's already at 48% charged... total charge time since I plugged it in: 15 to 20 minutes tops.

Thank you for your patience Elise! Sorry for the long post....


No problem. ;)

First of all, the pop-ups at BleepingComputer: were you logged on to the site (in that case you shouldn't see ads) or were you just browsing it as a guest? In that case you can see ads. If it was a real pop-up, I would appreciate it if you could tell me what ad it was so I can see if I can find out anything about it (it will be disabled if it proves malicious).

The rest of your problems start to sound more and more like hardware. First of all, your battery. Please let it charge, then unplug the power cord, turn on the computer and leave it on until the battery is empty. Do this three times or so. This way you "train" the battery.


I was a guest on BleepingComputer. It was, however, there in the middle of the page; it was not there when I first visited and read, but it was there when I returned (clicked the other open browser on the bottom of the screen). Nothing else. I then scrolled over the page to see if anything else would pop up, but nothing. It really didn't look like it belonged there. I was towards the middle of the topic/halfway down the page; it showed up by itself covering one of the posts. I was not about to click anything (plus I had read it already), so I closed the whole browser. "Intel, get a free laptop", something like that. Sorry, I don't remember exactly what it said.

the other was on one of the 3 i had open and it was too fast to read, but i did see HP. i'll also had that while logged into this site, i search for a topic, adn get errors. i'll do it again an hour or 2 later and find it.

my computer just locked up 2 times while attempting to post this. fully charged bat(still plugged in)

2 manual reboots. the way i got it to work was not giving it time. as soon as desktop opens i click the moz browzer and open. there is a red x on my int logo right now..still

other 2 times it locked when trying to open a browser

sorry again, i hope i dont sound crazy....

ok, make that 3 manual reboots, i hope this one works....


Yes, that pop-up thing can be normal: some ads may pop up like that and although it can be annoying, it isn't malicious.

As for your other problems, this sounds like a hardware problem. Does the laptop get hot?


Hello Elise,

The computer getting hot is an understatement..... I've been getting creative by finding ways to suspend it in the air so the fans underneath get fresh air. I even run a normal house fan pointed under it to help cool it down sometimes. ;)

Since you've helped me clear out all these culprits, it's running MUCH smoother/quieter/not as hot..., but crashes. I am leaning on the hardware as well at this point.

Looks like I have a new paperweight..... :)

Do you think it could be from the infections?

Again, thank you sooooo much for all your help!!!!! :)


I just watched MBAM block this IP, so I decided to check the protection logs from yesterday.

Is something trying to get in again?? Not that it really matters at this point, just curious.

Thanks

08:05:03 BedigandMary MESSAGE Protection started successfully

08:05:07 BedigandMary MESSAGE IP Protection started successfully

10:49:59 BedigandMary IP-BLOCK 208.87.149.250

10:50:07 BedigandMary IP-BLOCK 208.87.149.250

10:50:07 BedigandMary IP-BLOCK 208.87.149.250

10:51:25 BedigandMary MESSAGE IP Protection stopped

10:51:26 BedigandMary MESSAGE IP Protection started successfully


Hi, looks indeed like a small problem. Let's try to reset your Vista firewall and see if that fixes the problem.

The overheating problem is definitely hardware and not related to malware. I'm not a hardware expert, however I have heard it might be a good idea sometimes to blow the laptop through with compressed air in order to dust it.

Click on the Start button.

Type Cmd in the Start Search text box.

Press the Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow the elevation request.

Type netsh firewall reset in the Command Prompt shell, and then press the Enter key.

Restart the computer.

Let me know if the reset command was successful and monitor for IP blocks afterwards.


I reset firewall as instructed. This is so weird, when I clicked start and put in 'Cmd' comp froze before I could finish/execute.... Manually rebooted, finished task (per your instructions), then restarted. I believe it was successful, it did say "Ok" after I typed in 'netsh firewall reset' and hit enter on the black screen.

I will monitor for IPs.

Question, since I back up all pics, docs, music etc. to an ex hard drive, is it also infected (probably, I assume)? If so are there any tests/scans that you recommend? I have NOT plugged it into anything since this all started a few weeks back.

Thx again ;)


You can plug them in and scan them with MBAM (run a full scan, that will give you the option to choose the drive).


Hello!

With only a few hours to poke around w this computer since yesterday, I have found a few suspicious occurrences.

- Yesterday while online I opened my email and clicked on a particular email with a link to a reg form (it's a registration form for an event). This process has given me problems before (few weeks back when this all started) so I thought it would be a good test. I opened, click forms (my default program to open this type of file is 'Word'); as usual, Word is there as my default. I close and reopen it 3 or 4 times from the link in my email. On the last attempt, I ended up w a new default startup program..... WINWORD.EXE .... I've never seen this on my computer before (but I'm not a pro)... although I can positively say, if it was, I NEVER had it set as my default. Especially when I didn't do anything different, just opened form, comp asked what program to use (default or ) but I didn't continue, just closed out and did it again.

- Computer froze a few times, one of which was this morning. After manual reboot, I was prompted to a screen I haven't seen before, then was asked to do a system restore. I did NOT set a restore point but proceeded w the Windows "launch start up repair" (recommended).. other choice was start normally.

[attached screenshot: post-49128-1282760654_thumb.jpg]

[attached screenshot: post-49128-1282760686_thumb.jpg]

Still running fine since manual reboot about an hour ago. Ran MBAM, didn't have any IP blocks, but I have a feeling by tomorrow I might...

Also, why isn't my MBAM updating itself? Before I ran test I checked if current version was installed but it wasn't. I updated and ran check. I've been updating it manually.

09:30:22 BedigandMary MESSAGE Protection started successfully

09:30:26 BedigandMary MESSAGE IP Protection started successfully

09:38:48 BedigandMary MESSAGE IP Protection stopped

09:38:52 BedigandMary MESSAGE Database updated successfully

09:38:53 BedigandMary MESSAGE IP Protection started successfully

09:39:02 BedigandMary MESSAGE IP Protection stopped

09:39:03 BedigandMary MESSAGE IP Protection started successfully

09:39:07 BedigandMary MESSAGE IP Protection stopped

09:39:08 BedigandMary MESSAGE IP Protection started successfully

I'm still getting the "failure-security options" dialog box. Almost every time it's gonna crash, or when try to enter task manager.

[attached screenshot: post-49128-1282760466_thumb.jpg]

I took these pics w my BlackBerry, emailed to myself, and attached. :)

Thx again!

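The two protection logs pasted above (the repeated IP-BLOCK of one address, and the IP Protection stop/start pairs around a database update) are small enough to read by hand, but a short parser makes the pattern explicit: how many times each address was blocked and over how many seconds, and for each stop/start cycle whether a database update fell in between. This is an added example for readers of the thread, not a Malwarebytes tool; the sample log is constructed from the lines posted above, and the line format it assumes is exactly that of those lines.

```python
import re
from collections import Counter
from datetime import datetime

# One MBAM 1.x protection-log line: time, machine name, event kind, detail.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+\S+\s+(MESSAGE|IP-BLOCK)\s+(.+?)\s*$")

# Constructed sample: the lines pasted in the thread, in the same format.
SAMPLE_LOG = """\
08:05:03 BedigandMary MESSAGE Protection started successfully
08:05:07 BedigandMary MESSAGE IP Protection started successfully
10:49:59 BedigandMary IP-BLOCK 208.87.149.250
10:50:07 BedigandMary IP-BLOCK 208.87.149.250
10:50:07 BedigandMary IP-BLOCK 208.87.149.250
10:51:25 BedigandMary MESSAGE IP Protection stopped
10:51:26 BedigandMary MESSAGE IP Protection started successfully
"""

def parse_log(text):
    """Return (time, kind, detail) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m[1], "%H:%M:%S"), m[2], m[3]))
    return events

def summarize(text):
    """Blocks per address, seconds between first and last block of that address,
    and each stop/start cycle with whether a database update happened in between."""
    events = parse_log(text)
    blocks = Counter(d for _, k, d in events if k == "IP-BLOCK")
    span = {}
    for ip in blocks:
        times = [t for t, k, d in events if k == "IP-BLOCK" and d == ip]
        span[ip] = int((max(times) - min(times)).total_seconds())
    restarts, stopped_at, updated = [], None, False
    for t, k, d in events:
        if k != "MESSAGE":
            continue
        if d == "IP Protection stopped":
            stopped_at, updated = t, False
        elif d == "Database updated successfully" and stopped_at is not None:
            updated = True
        elif d == "IP Protection started successfully" and stopped_at is not None:
            gap = int((t - stopped_at).total_seconds())
            restarts.append({"gap_s": gap, "after_update": updated})
            stopped_at = None
    return {"blocks": dict(blocks), "block_span_s": span, "restarts": restarts}
```

Run on the first log it reports one address blocked three times within 8 seconds and one 1-second restart with no update in between; the parser only exposes the pattern, it does not judge the address.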

MBAM auto updates only at certain intervals. This means that there might be a newer update available that is not yet downloaded.

Are you absolutely sure the registration form is in fact clean and not infected? To test, try and upload it to www.virustotal.com.


Browsed and found 2 of the same Word files (same name), looked over properties for both; one is from original sender (has her name, etc.), the other had Microsoft or Windows info? (I don't know if that's normal).. I checked the 1st w VirusTotal, came back clean.

Went back to VirusTotal, clicked browse, the next Word file I wanted to scan disappeared..

Then I open the same email link, 'Word' is my default again.

I did some snooping around through my C drive, found a 'Chest' folder under Alwil service - avast5 - chest. The chest folder when I click the desktop icon has nothing in it, but when accessed through C, ProgramData, Alwil, etc., I did find one.

Among other files that I can not explain... I don't know if they belong there or not...



Avast's chest is protected; you will not see anything in it normally. Quarantined files are stored there. You can only manage these quarantined files by opening Avast.

This leaves us with the security alert. Can you please tell me what's in the title bar of this message and when it does appear? I can't read the title bar from this picture unfortunately.


Sure,

Log on process has failed to create the security options dialog

'Red X' Failure - Security Options

'OK' box

It's the same security warning I've been telling you about. Usually happens when I try to access task manager or when it's about to freeze.

Thank you about the Avast info.

I haven't been able to remove Adobe 8.2.3 for the updated version. When snooping around, I came across this as well...... adobe-Replicate-Security-nothing. ?? There's more, but this type of info goes right over my head. I just know when it does not look right but I can't really explain myself correctly. My apologies Elise!

I woke up today, touched mouse, computer froze when I tried to open Moz... as usual. It seemed to have locked up overnight, since my gadget was reading dark, cloudy, and definitely not 60 degrees outside. I manually rebooted.

Checked protection logs, no IP blocks, but IP protection stopped and started a number of times.


I've done a bit of research on this problem and it seems you're not the only one who encounters it. Good news is, it seems not related to malware.

Since you mentioned using the weather gadget for the sidebar, that might be the culprit, so let's try to disable the sidebar and see what happens.

Go to the control panel, double-click 'Windows Sidebar...' and uncheck 'Start Sidebar when Windows starts'.

Now please let me know if you still have problems.


I hit refresh on this page and got this error message...

Tab: 500 internal error log

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@malwarebytes.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log

It was about 10:25am PST, I hit refresh to see if you responded yet...

When not loading, I hit stop, refresh (a few times). Hit stop, tried Hotmail, worked. All other sites worked but this. I closed the browser, opened another, same issue. Rather than use my bookmark, I type in www.forums.mawarebytes.org. It took a minute to load but worked. I don't know if this pertains to anything, but thought you should know.

It took about 10 minutes for this to post....

Again, thx :)

This topic is now closed to further replies.