
Topic: Malware or system corruption? Windows XP


jkolak

    Malware or system corruption? Windows XP
    « on: December 08, 2009, 05:28:13 PM »
    I'm not sure if I belong here because I don't know if I have malware or simple system corruption.

    I have many of the symptoms of malware, in fact, the symptoms are very similar to System Security. I have erratic internet connectivity in which some processes can access the internet and browsers can't, or sometimes can and sometimes can't, or can connect for about 5 seconds and then get cut off. Anti-virus and anti-malware programs refuse to install. On boot up I'm told I have no firewall installed when Windows Firewall is on. System Restore repeatedly tells me it cannot create a restore point. Windows Update works sporadically. Access to shared documents on the other network computers is also sporadic. USB drives plugged in are not recognized, so getting utilities mentioned here onto the system has been difficult. Occasionally I get an error that there are insufficient system resources to connect to the network or access a folder on the local drive. Chrome keeps reporting files are corrupted and asks to run chkdsk. The hard drive hashes constantly, which I don't know if it is Windows trying to fix itself, or indexing, or malware bot activity. A google search on the connectivity irregularities brought me to a Computer Hope thread that directed me here:

    http://www.computerhope.com/forum/index.php?PHPSESSID=7314ab665cc151c420ed5557e162ee5a&/topic,46313.0.html

    Here are the results of trying to apply the steps:

    Step A - Anti-virus. Unfortunately I got caught up in the expiration of AVG Free on Dec 1. As the deadline approached, I couldn't get an update I suppose because of heavy server traffic, and then I read a review that recommended Avast, so I figured I would just uninstall AVG and get Avast. I installed Avast just as the problems were starting to hit. Then when I read a forum post that solved connectivity by uninstalling Avast, I did that. It actually worked. I had good connections after that. But then I was trapped because the situation had deteriorated to the point that I was no longer able to install any programs, so I have not been able to install any Anti-virus at all. The ones that use the Windows Installer report that the installer is unavailable, and the ones that use their own installer exit with errors. What I can report is that While Avast was installed I did get one clean scan saying no threats detected. I also discovered that my installation of AVG on another computer was able to scan over the network and it also reported no threats detected.

    So that makes me wonder if it is just plain corruption and not malware. So this is a good time to explain how I got to this stage. I have an early full install of Windows XP Pro from the initial release with no Service Packs. It has been updated over the years through all the service packs. But recently it has been getting quite slow, which I know is a symptom of malware, but I didn't expect malware firewalled behind a router and Windows Firewall on SP3. But I did read that XP tends to grind to a halt after running several years, so I visited some sites on the topic and applied some recommended system tweaks, particularly to the cache and turned off paging. When I rebooted it corrupted my hard drive and I started getting file corruption error messages from applications like the Google Chrome web browser.

    So I wanted to do a Windows Repair from the installation disk, but I had read of errors from starting with the first edition and upgrading up through the service packs, so I downloaded the MSDN Technet distribution of WinXP Pro SP3 which passed all the MS published files hashes, and I used it to launch a system repair. Unfortunately, when it rebooted it would not allow me to log in, saying that it needed to be activated before logging in, and asked me if I wanted to activate now. Clicking Yes led to watching the hard drive light flash for hours, and even overnight without doing anything. So the only thing I could think of was to run the WPA crack. I know - dangerous unknown software. But I figured it was probably a legitimate offering from the hacker community, and if not, I figured the anti-malware programs would take care of it.

    Well, that got me in, but I wasn't satisfied as it patched the binary file directly and Windows Explorer reported it as a corrupt file, and the patch seemed to interfere with other aspects MS functionality, including Windows Update. So I thought instead I would try a repair from my original old installation disk. That was a mistake. After rebooting, the computer would boot to a black screen and just hang. So fumbling back and forth with repeated repair attempts from both disks, I was amazed when I accidentally had the SP3 disk in the drive for an original disk repair, and when the installation prompted me for the Windows CD because of files not found, when I put it in, the installation was successful. Apparently the SP3 set up some initialization work that enabled the old original disk to complete installation.

    Of course I expected trouble from this combination of Windows editions, but gradually as the system rebooted itself and updated itself, it got healthier and healthier. During this period I discovered System File Checker, and ran it a few times from the original disk to keep things flowing, and after SP3 successfully installed, I did the same with the XP Pro SP3 installer disk.

    So, if System File Checker is supposed to get my installation in order, the mixed edition issues I was afraid of should have been straightened out, right? And if AVG, Avast, and Malwarebyte's Anti-Malware are reporting the system as clean, what is the problem?

    So on to the next steps.

    Step 1 - Add or Remove Programs. I didn't see anything unusual or from the list, but removed anything I wasn't absolutely sure I had put on myself.

    Step 2 - House Cleaning - I had been running Glary Utilities instead of CCleaner. Both report the same behavior. About 1100 or 1200 registry errors on the first pass, and again 9 to 20 errors on the second pass. Both report the errors as corrected, but they always come back. First I thought malware was preventing writing the repairs, but after seeing that CCleaner reports on them, I've decided they are unimportant as they are mostly missing .dlls. This brings up another point. When I repaired with the old system disk, the old HD drivers were not compatible with my drive and it immediately launched a check disk and reported that it was recovering all of my orphaned files. When finished I no longer had my third E: partition, an extended partition from D:. Disk Manager reported the correct size for D: and reported what was E: as unallocated space. This caused an initial panic, but a Linux Live CD could see it fine, and as Windows slowly updated itself and straightened itself out, it was able to see it correctly too. Nevertheless, my current symptoms still report file corruption after all the SFCs and chkdsk repairs, so I wonder again, malware or system corruption. And again, maybe hard drive failure? I doubt it as the drive is only one year old and SMART reports itself as healthy.

    Step 3 - Super Anti-Spyware - Unfortunately this one also refuses to install, stating that Windows Installer is not available.

    Step 4 - MBAM - Reports no malicious items detected.

    Step 5 - Update Your Java - Ran all the utilities here, current version already installed, old versions removed.

    Step 6 - Hijack This - Log is submitted. Application installation error messages also seemed informative and are submitted separately.

    Step 7 - Self-help Tool - Log report here: http://www.computerhope.com/cgi-bin/process.pl?o=872131

    I remember looking at HJT many years ago, but without an interpreter like this excellent tool, the results were not meaningful to me. Interesting call on vistadrive.exe. It has been on my computer 2 years. I had thought it was just one of those customizing tweaks people add on to XP to make it behave like Vista. After reviewing all of the results, I feel satisfied that malware is not the cause of my problem. I think more to look at the "Missing" section on line 3. I don't understand why so many things are missing from the system when I have run System File Checker so many times. I wonder if running it more would restore these things, or if they really are present, but Registry doesn't know it. I'm afraid that continually running SFC will just put me into a loop where the CD restores old versions and Windows Update replaces them with new ones.

    I should add that I have performed all of the fixes recommended by the Self-help Tool.

    Thanks,

    John

    [Saving space, attachment deleted by admin]
    « Last Edit: December 08, 2009, 06:06:04 PM by jkolak »

    SuperDave

    • Malware Removal Specialist
    • Moderator
    Re: Malware or system corruption? Windows XP
    « Reply #1 on: December 11, 2009, 07:24:07 PM »
    Hello jkolak and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Looking over your log it seems you don't have any Anti-virus software.

    Before we continue, download and install a free Anti-virus.

    Remember to only install one Anti-virus!
     
    1) Avast! Home Edition
    2) AVG Free Edition
    3) Avira AntiVir Personal
    4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
    4-a) Microsoft Security Essentials for Windows XP
    5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
    6) PC Tools AntiVirus Free Edition

    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

    I also noticed that you are running a P2P program(BitTorrent). While this program may be safe, the files you download with it are a major source of infections of all kinds. I strongly recommend that you uninstall it.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    Open HijackThis, select Open Misc Tools Section, select Open Process Manager, select C:\WINDOWS\VistaDrive\VistaDrive.exe and select Kill Process.

    Select Main Menu and select Open Misc Tools Section again. Select Delete an NT Service. Copy and paste the line in the code box into the open space and click OK.

    Code:
        WudfSvc

    Click Main Menu. Select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: (no name) - {0BD44AB1-76A7-4E05-92F4-4B065FE72BD6} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O3 - Toolbar: (no name) - {94A5C93F-BD18-4C46-B777-C94C145C3CAB} - (no file)
    O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00 (file missing)


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

    link # 1
    Link # 2

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    Windows 8 and Windows 10 dual boot with two SSD's
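As an added example (not code from the thread, from HijackThis or from the helper), a small Python triage routine for log lines like the ones listed in the fix above: it flags O1 hosts entries that point a name somewhere other than loopback, and it decodes the hex(2) registry export in the O23 line (UTF-16LE text with a NUL terminator) so the service's real command line, including the svchost -k group, can be read. The sample lines are constructed from the entries quoted in this post; the loopback entry is added for contrast.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: HijackThis-style lines copied from the entries in this post.
# The hex(2) value of the O23 line is joined onto one line (the forum wrapped it).
WUDF_HEX2 = (
    "25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,"
    "65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,"
    "6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,"
    "72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00"
)
SAMPLE_LOG = "\n".join([
    "O1 - Hosts: 66.98.148.65 auto.search.msn.com",
    "O1 - Hosts: 66.98.148.65 auto.search.msn.es",
    "O1 - Hosts: 127.0.0.1 localhost",  # ordinary entry, should not be flagged
    "O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) "
    "- Unknown owner - hex(2):" + WUDF_HEX2 + " (file missing)",
])

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O23_RE = re.compile(r"^O23 - Service: (.+?) \((\w+)\) - (.+?) - (.+)$")
HEX2_RE = re.compile(r"hex\(2\):([0-9a-fA-F,]+)")
SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


def decode_hex2(value: str) -> str:
    """Decode a registry-export hex(2) (REG_EXPAND_SZ) byte list such as
    '25,00,53,00,...,00,00' into text. The bytes are UTF-16LE ending in a
    two-byte NUL terminator, which is stripped."""
    raw = bytes(int(b, 16) for b in value.strip(",").split(","))
    return raw.decode("utf-16-le").rstrip("\x00")


def is_loopback(ip: str) -> bool:
    """Hosts-file mappings to loopback or the unspecified address are normal."""
    return ip.startswith("127.") or ip in ("0.0.0.0", "::1")


def svchost_group(command_line: str) -> Optional[str]:
    """Return the service group name when the image path is 'svchost.exe -k <group>'."""
    m = SVCHOST_GROUP_RE.search(command_line)
    return m.group(1) if m else None


def analyse(log: str) -> List[Tuple]:
    """Walk HijackThis-style lines and return the entries worth a second look:
    ('hosts-redirect', hostname, ip) for names sent to a non-loopback address, and
    ('service', short_name, decoded_image_path, svchost_group, file_missing) for O23
    entries whose image path is stored as a hex(2) export."""
    findings: List[Tuple] = []
    for line in log.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if not is_loopback(ip):
                findings.append(("hosts-redirect", host, ip))
            continue
        m = O23_RE.match(line)
        if m:
            _display, short_name, _owner, image = m.groups()
            h = HEX2_RE.search(image)
            if h:
                path = decode_hex2(h.group(1))
                findings.append(("service", short_name, path, svchost_group(path),
                                 "(file missing)" in image))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```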

    jkolak

      Re: Malware or system corruption? Windows XP
      « Reply #2 on: December 13, 2009, 10:41:19 PM »
      Thanks SD. I read another thread where you helped someone, so I am glad you are working on mine.

      1) Avira installed. 57 warnings found, but no list provided.

      2) Windows Messenger removed.

      3) Vista Drive already deleted from Windows folder.

      4) Delete an NT Service. Error message - service is enabled or running. Disable it first using HJT or services.msc. Proceeding to next step.

      5) Mark items for HJT fix: Windows Messenger no longer appears in 09. All other items marked for fix as instructed.

      After fix applied, retrying Step 4. Same error message appears re: WudfSvc. Rebooting to clear service. Try HJT again, same error.

      Try to disable WudfSvc again in services.msc. HJT removal of WudfSvc now successful.

      6) ComboFix. Running the program gives this error message:

      "ComboFix is offline.
      Please visit http://download.bleepingcomputer.com/subs/combofix.html"

      This site has moved to this location: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

      Nothing on this page says anything about this message. Just for fun I also used "Run as Administrator" like the Vista people, but the error message is the same.

      If this error means ComboFix is unable to access the internet, I should mention that currently the computer is working reasonably well with IE, and file sharing across the network is hit-and-miss. Downloading through IE has not been working, so I have to download utility programs you recommend through another computer and copy to the affected computer through the router (and back again to send logs). Sometimes I have to re-run the Network Creation wizard and Repair Connection before I can transfer the files.

      I did see that warnings are posted in the Avira report. Number of warnings now up to 270. Log attached.

      Thanks,

      John


      [Saving space, attachment deleted by admin]
      « Last Edit: December 14, 2009, 01:39:16 AM by jkolak »

      SuperDave

      Re: Malware or system corruption? Windows XP
      « Reply #3 on: December 14, 2009, 01:25:57 PM »
      Yes, ComboFix was taken off-line two days ago. If you don't mind, I would like to wait until it comes back on-line to run that program. I'll notify you when it is ready to run.
      I also noticed that you are running a P2P program (BitTorrent). While this program may be safe, the files you download are a major cause of a lot of infections and I strongly recommend that you uninstall it.
      Could you please go to Start, Control panel and click on Add/Remove programs and check to see if there are any programs like Norton or Symantec. Please advise me and I will send you a tool to remove them.

      jkolak

        Re: Malware or system corruption? Windows XP
        « Reply #4 on: December 15, 2009, 07:23:05 PM »
        Sure. I'd like to run ComboFix. The system has improved with the steps we have taken, but there are still problems. Minor hard disk corruption frequently reported. IE behavior erratic. Chrome will not reinstall. (Firefox seems to work well though.) Insufficient system resource error frequent, from opening a network location to saving a file in OpenOffice. Hard drive hashes constantly even after turning off indexing.

        I did remove BitTorrent last time but forgot to report it.

        I had Norton Systemworks 2003 on my computer ever since 2003. Over the years I kept hearing bad things about it, but having no other tool to see if my OS was working right, I continued to use it. Last week after getting Glary Utilities I noticed it had most of the Systemworks functionality, so I decided to uninstall Systemworks. A few years ago I had heard that Systemworks itself is as bad as a virus and had to be uninstalled with the Symantec removal tool at their website, so I googled that and used it the other day to remove it.

        The issue of anti-malware software on my system had me somewhat concerned due to the failure of the AVG9 install and apparent incomplete removal of Avast. Monitoring HJT for system changes, I noticed a couple of AVG processes still running, so I removed them with HJT and manually deleted both the AVG and Avast directories from Program Files. MBAM seems to not be an online monitor, so I have not done anything with it. So I think my system is ready for ComboFix. I have also turned off Windows Firewall. Avira does not seem to be monitoring because there is nothing in the system tray, but Windows Security Center recognizes its presence and does not report it as being offline. Maybe I need to adjust something?

        SuperDave

        Re: Malware or system corruption? Windows XP
        « Reply #5 on: December 16, 2009, 12:30:57 PM »
        Hello John. ComboFix is back on-line. You can run this scan.

        Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

        ComboFix

        Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

        Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

        Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
        Double-click combofix.exe and follow the prompts.
        When finished, ComboFix will produce a log for you.
        Post the ComboFix log and a new HijackThis log in your next reply.

        NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

        jkolak

          Re: Malware or system corruption? Windows XP
          « Reply #6 on: December 17, 2009, 12:11:17 PM »
          No luck on ComboFix. It never gets past the screen where it says the process is normally 10 minutes. The hard drive runs a lot for about 5 minutes. Then it settles down into its usual behavior of about one hard drive light flash per second with a low key light in between the flashes. That is what it did when XP would not boot. I let ComboFix run like this once for about 8 hours, then again for 2. Then I checked the instructions and saw that it was supposed to give stages progress, so obviously this is not working.

          SuperDave

          Re: Malware or system corruption? Windows XP
          « Reply #7 on: December 17, 2009, 12:46:47 PM »
          Hi John. This is a beta version of ComboFix that was supposed to help until they get the other back on-line. Ok. Let's try this:

          ESET Online Scan

          Scan your computer with the ESET FREE Online Virus Scan

          * Click the ESET Online Scanner button.

          * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
          * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
          * Place a check mark next to YES, I accept the Terms of Use.

          * Click the Start button.
          * Accept any security warnings from your browser.
          * Leave the check mark next to Remove found threats and place a check next to Scan archives.
          * Click the Start button.
          * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
          * When the scan completes, click List of found threats.
          * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
          * Click the <<Back button then click Finish.

          In your next reply please include the ESET Online Scan Log
          Also, please give me another HJT log.

          jkolak

            Re: Malware or system corruption? Windows XP
            « Reply #8 on: December 17, 2009, 10:47:16 PM »
            Hi SD! This is an absolutely amazing and educational process! I might have to sign up for training when this is done. I ran ESET and it came up clean. Log attached.

            While I was retrying ComboFix over and over, a few times I got an error message saying that something was preventing the registry from being written to or backed up. That was one of the early symptoms that got me thinking malware. Then one time I happened to have Task Manager running when IE and Networking started acting up again, and I noticed the CPU usage was at 100% for a long time. Process manager was showing 13% System and 87% to Networking Service. So I removed Avira and used msconfig to disable most of the non-Microsoft items that I knew what they were and didn't need.

            Then I ran ComboFix again and it ran to completion this time. I am amazed at how much is in the report. This has profound implications too. It means that AVG, Avast, and ESET all agreed there was no problem, yet ComboFix found a lot. All those numbered dll's are one of the similarities to System Security that also got me thinking malware, even though the symptoms are not exactly the same as System Security. Avira did find one numbered .exe file though. I see even msconfig.exe was deleted. Does that mean malware substituted a changed version of itself for the real one? And why are My Documents.url and My Music.url on the deletions? Does malware work through that too?

            Well, my questions could go on and on. Clearly a lot of the report is only status information for you to examine, and other parts of it are clearly above my head and ability to understand them, but it is really quite interesting.

            In spite of the tremendous amount of work done by ComboFix, I am still not symptom free. Actually I had used msconfig to turn everything back on to give you a full HJT log, but networking was working better before when I transferred the ComboFix and ESET logs to the other computer. Now I get the Insufficient System Resources error again when I try to open the shared folder. Maybe a software conflict in startup programs? Or a malware process was turned off?

            Hmmm... Now trying to save the HJT log from Notepad gives an Insufficient System Resources message. Last time it did that the system hung and never recovered, as well as starting a flurry of intense HD activity that ran so long it scared me into sending the shutdown signal to power off. This time, while I was waiting to see if the shared folder would open on the problem computer, I wanted to attach the other two logs that had already been copied to the good computer. Here the good computer could not even open the sharing folder on its own hard drive, Explorer also being hung up for a long time. Maybe just a conflict of two computers trying to access the folder at the same time, but if it's malware, I hope the bad computer isn't able to infect the good computer simply by transferring log files and utility programs across the LAN. Well, eventually after several retries the bad computer stopped giving the error message and was able to open the sharing folder to transfer the HJT log.

            Rebooting again after disabling all the unnecessary startup items, running Task Manager, I noticed 4 copies of svchost.exe running - two by System and two by Network Service. I wonder if that is a cause of contention and the source of my networking difficulties. Hard drive light never goes off, though. Still same behavior - always dimly lit with a medium brightness pulse every second - not bright like when the drive is really doing something important. CPU usage staying at 0% now.

            Don't mean to bore you. Just hoping that a description of my symptoms will help you diagnose the situation.

            That's about all I can think of for now.

            Thanks

            John

            [Saving space, attachment deleted by admin]
            « Last Edit: December 18, 2009, 12:00:25 AM by jkolak »

            SuperDave

            Re: Malware or system corruption? Windows XP
            « Reply #9 on: December 18, 2009, 05:02:28 PM »
            Hello jkolak. I noticed that you still don't have any Anti-Virus program on your computer as discussed in Reply #1. Before we continue, I want you to install one of those free AV's because every moment you spend on-line puts you at risk of more infections and more cleaning. I also noticed that you are running a P2P program (Bittorrent) on your computer. This program may, by itself, be safe but the files you download are a major source of infections. I strongly urge you to uninstall it.

            Open HijackThis and select Do a system scan only

            Place a check mark next to the following entries: (if there)

            O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
            O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
            O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
            O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\sched.exe (file missing)
            O23 - Service: Avira AntiVir Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (file missing)


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

            Please get me another HJT log when all this is finished.

            jkolak

              Re: Malware or system corruption? Windows XP
              « Reply #10 on: December 18, 2009, 07:56:07 PM »
              Hi SD,

              Well, per reply #2, step 1, Avira was installed, and per reply 8, paragraph 2, it was removed as suspect in preventing ComboFix from running. After running ComboFix and transferring logs to the other computer, Avira was reinstalled.

              Also, per reply 4, paragraph 2, BitTorrent was removed in Reply 2 between Steps 1 and 2. Googling msconfig controlled files, I see DNA is part of BitTorrent, so I removed it now.

              HJT log attached.

              Thanks,

              John

              [Saving space, attachment deleted by admin]

              SuperDave

              Re: Malware or system corruption? Windows XP
              « Reply #11 on: January 08, 2010, 12:44:26 PM »
              Hello John. I would like you to do this for me:

              Please go to Jotti's malware scan
              (If more than one file needs scanned they must be done separately and logs posted for each one)

              * Copy the file path in the below Code box:

              Code:
                  C:\WINDOWS\system32\NOTEPAD.EXE
              * At the upload site, click once inside the window next to Browse.
              * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
              * Next click Submit file
              * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
              * This will perform a scan across multiple different virus scanning engines.
              * Important: Wait for all of the scanning engines to complete.
              * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

              I would like to see a new log of ComboFix. Since CF only has a shelf life of 10 days, it will be necessary to delete the one you now have and download a new one. You don't have to uninstall your Avira; just disable it until the scan is done. See below for instructions on how to do this.

              Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

              link #1
              link #2

              Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

              Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

              Vista users: Right-click combofix.exe and select Run as Administrator and follow the prompts.
              Double-click combofix.exe and follow the prompts.
              When finished, ComboFix will produce a log for you.
              Post the ComboFix log and a new HijackThis log in your next reply.

              NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

              jkolak

                Topic Starter


                Hopeful
              • Thanked: 23
                Re: Malware or system corruption? Windows XP
                « Reply #12 on: January 09, 2010, 09:20:32 AM »
                Hi SD,

                Here is Jotti's link:

                http://virusscan.jotti.org/en/scanresult/99b19e4aff4267e599165e0e582931889f63126a/cba6158945c1b30f0131861f661d8d83d66248e9

                New ComboFix installed and logs for it and HJT attached. Anti-malware software re-enabled.

                Thanks

                [Saving space, attachment deleted by admin]
                « Last Edit: January 20, 2010, 04:15:26 PM by SuperDave »

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Malware or system corruption? Windows XP
                « Reply #13 on: January 09, 2010, 05:49:39 PM »
                Hello John. The logs look clean. One more scan, if you please. Please let me know how your computer is running.

                ESET Online Scan

                Scan your computer with the ESET FREE Online Virus Scan

                * Click the ESET Online Scanner button.

                * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                * Place a check mark next to YES, I accept the Terms of Use.

                * Click the Start button.
                * Accept any security warnings from your browser.
                * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                * Click the Start button.
                * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                * When the scan completes, click List of found threats.
                * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                * Click the <<Back button then click Finish.

                In your next reply please include the ESET Online Scan Log

                jkolak

                  Topic Starter


                  Hopeful
                • Thanked: 23
                  Re: Malware or system corruption? Windows XP
                  « Reply #14 on: January 10, 2010, 02:27:14 PM »
                  Hi SD,

                  ESET did not detect any threats, so I guess that is why it did not offer to save a log. So, instead, I copied the screen text for you and uploaded it as ESET.txt.

                  On the subject of ESET, while scanning, it triggered Avira upon opening KaraPlayer.exe which belongs to All in One Karaoke. This program has been on my computer since March 2008 and has never been noted by any anti-virus program until I switched to Avira last month. At first I just assumed it was a false positive because the message displayed was not a detection, but rather a caution that the program was packed with an unusual compression scheme (PCK / Yoda Prot). I just figured since the program is from Thailand that they are using different programming styles from what we are used to in the States. But since Avira keeps nagging about it, tonight I decided to look it up on Microsoft's Malware Encyclopedia. While the encyclopedia did not have a listing for the file, the scheme mentioned above yielded a list of nasties which must be associated with it in some way, perhaps using the method. The worrisome thing was that the symptoms listed were similar to mine.

                  In spite of this, I did not think this program was the source of my problem because I don't think I have run the program since I got it nearly two years ago. Also, when I thought I might lose my data last month, I transferred it to my wife's computer. She invited her parents over to our house to sing on Christmas Day and her computer shows no adverse effects from using the program.

                  As a further check, I visited the publisher's website and downloaded it from there. The file fetched from there was 25KB smaller than the file on my computer. That worried me initially, so I took a closer look at file information and found both versions were made within two hours of each other. Therefore, it seems unlikely that it got into the hands of a hacker and was released with a trojan within two hours. It looks more like an in-house change at the last minute on release day. Of course, the publisher itself could be supplying it with malware, but again, it has not shown any symptoms in the past, or on my wife's computer at the present time. Also, it seems every Karaoke DJ in town is using the same software, so you would think there would be problems if an unsafe program was that widely used. I thought I'd run Jotti's Malware on both versions of the file. They are here:

                  KaraPlayer 1st version:

                  http://virusscan.jotti.org/en/scanresult/ba5804431c4fc962cb2f84ca2e82875917cce506

                  KaraPlayer 2nd Version:

                  http://virusscan.jotti.org/en/scanresult/ce0e1fd190508d84af563d1e74320f9919eb0ddf

                  I didn't pay much attention to the issue of false positives in the past. I just assumed AV publishers had their signature lists and that they just worked. A random match of data bits seemed too small a chance to worry about. But I've been following the CNET reviews of security software recently, and I noticed for the first time that the percentage of false positives is a rating factor. Also, upon installing Avira last month, I was surprised at their candor concerning the chances of false positives with respect to the sensitivity settings chosen. In fact, it is the first program I have ever seen with sensitivity settings.

                  My first concerns about false positives came about a year or two ago when our 12 year old boy started playing Ghost Online on his computer. I would think this is a legitimate game because you have to go to 7-11 to buy cards for game time, but it scanned as a virus by AVG, and then again by Avira. Here's Jotti's report:

                  GhostSoul_NP.exe

                  http://virusscan.jotti.org/en/scanresult/7c9689475ae5a153cf3b0c8acdbee8539f2b00bb

                  So, showing 8 out of 20 scanners giving a positive result, it shows that AV labs aren't sharing their results. I ran the .exe to see what it was. It is the file downloader that fetches updates and changes to the game. So I don't know if this is what they are detecting as a trojan downloader and only indicates a false positive. Another of his games, Talesrunner, shows a detection too. Again, this is a game we have to go to the store to buy game time for:

                  Talesrunner:

                  http://virusscan.jotti.org/en/scanresult/6f747123b34113ef7db96c5158c3221a7dec39fc

                  Well, I'm getting off topic. Again, neither of these games is on my computer, and his computer shows no malware symptoms, but tying the topic of false positives with my possible false positive on KaraPlayer, I would appreciate it if you or your mentor have any experience or knowledge about false positives and these 3 programs that you could share with me.

                  So, to get back to the question of how my computer is running, I can say I have been very gratified to see my computer come back to life and slowly see symptoms mitigate and things start behaving correctly. For example, earlier I reported that Firefox was fine, but IE could not be used reliably. Now IE seems to be behaving well. Of course, with 25 years of using computers, I have learned from the days before malware was around that hardware and software don't need any help from malware to misbehave. It's just that when going through a malware crisis like I have had here that I am more sensitive to things that are going wrong. So I have just a couple of issues I would like to report.

                  First is that SuperAntiSpyware hangs regularly. The registry scans are running about 6400 items. When it gets around 6100 to 6200 items through it, it hangs and gives a dialog box saying it encountered an unexpected error and invites me to submit my email address before shutting down. Actually, it used to just freeze until I discovered Safe Mode scanning. Then it successfully completed a scan and found a registry key for Trojan.FakeAlert-IEBT which was repaired. Now I can scan in regular mode, but it still gives the unexpected error every time. It turns out the file name is always the same, but the key number changes. The key is WMPNetworkSvc. What I have learned is that if I run a Quick Scan first, it scans successfully, and then I can run a complete scan, and it won't hang on the unexpected error anymore (but, again, only if I run the quick scan first). There is never anything detected anymore other than tracking cookies.

                  The second item is that I ran a Kaspersky Online Scan as well last week, which is a JavaScript application. First, I had a Java "error on page" message on the lower left hand IE window. On retrying, it successfully continued, but hung again on a message about downloading definition updates. This time the entire taskbar froze and the hard drive activity light took off at a furious pace. Well, for all I know it was just verifying what files were needed, and maybe even continuing with the scan, but without the screen updating the status, I was worried. I keep the Task Manager open so I can see what is happening, but clicking on Task Manager tabs, menus, and buttons did not have any effect, so I reset the computer after about 3 minutes of that. Scans came back clean, but I thought I should report this behavior.

                  I haven't wanted to try any of my applications programs until we are clear on the scanners and browsers in case there is a risk of further infection or corruption.

                  That's about it for now. Thanks for hanging in there with me.

                  [Saving space, attachment deleted by admin]
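The comparison in the post above (two copies of KaraPlayer.exe differing by 25 KB, timestamps two hours apart, a packer warning rather than a detection, and per-file Jotti results) is the evidence a defender gathers before calling a detection a false positive. As an added example that is not part of this thread, the PowerShell below profiles two copies of a file side by side: size, last-write time, SHA-256 hash, Authenticode signature and byte entropy. The two paths are placeholders, and it assumes Windows PowerShell 4.0 or later (for Get-FileHash) or PowerShell 7.

```powershell
# Added example, not from the thread: compare a local copy of an executable
# with a freshly downloaded reference copy. Paths below are placeholders.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) or PowerShell 7.

function Get-FileEntropy {
    # Shannon entropy in bits per byte. Ordinary native code usually lands
    # around 4.5-6.5; values above ~7.2 suggest a packed, compressed or
    # encrypted body. (Pure PowerShell loop: fine for small files, slow for
    # very large ones.)
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $pr = $c / $bytes.Length
            $h -= $pr * [Math]::Log($pr, 2)
        }
    }
    return [Math]::Round($h, 3)
}

function Get-ExecutableProfile {
    # One row of evidence for a single file.
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Bytes     = $item.Length
        Modified  = $item.LastWriteTimeUtc
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Entropy   = Get-FileEntropy -Path $Path
    }
}

function Compare-ExecutableCopy {
    param(
        [Parameter(Mandatory)][string]$LocalPath,
        [Parameter(Mandatory)][string]$ReferencePath
    )
    $local = Get-ExecutableProfile -Path $LocalPath
    $ref   = Get-ExecutableProfile -Path $ReferencePath

    [pscustomobject]@{
        Identical    = ($local.SHA256 -eq $ref.SHA256)
        SizeDelta    = $local.Bytes - $ref.Bytes
        MinutesApart = [Math]::Round(($local.Modified - $ref.Modified).TotalMinutes, 1)
        BothSigned   = ($local.Signature -eq 'Valid' -and $ref.Signature -eq 'Valid')
        SameSigner   = ($local.Signer -eq $ref.Signer)
        Local        = $local
        Reference    = $ref
    }
}

# Placeholder paths: replace with the copy on the suspect machine and the
# copy downloaded from the publisher.
$result = Compare-ExecutableCopy -LocalPath 'C:\Path\To\local\KaraPlayer.exe' `
                                 -ReferencePath 'C:\Path\To\downloaded\KaraPlayer.exe'
$result | Format-List Identical, SizeDelta, MinutesApart, BothSigned, SameSigner
$result.Local, $result.Reference | Format-Table Bytes, Modified, Signature, Entropy, SHA256 -AutoSize
```

Two caveats on reading the output. A last-write timestamp is trivially altered and says nothing about who built the file, so "made within two hours of each other" is weak evidence either way; a Valid signature chaining to the publisher's certificate on both copies is the strong one, and an unsigned file leaves only the hash, which can be submitted to a multi-engine scanner the same way the post did. High entropy confirms the packer Avira warned about but does not by itself indicate malice, since legitimate software is packed too, which is exactly why a packer note is a caution and not a detection.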